Privacy Policy
Last updated: February 25, 2026
Preamble
This privacy policy explains which personal data we collect, how we process it, and what rights you have regarding your data. We take the protection of your personal data very seriously and treat it confidentially in accordance with the applicable data protection regulations, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Controller
BaDuNi GmbH
Iberg 9
77876 Kappelrodeck
Germany
Email: info@eprpilot.com
Legal Notice: eprpilot.com/imprint
Overview of Processing Operations
The following overview summarizes the types of data processed and the purposes of their processing:
- Contact data (e.g., name, email address)
- Account data (e.g., login credentials, subscription status)
- Usage data (e.g., pages visited, time of access)
- Meta/communication data (e.g., IP addresses, browser information)
- Product data uploaded by the Customer (e.g., ASIN, EAN, product titles, packaging weights, material types)
- Aggregated order data (e.g., sales quantities per country — no personal end-customer data is processed)
Legal Bases
We process personal data in accordance with the following legal bases:
- Consent (Art. 6 para. 1 lit. a GDPR) — The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contractual performance (Art. 6 para. 1 lit. b GDPR) — Processing is necessary for the performance of a contract or for pre-contractual measures.
- Legal obligation (Art. 6 para. 1 lit. c GDPR) — Processing is necessary for compliance with a legal obligation.
- Legitimate interests (Art. 6 para. 1 lit. f GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by us or a third party.
Security Measures
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk. These measures include:
- Encryption of data transmissions via TLS/SSL (HTTPS)
- Data storage on servers in Germany (Hetzner Online GmbH)
- Access controls and authentication mechanisms
- Regular security assessments
- Pseudonymization and data minimization where applicable
Sub-Processors
We use the following third-party service providers (sub-processors) for operating the EPR Pilot service:
- Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — Application hosting and data storage. All application data is stored on servers in Germany.
- Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992) — Authentication and user management. Data transfers to the US are secured via EU Standard Contractual Clauses (SCCs).
- Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA) — Payment processing. Data protection is ensured through the EU-US Data Privacy Framework.
- Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA) — Website hosting (marketing website only).
Data Transfers to Third Countries
Your application data (product data, order reports, compliance calculations) is stored exclusively on servers in Germany (Hetzner Online GmbH). For authentication (Supabase) and payment processing (Stripe), data may be transferred to the United States. These transfers are secured via EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.
Data Retention and Deletion
We store personal data only for as long as it is necessary for the respective purpose of processing. Specifically:
- Account data: Stored for the duration of the contractual relationship.
- Product and order data (workspace data): Deleted within 30 days after contract termination, unless the Customer requests earlier deletion.
- Invoicing data: Retained for the statutory retention period of 10 years (§ 147 AO, § 257 HGB).
- Contact form inquiries: Deleted after the inquiry has been conclusively processed, unless a contractual relationship arises.
You may request deletion of your data at any time by contacting us at info@eprpilot.com.
Your Rights
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed.
- Right to rectification (Art. 16 GDPR) — You have the right to request the rectification of inaccurate data.
- Right to erasure (Art. 17 GDPR) — You have the right to request the deletion of your personal data.
- Right to restriction (Art. 18 GDPR) — You have the right to request restriction of processing.
- Right to data portability (Art. 20 GDPR) — You have the right to receive your data in a structured, commonly used format.
- Right to object (Art. 21 GDPR) — You have the right to object to the processing of your personal data at any time.
- Right to withdraw consent (Art. 7 para. 3 GDPR) — You have the right to withdraw consent at any time.
- Right to lodge a complaint (Art. 77 GDPR) — You have the right to lodge a complaint with a supervisory authority.
Application Hosting
The EPR Pilot application is hosted on servers of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). All application data — including your uploaded product data, order reports, and compliance calculations — is stored exclusively on servers in Germany. This processing is based on Art. 6 para. 1 lit. b GDPR (performance of a contract).
Website Hosting
This marketing website (eprpilot.com) is hosted on Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). When you access this website, Vercel processes technical data such as your IP address, browser type, and time of the server request. This processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest).
Authentication
We use Supabase Inc. for user authentication and account management. When you create an account or log in, Supabase processes your email address and authentication tokens. Data transfers to the US are secured via EU Standard Contractual Clauses (SCCs). The legal basis is Art. 6 para. 1 lit. b GDPR (performance of a contract).
Contact Form
When you contact us via the contact form, your data (name, email address, message content) will be processed for the purpose of handling your inquiry. The legal basis is Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (legitimate interest).
Our contact form is processed through Web3Forms. For more information, see Web3Forms Privacy Policy.
EPR Pilot Application — Data Processing
When you use the EPR Pilot software, you upload data from your Amazon seller account (e.g., Business Reports, EPR Reports) and optionally other sales channels. The following types of data are processed:
- Product identifiers (ASIN, EAN)
- Product attributes (title, category, packaging weight, material type)
- Aggregated sales quantities per country (no personal end-customer data)
- Calculated waste amounts per waste stream (packaging, electronics, batteries)
This data is processed exclusively for providing the contractual service (Art. 6 para. 1 lit. b GDPR). Your data is stored on German servers (Hetzner) and is not shared with third parties unless necessary for the service (e.g., Keepa API for product data enrichment).
Important: EPR Pilot is an independent service and is not affiliated with, endorsed by, or partnered with Amazon. All Amazon data is uploaded voluntarily by the Customer.
Anonymized Product Data for Service Improvement
We may use anonymized and aggregated product data — such as packaging weights, material classifications, and product categories — to improve the quality and completeness of our product database. This benefits all users by reducing the need for manual data entry.
What is used: Product properties only (weight, material, category, dimensions).
What is never used: Sales quantities, revenue data, order volumes, or any data that could identify the Customer or their business activity.
All data is fully anonymized before use — no link to the original Customer or their account is maintained. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in improving our service). You have the right to object to this processing at any time by contacting us at info@eprpilot.com.
Payment Processing
We use Stripe Inc. for payment processing. When you subscribe to a paid plan, your payment data (e.g., credit card number, bank account) is transmitted directly to Stripe and processed on their servers. We do not store your full payment details. The legal basis is Art. 6 para. 1 lit. b GDPR.
Cookies and Storage Technologies
Our website and application use only technically necessary cookies and storage mechanisms:
- Session cookie — Required for application functionality (Flask session). Expires when the browser is closed.
- Authentication token — Required for user login (Supabase). Expires after the session ends.
We do not use any analytics, tracking, or marketing cookies. No cookie consent is required for technically necessary cookies (Art. 6 para. 1 lit. f GDPR, § 25 para. 2 TDDDG).
Changes to this Privacy Policy
We reserve the right to adapt this privacy policy to reflect changes in legal requirements or changes to our services. The current version is always available at eprpilot.com/privacy.