Privacy Policy

Last updated: April 2026

1. Who We Are

onpack ("we", "us", "our") operates the onpack.io platform. We provide brands with digital product identity and consumer engagement tools. This policy explains how we handle personal data under the EU General Data Protection Regulation (GDPR).

2. What We Collect

For Consumers (people who scan products)

  • Account data: email address, display name (if you sign up)
  • Scan data: which product was scanned, timestamp, device type
  • Location data: approximate country and city derived from IP address (only if you accept cookies)
  • Points and redemption data: loyalty points earned, rewards redeemed, voucher codes

For Brands (business accounts)

  • Account data: company name, email address, brand prefix
  • Product data: SKU names, descriptions, batch quantities
  • Billing data: processed by Stripe; we do not store card numbers

3. Why We Collect It

  • To provide the service: generating codes, tracking scans, managing loyalty points (legal basis: contract)
  • To show analytics to brands: scan counts, geographic distribution, trends (legal basis: legitimate interest)
  • Location data: only collected with your explicit consent via the cookie banner (legal basis: consent)

4. Who Sees Your Data

  • Brands see aggregated scan analytics for their own products. They do not see individual consumer emails or names unless you explicitly claim a product or redeem a reward.
  • Service providers: hosting (Railway/Hetzner, EU), email (Postmark), payments (Stripe), geo-IP (ipinfo.io).
  • We never sell personal data.

5. Data Retention

  • Account data: kept until you delete your account
  • Scan data: kept for 3 years, then anonymised
  • IP addresses: deleted or anonymised after 90 days

6. Your Rights (GDPR)

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your data in a portable format
  • Withdraw consent for location tracking at any time (clear the onpack_consent cookie or decline in the banner)
  • Object to processing based on legitimate interest

To exercise these rights, email privacy@onpack.io.

7. Cookies

  • onpack_consent: stores your cookie preference (accepted/declined). Expires after 1 year.
  • Session cookies: required for login. Cleared when you close your browser or sign out.

We do not use third-party tracking cookies, advertising pixels, or analytics tools that track you across websites.

8. Security

All data is encrypted in transit (TLS) and at rest. API tokens are stored as hashed values. We use role-based access controls and conduct regular security reviews.

9. Contact

Data Controller: onpack
Email: privacy@onpack.io

If you believe your data rights have been violated, you may lodge a complaint with your local data protection authority.
