Privacy Policy.

Delvet Ltd (“Delvet”, “we”, “us”, or “our”) is a company registered in England and Wales. We operate a platform that helps fashion brands create and publish EU Digital Product Passports.

This Privacy Policy explains how we collect, use, store, and share personal data when you visit our website or use our platform. It applies to all users of our services.

We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

We collect the following categories of personal data:

• Account data: name, work email address, job title, company name, and password (hashed) when you register.
• Usage data: pages visited, features used, session duration, and actions taken within the platform, collected automatically via server logs and analytics.
• Communication data: messages you send us via email or contact forms.
• Customer data: supply chain information and product data you upload to the platform. This may incidentally contain personal data (e.g. supplier contact names).
• Technical data: IP address, browser type, device information, and cookies. See Section 8 (Cookies) for details.

We do not knowingly collect data from individuals under 16 years of age.

We use your personal data to:

• Provide, operate, and improve the Delvet platform.
• Create and manage your account and authenticate your access.
• Respond to enquiries, support requests, and feedback.
• Send product updates, service announcements, and (with your consent) marketing communications.
• Monitor platform security, prevent fraud, and enforce our Terms of Use.
• Comply with legal obligations.
• Generate aggregated, anonymised analytics to improve our services.

We rely on the following legal bases under UK/EU GDPR:

• Contract performance (Article 6(1)(b)): processing necessary to deliver the Service you have contracted for.
• Legitimate interests (Article 6(1)(f)): analytics and service improvement, security monitoring, and direct marketing to existing customers. We have conducted a legitimate interests assessment and determined our interests are not overridden by your rights.
• Legal obligation (Article 6(1)(c)): where we are required to process data by applicable law.
• Consent (Article 6(1)(a)): for optional marketing emails and non-essential cookies, where we have obtained your prior consent. You may withdraw consent at any time.

We do not sell your personal data. We may share it with:

• Service providers: cloud infrastructure, analytics, email delivery, and customer support tools operating under data processing agreements.
• Professional advisers: lawyers and accountants, bound by confidentiality obligations.
• Regulators and authorities: where required by law or to protect our legal rights.
• Business transfers: in connection with a merger, acquisition, or sale of assets, in which case we will notify you before your data is transferred to a new controller.

All third-party processors are contractually bound to process your data only on our instructions and to maintain appropriate security measures.

We retain personal data only for as long as necessary for the purposes described in this Policy:

• Account data: for the duration of your account, plus 30 days after deletion.
• Usage and technical data: up to 24 months, then anonymised or deleted.
• Communication records: up to 3 years.
• Financial records: 7 years, as required by UK law.

When retention periods expire, data is securely deleted or anonymised.

Under UK/EU GDPR, you have the following rights:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your data in certain circumstances.
• Restriction: request that we limit how we use your data.
• Data portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: at any time, where processing is based on consent.

To exercise any of these rights, contact us at privacy@delvet.com. We will respond within one month.

You also have the right to lodge a complaint with your supervisory authority. In the UK: the Information Commissioner's Office (ICO).

We use the following categories of cookies:

• Essential cookies: required for the platform to function (authentication, session management). These cannot be disabled.
• Analytics cookies: help us understand how visitors use our site (e.g. pages viewed, time on page). We use only privacy-respecting, aggregated analytics — no individual tracking across sites.

We do not use advertising or cross-site tracking cookies.

You can control non-essential cookies via your browser settings. Disabling analytics cookies will not affect your use of the Service.

Our primary infrastructure is hosted in the EU/EEA. Where we use service providers based in the UK or other countries, we ensure appropriate safeguards are in place:

• UK: the UK is recognised as providing adequate protection under EU GDPR. Data transfers to Delvet from the EU are covered by the EU-UK adequacy decision.
• Other countries: we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

Contact us if you require further information about international transfer safeguards.

We may update this Privacy Policy to reflect changes in law, our services, or our data practices. Material changes will be communicated by email (to registered users) or by a prominent notice on our website, with at least 14 days' notice.

The date of the most recent revision appears at the top of this page.

Delvet Ltd is the data controller for personal data collected through our website and platform.