xProduct Privacy Policy

1. Introduction

We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use and protect personal data when you use our website and platform.

It applies to users in the United Kingdom and the European Economic Area (EEA), and is designed to comply with both the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR). Where laws differ, the stricter standard generally applies.

By using our services you acknowledge this policy in addition to our Terms & Conditions.

2. Who We Are

Kuzi Design Ltd operates the xProduct platform (registered in England & Wales). Depending on context, we act as:

Data Controller — for account, billing and website data
Data Processor — where we process data on behalf of our business customers (e.g. data submitted to Digital Product Passports or Public Pages)

Email: app@xproduct.co.uk
Phone: 07487 566557
Address: Cradley Enterprise Centre, Maypole Fields, Halesowen, B63 2QB, UK

3. Data We Collect

3.1 Account & Contact Data

Name, email address, company details
Login credentials (passwords stored hashed)
Support requests and feedback

3.2 Billing & Payment Data

Billing address and subscription details
Payment status
Payments processed by Stripe — we do not store full card details

3.3 Usage & Technical Data

IP address, browser type and device information
Log data (access times, actions within the platform)
QR code scan events for DPP analytics (time, UA, coarse geo)
Cookies (see section 5)

3.4 Customer Content (Processor Data)

Product data uploaded to create Digital Product Passports
Data submitted to Public Pages
We process this on behalf of Customers and do not control its content

4. How We Use Your Data & Legal Bases (GDPR Art. 6)

We use personal data to provide and operate the platform, manage accounts and subscriptions, process payments, maintain security, improve performance, and respond to support requests.

Purpose	Examples	Legal Basis
Provide the service	Account management, DPP features, support	Performance of contract (Art. 6(1)(b))
Payments & billing	Subscription charges, invoices, fraud checks	Contract; legitimate interests; legal obligation
Analytics & improvement	Feature usage, QR scan metrics	Legitimate interests (Art. 6(1)(f)) / consent where required
Transactional communications	Password resets, billing notices, confirmations	Contract; legitimate interests
Security & fraud prevention	Rate limiting, abuse detection, access logs	Legitimate interests; legal obligation
Legal compliance	Tax records, regulatory obligations	Legal obligation (Art. 6(1)(c))
Marketing	Product updates, newsletters (opt-in only)	Consent (Art. 6(1)(a))

5. Cookies & Analytics

We may use cookies and similar technologies to improve website functionality, analyse usage, and enhance user experience. Where required by law, we will obtain your consent before placing non-essential cookies.

Please refer to our Cookie Policy for full details.

6. Customer Data (Processor Role)

Where Customers upload data to the platform:

We act as a data processor; the Customer is the data controller
We process data only on the Customer's documented instructions
We do not verify the accuracy of Customer data
We do not control how Customers use personal data on their Public Pages

Customers are responsible for ensuring their use of the platform complies with applicable data protection laws.

7. Sharing & Processors

We never sell personal data. We share it with trusted processors only where necessary to operate the service:

Stripe — payment processing and invoicing
Hosting providers — infrastructure and storage
Email providers — transactional communications
Analytics providers — platform usage (where applicable)

We may also disclose information where required by law, to protect rights, or in connection with a business transfer.

8. International Transfers

Your data may be transferred outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses (SCCs)
Transfers to countries with adequacy decisions

9. Data Retention

We retain personal data only for as long as necessary to provide services, meet legal and regulatory requirements, and resolve disputes.

Data	Retention Period
Account profile	For the life of the account and 30 days after deletion
DPP content you create	Until you delete it or the account is closed; QR codes become inactive after account deletion
Billing records	6 years (UK tax compliance)
Server logs / security	Up to 12 months unless needed for an investigation

Customer Content may be deleted after account termination, subject to reasonable retention periods.

10. Security

We implement appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, role-based access controls, hashed passwords, least-privilege principles and regular backups. No internet service can be 100% secure, and we cannot guarantee absolute security.

11. Your Rights (UK & EU GDPR)

Under UK and EU data protection laws, you have the right to:

Access your personal data
Correct inaccurate data
Request deletion of your data
Restrict or object to processing
Request data portability
Withdraw consent (where applicable)
Lodge a complaint with your local data protection authority

To exercise your rights, email app@xproduct.co.uk. We'll respond within one month.

From your dashboard you can delete products, disable QR codes, or close your account. Closing your account permanently deletes associated data after 30 days.

12. Children

Our services are not directed to children under 16 and we do not knowingly collect or process their personal data.

13. Automated Decision-Making

We do not carry out decisions producing legal or similarly significant effects solely by automated means.

14. Third-Party Links

Our website or Public Pages may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policy of any site you visit.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in law or our services. We will notify users where appropriate via email or by posting a notice on the Site. Continued use of the platform indicates acceptance of any updates.

16. Contact Us

If you have any questions or wish to exercise your rights, please contact:

Company: Kuzi Design Ltd trading as xProduct
Address: Cradley Enterprise Centre, Maypole Fields, Halesowen, B63 2QB, United Kingdom
Email: app@xproduct.co.uk
Phone: 07487 566557

You can also contact us through the feedback form on our Site.

Complaints & ICO

If you have concerns, please contact us first and we will aim to resolve them promptly. You also have the right to complain to the UK Information Commissioner's Office (ICO):

ICO website: ico.org.uk
ICO helpline: 0303 123 1113