Privacy

Privacy Policy

Privacy Policy of Transpareo AG. How we process and protect personal data.

1. Controller

The controller for data processing within the meaning of the GDPR and the Swiss Data Protection Act (nDSG) is:

Transpareo AG
Tech Cluster Zug
6300 Zug
Switzerland

Company ID: CHE-220.381.580
Commercial register: CH-170.3.047.128-7 (Canton of Zug)
Represented by: Günter Reichelt, Chairman of the Board of Directors

Email:

2. Our Two Roles: Controller and Processor

When you use the platform, two kinds of data arise that we treat differently in law:

As a controller, we process the data that arises when you visit our website, register your account and are billed (Sections 3 to 8). For this data, we determine the purposes and means of processing ourselves.

As a processor, we process the product and passport data - and any personal data contained therein - that you as a customer enter, import or transmit via the interfaces into the platform (Section 5). Here you are the controller; we act exclusively on your instructions on the basis of a data processing agreement (DPA) under Section 14 of the Terms of Service.

3. What Data We Collect

As a controller, we collect personal data in the following situations:

Website use: When you visit our website, technical access data (IP address, browser type, timestamp) is logged. These server logs are deleted after 30 days. The geographic lookup of the IP address is performed via a local database on our own server; no data is transmitted to third parties in the process.

Registration & use of the platform: When you register, we collect your name, email, company name and country. Payment is handled by our payment service provider (Section 6); card details are entered directly with them and are not stored by us.

Contact form: For enquiries via the contact form, we process the contact details you provide in order to respond to your enquiry.

4. Purposes & Legal Bases

Insofar as we act as a controller, we process your data on the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR): providing the platform, managing your account and billing
  • Legitimate interests (Article 6(1)(f) GDPR): operating and securing the website, including the 30-day server logs to detect and prevent abuse
  • Legal obligations (Article 6(1)(c) GDPR): statutory retention obligations for invoicing and accounting data
  • Consent (Article 6(1)(a) GDPR): marketing communications, where you have agreed to them

As a Swiss company, Transpareo AG is also subject to the revised Swiss Data Protection Act (nDSG); its requirements are met in parallel with the GDPR.

5. Processing on Behalf of Our Customers

The product and passport data that our customers place in the platform is processed by us as a processor, exclusively on their instructions. Where this data contains personal data (for example the name of a responsible person), the respective customer is the controller for it. The basis is the data processing agreement under Section 14 of the Terms of Service.

We store, process, translate and sign this data technically and make published Digital Product Passports publicly accessible via their permanent URL. Published passports are therefore publicly and permanently retrievable; for a passport registered in the EU register, the published versions additionally remain in an immutable archive for ten years (see Section 10 of the Terms of Service).

Data subjects whose data is contained in a product passport should exercise their rights with the respective customer as the controller. On the customer’s instructions, we support them in handling such requests.

6. Recipients and Processors

We share personal data only where this is necessary to perform the contract or where you have consented. We use the following carefully selected processors, with each of whom a data processing agreement is in place:

  • Hetzner Online GmbH (Germany): hosting and object storage. All platform servers and stored data are located in Germany.
  • KeyCDN (proinity GmbH, Switzerland): delivery of the website and the public product passport pages via a content delivery network. In this context, visitors’ connection data (in particular the IP address) is processed at globally distributed edge servers.
  • Stripe (Stripe Payments Europe Ltd. / Stripe, Inc.): payment processing and invoicing. In this context, payment data is processed in the USA (see Section 7).
  • Kreativmedia (Switzerland): dispatch of system and notification emails via an SMTP relay.
  • DeepL SE (Germany): machine translation of content within the EU data zone.

7. International Data Transfers

Our entire hosting infrastructure and all data stored on it are located in Germany and thus within the EU/EEA data zone.

For delivery via the KeyCDN content delivery network (reachable at cdn.transpareo.com), visitors’ requests may be processed at edge servers outside the EU/EEA. Only publicly accessible content is delivered via the network; the master data stored in Germany is not affected by this. Any such transfers are safeguarded by Standard Contractual Clauses.

A transfer to the USA takes place exclusively in the context of payment processing via Stripe. This transfer is safeguarded by the European Commission’s Standard Contractual Clauses and by Stripe’s participation in the EU-U.S. Data Privacy Framework.

Transpareo AG is domiciled in Switzerland. For transfers from the EU to Switzerland, an adequacy decision of the European Commission is in place; the Swiss level of data protection is deemed equivalent.

8. Retention Period

We store personal data only for as long as is necessary for the respective purposes:

  • Server logs: 30 days
  • Account data: for the duration of the contractual relationship
  • Invoice data: 10 years (statutory retention obligation)
  • Support enquiries: 3 years after the enquiry is closed
  • Marketing consents: until withdrawn

Product and passport data that we process on behalf of our customers is stored according to their instructions; published and registered passport versions are subject to the ten-year archive period under Section 10 of the Terms of Service.

9. Cookies & Tracking

We use only technically necessary cookies to operate our website (e.g. login session). We do not use analytics or tracking cookies.

We deliberately avoid third-party tracking technologies (Google Analytics, Facebook Pixel, etc.). Our internal statistics are privacy-compliant and do not capture personal profiles.

10. Data Subject Rights

As a data subject, you have the following rights towards Transpareo:

  • Access (Article 15 GDPR): you can request information about the data stored about you at any time.
  • Rectification (Article 16 GDPR): you can request the correction of inaccurate data or the completion of incomplete data.
  • Erasure (Article 17 GDPR): you can request the erasure of your data, provided no statutory retention obligations prevent this.
  • Data portability (Article 20 GDPR): you can receive your data in a structured, commonly used format or have it transferred directly to another controller.
  • Objection (Article 21 GDPR): you can object to processing based on legitimate interests.
  • Withdrawal of consent (Article 7(3) GDPR): you can withdraw consent you have given at any time with effect for the future.

11. Data Security

We use technical and organisational measures to protect your data:

  • Encryption of all data in transit (TLS) and at rest (AES-256)
  • Isolated databases per customer, each encrypted with its own key
  • Hosting with an ISO 27001-certified provider in Germany
  • Continuous monitoring of our systems and regular security updates and hardening

12. Data Protection Officer and Representatives

We have appointed an external data protection officer:

DGD Deutsche Gesellschaft für Datenschutz
Prof. Dr. h.c. Heiko Jonny Maniero
Franz-Joseph-Str. 11
80801 Munich, Germany

Email:
Phone: +49 (0)800 6264376

Our representative in the EU (Article 27 GDPR), our representative in Switzerland (Article 14 nDSG) and the contact points for further jurisdictions are set out in our transparency document.

13. Contact

For questions about data protection and to exercise your rights, please contact:

Data protection contact at Transpareo AG
Email:

You also have the right to lodge a complaint with a data protection supervisory authority - in Switzerland with the Federal Data Protection and Information Commissioner (FDPIC), and in the EU with the supervisory authority of your member state.

Last updated: June 2026