1. Data Controller

Ecopassly - Digital Product Passport Contact Email: info@parkkan.com

2. Information We Collect

We collect different types of personal data depending on your interaction with our Service: 2.1 Data provided directly by you: • Account Data: Email, ID/Tax ID, password (encrypted). • Brand Data: Brand name, logo, description, legal name, fiscal address, phone, social media, website. • Product Data: Name, description, images, material composition, care instructions, certifications, sustainability data, and any other custom fields you add. • Billing Data: Payment information processed exclusively by Stripe (we do not store credit card data). • Custom Domain Configuration: Domains you connect to the Service and associated DNS records. 2.2 Automatically collected data: • Technical Data: IP address, browser type, operating system, device identifier. • Usage Data: Pages visited, session time, features used, traffic source. • Cookies and tracking technologies: As detailed in section 6. 2.3 Integrated Service Providers: • Supabase: For authentication, database, and storage (processor for account and product data). • Stripe: For secure payment processing (processes billing data). • Cloudinary: For storage and delivery of product images and logos. • Cloudflare: For custom domain management, CDN, and service protection.

3. Legal Basis and Purpose of Processing

We process your personal data under the following legal bases according to GDPR: 3.1 Contract Performance (Art. 6.1.b GDPR): • Providing access to the Service and its features. • Managing your user account and subscription. • Processing payments and billing. • Hosting and serving public product pages with QR codes. • Configuring and maintaining custom domains. 3.2 Legitimate Interest (Art. 6.1.f GDPR): • Improving Service security and preventing fraud. • Analyzing Service usage to optimize features and user experience. • Sending communications about product updates, new features, or significant changes (you can opt-out at any time). 3.3 Legal Obligation Compliance (Art. 6.1.c GDPR): • Retaining fiscal and billing data according to Spanish law (minimum 6 years). • Responding to requests from competent authorities. 3.4 Consent (Art. 6.1.a GDPR): • Sending commercial communications or newsletters (only if expressly accepted). • Use of analytical or marketing cookies (you can manage preferences).

4. How We Use Your Information

We use your data to: • Provide, maintain, and improve the Service. • Process payments and manage subscriptions. • Generate QR codes and public product pages. • Configure and verify custom domains. • Send important communications related to your account (confirmations, security alerts, expiration or data deletion notifications). • Provide technical support and customer service. • Comply with legal and fiscal obligations. • Analyze usage patterns to improve experience and detect technical issues. • Prevent fraud, abuse, and protect Service security.

5. Information Sharing and Transfer

5.1 We do not sell your personal data. 5.2 We share information only with: • Essential Service Providers: Supabase (auth & DB), Stripe (payments), Cloudinary (images), Cloudflare (domains & CDN). These providers are contractually obligated to protect your data under GDPR and only process it according to our instructions. • Legal Authorities: When required by law, court order, or to protect legal rights. 5.3 International Transfers: Some of our service providers may process data outside the European Economic Area (EEA). In such cases, we ensure appropriate safeguards are in place via EU Standard Contractual Clauses or equivalent certifications (like the EU-US Data Privacy Framework). 5.4 Public Product Pages: Product data you intentionally publish (name, description, images, specifications) are publicly accessible via QR codes and product URLs, consistent with the purpose of the Service.

6. Cookies and Tracking Technologies

6.1 Types of cookies we use: • Essential Cookies: Necessary for Service operation (auth, session, security). Cannot be disabled. • Analytical Cookies: Google Analytics or similar tools to analyze Service usage and improve experience. Can be disabled. • Preference Cookies: Remember selected language and custom settings. 6.2 Cookie Management: You can manage your cookie preferences from your browser settings or via the consent banner when accessing the Service for the first time. Rejecting analytical cookies will not affect essential Service operation.

7. Data Retention

7.1 Active Subscriptions: Data for users with active subscriptions is retained while the subscription is valid and necessary to provide the Service. 7.2 Cancellation and Grace Period: When a subscription expires or is cancelled, data is retained for an additional 90 days to allow service reactivation without data loss. 7.3 Automatic Deletion: After the 90-day grace period, all your data (products, images, brand info, custom domains, and user account) is permanently deleted automatically and irreversibly from our systems and third-party services (Supabase, Cloudinary, etc.). 7.4 Prior Notification: You will receive an email warning 7 days before definitive data deletion, with an option to reactivate your account if desired. 7.5 Lifetime Users: Users with a Lifetime plan are exempt from the automatic data deletion policy while the Service remains operational. 7.6 Immediate Deletion: You may request immediate deletion of all your data at any time from your account settings or by contacting us at info@parkkan.com. Deletion will be executed within a maximum of 72 hours. 7.7 Legal Retention: Fiscal and billing data is retained for the legally required period (6 years under Spanish law), even after account deletion.

8. Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data: • Right of Access (Art. 15): Request a copy of all personal data we hold about you. • Right to Rectification (Art. 16): Correct inaccurate or incomplete data from your profile or by contacting us. • Right to Erasure/"Right to be Forgotten" (Art. 17): Request deletion of your data (subject to legal exceptions like fiscal obligations). • Right to Restriction of Processing (Art. 18): Request we limit processing of your data in certain cases. • Right to Data Portability (Art. 20): Export your data in a structured, commonly used format (JSON, CSV). • Right to Object (Art. 21): Object to processing based on legitimate interest. • Right to Withdraw Consent (Art. 7): Withdraw consent for commercial communications or cookies at any time. • Right to Lodge a Complaint: File a complaint with the Spanish Data Protection Agency (AEPD) if you believe your rights have not been respected. How to exercise your rights: • From your account settings in the Service. • Sending an email to info@parkkan.com with your request. • We will respond to your request within a maximum of 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure, including: • Encryption of passwords and sensitive data. • Use of HTTPS/TLS for all communications. • Strict access controls to databases and servers. • Continuous security monitoring and regular audits. • Periodic and secure backups. Despite our efforts, no system is 100% secure. You are responsible for maintaining the confidentiality of your password.

10. Protection of Minors

The Service is not directed to individuals under 16. We do not knowingly collect data from minors. If we detect we have collected data from a minor without parental consent, we will delete it immediately.

11. Changes to this Privacy Policy

We may update this Privacy Policy occasionally to reflect changes in our practices, applicable law, or Service features. Significant changes will be notified via email at least 30 days in advance. The updated version will be published on our website with the "Last updated" date.

12. Privacy Contact

For any inquiry, exercise of rights, or request related to data protection: Digital Product Passport Email: info@parkkan.com