Privacy Policy
Last updated: 1 April 2026
1. Introduction & Data Controller
This Privacy Policy explains how [Company Name] (“EcoClaim”, “we”, “us”, or “our”), operating at ecoclaim.eu, collects, uses, shares, and protects your personal data when you use our platform and services.
EcoClaim is a Software-as-a-Service platform that scans e-commerce stores for compliance with EU greenwashing regulations, including the EU Green Claims Directive and the Unfair Commercial Practices Directive. Users submit URLs of web pages; our platform retrieves page content, captures screenshots, and generates compliance reports using AI analysis.
Data Controller:
[Company Name]
[Registered Address]
Data Protection Officer: [Data Protection Officer Email]
If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at the email address above.
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address (used as your login identifier)
- Full name (optional, for personalisation and invoicing)
- Authentication tokens managed by Supabase Auth (passwords are hashed and never stored in plain text)
2.2 Scan & Report Data
When you use our scanning service, we process:
- URLs you submit for scanning
- HTML content and text extracted from those pages via ScrapFly
- Screenshots of scanned pages, stored in Supabase Storage
- AI-generated analysis results and compliance reports produced by Anthropic Claude (text analysis) and Google Gemini (visual analysis)
- Metadata such as scan timestamps and scan status
2.3 Payment Data
We use Stripe to process all payments. We do not store credit card numbers, CVVs, or full card details on our servers. Stripe collects and processes:
- Payment method details (card number, expiry, CVC) — handled entirely by Stripe as an independent data controller
- Billing name, email, and address (shared with Stripe for invoicing and fraud prevention)
- Stripe Customer ID and Subscription ID (stored in our database to link your account to your subscription)
2.4 Usage & Analytics Data
We may collect usage data to understand how our platform is used and to improve the service:
- Pages visited, features used, and actions taken within the application
- Browser type, operating system, screen resolution, and language preference
- Referring website, session duration, and interaction patterns
- IP address (anonymised where analytics are used)
Analytics data via Google Analytics is only collected with your explicit consent through our cookie consent banner.
2.5 Server Logs
Our hosting infrastructure (Vercel) automatically collects server logs that include IP addresses, request paths, timestamps, HTTP status codes, and user-agent strings. These logs are used exclusively for security monitoring and debugging.
3. Legal Basis for Processing
Under Articles 6 and 7 of the GDPR, we process your personal data on the following legal bases:
3.1 Performance of a Contract (Art. 6(1)(b))
Processing your account data, scan data, and payment data is necessary to perform the contract between you and EcoClaim — i.e., to provide the scanning, analysis, and reporting services you have signed up for.
3.2 Legitimate Interest (Art. 6(1)(f))
We rely on legitimate interest for:
- Maintaining security of the platform, including fraud detection, abuse prevention, and infrastructure monitoring
- Improving and optimising our services based on aggregated, non-identifying usage patterns
- Communicating essential service updates (e.g., changes to terms, downtime notifications)
We have conducted a legitimate interest assessment for each of these processing activities and concluded that our interests do not override your fundamental rights and freedoms.
3.3 Consent (Art. 6(1)(a))
We rely on your explicit, freely-given consent for:
- Setting non-essential cookies (analytics and marketing), which you can manage at any time via our cookie consent banner
- Sending optional marketing communications, if you opt in
You have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.4 Legal Obligation (Art. 6(1)(c))
We retain certain financial records (invoices, transaction logs) as required by EU and national tax legislation.
4. How We Use Your Data
We use the data we collect to:
- Provide our services: create and manage your account, run compliance scans on URLs you submit, generate reports, and store results for your review
- Process payments: manage subscriptions, charge fees, issue invoices, and handle refunds through Stripe
- Improve the product: analyse aggregated usage data to identify bugs, improve AI accuracy, and enhance the user experience
- Ensure security: detect and prevent fraud, abuse, and unauthorised access; monitor infrastructure health
- Comply with legal obligations: maintain financial records as required by tax authorities and respond to lawful requests from regulators or courts
- Communicate with you: send transactional emails (scan completion, account alerts), service updates, and, where you have consented, marketing communications
5. Data Sharing & Sub-processors
We do not sell your personal data. We share data only with third-party sub-processors that are necessary to operate our service. Each sub-processor is bound by a Data Processing Agreement (DPA) that ensures GDPR-compliant handling of personal data.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (PostgreSQL, Auth, Storage) | Database hosting, user authentication, file storage (screenshots, reports) | Account credentials, scan results, page screenshots, generated reports | EU (Frankfurt, AWS eu-central-1) |
| Stripe | Payment processing, subscription management, invoicing | Name, email, billing address, payment method tokens (card numbers never touch our servers) | EU / US (Stripe acts as independent controller for payment data) |
| Vercel | Application hosting, edge network, serverless functions | IP addresses, request metadata, server-side logs | EU (Frankfurt edge, iad1 function region configurable) |
| ScrapFly | Web scraping API to retrieve target page HTML and render screenshots | Target URLs submitted by users, rendered page content and screenshots | EU (France) |
| Anthropic (Claude API) | AI-powered text analysis for greenwashing claim detection | Extracted text content from scanned pages (no personal data of end-users is sent) | US (data processed under DPA with SCCs) |
| Google (Gemini API) | AI-powered visual analysis of product imagery and labels | Screenshots and images from scanned pages (no personal data of end-users is sent) | EU / US (data processed under DPA with SCCs) |
| Google Analytics (optional) | Anonymous website usage analytics | Anonymised IP, page views, session duration, referral source (only with user consent) | EU (analytics data region setting enabled) |
We may also share personal data where required by law, regulation, legal process, or governmental request.
