DigiProdPass Limited
Privacy Notice

Document title: DigiProdPass Limited — Privacy Notice
Document reference: DPPL-PRIV-001
Version: 2
Issue date: September 2025
Last reviewed: May 2026
Next review date: May 2027
Document owner: Data Protection Officer, DigiProdPass Limited
Approver: Chief Operating Officer, DigiProdPass Limited
Classification: Public

1. Introduction

This Privacy Notice explains how DigiProdPass Limited ("DPPL", "we", "us" or "our") collects, uses and otherwise processes personal data when you visit digiprodpass.com (the "Website"), engage with us as a prospective or existing customer, or otherwise interact with our products and services.
DPPL is the controller of the personal data described in this Notice. We process personal data in accordance with the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018"), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). Where we process the personal data of individuals located in the European Economic Area, we also comply with Regulation (EU) 2016/679 ("EU GDPR").
This Notice should be read together with our Cookie Policy, which sets out in detail how we use cookies and similar technologies on the Website.

2. Who we are and how to contact us

2.1 Controller

The controller of your personal data is:
  • DigiProdPass Limited
  • Registered office: First Floor, Units 8 & 9, Rutherford House, Manchester Science Park, Pencroft Way, Manchester M15 6JJ, United Kingdom
  • Company contact email: contact@digiprodpass.com

2.2 Data Protection Officer

DPPL has formally appointed a Data Protection Officer in accordance with Article 37 UK GDPR. The DPO is the primary point of contact for any matter relating to the processing of your personal data, including the exercise of any of the rights set out in Section 9 of this Notice.

You can contact the DPO directly:
  • By email: dpo@digiprodpass.com
  • By post: Data Protection Officer, DigiProdPass Limited, First Floor, Units 8 & 9, Rutherford House, Manchester Science Park, Pencroft Way, Manchester M15 6JJ, United Kingdom
The contact details of our DPO have been notified to the Information Commissioner's Office in accordance with Article 37(7) UK GDPR.

3. The personal data we collect

Depending on how you interact with us, we may process the following categories of personal data:

3.1 Information you provide directly

When you complete a contact form, request a demonstration, download a resource, or subscribe to a mailing list, you may provide us with: your first and last name; business email address; company or organisation name; country; job title or profession; field of activity; telephone number; and any free-text message or description you submit.

3.2 Information collected automatically

When you visit the Website, the following may be collected automatically through cookies, similar technologies and server logs (subject to consent where required by PECR): IP address; device information (operating system, device type); browser information (type, version, language); referral URL; pages viewed; clicks; session duration and statistics; interaction events (mouse movements, scroll position, keypress events, touch events); and other usage data necessary for security, troubleshooting, and (where you have consented) analytics or behavioural targeting.

3.3 Information from third-party sources

We may receive limited contact details about you from publicly available business sources (for example, professional networking sites or company websites) where we contact you in a business-to-business capacity. Where we do, we will inform you of the source of the data on first contact, in accordance with Article 14 UK GDPR.

3.4 Special category data

DPPL does not knowingly collect, request or process special category personal data (Article 9 UK GDPR) or personal data relating to criminal convictions and offences (Article 10 UK GDPR). You are asked not to submit such data to us through the Website or any of our forms.

