Privacy Policy

DPP Hero – Battery Passport Software based on DIN SPEC 99100

As of: March 2026 · Version 1.1

Note: This English translation is provided for convenience only and is non-binding. In case of any discrepancy between the German version and this translation, the German version shall prevail.

§ 1 – Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR; German: DSGVO) is:

DPP Hero

Niels van Veen

Hoher Holzweg 17

30966 Hemmingen, Deutschland

Email: privacy@dpphero.com

Web: https://dpphero.com

VAT ID: DE309665873

A Data Protection Officer is currently not appointed pursuant to Art. 37 GDPR in conjunction with § 38 BDSG (German Federal Data Protection Act), as the statutory requirements are not met. For all data protection inquiries, the controller is available at the email address stated above.

§ 2 – Scope

2.1. This privacy policy informs about the nature, scope, and purpose of the processing of personal data in connection with the use of the website dpphero.com (hereinafter "Website") and the SaaS platform DPP Hero provided through it (hereinafter "Platform").

2.2. Personal data within the meaning of this privacy policy means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). This includes in particular names, email addresses, postal addresses, IP addresses, and usage data.

2.3. The contractual language is German. Translations of this privacy policy are additionally available in other languages. All translations are non-binding courtesy services. In case of discrepancies between the German version and a foreign-language version, the German version shall prevail exclusively.

§ 3 – Legal bases for data processing

The processing of personal data always takes place in accordance with the GDPR. Insofar as this privacy policy refers to legal bases, the following apply:

(a) Art. 6(1)(a) GDPR (Consent): The data subject has given consent to the processing of their personal data for one or more specific purposes.

(b) Art. 6(1)(b) GDPR (Performance of a contract): Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

(c) Art. 6(1)(c) GDPR (Legal obligation): Processing is necessary for compliance with a legal obligation to which the controller is subject.

(d) Art. 6(1)(f) GDPR (Legitimate interest): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights of the data subject.

§ 4 – Provision of the website and server log files

4.1. Each time the website is accessed, the hosting provider automatically collects information transmitted by the user's browser (so-called server log files). These include:

(a) IP address of the accessing device;

(b) Date and time of access;

(c) Name and URL of the retrieved page;

(d) Volume of data transferred;

(e) Notification of whether the retrieval was successful (HTTP status code);

(f) Browser type and version;

(g) Operating system of the device;

(h) Referrer URL (previously visited page);

(i) The requesting provider.

4.2. This data is processed for the purpose of providing the website, ensuring system security and stability, technical error analysis, and detecting and preventing misuse.

4.3. The legal basis is Art. 6(1)(f) GDPR. The legitimate interest lies in the technically flawless provision and security of the website.

4.4. The server log files are collected by the hosting provider Vercel, Inc. (San Francisco, USA) and stored in accordance with their retention policies (typically a maximum of 72 hours). Serverless Functions are executed in the EU region Frankfurt (fra1). This data is not merged with other data sources.

§ 5 – Bot protection (Cloudflare Turnstile)

5.1. The website uses the Cloudflare Turnstile service provided by Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Cloudflare Turnstile serves to protect against automated access (bots) and misuse, particularly during registration and login forms.

5.2. When using Cloudflare Turnstile, technical data (including IP address, browser information, interaction patterns) is transmitted to Cloudflare and processed there to distinguish human users from automated access. Cloudflare does not use cookies that require consent for this purpose.

5.3. The legal basis is Art. 6(1)(f) GDPR. The legitimate interest lies in protecting the platform from automated attacks and misuse.

5.4. Cloudflare, Inc. is certified under the EU-US Data Privacy Framework. Further information: https://www.cloudflare.com/privacypolicy/

§ 6 – Registration and user account

6.1. The use of the platform requires the creation of a user account. The following personal data is collected during registration:

(a) Email address;

(b) Password (stored exclusively as a cryptographic hash; DPP Hero has no access to the plaintext password).

