StartDPP

Privacy Policy

Last updated: May 5, 2026

⚠️ Legal notice: This Privacy Policy is provided as a template for informational purposes. We strongly recommend having it reviewed by a qualified data protection professional, particularly given the intersection of Moroccan law, GDPR, and the EU Digital Product Passport regulation.

1. Who We Are

Data Controller: MAHI AHMED ECOMTECH, a sole proprietorship registered in Morocco (RC N°6312, IF N°25009853, ICE N°002031524000024), with registered address at N° 46 Lot Fatima Azzahraa, 2éme étage, Kasba Tadla, Maroc.
Contact: contact@startdpp.com | Phone: +212 663-745054
Website: startdpp.com

We have not appointed a formal Data Protection Officer (DPO) as we are a micro-enterprise. For all data protection inquiries, please contact us at contact@startdpp.com. We will respond within the statutory timeframes.

2. Scope & Applicable Law

This Privacy Policy applies to all personal data processed through the StartDPP website and service (collectively, the “Service”). We process personal data in accordance with:

  • Moroccan Law No. 09-08 on the Protection of Individuals with regard to the Processing of Personal Data;
  • EU General Data Protection Regulation (GDPR) 2016/679, where applicable to data subjects in the European Economic Area;
  • Regulation (EU) 2024/1781 (ESPR), as it relates to Digital Product Passport data.

3. What Personal Data We Collect

3.1 Data You Provide

Category | Data | Purpose
Account | Name, email, password (hashed) | Authentication, account management
Billing | Billing name, address, VAT number | Invoicing (processed by Paddle)
Company | Company name, brand name | Profile, DPP branding
Communication | Messages sent via contact form | Customer support
Product data | Product name, description, material composition, certifications, images, GTIN/EAN | DPP creation (this may include personal data if you upload it)

3.2 Data Collected Automatically

Data | Purpose | Legal basis
IP address | Security, fraud prevention | Legitimate interest (Art. 6.1.f GDPR)
Browser type & version | Service optimization | Legitimate interest
Pages visited & features used | Service improvement | Consent (when analytics cookies used)
Session cookies | Authentication, session management | Necessary for contract performance (Art. 6.1.b)

3.3 Payment Data

We do not store credit card numbers or any sensitive payment data. All payments are processed by Paddle.com Inc., our Merchant of Record. Paddle acts as an independent data controller for payment data. Please refer to Paddle's Privacy Policy for details on how they handle your payment information.

4. Lawful Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6.1.b): Account creation, service delivery, billing, and support.
  • Legitimate interest (Art. 6.1.f): Security monitoring, fraud prevention, service improvement, and analytics that do not require consent.
  • Consent (Art. 6.1.a): Optional analytics cookies, marketing communications, and any processing that requires opt-in consent. You may withdraw consent at any time.
  • Legal obligation (Art. 6.1.c): Compliance with tax, accounting, and regulatory record-keeping requirements.

5. How We Use Your Data

  • To provide, maintain, and improve the Service;
  • To process payments and manage subscriptions (via Paddle);
  • To communicate with you about your account, billing, and service updates;
  • To detect, prevent, and address technical issues, fraud, and abuse;
  • To comply with legal obligations (tax, accounting, regulatory);
  • With your consent, to send marketing communications about new features or offers.

6. Data Sharing & Third-Party Processors

We do not sell your personal data to third parties. We share data only with the following categories of recipients:

Processor | Purpose | Location | Safeguards
Supabase Inc. | Database hosting, authentication | USA (multi-region) | SCCs, SOC 2 certified
Paddle.com Inc. | Payment processing, invoicing, tax compliance | USA / Ireland | SCCs, independent controller (payment data)
Hetzner Online GmbH | Server hosting (application & database) | Germany | GDPR-compliant, DPA in place
IPFS / Arweave | Decentralized DPP archiving (Pro+ plans) | Global (distributed) | No personal data included (PII stripped before archiving)

An up-to-date list of sub-processors is available on request. We will notify you of any changes to our sub-processors.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside Morocco and the European Economic Area (EEA), including the United States. When such transfers occur, we ensure appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) adopted by the European Commission Decision 2021/914;
  • Data Processing Agreements (DPAs) with each sub-processor that include equivalent data protection obligations;
  • Where applicable, the UK International Data Transfer Agreement (IDTA) for UK data subjects.

8. Data Retention

Data category | Retention period
Account personal data | Duration of account + 30 days after deletion (grace period for export)
Billing records | 10 years (Moroccan tax/accounting legal requirement)
Product data | Duration of account + 30 days, unless archived on IPFS/Arweave
IPFS/Arweave archives | Permanent (immutable by design of the decentralized networks)
Analytics / logs | 12 months (aggregated/anonymized data retained indefinitely)

9. Your Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

Right | Description
Right of access (Art. 15) | Request a copy of the personal data we hold about you
Right to rectification (Art. 16) | Correct inaccurate or incomplete data
Right to erasure (Art. 17) | Request deletion of your data (“right to be forgotten”)
Right to restriction (Art. 18) | Restrict processing under certain conditions
Data portability (Art. 20) | Receive your data in a structured, machine-readable format
Right to object (Art. 21) | Object to processing based on legitimate interest or direct marketing
Right not to be subject to automated decision-making (Art. 22) | We do not use automated decision-making (including profiling) that produces legal effects on you
Right to withdraw consent | Where processing is based on consent, you may withdraw at any time
Right to lodge a complaint | With your local data protection supervisory authority

To exercise any of these rights, contact us at contact@startdpp.com. We will respond within 30 days, extendable to 60 days for complex requests. No fee is charged unless the request is manifestly unfounded or excessive.

If you are in Morocco, you also have rights under Law No. 09-08 and may lodge a complaint with the Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP).

10. Cookie Policy

We use only essential cookies necessary for the operation of the Service (session management, authentication). These cookies do not require consent under applicable law:

  • sb-*-auth-token — Supabase Auth session cookie (session)
  • __session — Framework session cookie (session)

We do not currently deploy analytics or advertising cookies that require consent. If we add such cookies in the future, we will implement a cookie consent mechanism that requires your explicit opt-in before any non-essential cookies are placed.

You can manage or disable cookies in your browser settings. However, disabling essential cookies may prevent the Service from functioning properly.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit: TLS 1.3 for all communications (HTTPS);
  • Encryption at rest: Database-level encryption for stored data;
  • Access controls: Row-Level Security (RLS) in Supabase, least-privilege access policies;
  • Authentication: Supabase Auth with industry-standard hashing and optional MFA;
  • Regular backups: Encrypted daily backups with 7-day retention;
  • Incident response: We have a documented security incident response procedure.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33-34.

12. Children's Data

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately so we can delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email (to the address associated with your account) and/or by a prominent notice on the Service at least 30 days before the changes take effect. We encourage you to review this policy periodically.

14. Contact & Supervisory Authority

Data Controller:
MAHI AHMED ECOMTECH
N° 46 Lot Fatima Azzahraa, 2éme étage, Kasba Tadla, Maroc
Phone: +212 663-745054
Email: contact@startdpp.com

EU Representative (for GDPR purposes):
We have not yet appointed an EU representative as required by GDPR Article 27. This is a gap we are actively working to address. In the interim, you may contact us directly at contact@startdpp.com.

Supervisory authorities:

  • Morocco: Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) — www.cndp.ma
  • EU/EEA: Your local data protection authority — List of EU DPAs