Seaside StudioContact
Tagpass

TagpassShopify app

Privacy Policy

Last updated 2026-05-20

1. Introduction

This Privacy Policy explains how Seaside Apps ("Seaside", "we", "us", "our") collects, uses, and protects personal data in connection with Tagpass, a Shopify application that helps merchants create, manage, and publish EU Digital Product Passports ("DPPs") for their products.

This policy applies to:

  • Merchants who install and use Tagpass from the Shopify App Store; and
  • Visitors who view a public product passport page produced by Tagpass (for example, by scanning a QR code on a product).

It does not apply to Shopify itself, to merchant storefronts, or to any third-party website. Shopify's own handling of data is governed by Shopify's privacy policy.

To be completed before publication: the full legal entity name and registered business address of the operator of Tagpass. Insert it here and in Section 15.

2. Who is responsible for your data (controller and processor roles)

  • Merchant account data. For personal data about the merchant and its staff that we collect to provide the app (see Section 3.1 and 3.3), Seaside Apps acts as the data controller.
  • Passport content. The product passport content a merchant enters into Tagpass — including any business-contact details such as a manufacturer or EU-representative name, address, email, or phone number — is supplied and published by the merchant. For that content, the merchant is the data controller and Seaside Apps acts as a data processor on the merchant's behalf. Merchants are responsible for ensuring they have a lawful basis to include and publish any personal data within passport content.
  • Scan data. The data recorded when a public passport page is viewed is anonymous and is not personal data (see Section 5).

3. Information we collect

3.1 From merchants (via Shopify)

When a merchant installs Tagpass, Shopify provides us with the information needed to run the app, including the store name and domain, the store owner's name, the store contact email address, the store country, and the Shopify plan. With the read_products and write_products permissions the merchant grants at install, we also access the merchant's product catalog — product titles, variants, identifiers, and metafields.

3.2 Passport content entered by the merchant

As merchants build a Digital Product Passport, they enter product compliance data — for example manufacturer details, EU responsible-person details, material composition, substance declarations, care and repair information, and sustainability data. Some of these fields can contain the name and contact details of individuals (for example a named EU representative). This information is entered by the merchant and is intended for publication on the public passport page.

3.3 Support requests

When a merchant contacts us through the in-app support form, we collect the email address and the message they provide so that we can respond.

3.4 Technical and diagnostic data

Our hosting and application platform records standard server logs and error diagnostics needed to operate the app securely and reliably.

4. How we use information and our legal bases

We use the information described above to:

  • provide, operate, and maintain the Tagpass app, and to create, validate, and publish Digital Product Passports (legal basis: performance of a contract);
  • generate QR codes and host public passport pages (performance of a contract);
  • respond to support requests (legitimate interests, and performance of a contract);
  • secure, monitor, debug, and improve the app (legitimate interests);
  • comply with legal obligations, including Shopify's mandatory data-protection requests (legal obligation).

We do not sell personal data, and we do not use it for advertising or profiling.

5. What we deliberately do NOT collect — anonymous scan analytics

Tagpass is built so that no personal data about the people who scan or view a product passport is ever stored.

When a public passport page is viewed, we may record only:

  • the product GTIN (a product identifier, not a person);
  • the date of the view, to the day only (no precise time);
  • a coarse country code derived from network information; and
  • a non-reversible, salted hash used solely to avoid counting the same view twice.

We do not store IP addresses, full device or browser identifiers, precise timestamps, session identifiers, referrer paths, or any account information for passport visitors. Because this data cannot be linked to an identifiable person, it is anonymous data and falls outside the scope of the EU General Data Protection Regulation (GDPR). We use it only to give merchants aggregate counts of how often their passports are viewed.

6. Where data is stored and international transfers

Tagpass runs on the Gadget application platform, hosted on Google Cloud infrastructure in the United States. Merchant account data and passport content are therefore processed in the United States.

Where personal data of individuals in the European Economic Area (EEA) or the United Kingdom is transferred to the United States, that transfer is protected by appropriate safeguards, including the European Commission's Standard Contractual Clauses entered into with our service providers. The volume of personal data involved is deliberately minimal, and — as described in Section 5 — no personal data of passport visitors is collected or transferred at all.

7. Sharing your information — our service providers

We do not sell personal data. We share data only with service providers who help us run the app, under contractual data-protection obligations:

  • Shopify — the platform Tagpass runs on; provides merchant and product data and hosts the merchant's store.
  • Gadget — our application development and hosting platform, including database hosting and outbound email delivery (United States, on Google Cloud).

We may also disclose information where required by law, to enforce our agreements, or to protect the rights, safety, and security of our users and the public.

8. Data retention

  • Passport drafts and operational data are retained while the app is installed. If a merchant uninstalls Tagpass, this data is retained briefly and then deleted when Shopify sends the shop-redaction request (normally 48 hours after uninstall).
  • Published passport content is mirrored into the merchant's own Shopify product metafields, which remain with the merchant and under the merchant's control even after the merchant uninstalls Tagpass.
  • Support correspondence is retained for as long as needed to handle the request and for a reasonable period afterwards for our records.
  • Anonymous scan data contains no personal data and may be retained indefinitely in aggregate form.

9. Shopify data-protection requests

As a Shopify app, Tagpass receives and acts on the mandatory Shopify privacy webhooks:

  • Customer data request and customer redaction — Tagpass does not store personal data about a merchant's customers, so these requests are handled by confirming that no such data is held.
  • Shop redaction — when received, we delete the operational data we hold for that store.

10. Your rights

Depending on your location, you may have the right to access, correct, delete, or receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. Individuals in the EEA and the United Kingdom also have the right to lodge a complaint with their data protection supervisory authority.

To exercise any of these rights, contact us at seaside@seasideapps.co. If your request concerns personal data contained inside a product passport, we may need to direct you to the merchant who controls that content.

11. Security

We rely on the security measures provided by Shopify and the Gadget platform, including encrypted connections, managed access controls, and tenant isolation so that one merchant's data is not accessible to another. No system is perfectly secure, but we work to protect data against unauthorized access, loss, and misuse.

12. Cookies

The Tagpass admin interface runs embedded inside the Shopify admin and uses only the session tokens required for authentication and core functionality. Public product passport pages do not set advertising or tracking cookies.

13. Children's privacy

Tagpass is a business tool intended for use by merchants. It is not directed to children, and we do not knowingly collect personal data from children.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify merchants within the app.

15. Contact us

For any questions about this Privacy Policy or how we handle data, contact:

Seaside Apps

Email: seaside@seasideapps.co