6.2. After registration, additional organisational data is collected during the onboarding process (see § 8).

6.3. The processing of this data is necessary for the performance of the contract (provision of the user account and platform features). The legal basis is Art. 6(1)(b) GDPR.

6.4. Account data is stored for the duration of the contractual relationship. After termination and expiry of any statutory retention periods, the data will be deleted (see § 21).

§ 7 – Authentication and account security

7.1. DPP Hero uses the Supabase Auth service (Supabase, Inc., San Francisco, USA) for authentication. The Supabase project of DPP Hero is operated in the EU region eu-central-1 (Frankfurt, Germany) on servers of Amazon Web Services (AWS). All database, authentication, and file storage data is stored and processed on servers within the European Union. The following data is processed during login:

(a) Email address and password hash;

(b) Session token (JWT access token and refresh token);

(c) Authenticator Assurance Level (AAL) to distinguish between single-factor authentication and multi-factor authentication;

(d) Language preference (the language selected by the user).

7.2. Two-factor authentication (2FA). DPP Hero optionally offers two-factor authentication using time-based one-time passwords (TOTP). When 2FA is activated, encrypted TOTP secrets are stored server-side at Supabase. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) in conjunction with Art. 6(1)(f) GDPR (security of the user account).

7.3. Password reset. When using the password reset function, a one-time, time-limited reset link is sent to the registered email address. The legal basis is Art. 6(1)(b) GDPR.

7.4. Email confirmation. After registration, a confirmation email is sent to the provided email address. Confirmation is required to verify the email address. The legal basis is Art. 6(1)(b) GDPR.

§ 8 – Organisation data

8.1. As part of the platform usage, the user enters master data of their organisation. This includes:

(a) Company name;

(b) Business address (street, postal code, city, country);

(c) Name of the contact person;

(d) Billing email address;

(e) VAT identification number;

(f) Global Location Number (GLN, optional);

(g) EORI number (optional).

8.2. This data is processed for the performance of the contract (subscription management, invoicing, identification). The legal basis is Art. 6(1)(b) GDPR. Where tax and commercial law retention obligations exist, the additional legal basis is Art. 6(1)(c) GDPR.

8.3. The contact person's name constitutes personal data within the meaning of Art. 4(1) GDPR. The user ensures that the person concerned is informed about the data processing.

§ 9 – Public company profile

9.1. In addition to internal organisation data, the user may create a public company profile. This includes:

(a) Public company name;

(b) Business address;

(c) Website;

(d) Support email address;

(e) Contact person;

(f) Spare parts email and website.

9.2. The data from the public profile is displayed in published product passports and is therefore accessible to anyone via the internet. The user acknowledges that the data stored in the public profile becomes publicly accessible upon publication of a product passport.

9.3. The legal basis is Art. 6(1)(b) GDPR, as the provision of the public profile is a direct component of the contractually agreed platform functionality. Publication is carried out exclusively at the express initiative of the user.

9.4. The user may modify or remove the public profile data at any time via the dashboard.

§ 10 – Product data and digital product passports

10.1. The platform enables the collection, management, and publication of product data in a multi-step process (identification, materials, carbon footprint, due diligence, circularity, performance, labeling).

10.2. Product data may contain personal data, in particular:

(a) Name and address of the manufacturing facility;

(b) Information about contact persons;

(c) Contact person for spare parts.

10.3. DPP Hero processes the product data exclusively for the provision of the contractually agreed platform functions (input, storage, preview, publication, export). The legal basis is Art. 6(1)(b) GDPR.

10.4. Published product passports. Upon publication of a product passport, the product data designated as "public" is made available via a publicly accessible URL and can be accessed without authentication. Publication is carried out exclusively at the express initiative of the user.

10.5. Product images and documents. Uploaded images and documents (PDF, JPEG, PNG, WebP) are stored in publicly accessible storage areas (see § 16). The user ensures that uploaded documents do not contain personal data of third parties for which no appropriate legal basis for processing exists.