4. Purposes for which we process personal data and the lawful basis for each

In accordance with Article 13(1)(c)–(d) UK GDPR, the table below sets out, for each processing purpose, the categories of data we use, the lawful basis we rely on, and (where the basis is legitimate interests) the specific interest pursued.
  • Responding to enquiries via the contact form (via Mailchimp)
    Categories of data: Identification and contact details; message content; usage data.
  • Booking and conducting a product demonstration
    Categories of data: Identification and contact details; company information; demo-specific information.
  • Providing downloadable resources (eBooks, whitepapers, guides) requested by lead-form submission
    Categories of data: Identification and contact details; company information; topic of interest.
  • Sending marketing emails, newsletters and product updates (via Mailchimp)
    Categories of data: Email address; subscription preferences; engagement data (opens, clicks).
  • Website analytics and performance measurement (Google Analytics 4, Ahrefs)
    Categories of data: Online identifiers; usage data; session statistics.
  • Heat-mapping and session recording (Microsoft Clarity, Crazy Egg)
    Categories of data: Online identifiers; clicks; interaction events; session duration.
  • Conversion tracking and behavioural advertising (LinkedIn Insight Tag)
    Categories of data: Online identifiers; usage data; device information.
  • Tag management infrastructure (Google Tag Manager)
    Categories of data: Online identifiers; usage data.
  • Spam and abuse prevention on webforms (Google reCAPTCHA)
    Categories of data: Behavioural signals; online identifiers.
  • Hosting, operating and securing the Website (Webflow)
    Categories of data: Identifiers and usage data necessary for site operation.
  • Compliance with legal obligations (e.g. responding to lawful requests; record-keeping for tax, accounting, regulatory purposes)
    Categories of data: Any data necessary to comply with the obligation in question.
  • Establishing, exercising or defending legal claims
    Categories of data: Any relevant data.
  • Hosting of technical and organisational measures (TOMs) documentation on the Drata Trust Center for customer due diligence
    Categories of data: Limited identifiers of authorised viewers (e.g. business email addresses).
Where we rely on legitimate interests (Article 6(1)(f) UK GDPR), we have completed a Legitimate Interests Assessment (LIA) for the relevant activity. You may request a summary of the relevant LIA by contacting our DPO.

5. Cookies, similar technologies and consent

Cookies and similar technologies (collectively, "trackers") used on the Website are described in detail in our Cookie Policy. The Cookie Policy is the authoritative source for the categorisation, retention and provider of every tracker we use on the Website.

In summary:
  • Strictly necessary trackers (those required to deliver an information society service explicitly requested by you, within the meaning of Regulation 6(4) PECR) are loaded by default. These are limited to trackers required for the operation, security and accessibility of the Website.
  • All other trackers — including analytics, heat-mapping, session-recording, advertising and tag-management — are non-essential. They are blocked by default and only load after you have given affirmative consent through the cookie consent banner. The "Reject all" option is presented with the same prominence as "Accept all" on the first layer of the banner.
  • You can change your preferences at any time using the cookie preferences link in the Website footer. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

6. Recipients of your personal data

We share personal data only with the categories of recipient set out below. We do not sell personal data.

6.1 Categories of recipient

  • Authorised personnel of DPPL who require access to perform their role (sales, marketing, product, customer support, legal, IT).
  • Authorised personnel of Technovative Solutions Ltd (TVS), the sister company within the DPPL/TVS group, where they provide shared corporate operations, ISMS, IT security and infrastructure under a documented intercompany ISMS agreement.
  • Processors and sub-processors engaged by DPPL under written contracts compliant with Article 28 UK GDPR (see Section 6.2 below).
  • Professional advisers (legal, accounting, audit) where necessary and under duties of confidentiality.
  • Public authorities, regulators, courts and law-enforcement bodies where we are legally required to disclose personal data.

