New 2025-26 EPR fee rates are live. Check your obligations

Privacy Policy

Last updated: March 2026

1. Introduction

EPR Compliance is a trading name of Passport Digital Limited ("we", "us", "our"), a company registered in England and Wales. We are committed to protecting and respecting your privacy.

This privacy policy explains how we collect, use, store, and share your personal data when you use our website at eprcompliance.co.uk and our packaging EPR compliance platform at app.eprcompliance.co.uk (together, the "Service").

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about this policy, please contact us at [email protected].

2. Data We Collect

We collect the following types of personal data:

Account Information

  • Full name
  • Email address
  • Company name
  • Phone number (if provided)
  • Password (stored securely using one-way hashing)

Business Data

  • Company turnover and packaging tonnage (for compliance assessment)
  • Packaging data including material types, weights, and categories
  • SIC codes and organisation identifiers

Payment Information

  • Billing address
  • Payment card details (processed securely by Stripe — we never store full card numbers)

Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and usage patterns

3. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the Service: To create and manage your account, process your packaging data, generate compliance reports, and deliver the features you have subscribed to.
  • Billing and payments: To process subscription payments, send invoices, and manage your billing relationship through Stripe.
  • Communication: To send service-related emails including account confirmations, deadline reminders, report notifications, and support responses.
  • Marketing: To send marketing emails about product updates, EPR regulatory changes, and compliance tips — only with your explicit consent. You can unsubscribe at any time.
  • Improving the Service: To analyse usage patterns, fix bugs, and develop new features that help businesses comply with packaging EPR regulations.
  • Legal compliance: To comply with legal obligations, respond to lawful requests from public authorities, and protect our legal rights.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract: Processing necessary to perform our contract with you (providing the Service you have subscribed to).
  • Legitimate interests: Processing necessary for our legitimate interests (improving the Service, preventing fraud, ensuring security) where those interests are not overridden by your rights.
  • Consent: Processing based on your specific consent (marketing emails, optional cookies).
  • Legal obligation: Processing necessary to comply with a legal obligation to which we are subject.

5. Cookies

We use cookies and similar technologies to provide, protect, and improve the Service.

Essential Cookies

Required for the Service to function. These include session cookies for authentication and security cookies to prevent cross-site request forgery. You cannot opt out of essential cookies.

Analytics Cookies

Help us understand how visitors use our website and platform. We use this data to improve the user experience and measure the effectiveness of our content. These cookies are only set with your consent.

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.

6. Third-Party Services

We share personal data with the following third-party services:

  • Stripe: Payment processing. Stripe processes your payment information securely and is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
  • Brevo (formerly Sendinblue): Email delivery. We use Brevo to send transactional emails (account confirmations, password resets, deadline reminders) and marketing emails (with consent). See Brevo's Privacy Policy.

We do not sell, rent, or trade your personal data to any third parties for marketing purposes. We only share data with third parties as described in this policy or with your explicit consent.

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this policy:

  • Account data: Retained for as long as your account is active, plus 30 days after deletion to allow for recovery.
  • Packaging data and reports: Retained for 7 years after creation to support regulatory audit requirements and historical compliance records.
  • Payment records: Retained for 7 years as required by UK tax and accounting regulations.
  • Marketing consent records: Retained for as long as you remain subscribed, plus 3 years for audit purposes.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • 256-bit SSL/TLS encryption for all data in transit
  • Encryption at rest for stored data
  • Secure password hashing using bcrypt
  • Regular security updates and monitoring
  • Access controls limiting data access to authorised personnel only

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request that we correct any inaccurate personal data.
  • Right to erasure: You can request that we delete your personal data (subject to legal retention requirements).
  • Right to restrict processing: You can request that we restrict the processing of your personal data.
  • Right to data portability: You can request a machine-readable copy of your personal data.
  • Right to object: You can object to the processing of your personal data based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw that consent at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

10. International Data Transfers

Some of our third-party service providers may process data outside the UK. Where this occurs, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), to protect your personal data to the same standard as within the UK.

11. Children's Privacy

The Service is designed for business use and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will take steps to delete it.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes by email or through a notice on our website. We encourage you to review this policy periodically. The "last updated" date at the top of this page indicates when the policy was last revised.

13. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: ico.org.uk

Telephone: 0303 123 1113

14. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us:

Passport Digital Limited

Trading as EPR Compliance

Email: [email protected]