10.6. Insofar as the user enters personal data of third parties as part of the product data (e.g., contact persons, employees at manufacturing facilities), the user is the controller responsible under data protection law within the meaning of Art. 4(7) GDPR and ensures that an appropriate legal basis exists and that the data subjects have been informed in accordance with Art. 13/14 GDPR.

§ 11 – Digital signing and audit trail

11.1. The platform offers HMAC-SHA256-based integrity verification for product data. During the signing process, the following data is processed and stored:

(a) Cryptographic hash value (SHA-256) of the product data;

(b) HMAC-SHA256 signature;

(c) Timestamp of the signing;

(d) User ID of the signing user;

(e) Signing reason (e.g., initial publication, re-signing).

11.2. This data is logged in an audit trail (signature history) and stored for the duration of the contractual relationship. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) in conjunction with Art. 6(1)(f) GDPR (traceability and integrity assurance).

11.3. The digital signing does not constitute a qualified electronic signature within the meaning of the eIDAS Regulation (EU) No 910/2014.

§ 12 – Share links (supplier data collection)

12.1. Creators of share links (users of the platform). The user may create token-based share links to enable third parties (e.g., suppliers) to contribute product data. When creating a share link, the following data is processed:

(a) User ID of the creator;

(b) Organisation ID;

(c) Product ID and section key;

(d) Optional label for the share link;

(e) Expiration date;

(f) Creation timestamp.

The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

12.2. Recipients of share links (external third parties without a user account). Recipients of share links can access the provided URL and submit data without holding a user account with DPP Hero. When using a share link, the following data is processed:

(a) The product data entered by the recipient;

(b) Timestamp of the submission;

(c) A full archive of the submitted data in the share token table.

When using a share link, no IP addresses, browser fingerprints, or other technical identifiers of the recipient are stored (without prejudice to the server log files pursuant to § 4).

12.3. The legal basis for processing data submitted by recipients is Art. 6(1)(f) GDPR. The legitimate interest lies in enabling supplier data collection within the scope of the contractually agreed platform functions. The data collection is initiated by the user (creator), not by DPP Hero.

12.4. Upon submission of data via a share link, the creator of the link is notified by email about the data receipt. This email contains the product name, the relevant section, and an optional comment from the submitter.

12.5. The user is responsible under data protection law for informing the recipients of share links about the data processing (Art. 13/14 GDPR). DPP Hero provides recipients with basic data protection information on the share link page.

§ 13 – Payment processing (Stripe)

13.1. Payment processing for paid subscriptions is carried out by the payment service provider Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) or, for European customers, by Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). For customers based in the European Union, payment data is processed by Stripe Payments Europe, Limited in Ireland.

13.2. In the context of payment processing, the following data is transmitted to Stripe:

(a) Email address of the user;

(b) Organisation ID and user ID (as metadata);

(c) Selected subscription plan;

(d) Payment information (credit card data, IBAN, etc.) – these are exclusively processed and stored by Stripe; DPP Hero has no access to complete payment data.

13.3. Stripe processes the payment data as an independent data controller. Insofar as Stripe acts as a data processor in the context of technical processing, this is done on the basis of a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.

13.4. Stripe, Inc. is certified under the EU-US Data Privacy Framework. Further information: https://stripe.com/de/privacy

13.5. The legal basis for the transmission to Stripe is Art. 6(1)(b) GDPR (performance of a contract). Insofar as the storage of billing data is required under tax and commercial law, the additional legal basis is Art. 6(1)(c) GDPR.

13.6. Stripe webhooks. DPP Hero receives automated notifications (webhooks) from Stripe regarding payment events (e.g., successful payments, subscription changes, cancellations). These webhooks contain the Stripe customer ID, subscription ID, and event type. The webhook data is used to update the subscription status and to trigger notification emails.

