Privacy Policy
DPPify is committed to protecting the privacy of its users. This policy describes how we collect, use and protect your personal data, in accordance with the General Data Protection Regulation (GDPR — EU 2016/679).
1. Data Controller
- Identity: Information being updated
- Address: Information being updated
- DPO Email: contact@dppify.com
2. Data Collected
We collect the following data in connection with the use of the service:
2.1 Registration Data
- First and last name
- Professional email address
- Password (stored in hashed, non-reversible form)
- Organization name
2.2 Usage Data
- Digital product passports created (product data entered by the user)
- Imported files (CSV, product images)
- Audit logs (actions performed, timestamps, IP address)
2.3 Billing Data
- Lemon Squeezy customer identifier (our payment provider)
- Subscription plan and status
Note: We do not store any credit card data. Payments are processed entirely by Lemon Squeezy (Merchant of Record), which acts as data controller for payment data.
3. Purposes of Processing
| Purpose | Legal basis | Retention period |
|---|---|---|
| Provision of the service (DPP creation and management) | Performance of contract | Account duration + 1 year |
| Authentication and security management | Performance of contract | Session duration |
| Billing and subscription management | Performance of contract / Legal obligation | 10 years (accounting obligation) |
| Audit logs (change traceability) | Legitimate interest (security) | 3 years |
| Transactional emails (welcome, notifications) | Performance of contract | Account duration |
4. Subprocessors and Data Transfers
| Provider | Role | Location |
|---|---|---|
| Information being updated | Server and database hosting | European Union |
| Lemon Squeezy (Lemon Squeezy LLC) | Payment processing (Merchant of Record) | United States (Standard Contractual Clauses) |
| Resend | Transactional email delivery | United States (Standard Contractual Clauses) |
No product data (DPP content) is transferred outside the European Union. Only payment data and emails are processed by US-based providers, covered by Standard Contractual Clauses (SCC) in accordance with Article 46 of the GDPR.
5. Cookies
DPPify uses only strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication and user session management | Session duration (max 30 days) |
No advertising, analytics or third-party tracking cookies are used. Consent is not required for strictly necessary cookies (Article 82 of the French Data Protection Act).
6. Your Rights
In accordance with the GDPR, you have the following rights over your personal data:
- Right of access — obtain a copy of your data
- Right to rectification — correct inaccurate data
- Right to erasure — request the deletion of your data
- Right to data portability — receive your data in a structured format (JSON/CSV)
- Right to object — object to processing on legitimate grounds
- Right to restriction — restrict processing in certain cases
To exercise these rights, contact us at: contact@dppify.com. We will respond within 30 days.
If you believe your rights are not being respected, you may lodge a complaint with the CNIL: www.cnil.fr.
7. Security
We implement the following security measures:
- Encrypted communications (HTTPS/TLS)
- Passwords hashed with a non-reversible algorithm
- Organization-based access control with roles (owner / member)
- Timestamped audit logs for all data modifications
- HMAC verification of payment webhooks
- Protection against CSRF, XSS and SQL injection attacks
8. Changes
This policy may be updated to reflect changes in our practices or in regulations. In the event of a substantial change, users will be notified by email. The date of the last update is indicated below.
Last updated: March 2026