
Privacy Policy

Last updated: 1 March 2025

This Privacy Policy explains how Deadlion Studio (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use MicroReport. We act as the data controller under the EU General Data Protection Regulation (GDPR).

1. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, password hash (bcrypt), registration date
  • Report data: company name, address, legal entity identifier (LEI), product descriptions, emission figures you enter into the wizard
  • Payment data: subscription tier, payment status. Full card details are handled by our payment processor and never stored by us.
  • Usage data: pages visited, features used, error logs (pseudonymised). We do not use third-party analytics trackers.
  • Audit log data: actions performed in your account (e.g. report created, dossier downloaded) for security and compliance purposes.

2. Legal Basis for Processing

We process your data under the following GDPR legal bases:

  • Contract (Art. 6(1)(b)): to provide the service you signed up for
  • Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, and service improvement
  • Legal obligation (Art. 6(1)(c)): where required by EU or member state law
  • Consent (Art. 6(1)(a)): for optional marketing emails (you may withdraw consent at any time)

3. How We Use Your Data

Your data is used to:

  • Provide and operate the MicroReport service
  • Generate IUCLID i6z dossier files on your request
  • Process payments and manage your subscription
  • Send transactional emails (account confirmation, password reset)
  • Detect and prevent fraud or abuse
  • Comply with legal and regulatory obligations

We do not sell your data to third parties. We do not use your report data for training AI models.

4. Data Sharing

We share personal data only with the following categories of third parties acting as data processors under binding agreements:

  • Cloud infrastructure: servers and databases hosted in the EU
  • Payment processors: to handle subscription billing
  • Email delivery service: to send transactional emails

All processors are bound by GDPR-compliant data processing agreements and are prohibited from using your data for their own purposes.

5. Data Retention

We retain your data as follows:

  • Account and report data: for as long as your account is active, plus 30 days after deletion to allow recovery
  • Billing records: 7 years to comply with EU accounting obligations
  • Audit logs: 2 years for security purposes
  • Backups: purged within 90 days of account deletion

6. Your Rights Under GDPR

As a data subject in the EU/EEA you have the following rights, which you can exercise via the Settings page or by emailing us:

  • Access (Art. 15): receive a copy of your personal data — use “Export My Data” in Settings
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): delete your account and all associated data — use “Delete Account” in Settings
  • Restriction (Art. 18): restrict processing in certain circumstances
  • Portability (Art. 20): receive your data in machine-readable format (JSON export available in Settings)
  • Objection (Art. 21): object to processing based on legitimate interest

We will respond to all requests within 30 days. You also have the right to lodge a complaint with your national data protection authority.

7. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for sensitive fields, bcrypt password hashing, and regular security reviews. Access to production data is restricted to authorised personnel only.

8. Cookies

We use a single session cookie required for authentication. We do not use tracking, advertising, or analytics cookies.

9. International Transfers

Your data is stored and processed within the EU. If a transfer outside the EU/EEA is ever required, we will ensure it is covered by an adequacy decision or Standard Contractual Clauses (SCCs).

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before material changes take effect.

11. Contact & Data Protection Officer

For privacy-related requests or questions, contact us at support@microplastics-report.com.

If you are not satisfied with our response, you have the right to complain to your local supervisory authority.