§ 14 – Invoicing (sevDesk)

14.1. For the creation and management of invoices, DPP Hero uses the service sevDesk GmbH (Hauptstraße 115, 77652 Offenburg, Germany).

14.2. In the context of invoicing, the following data is transmitted to sevDesk:

(a) Company name and billing address of the user (street, postal code, city, country);

(b) Billing email address;

(c) VAT identification number (if provided);

(d) Invoice amount and currency;

(e) Subscription plan and invoice description;

(f) Stripe invoice ID as reference.

14.3. sevDesk processes the data as a data processor within the meaning of Art. 28 GDPR. A data processing agreement has been concluded.

14.4. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) in conjunction with Art. 6(1)(c) GDPR (tax and commercial law retention obligations pursuant to §§ 147 AO (German Fiscal Code), 257 HGB (German Commercial Code)).

§ 15 – Email communication (Resend)

15.1. System and transactional emails are sent via the service Resend, Inc. (44 Tehama St, San Francisco, CA 94105, USA). Email delivery is processed through Resend's EU infrastructure (Ireland).

15.2. DPP Hero sends the following categories of emails:

(a) Authentication emails (via Supabase): Registration confirmation, password reset, email change confirmation;

(b) Subscription emails (via Resend): Subscription activation, plan upgrades, plan downgrades, subscription renewal, cancellation;

(c) Share link notifications (via Resend): Notification about submitted supplier data;

(d) Deletion request emails (via Resend): Internal notification about received account deletion requests.

15.3. Each email contains only the data necessary for its purpose:

(a) Subscription emails: recipient's email address, plan name, price, billing date;

(b) Share link notifications: email address of the token creator, product name, section name, optional comment;

(c) Deletion request emails: email address and user ID of the requester.

15.4. Resend processes the email data as a data processor. Resend, Inc. is certified under the EU-US Data Privacy Framework. A Data Processing Agreement has been concluded.

15.5. The legal basis is Art. 6(1)(b) GDPR (emails necessary for the performance of the contract).

15.6. DPP Hero does not send marketing or newsletter emails. All emails are transactional or system-related in nature and cannot be unsubscribed from, as they are necessary for the operation of the platform.

§ 16 – File storage (Supabase Storage)

16.1. Files uploaded by the user (product images and documents) are stored in storage buckets of the database provider Supabase, Inc. Storage takes place – as with all Supabase services – in the EU region eu-central-1 (Frankfurt, Germany).

16.2. Two storage buckets are used:

(a) Product images: Uploaded image files (JPEG, PNG, WebP) are stored in optimized form (compression, format conversion to JPEG, max. 1600 px). The file paths contain the user ID as the directory name;

(b) Product documents: Uploaded PDF files and images are stored. The file paths contain the user ID as the directory name.

16.3. Uploaded files are accessible via public URLs. This is technically necessary so that the files can be displayed in published product passports and previews. The user is advised that uploaded files may potentially be accessed by third parties if the URL is known.

16.4. When a product is deleted, the associated files are removed from storage. Upon termination of the contractual relationship, all files are deleted in accordance with § 21.

16.5. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

§ 17 – Cookies and similar technologies

17.1. DPP Hero exclusively uses technically necessary cookies. A cookie banner is not required, as no cookies requiring consent are set (§ 25(2) TDDDG (German Telecommunications Digital Services Data Protection Act)).

17.2. The following cookies are used:

(a) Authentication cookies (Supabase Auth): Cookies following the naming scheme sb-<project-identifier>-auth-token store encrypted JWT session data (access token and refresh token). These cookies are technically necessary for maintaining the user session. Attributes: HttpOnly, Secure (in production), SameSite=Lax, Path=/. Lifetime: access token approx. 1 hour (automatically renewed), refresh token approx. 7 days.

(b) Language preference cookie (NEXT_LOCALE): Stores the language selected by the user. This cookie is technically necessary for the correct display of the platform in the selected language.

