Privacy Policy

Last updated: March 2026  ·  Version 1.0

1. Data Controller

Grigolato.it
Gaffel 48, 1319 BV Almere, Netherlands
VAT NL005084668B28  ·  KvK 97060658
Email: privacy@grigolato.it

2. What Data We Collect and Why

We collect personal data only where there is a lawful basis to do so.

2.1 When you use the B2C Product Passport (consumer)

Viewing a product passport does not require creating an account. We do not set tracking cookies on B2C passport pages. Your browser may send your IP address to our hosting provider (Hetzner) as part of a standard HTTPS request — this is technically necessary and constitutes legitimate interest (Art. 6(1)(f) GDPR).

If you scan a QR code that includes a verification token, that token is used solely to confirm product authenticity and is not linked to your identity.

Google Maps is used to display the product's supply chain journey. This feature only loads after you accept cookies via the consent banner. If you decline, the journey timeline is shown as text without a map. Google's privacy policy applies to map data: policies.google.com/privacy.

2.2 When you register as a B2B customer (onboarding)

We collect: full name, business email, company name, industry, country, company size, website, job title, and phone number. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)) — specifically GDPR Art. 28 (DPA) and ESPR record-keeping requirements.

We also store: your IP address at time of agreement acceptance, the date and time of acceptance, and a cryptographic hash of the agreement document version you accepted. This is required for our legal compliance under Dutch commercial law and GDPR.

2.3 When you use the B2B platform

We process product data, blockchain wallet addresses, and usage logs on your behalf as a data processor (Art. 28 GDPR). See the Data Processing Agreement you accepted at registration for full details.

3. How Long We Keep Your Data

Data type	Retention
B2B account & product data	Duration of contract + 30 days export window, then deleted
Legal agreement records	7 years (Dutch commercial law requirement)
Server access logs	90 days
Blockchain records (DPP on Sui)	Permanent (immutable by design — see §6)

4. Who We Share Your Data With

We use the following sub-processors. All are bound by GDPR-compliant data processing agreements:

• Hetzner Online GmbH (Germany, EU) — Cloud hosting and infrastructure
• Mysten Labs Inc. (USA) — Sui blockchain network for DPP anchoring. Data transfers covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework (DPF).
• Resend Inc. (USA) — Transactional email delivery. Data transfers covered by SCCs and DPF.

We do not sell, rent, or share your personal data with any other third party for marketing purposes.

5. Your Rights (GDPR Art. 15–22)

As a data subject in the EU/EEA you have the right to:

• Access — request a copy of all personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data (subject to legal retention obligations)
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Restriction — request that we pause processing of your data
• Complaint — lodge a complaint with the Dutch DPA: autoriteitpersoonsgegevens.nl

To exercise any right, email privacy@grigolato.it. We will respond within 30 days.

6. Blockchain and the Right to Erasure

Digital Product Passport records anchored on the Sui blockchain are cryptographically immutable by design. Once a DPP is minted, it cannot be deleted from the blockchain. This is disclosed in the Service Agreement (§6.4) and constitutes a technical limitation to the right to erasure under Art. 17(3)(b) GDPR (processing necessary for compliance with a legal obligation).

DPP records on-chain do not contain personal data — they contain product metadata, custody events, and ESG metrics. Personal data (such as your account details) is stored off-chain and is deletable.

7. Cookies and Tracking

We do not use tracking or advertising cookies. We use:

• Strictly necessary — session cookies for authentication in B2B, 3PL, and ADM portals
• Functional (with consent) — Google Maps JavaScript API for the supply chain journey map on product passport pages
• Fonts — Google Fonts loaded from Google's servers (fonts.googleapis.com). This is a functional service that may transmit your IP address to Google as part of the HTTP request.

8. Contact

Data protection enquiries: privacy@grigolato.it
Legal enquiries: legal@grigolato.it