Privacy Policy
Last updated: 12 April 2026
Who we are
EuroGPSR ("we", "us", "our") is an automated audit tool for EU ecommerce compliance. Our service scans publicly accessible web pages and produces risk reports covering the European Accessibility Act (EAA) and the General Product Safety Regulation (GPSR).
For GDPR purposes, the data controller is:
Contact: privacy@eurogpsr.com
Data we collect
We collect only what is necessary to provide the service.
| Category | What we collect | Legal basis |
| --- | --- | --- |
| Account data | Name, email address, and profile photo from Google when you sign in with Google OAuth. | Contract (Art. 6(1)(b) GDPR) |
| Scan data | The URL you submit, the HTML we fetch from that URL, and the analysis results. We do not store the raw HTML long-term — only the derived findings. | Contract / Legitimate interest |
| Usage data | Pages visited, features used, and timestamps — collected via server logs to maintain service quality. No third-party analytics trackers. | Legitimate interest (Art. 6(1)(f)) |
| Payment data | Billing details are handled exclusively by Stripe. We never see or store raw card numbers. | Contract |
| Cookies | Strictly necessary session cookies to keep you signed in. See our Cookie Policy for details. | Legitimate interest |
How we use your data
- To create and manage your account
- To run scans and deliver results
- To process subscription payments via Stripe
- To send you transactional emails (scan completion, account changes)
- To improve the service based on aggregated, anonymised usage patterns
- To comply with legal obligations
We do not sell your data. We do not use your data for advertising.
Data retention
| Data | Retention period |
| --- | --- |
| Account data | Until you delete your account, plus 30 days |
| Scan results | Free plan: 7 days. Starter: 90 days. Pro: 365 days. |
| Payment records | As required by Spanish and EU tax law (generally 7 years) |
| Server logs | 30 days rolling window |
Sharing and processors
We share data only with the following trusted processors, each bound by a Data Processing Agreement:
| Processor | Purpose | Location |
| --- | --- | --- |
| Supabase | Database, authentication | EU region (Frankfurt) |
| Vercel | Hosting, serverless functions | EU region available |
| Stripe | Payment processing | EU data centre |
We do not transfer personal data to countries outside the EU/EEA without appropriate safeguards (Standard Contractual Clauses where applicable).
Your rights under GDPR
As a data subject in the EU/EEA, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent at any time where processing is consent-based
- Lodge a complaint with your national data protection authority
To exercise any of these rights, email privacy@eurogpsr.com. We will respond within 30 days.
Security
We implement appropriate technical and organisational measures to protect your data: encrypted connections (TLS 1.2+), hashed credentials, row-level security in the database, and access controls limited to personnel who need it.
No system is impenetrable. If you discover a security issue, please disclose it responsibly to security@eurogpsr.com.
Children
EuroGPSR is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.
Changes to this policy
We may update this policy as the service evolves. Material changes will be announced via email and noted at the top of this page with a new "Last updated" date. Your continued use of the service after changes take effect constitutes acceptance.
Contact
Questions about this policy or our data practices:
privacy@eurogpsr.com