17.3. DPP Hero does not use tracking cookies, analytics cookies, advertising cookies, or social media cookies. There is no user-level tracking and no profiling. In particular, the following services are not used: Google Analytics, Google Tag Manager, Facebook Pixel, Meta Pixel, Hotjar, Mixpanel, or comparable tracking services.

17.4. DPP Hero uses Vercel Web Analytics to collect anonymized, aggregated usage statistics (page views, referrers, countries, device types). Vercel Web Analytics operates entirely without cookies, without localStorage, without IP address storage, and without browser fingerprinting. No personal data is collected; no user can be identified or re-identified across sessions. Consent pursuant to Art. 5(3) ePrivacy Directive (2002/58/EC) is therefore not required. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the statistical analysis of website usage). Provider: Vercel, Inc., San Francisco, USA. Vercel, Inc. is certified under the EU-US Data Privacy Framework.

17.5. DPP Hero uses the Offset Website service by Tree-Nation (Tree-Nation S.A., Barcelona, Spain) for CO₂ compensation of the website. The embedded script exclusively counts aggregated page views; it collects no personal data, sets no cookies, and performs no IP tracking or browser fingerprinting. Consent pursuant to Art. 5(3) ePrivacy Directive (2002/58/EC) is not required.

17.6. The legal basis for the use of technically necessary cookies is § 25(2)(2) TDDDG in conjunction with Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in the technical provision of the platform).

17.7. Local storage. DPP Hero does not use either localStorage or sessionStorage of the browser for storing personal data.

§ 18 – Abuse protection (rate limiting)

18.1. To protect against misuse (in particular brute-force attacks on login forms), DPP Hero employs IP-based rate limiting. The following data is processed:

(a) IP address of the accessing device;

(b) Type of action (e.g., login, registration, password reset);

(c) Number of attempts and time window.

18.2. The IP addresses are stored in a rate limiting table. The entries are treated as expired at the latest after the time window has elapsed (maximum 1 hour) and are cleaned up at regular intervals.

18.3. The legal basis is Art. 6(1)(f) GDPR. The legitimate interest lies in protecting the platform and user accounts from unauthorized access.

§ 19 – Data processors and sub-processors

19.1. Personal data is processed principally within the European Union. The core services – database, authentication, and file storage (Supabase, EU region Frankfurt), payment processing (Stripe, Dublin), email delivery (Resend, Ireland), Serverless Functions (Vercel, Frankfurt), and invoicing (sevDesk, Germany) – are operated on servers within the EU.

19.2. DPP Hero engages the following data processors for the provision of its services:

(a) Supabase, Inc. – Location: San Francisco, USA (data: EU region Frankfurt) – Purpose: Database hosting, authentication, file storage – Data categories: User accounts, organisation data, product data, files;

(b) Vercel, Inc. – Location: San Francisco, USA (functions: EU region Frankfurt) – Purpose: Application hosting, edge network, serverless functions, web analytics (cookieless) – Data categories: Server log files, request data, anonymized page views;

(c) Stripe, Inc. / Stripe Payments Europe, Ltd. – Location: San Francisco, USA (EU customers: Dublin, Ireland) – Purpose: Payment processing – Data categories: Email, payment data, subscription data;

(d) Resend, Inc. – Location: San Francisco, USA (delivery: EU/Ireland) – Purpose: Email delivery – Data categories: Email addresses, email contents;

(e) Cloudflare, Inc. – Location: San Francisco, USA – Purpose: Bot protection (Turnstile) – Data categories: IP addresses, browser information;

(f) sevDesk GmbH – Location: Offenburg, Germany – Purpose: Invoicing – Data categories: Company name, billing address, email, VAT ID, invoice data.

19.3. Data processing agreements (DPA) pursuant to Art. 28 GDPR have been concluded with all data processors. The Data Processing Agreement is available as a separate document at dpphero.com/dpa.

