Privacy Policy
Last updated: February 2026
This Privacy Policy describes how METIS SAS ("we", "us", "our") collects, uses, and protects your personal information when you use DPP-Tool (the "Service"). Contact: [email protected].
1. Data Controller
METIS SAS, 120 Chemin de Ceinture, 13400 Aubagne, France. SIRET: 991 555 574 00011.
2. Data Collected
We collect the following personal data:
- Account data: email address, name, company name (optional)
- Product data: product information you enter to generate Digital Product Passports
- Usage data: pages visited, features used (with your consent via Google Analytics 4)
- Technical data: IP address, browser type, device type (for security and performance)
We do not collect payment card data. All payment processing is handled securely by Stripe.
3. Purpose of Data Processing
Your data is processed for the following purposes:
- Providing the DPP-Tool service and generating Digital Product Passports
- Managing your user account and subscription
- Sending transactional emails (account confirmation, subscription updates)
- Improving the Service through anonymous usage analytics (with consent)
- Ensuring the security and integrity of the platform
Legal basis: contract performance (Art. 6(1)(b) GDPR), legitimate interest (Art. 6(1)(f)), and consent for analytics (Art. 6(1)(a)).
4. Data Sharing
We do not sell your personal data. We share data only with:
- Stripe: payment processing (PCI DSS compliant)
- o2switch: hosting provider (data stored in France)
- Google Analytics 4: anonymous usage statistics (with your consent only)
5. Data Retention
- Active accounts: data is retained for the duration of your account
- Deleted accounts: personal data is erased within 30 days of the deletion request
- Public passports: may be retained longer for regulatory compliance purposes
- Server logs: automatically deleted after 12 months
6. Data Security
We implement appropriate technical and organizational measures:
- HTTPS/TLS encryption for all communications
- Bcrypt password hashing (cost factor 12)
- CSRF token protection on all forms
- SQL injection prevention via prepared statements
- Security headers (HSTS, CSP, X-Frame-Options, etc.)
- Data stored on EU-based servers (France)
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access: obtain a copy of your personal data
- Rectification: correct inaccurate data
- Erasure: request deletion of your data
- Restriction: limit processing of your data
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the French data protection authority (CNIL): www.cnil.fr.
8. Cookies
We use the following cookies:
- Essential cookies: session management (PHPSESSID) — required for the Service to function
- Analytics cookies: Google Analytics 4 — only activated with your explicit consent via our cookie banner
- Preference cookies: cookie consent choice (cookie_consent) — to remember your preferences
You can manage your cookie preferences at any time through the cookie banner at the bottom of the page.
9. International Transfers
Your data is primarily stored and processed in France (EU). When using Google Analytics 4 (with consent), some data may be processed in the US under EU-US Data Privacy Framework safeguards.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email.