Data Controller & Contacts
The data controller is Kuzi Design Ltd (company registered in England & Wales).
- Email: app@xproduct.co.uk
- Phone: 07487 566557
- Address: Cradley Enterprise Centre, Maypole Fields, Halesowen, B63 2QB, UK
Scope
This policy applies to the website, the xProduct web application, and related services (e.g., customer support emails and subscription management). By using our services you acknowledge this policy in addition to our Terms & Conditions.
We follow the EU GDPR and UK GDPR (Data Protection Act 2018). Where laws differ, the stricter standard generally applies.
Data We Collect
Provided by you
- Name, email, password (hashed), organisation
- Billing details for subscriptions (via our payment processor)
- Product data you add to create Digital Product Passports
- Support requests and feedback
Collected automatically
- IP address, device/browser, approximate location
- Usage events (e.g., page views, feature clicks)
- QR code scan events for your DPP analytics (time, user agent, coarse location)
- Cookies (see Cookies & Analytics)
Purposes & Legal Bases (GDPR Art. 6)
| Purpose | Examples | Legal basis |
|---|---|---|
| Provide the service | Account management, DPP features, support | Performance of contract (Art. 6(1)(b)) |
| Payments & billing | Subscription charges, invoices, fraud checks | Performance of contract; legitimate interests; legal obligation |
| Analytics & product improvement | Feature usage, QR scan metrics | Legitimate interests (Art. 6(1)(f)) / consent where required |
| Comms & service messages | Transactional emails (password resets, notices) | Performance of contract; legitimate interests |
| Marketing (optional) | News, feature updates | Consent (Art. 6(1)(a)); you can withdraw at any time |
International Transfers
If data leaves the UK/EU, we rely on adequacy decisions or Standard Contractual Clauses and implement supplementary measures as needed.
Data Retention
We keep data only as long as necessary for the purposes above or to meet legal/financial obligations. Typical periods:
| Data | Retention |
|---|---|
| Account profile | For the life of the account and 30 days after deletion |
| DPP content you create | Until you delete it or the account is closed; QR codes become inactive after account deletion |
| Billing records | 6 years (UK tax compliance) |
| Server logs / security | Up to 12 months unless needed for an investigation |
Security
We use TLS encryption in transit, role-based access, hashed passwords, least-privilege principles and regular backups. No internet service can be 100% secure, but we take reasonable steps to protect your data.
Your Rights (GDPR/UK GDPR)
- Access, rectification, erasure
- Restriction and objection to processing
- Data portability
- Withdraw consent where processing is based on consent
- Lodge a complaint with a supervisory authority
To exercise your rights, email app@xproduct.co.uk. We’ll respond within one month.
Children
Our services are not directed to children under 16 and we do not knowingly process their data.
Automated Decision-Making
We do not make decisions that produce legal or similarly significant effects solely by automated means.
Changes to this Policy
We may update this policy to reflect changes in law or our services. We’ll post updates here and, where appropriate, notify you by email/in-app.
Complaints
If you have concerns, contact us first. You also have the right to complain to the UK Information Commissioner’s Office (ICO).
- ICO website: https://ico.org.uk
- ICO helpline: 0303 123 1113