19.4. Changes to the data processors are updated in this privacy policy. A current list of data processors is made available to the user upon request at privacy@dpphero.com.

§ 20 – Data transfers to third countries

20.1. Some of the data processors listed in § 19 are headquartered in the United States of America (USA):

(a) Supabase, Inc.;

(b) Vercel, Inc.;

(c) Stripe, Inc.;

(d) Resend, Inc.;

(e) Cloudflare, Inc.

20.2. Supabase – Data storage in the EU. Supabase, Inc. is headquartered in the USA. Data processing (database, authentication, file storage) in the Supabase project of DPP Hero takes place in the EU region eu-central-1 (Frankfurt, Germany) on servers of Amazon Web Services (AWS). No transfer of content data to the USA takes place. Supabase, Inc. is certified under the EU-US Data Privacy Framework; a data processing agreement has been concluded.

20.3. Stripe – EU processing. For customers based in the European Union, payment data is processed by Stripe Payments Europe, Limited (Dublin, Ireland). Stripe, Inc. is additionally certified under the EU-US Data Privacy Framework.

20.4. Resend – Email delivery via EU infrastructure. Resend, Inc. is headquartered in the USA. Email delivery is processed through Resend's EU infrastructure (Ireland). Resend, Inc. is certified under the EU-US Data Privacy Framework.

20.5. Vercel – Hosting and Web Analytics. Vercel, Inc. is headquartered in the USA. Serverless Functions are executed in the EU region Frankfurt (fra1). Static content is delivered via Vercel's global Edge Network. In addition, Vercel Web Analytics is used, a cookieless analytics tool that collects exclusively anonymized, aggregated page view data. No IP addresses are stored, no cookies are set, and no browser fingerprinting is performed. Vercel, Inc. is certified under the EU-US Data Privacy Framework.

20.6. Cloudflare. Cloudflare, Inc. processes data for bot protection (Turnstile) via its global Edge Network at the nearest available location. Cloudflare, Inc. is certified under the EU-US Data Privacy Framework. Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR are additionally in place.

20.7. sevDesk GmbH is based in Germany. No data transfer to third countries takes place in this regard.

§ 21 – Storage period and deletion

21.1. Personal data is stored only for as long as necessary for the respective processing purpose or as statutory retention obligations require.

21.2. Account data (email, password hash, session data): Stored for the duration of the contractual relationship and deleted upon account deletion.

21.3. Organisation data and product data: Stored for the duration of the contractual relationship. After termination of the contractual relationship, the data is retained for 30 calendar days for data backup purposes and subsequently deleted, unless statutory retention obligations apply.

21.4. Billing and payment data: Retained for 10 years after the end of the calendar year of the last transaction in accordance with §§ 147 AO (German Fiscal Code), 257 HGB (German Commercial Code). The legal basis for retention is Art. 6(1)(c) GDPR.

21.5. Server log files: Retained by the hosting provider for a maximum of 72 hours.

21.6. Rate limiting data (IP addresses): Treated as expired after the time window has elapsed (maximum 1 hour) and cleaned up at regular intervals.

21.7. Signature history (audit trail): Stored for the duration of the contractual relationship and anonymized upon account deletion (the reference to the user is removed; the audit entry is retained as a cryptographic proof).

21.8. Share token data: Used share tokens and submitted data are stored for the duration of the contractual relationship. When the associated product is deleted, the token data is deleted in a cascading manner.

21.9. Account deletion. The user may request the deletion of their account via the account settings. The deletion request is forwarded by email to privacy@dpphero.com and processed within a reasonable period. Upon account deletion, all personal data that is not subject to statutory retention obligations is deleted. Data subject to statutory retention periods is blocked and automatically deleted upon expiry of the retention period.

§ 22 – Rights of data subjects

22.1. Data subjects have the following rights vis-à-vis the controller under the GDPR:

(a) Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data is being processed and, where that is the case, access to the data as well as information about the processing purposes, the categories of data, the recipients, the storage period, and the origin of the data.

