# Privacy Policy — DPP Bangladesh

**Last updated:** 2026-04-29
**Effective date:** _to be set on production launch_

> ⚠️ **Template notice.** This policy is provided as a starting point covering
> the major obligations under EU GDPR (Regulation 2016/679) and EU ESPR
> (Regulation 2024/1781). Replace every `{PLACEHOLDER}` with your real
> business detail and have it reviewed by counsel licensed in your operating
> jurisdiction(s) before publishing.

---

## 1. Who we are

**Data controller:** {COMPANY_LEGAL_NAME}, {COMPANY_REGISTERED_ADDRESS_BANGLADESH}
**Trading as:** DPP Bangladesh
**Contact:** privacy@{YOUR_DOMAIN}
**Data Protection Officer (where required):** {DPO_NAME or "not applicable — under 250 employees and processing not high-risk"}

Where this policy refers to "we," "us," or "our" it means {COMPANY_LEGAL_NAME}. Where it refers to "you" or "the user" it means a natural person whose personal data we process — typically a factory administrator, factory employee, buyer representative, recycler, or auditor using the platform.

## 2. What this platform is

DPP Bangladesh is a SaaS platform that helps Bangladeshi garment manufacturers create, publish, and manage **Digital Product Passports** as required by EU Regulation 2024/1781 (the Ecodesign for Sustainable Products Regulation, "ESPR"). Each DPP describes a textile product's materials, durability, repairability, chemical safety, and end-of-life information so that EU consumers, retailers, regulators and recyclers can scan a QR code and verify the product's compliance.

## 3. What personal data we process

| Category | Examples | Source |
|---|---|---|
| **Account identity** | Full name, email address, phone, language preference, role | Provided by you at registration or by a factory admin who invited you |
| **Authentication** | Salted password hash (scrypt), TOTP secret encrypted at rest with AES-256-GCM, session tokens, login attempt counters | Generated when you set or use a credential |
| **Audit log** | IP address, user agent, action taken, timestamp | Captured automatically on every state-change action |
| **Factory profile** | Factory name, business identification number, address, EOID (Economic Operator ID), facility ID | Provided by the factory admin |
| **Buyer / recycler profile** | Company name, contact email, role | Provided when an EU buyer or recycler requests authorised access to a factory's DPPs |
| **Billing data** | Subscription plan, Stripe customer ID, bKash transaction ID — **we do not store full card numbers** | Stripe / bKash on payment |
| **Support data** | Anything you send to support@{YOUR_DOMAIN} | Provided by you in correspondence |

We do not knowingly collect data from anyone under 16. The platform is intended for B2B use.

## 4. What we do *not* collect

- Full payment card numbers — Stripe processes these on their PCI-DSS infrastructure.
- Biometric data, political opinions, religious beliefs, health data, sexual orientation — none of these are required by the platform and Zod input schemas reject them.
- Browser fingerprints or third-party advertising trackers.

## 5. Why we process it (purposes and legal bases)

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Authenticate users and operate the service | (b) Contract — providing the service you signed up for |
| Issue Digital Product Passports under ESPR | (c) Legal obligation — Regulation 2024/1781 |
| Maintain audit logs for compliance investigations | (c) Legal obligation + (f) Legitimate interest (security) |
| Bill and collect subscription fees | (b) Contract |
| Send transactional email (verification, password reset, billing) | (b) Contract |
| Send Telegram operations alerts to our team | (f) Legitimate interest (service reliability) |
| Detect and block abuse / fraud | (f) Legitimate interest (security) |
| Respond to lawful authority requests under ESPR Art. 13–14 | (c) Legal obligation |

We do **not** sell your data, share it with advertisers, or use it for automated decision-making with legal effects.

## 6. Where your data lives (data residency)

Personal data is stored in **Cloudflare's Western Europe (WEUR) region** — primarily Frankfurt and Amsterdam data centres. Specifically:

- **Cloudflare D1 (database):** WEUR
- **Cloudflare R2 (file storage):** WEUR
- **Cloudflare KV (rate-limit + session revocation):** Cloudflare's globally replicated KV — we only store ephemeral, non-sensitive identifiers there
- **Cloudflare Workers (compute):** runs at the edge globally; processes requests transiently and stores nothing persistently

Cloudflare Inc. is the infrastructure data processor. We have signed Cloudflare's Data Processing Addendum (DPA), which incorporates the EU Standard Contractual Clauses for any incidental international transfer.

## 7. Sub-processors

We rely on the following sub-processors. Each one has signed a GDPR-compliant DPA with us; their region is chosen to keep your data inside the EU wherever the vendor offers it.

| Sub-processor | Purpose | Region |
|---|---|---|
| **Cloudflare, Inc.** | Workers, D1, R2, KV, CDN | WEUR (Frankfurt/Amsterdam) |
| **Stripe Payments Europe Ltd.** | Card processing | Ireland (EU) |
| **bKash Ltd.** | Local Bangladeshi payments | Bangladesh — used only for BD-resident factories |
| **Resend, Inc.** | Transactional email | EU instance (Frankfurt) |
| **Functional Software, Inc. (Sentry)** | Error tracking | EU instance (Frankfurt) |
| **Telegram FZ-LLC** | Internal operations alerts (no customer data) | Their global infrastructure — used only for our team's status messages, never for personal data |

A live list of our sub-processors is available at https://{YOUR_DOMAIN}/legal/subprocessors. We notify customers at least 30 days before adding a new sub-processor.

## 8. International transfers

Where the data leaves the EU (e.g., DPPs are queried by a recycler in Bangladesh, or a customs authority outside the EU), the transfer is covered by:

- **Cloudflare's Standard Contractual Clauses** (incorporated in their DPA)
- **Bangladesh-specific transfers:** justified under GDPR Art. 49(1)(b) (necessary for performance of a contract you entered with us)
- **Public DPP scans** are not personal-data transfers — the public DPP page omits all personal data via the `redactPublicFields()` server-side filter.

## 9. How long we keep it

| Data | Retention | Why |
|---|---|---|
| Published Digital Product Passports | **At least 10 years** after last update | ESPR Art. 9(7) — at least the technical lifetime of the product |
| Account data | While the account is active + 6 months after deletion | Operational + dispute resolution |
| Audit log | 1 year by default; configurable by platform admin via `POST /admin/audit/sweep?days=` | Security investigations |
| Webhook idempotency records | 90 days | Stripe replay protection |
| Backups | Cloudflare D1 time-travel, 30 days | Disaster recovery |

After the retention period the data is deleted from production and from backups within 30 days, except where we are required to retain it longer by law.

## 10. Your rights (GDPR Art. 15–22)

If you are an EU resident, or your data is processed in the EU, you have the following rights. Email **privacy@{YOUR_DOMAIN}** from the address associated with your account; we respond within 30 days.

- **Right of access (Art. 15):** request a copy of the personal data we hold about you.
- **Right to rectification (Art. 16):** correct inaccurate data — most fields can be self-edited via Account Settings.
- **Right to erasure (Art. 17, "right to be forgotten"):** delete your account. Note: published DPPs containing your name as the manufacturer's contact may need to be retained for 10 years under ESPR Art. 9(7), but personal contact details can be replaced with a generic factory contact on request.
- **Right to restriction (Art. 18):** ask us to pause processing while a dispute is resolved.
- **Right to data portability (Art. 20):** receive your data in a structured, commonly-used, machine-readable format (JSON) — also exposed via `GET /api/me`.
- **Right to object (Art. 21):** object to processing based on legitimate interest.
- **Right to lodge a complaint:** with the data protection authority in the EU member state where you live, work, or where the alleged infringement took place.

## 11. Security

We follow industry-standard practices:

- All traffic is TLS 1.3.
- Passwords are hashed with scrypt (N=2¹⁶, r=8, p=1).
- TOTP secrets are encrypted at rest with AES-256-GCM using a key derived per-row via HKDF.
- Sessions are revocable (REVOKE_KV); access tokens expire in 15 minutes; refresh tokens rotate on use.
- All state-change endpoints enforce Origin/Referer checks (CSRF defense in depth).
- Rate limiting applies per-IP across auth, public DPP reads, and admin endpoints.
- Sensitive fields (passwords, tokens, secrets) are stripped from audit logs.
- Per-authority API keys are SHA-256 hashed and rotatable, with each access audit-logged.

No system is perfectly secure. If you discover a vulnerability, please email **security@{YOUR_DOMAIN}** — we follow the [security.txt](https://{YOUR_DOMAIN}/.well-known/security.txt) disclosure standard.

## 12. Cookies and similar technology

We use only **strictly necessary** browser storage:

- `dpp_jwt`, `dpp_jwt_refresh` (localStorage) — your authenticated session
- `dpp_user` (sessionStorage) — your role / factory context for the current tab
- `dpp_lang` (localStorage) — preferred UI language
- Service Worker caches — offline support for static pages

We do not use marketing, analytics, or third-party advertising cookies. No consent banner is required because no non-essential storage is used.

## 13. ESPR-specific notes (public DPP visibility)

When you publish a Digital Product Passport, the following becomes **publicly accessible** via QR scan, in compliance with ESPR Art. 9(2):

- Product name, GTIN, UPID
- Manufacturer (factory) name and country — but **not** factory address or staff names
- Material composition, certifications, recyclability, repairability score
- Aggregate chemical summary (count of declared chemicals, whether SVHC is present) — **the full per-substance CAS list is NOT public**; it is available only to authenticated recyclers and to authorities under ESPR Art. 14
- ESPR conformity declaration (manufacturer name, declared date)

Personal data of factory employees is **never** included in the public DPP.
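The server-side filter that sections 8 and 13 refer to, written here as an added TypeScript example rather than taken from the project; the record shape, field names and sample values are assumptions. It builds the public view from an allow-list and includes a pre-publish check that no internal-only value survived serialisation.

```typescript
// Added illustration, not the project's code: an allow-list filter of the kind
// the policy names redactPublicFields(). Field names and sample values are
// assumptions. Copying named fields only means a field added to the internal
// record later cannot leak into the public view by default.
interface Chemical { cas: string; name: string; svhc: boolean }
interface InternalDpp {                // what authenticated users see
  productName: string; gtin: string; upid: string;
  factory: { name: string; country: string; address: string; contactEmail: string };
  materials: string[]; certifications: string[];
  recyclability: string; repairabilityScore: number;
  chemicals: Chemical[];               // full per-substance CAS list
  conformity: { manufacturerName: string; declaredDate: string };
}
interface PublicDpp {                  // what a QR scan can reach
  productName: string; gtin: string; upid: string;
  manufacturer: { name: string; country: string };
  materials: string[]; certifications: string[];
  recyclability: string; repairabilityScore: number;
  chemicalSummary: { declaredCount: number; svhcPresent: boolean };
  conformity: { manufacturerName: string; declaredDate: string };
}

function redactPublicFields(dpp: InternalDpp): PublicDpp {
  return {
    productName: dpp.productName, gtin: dpp.gtin, upid: dpp.upid,
    manufacturer: { name: dpp.factory.name, country: dpp.factory.country },
    materials: [...dpp.materials], certifications: [...dpp.certifications],
    recyclability: dpp.recyclability, repairabilityScore: dpp.repairabilityScore,
    chemicalSummary: { declaredCount: dpp.chemicals.length,      // aggregate only
                       svhcPresent: dpp.chemicals.some((c) => c.svhc) },
    conformity: { ...dpp.conformity },
  };
}

// Pre-publish guard: true if any internal-only value survives serialisation.
function leaksInternalData(pub: PublicDpp, dpp: InternalDpp): boolean {
  const json = JSON.stringify(pub);
  const internalOnly = [dpp.factory.address, dpp.factory.contactEmail,
                        ...dpp.chemicals.map((c) => c.cas)];
  return internalOnly.some((v) => json.includes(v));
}
// Constructed sample record with fictional values.
const sampleDpp: InternalDpp = {
  productName: "Denim jacket", gtin: "00000000000000", upid: "UPID-EXAMPLE-1",
  factory: { name: "Example Apparel Ltd.", country: "BD",
             address: "1 Example Road, Dhaka", contactEmail: "a@example.test" },
  materials: ["cotton 98%", "elastane 2%"], certifications: ["GOTS"],
  recyclability: "mechanical", repairabilityScore: 7,
  chemicals: [{ cas: "7664-93-9", name: "sulfuric acid", svhc: false },
              { cas: "117-81-7", name: "DEHP", svhc: true }],
  conformity: { manufacturerName: "Example Apparel Ltd.", declaredDate: "2026-01-15" },
};
```

Running `leaksInternalData(redactPublicFields(sampleDpp), sampleDpp)` in a pre-publish test turns a future schema change that exposes a CAS list or address into a failing build rather than a public leak.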

## 14. Authorities and law enforcement

Under ESPR Art. 13 and 14, customs and market-surveillance authorities can request full DPP details (including chemical CAS lists) through the `GET /api/authority/dpp/:upid` endpoint, authenticated by a signed API key issued from the `authority_keys` table. Every authority access is recorded in our audit log with the authority's label, IP, and the resource accessed.

We may also disclose data to law enforcement when we receive a legally valid request from a competent authority in a jurisdiction where we operate.

## 15. Changes to this policy

We will post material changes to this page with an updated "Last updated" date and notify account-holders by email at least 30 days before they take effect.

## 16. Contact

- General privacy questions: privacy@{YOUR_DOMAIN}
- Security disclosures: security@{YOUR_DOMAIN}
- Legal correspondence: legal@{YOUR_DOMAIN}, attention {COMPANY_LEGAL_NAME}, {COMPANY_REGISTERED_ADDRESS_BANGLADESH}

EU representative for GDPR Art. 27 (where your processing requires one): {EU_REP_NAME_AND_ADDRESS_OR "not applicable — services are offered to EU buyers and recyclers only as data subjects of factories established in Bangladesh; representative will be appointed if the platform begins targeting EU residents directly"}.