6. Data Retention Periods
We retain your data only for as long as necessary for the purposes set out in this policy:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account data | Until account deletion | Required to maintain your account and provide services |
| Scan data & reports | 12 months from creation | Enables users to review historical compliance results; automatically purged after 12 months |
| Screenshots & page content | 12 months from creation | Stored alongside scan reports as supporting evidence; deleted with scan data |
| Payment & billing records | 7 years | Required by EU and national tax and accounting legislation |
| Server & application logs | 90 days | Used for debugging, performance monitoring, and security incident investigation |
| Analytics data | 26 months | Google Analytics default retention; anonymised and aggregated |
When you delete your account, we remove your account data and associated scan data within 30 days. Payment records subject to legal retention requirements will be retained for the mandatory period and then securely deleted.
7. Your Rights Under the GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You can request a copy of the personal data we hold about you, along with information about how it is processed.
- Right to Rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17):You can request deletion of your personal data where there is no compelling reason for its continued processing (“right to be forgotten”).
- Right to Data Portability (Art. 20): You can request your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and have it transmitted to another controller.
- Right to Restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances, such as when you contest its accuracy.
- Right to Object (Art. 21): You can object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been infringed.
To exercise any of these rights, please contact our Data Protection Officer at [Data Protection Officer Email]. We will respond to your request within 30 days, as required by the GDPR. If the request is complex or we receive a large number of requests, we may extend this period by an additional 60 days, and we will notify you of any such extension.
8. Cookie Policy
8.1 Essential Cookies
We use strictly necessary cookies that are required for the platform to function. These include:
- Authentication cookies: Supabase session tokens that keep you logged in
- Cookie consent preference: Stores your cookie consent choice so we do not ask repeatedly
- Security cookies: CSRF protection and session integrity tokens
These cookies do not require consent under the ePrivacy Directive as they are strictly necessary for the service you have requested.
8.2 Analytics Cookies (Optional)
If you provide consent via our cookie consent banner, we set Google Analytics cookies to collect anonymised usage data. These cookies include:
- _ga— Distinguishes unique users (expires after 2 years)
- _ga_*— Maintains session state (expires after 2 years)
You can withdraw your consent at any time by adjusting your preferences in the cookie consent banner, accessible via the cookie icon in the bottom-left corner of any page. When you withdraw consent, analytics cookies are deleted and no further analytics data is collected.
8.3 No Marketing or Third-Party Tracking Cookies
EcoClaim does not use marketing cookies, retargeting pixels, or any third-party tracking technologies beyond the analytics described above.
9. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Database contents and stored files in Supabase are encrypted at rest using AES-256.
- Authentication security: Passwords are hashed using bcrypt. We support and encourage two-factor authentication (2FA).
- Access controls: Internal access to production data is restricted to authorised personnel on a need-to-know basis, protected by multi-factor authentication.
- Infrastructure security: Our hosting providers (Supabase and Vercel) maintain SOC 2 Type II compliance and undergo regular third-party security audits.
- Monitoring: We monitor our systems for security incidents and have incident response procedures in place.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay, in accordance with Article 34.
10. International Data Transfers
EcoClaim is designed with an EU-first approach. Our primary database, authentication system, and file storage are hosted in the EU (Frankfurt) via Supabase on AWS eu-central-1.
However, some of our sub-processors are based in, or may process data in, the United States:
- Anthropic (Claude API):Text content from scanned pages is sent to Anthropic’s US-based infrastructure for AI analysis. This data does not contain personal data of our users; it consists of publicly available web page content.
- Google (Gemini API):Screenshots from scanned pages may be processed via Google’s infrastructure. Google is covered by the EU-US Data Privacy Framework adequacy decision.
- Stripe: Payment data may be processed in the US. Stripe participates in the EU-US Data Privacy Framework and also relies on Standard Contractual Clauses (SCCs).
- Vercel: While we configure EU-based edge regions, some serverless function execution may occur outside the EU. Vercel relies on Standard Contractual Clauses (SCCs).
For all transfers to third countries that lack an EU adequacy decision, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Data Processing Agreements (DPAs) with each sub-processor
- Transfer Impact Assessments (TIAs) where required
- Supplementary measures such as encryption and pseudonymisation where applicable
You can request a copy of the relevant SCCs or DPAs by contacting our Data Protection Officer.
11. Children’s Privacy
EcoClaim is a business-to-business service designed for professionals managing e-commerce compliance. Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16.
If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as soon as possible. If you believe a child under 16 has provided us with personal data, please contact our Data Protection Officer immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Notify you via email or an in-app notification at least 14 days before significant changes take effect
- Where required by law, obtain your renewed consent before applying changes that materially affect how we process your personal data
We encourage you to review this page periodically. Your continued use of EcoClaim after the effective date of any changes constitutes acceptance of the updated policy, except where additional consent is required.
13. Contact & Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data, please contact us:
- Data Protection Officer: [Data Protection Officer Email]
- Company: [Company Name]
- Address: [Registered Address]
We aim to resolve all complaints internally. However, if you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU/EEA supervisory authorities is available on the European Data Protection Board website.