6.2 Specific recipients and sub-processors

The table below lists the principal recipients and sub-processors that may receive personal data in connection with the operation of the Website and our services. The country of processing and the transfer mechanism (where applicable) is also shown.
  • Recipient: Technovative Solutions Ltd (TVS)
    Purpose: Group-shared corporate operations, ISMS, IT security and infrastructure under an intercompany ISMS agreement.
    Country of processing: United Kingdom
    Transfer mechanism: Intra-UK transfer.
  • Recipient: Webflow, Inc.
    Purpose: Website hosting and content management.
    Country of processing: United States
    Transfer mechanism: UK IDTA / EU SCCs as applicable.
  • Recipient: Google LLC (Google Analytics 4, Google Tag Manager, reCAPTCHA)
    Purpose: Analytics, tag management, anti-bot protection. Non-essential trackers fire only after user consent.
    Country of processing: United States
    Transfer mechanism: UK IDTA / EU SCCs as applicable.
  • Recipient: Microsoft Corporation (Clarity)
    Purpose: Heat-mapping and session-recording (loaded only after user consent).
    Country of processing: United States
    Transfer mechanism: UK IDTA / EU SCCs as applicable.
  • Recipient: Crazy Egg, Inc.
    Purpose: Heat-mapping (loaded only after user consent).
    Country of processing: United States
    Transfer mechanism: UK IDTA / EU SCCs as applicable.
  • Recipient: Ahrefs Pte. Ltd.
    Purpose: Web analytics (loaded only after user consent).
    Country of processing: Singapore
    Transfer mechanism: UK IDTA / EU SCCs as applicable.
  • Recipient: LinkedIn Corporation (Insight Tag)
    Purpose: Conversion tracking and behavioural targeting (loaded only after user consent).
    Country of processing: United States / Ireland
    Transfer mechanism: UK IDTA / EU SCCs as applicable.
  • Recipient: Drata Inc. (Drata Trust Center)
    Purpose: Hosting of DPPL's technical and organisational measures (TOMs) documentation for due-diligence purposes.
    Country of processing: United States
    Transfer mechanism: UK IDTA / EU SCCs as applicable.
  • Recipient: Mailchimp (Intuit Inc.)
    Purpose: Mailing list and newsletter delivery.
    Country of processing: EEA / UK / United States
    Transfer mechanism: Adequacy / UK IDTA / EU SCCs as applicable.
This list is reviewed regularly. The current list of sub-processors is available on request from the DPO.

7. How long we keep your personal data

We retain personal data for no longer than is necessary for the purposes for which it was collected, in accordance with Article 5(1)(e) UK GDPR. The principal retention periods are:
  • Contact form enquiries: Up to 60 months from the last meaningful interaction, unless a longer period is required by law or the enquiry develops into a contractual relationship (in which case the contractual retention period applies).
  • Demo requests: Up to 24 months from the last meaningful interaction, unless the request develops into an active commercial opportunity.
  • Lead magnet / downloadable resource forms: Up to 36 months from the last meaningful interaction, unless a longer period is required by law or the lead becomes an active commercial opportunity.
  • Newsletter subscriber data: Until you unsubscribe or withdraw consent. Suppression records (i.e. the fact that you have unsubscribed) are retained indefinitely so that we can honour your opt-out.
  • Email engagement data (opens, clicks): Aggregated and anonymised at 24 months.
  • Website server logs and security logs: Up to 12 months, except where necessary for ongoing investigation of a security incident.
  • Cookie consent records: 24 months from the date of consent or last interaction with the consent banner, whichever is later.
  • Records required for accounting, tax or regulatory compliance: As required by the applicable law (typically 6 years for accounting and tax records under UK law).
  • Records relating to legal claims: Until the limitation period for the relevant claim has expired.
Where the periods above use the phrase "last meaningful interaction", this means the most recent substantive contact between you and DPPL — for example, replying to an email, opening a marketing message, downloading a resource, or attending a meeting. Inactivity beyond the relevant period will trigger review and, where appropriate, deletion or anonymisation of the data.

