Privacy Policy
Last updated: July 2, 2026
1. Introduction
DutyScope (“we”, “our”, “the Service”) is operated by Vanguard 360 Solutions SRL, a company registered in Romania. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Extended Producer Responsibility (EPR) compliance platform. We comply with the EU General Data Protection Regulation (GDPR) 2016/679 and Romania’s Law No. 190/2018 on the protection of natural persons with regard to the processing of personal data.
2. Data Controller
The data controller for personal data processed through DutyScope is:
3. Information We Collect
3.1 Account Information
When you create an account, we collect your name, email address, and authentication credentials. If you sign in via Google OAuth, we receive your name, email address, and profile picture from Google.
3.2 Organisation Data
We collect the information you enter about your organisation, including company name, EU/non-EU status, home country, and team member details.
3.3 Product Data
We store product details you enter, including material compositions, weights, sales countries, SKUs, and GTINs.
3.4 Compliance Data
We store registration numbers, PRO memberships, reporting declarations, and uploaded compliance documents.
3.5 Payment Information
Subscription payments are processed by Stripe. We do not store your full credit card number, CVC, or other sensitive payment credentials on our servers. Stripe processes your payment information under its own privacy policy and PCI DSS certification.
3.6 Usage Data
When PostHog analytics is enabled, we collect anonymous usage patterns (pages visited, features used, interaction flows) to help us improve the Service. No compliance data, document content, or personally identifiable compliance information is shared with analytics providers. PostHog data is hosted within the EU (eu.posthog.com).
4. Legal Basis for Processing (GDPR Art. 6)
Contractual necessity (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including account management, compliance tools, and subscription handling.
Legitimate interests (Art. 6(1)(f)): Product analytics for service improvement, security monitoring, fraud prevention, and infrastructure optimisation.
Consent (Art. 6(1)(a)): Marketing communications (with opt-out available at any time), and non-essential cookies where consent is required.
Legal obligation (Art. 6(1)(c)): Retention of billing and accounting records as required by Romanian and EU tax law.
5. Data Storage and Security
All user data is stored in Supabase, hosted within the European Economic Area (EEA) on the eu-central-1 (Frankfurt) region. We use industry-standard encryption for data at rest (AES-256) and in transit (TLS 1.3). Database backups are encrypted and stored within the EEA. Our application is hosted on Vercel with edge functions deployed in the EEA.
6. Sub-Processors
We rely on the following sub-processors to deliver the Service. All sub-processors are subject to data processing agreements incorporating Standard Contractual Clauses (SCCs) where applicable.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | EEA (eu-central-1) |
| Vercel | Application hosting & edge functions | EEA (US with SCCs for certain operations) |
| Stripe | Payment processing | US (SCCs, PCI DSS certified) |
| Resend | Transactional email delivery | EEA |
| Google | OAuth authentication (sign-in) | EEA (US with SCCs) |
| PostHog | Product analytics (when enabled) | EU (eu.posthog.com) |
We will notify you of any addition or change to our sub-processors at least 14 days in advance. If you object to a new sub-processor, you may terminate your account.
7. Data Retention
We retain your account data for the duration of your account plus 30 days after deletion, after which it is permanently erased from our production systems and backups. Billing records and invoices are retained for 10 years as required by Romanian accounting and tax legislation (Law No. 82/1991). You may request immediate deletion of non-billing data at any time by contacting us.
8. International Data Transfers
Where we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V. These include:
- Standard Contractual Clauses (SCCs) issued by the European Commission (2021/914/EU) for transfers to the United States (Stripe, Google, select Vercel operations).
- Adequacy decisions where applicable (current EU-US Data Privacy Framework participants).
- Technical measures including end-to-end encryption and pseudonymisation.
You may request a copy of the relevant safeguards by contacting privacy@dutyscope.com.
9. Your GDPR Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Obtain confirmation of whether we process your data and a copy of that data.
- Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
- Right to restriction (Art. 18): Restrict processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact privacy@dutyscope.com. We will respond within 30 calendar days. We may ask you to verify your identity before processing your request.
10. Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority. Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
Bulevardul G-ral. Gheorghe Magheru 28-30
Sector 1, București, Romania
www.dataprotection.ro
11. Children’s Privacy
DutyScope is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We will notify you of material changes via email and in-app notification at least 14 days before they take effect. For non-material changes, we will update the “Last updated” date on this page. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or wish to exercise your data protection rights, please contact us:
Data Protection Officer: dpo@dutyscope.com