(b) Right to rectification (Art. 16 GDPR): You have the right to obtain without undue delay the rectification of inaccurate personal data or the completion of incomplete personal data. You can rectify many data items directly in the dashboard.

(c) Right to erasure (Art. 17 GDPR): You have the right to obtain the erasure of your personal data, provided the conditions of Art. 17 GDPR are met. Statutory retention obligations may oppose this right (see § 21).

(d) Right to restriction of processing (Art. 18 GDPR): You have the right to obtain the restriction of processing of your personal data under certain conditions.

(e) Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format. The platform offers export functions (PDF, JSON) for this purpose.

(f) Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Art. 6(1)(f) GDPR (legitimate interests). DPP Hero will cease the processing unless there are compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing serves the establishment, exercise, or defence of legal claims.

(g) Right to withdraw consent (Art. 7(3) GDPR): Where data processing is based on consent, you have the right to withdraw your consent at any time. The lawfulness of processing based on consent before its withdrawal is not affected thereby.

22.2. To exercise your rights, please contact: privacy@dpphero.com. DPP Hero will process your request without undue delay, at the latest within one month of receipt (Art. 12(3) GDPR).

22.3. DPP Hero may, for the purpose of identity verification when asserting data subject rights, require the provision of additional information to confirm the identity of the requesting person (Art. 12(6) GDPR).

§ 23 – Data security

23.1. DPP Hero implements appropriate technical and organisational measures to protect personal data against unauthorized processing, loss, destruction, or damage (Art. 32 GDPR). These measures include in particular:

(a) Encryption of data transmission via TLS/SSL;

(b) Password hashing using industry-standard algorithms (bcrypt);

(c) Optional two-factor authentication (TOTP);

(d) Row-Level Security (RLS) for access control at the database level;

(e) Strict separation of user and organisation data through database policies;

(f) Webhook signature verification for incoming Stripe webhooks;

(g) Timing-safe comparisons for cryptographic operations;

(h) IP-based rate limiting to protect against brute-force attacks;

(i) Regular review and updating of the security measures in place.

23.2. DPP Hero notes that data transmission over the internet (in particular via email communication) may have security vulnerabilities. Complete protection of data against third-party access cannot be guaranteed.

§ 24 – No automated decision-making

DPP Hero does not employ automated decision-making including profiling within the meaning of Art. 22 GDPR that produces legal effects concerning the data subject or similarly significantly affects them.

§ 25 – Minors

The platform is not directed at persons under the age of 16. DPP Hero does not knowingly collect personal data from children under the age of 16. Should we become aware that a child under 16 has transmitted personal data to us, we will delete this data without undue delay.

§ 26 – Changes to this privacy policy

26.1. DPP Hero reserves the right to amend this privacy policy as necessary to adapt it to changed legal requirements, technical changes, or new processing activities. The current version is available at dpphero.com/privacy.

26.2. Material changes affecting the rights of users will be communicated to users by email or via the dashboard.

§ 27 – Right to lodge a complaint with a supervisory authority

27.1. Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes the GDPR (Art. 77 GDPR).

27.2. The supervisory authority responsible for DPP Hero is:

The State Commissioner for Data Protection of Lower Saxony (Die Landesbeauftragte für den Datenschutz Niedersachsen)

Prinzenstraße 5

30159 Hannover, Germany

Phone: +49 (0) 511 120-4500

Email: poststelle@lfd.niedersachsen.de

Web: https://lfd.niedersachsen.de

§ 28 – Contact

For questions regarding data protection, for exercising your data subject rights, or for inquiries about the data processing agreement (DPA):

DPP Hero

Niels van Veen

Hoher Holzweg 17

30966 Hemmingen, Deutschland

VAT ID: DE309665873

Email: privacy@dpphero.com

Web: https://dpphero.com