8. Your data protection rights

Under the UK GDPR you have the following rights in relation to your personal data. The exercise of these rights is free of charge in most cases and we will respond to a valid request within one month, in accordance with Article 12(3) UK GDPR. The period may be extended by up to two further months where necessary, taking into account the complexity and number of requests.
  • Right: Right of access (Art. 15)
    What it means: To confirm whether DPPL processes your personal data and obtain a copy of it together with the supplementary information required by Article 15.
  • Right: Right to rectification (Art. 16)
    What it means: To have inaccurate personal data corrected and incomplete data completed.
  • Right: Right to erasure (Art. 17)
    What it means: To have your personal data deleted where one of the grounds in Article 17 applies (commonly: data no longer necessary, consent withdrawn, or unlawful processing).
  • Right: Right to restriction (Art. 18)
    What it means: To require DPPL to restrict (suspend) processing in defined circumstances, for example while accuracy is being verified.
  • Right: Right to data portability (Art. 20)
    What it means: To receive personal data you have provided to us, in a structured, commonly used, machine-readable format, where processing is based on consent or contract and is carried out by automated means.
  • Right: Right to object (Art. 21)
    What it means: To object to processing based on legitimate interests (Article 6(1)(f)) or to direct marketing. Objection to direct marketing is absolute and DPPL will stop the processing.
  • Right: Rights related to automated decision-making (Art. 22)
    What it means: To not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. DPPL does not currently carry out such automated decision-making.
  • Right: Right to withdraw consent (Art. 7(3))
    What it means: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right: Right to lodge a complaint (Art. 77)
    What it means: To lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority. Contact details below.

8.1 How to exercise your rights

You may exercise any of the rights above by contacting our DPO at dpo@digiprodpass.com or by post (Section 2.2). To help us deal with your request efficiently, please:
  • Tell us which right you wish to exercise.
  • Provide enough information for us to identify you and the data your request relates to.
  • Where you are acting on behalf of someone else, provide written authority from that person.
We may ask you for additional information to verify your identity, in accordance with Article 12(6) UK GDPR. We will not refuse to act on your request without good cause.

8.2 Right to lodge a complaint with the ICO

If you are concerned about how DPPL has processed your personal data, we encourage you to contact our DPO in the first instance so that we can address the issue. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority:
  • Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
  • Helpline: 0303 123 1113
  • Website: ico.org.uk

9. Automated decision-making and profiling

DPPL does not make decisions that produce legal effects concerning you, or similarly significantly affect you, based solely on automated processing within the meaning of Article 22 UK GDPR. Where this position changes, this Notice will be updated and (where required) your prior consent will be obtained.
Some of our marketing tools (for example, behavioural advertising trackers) involve a limited form of profiling based on online behaviour. These trackers operate only after you have given consent through the cookie consent banner, and you can withdraw your consent at any time.

10. Children

DPPL provides business-to-business services. The Website and our products are not directed at children. We do not knowingly collect personal data from children under the age of 18. If you believe that a child has provided personal data to us, please contact our DPO so that we can investigate and, where appropriate, delete the data.

11. Security of your personal data

DPPL has implemented appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, in accordance with Article 32 UK GDPR. These measures include access controls, encryption in transit and at rest where appropriate, secure hosting, vulnerability and patch management, logging and monitoring, secure software development practices, vendor due-diligence and personnel training.
DPPL operates an Information Security Management System aligned with ISO/IEC 27001. Our technical and organisational measures (TOMs) are summarised on the Drata Trust Center and are available on request to customers and prospective customers under appropriate confidentiality terms.

12. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. The version number, issue date and "Last reviewed" date in the document control box at the top of this Notice (and in the footer) will always show the current version. Where the changes affect processing carried out on the basis of your consent, we will obtain fresh consent from you where required.
We recommend that you review this Notice periodically. Material changes will, where reasonably practicable, be brought to your attention by email or by a notice on the Website.

13. Definitions and legal references

In this Notice:
  • "Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR.
  • "Processing" has the meaning given in Article 4(2) UK GDPR.
  • "Controller" and "Processor" have the meanings given in Article 4(7) and 4(8) UK GDPR respectively.
  • "Special category data" means personal data within Article 9(1) UK GDPR.
  • "Tracker" means any technology — including cookies, unique identifiers, web beacons, pixels, embedded scripts, e-tags and fingerprinting — that enables the tracking of users by accessing or storing information on the user's device.
  • "UK GDPR" means the UK General Data Protection Regulation as defined in section 3(10) DPA 2018.
  • "PECR" means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), as amended.
  • "ICO" means the Information Commissioner's Office, the UK supervisory authority for data protection.