1. Who We Are
VPA Central Registry ("VPA", "we", "our", or "us") operates the product authenticity certification platform available at vparegistry.com. We issue cryptographic certificates that link product photographs to a verified identity on our public registry.
For the purposes of applicable data protection law, including the UK GDPR, EU GDPR, and California Consumer Privacy Act (CCPA), VPA Central Registry is the data controller for personal data collected through our platform.
2. Data We Collect
We collect the following categories of personal data:
- Account information: Name, email address, organisation name, and profile picture collected when you sign in via Google OAuth.
- Certificate data: Product names, batch IDs, and product photographs you upload for certification.
- Usage data: Pages visited, features used, IP address, browser type, and timestamps, collected automatically via server logs.
- Communications: Any correspondence you send to us via email or contact forms.
3. How We Use Your Data
We process your personal data for the following purposes:
- Service provision: To create and manage your partner account, issue certificates, and operate the public verification registry.
- Security: To detect and prevent fraud, abuse, and unauthorised access.
- Communications: To send service-related notifications, respond to your enquiries, and provide customer support.
- Legal obligations: To comply with applicable laws and respond to lawful requests from public authorities.
Our legal bases for processing under GDPR are: performance of a contract (service provision); legitimate interests (security and fraud prevention); and compliance with legal obligations.
4. Public Registry Data
Certificate records — including the VPA Tracking ID, issuance date, manufacturer name, product name, and certified images — are stored on our public registry and accessible to anyone who scans a QR code or searches the registry. By submitting a product for certification, you consent to this public disclosure. Do not submit information you wish to keep confidential.
5. Data Sharing
We do not sell your personal data. We may share your data with:
- Google LLC: For authentication (Google OAuth) and data storage (Google Sheets), subject to Google's privacy policy.
- Google Cloud Platform: Our hosting and infrastructure provider.
- n8n: Our workflow automation provider, used to process certification requests.
- Law enforcement: When required by law or to protect our legal rights.
6. International Transfers
Our services are operated globally. Your data may be transferred to and processed in countries outside your own, including the United States. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms, to protect your data.
7. Data Retention
We retain your account data for as long as your account is active. Certificate records on the public registry are retained indefinitely to preserve the integrity of the verification system. Usage logs are retained for up to 90 days. You may request deletion of your account data (excluding public certificate records) at any time.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your personal data
- Object to or restrict our processing of your data
- Receive your data in a machine-readable format (data portability)
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, or your EU member state's DPA)
To exercise any of these rights, contact us at privacy@vparegistry.com.
9. Cookies
We use essential cookies to maintain your login session. We do not use advertising or tracking cookies. For more detail, see our Cookie Policy.
10. Contact Us
For any privacy-related questions or to exercise your rights, contact our Data Protection team at:
privacy@vparegistry.com
This policy was last updated on 11 March 2026. We may update this policy periodically. Continued use of the platform after changes constitutes acceptance of the updated policy.