1. Introduction

Ownership Tag LTD ("we", "our", "us") is committed to protecting your privacy and being transparent about how we collect, use, disclose, and safeguard your information when you use our services. This Cookie & Data Policy explains our practices regarding cookies, data collection, and your privacy rights.

This policy applies to all users of our website, mobile application, and services, including customers, verifiers, and administrators. By using our services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect information that you provide directly to us, information collected automatically, and information from third-party services.

2.1 Personal Information

• Account Information: When you create an account, we collect your first name, last name, email address, and a securely hashed password.
• Contact Information: Physical address including street, city, state, zip code, and country for product registration and verification purposes.
• Identity Verification: Images of your passport or other government-issued ID documents for identity verification. These are stored securely and encrypted, accessed only for verification purposes, and retained in accordance with legal requirements.
• Profile Information: Profile pictures (avatar) that you choose to upload to your account.

2.2 Product Information

• Product Details: Product name, description, serial number, date of purchase, and product images that you upload when registering a product.
• Proof of Purchase: Invoice or receipt documents uploaded as proof of purchase for product registration.
• Product Status: Registration status, approval status, and any rejection reasons provided by administrators.
• Ownership History: Complete history of product ownership transfers, including timestamps and blockchain transaction hashes.

2.3 Payment and Transaction Information

• Payment Methods: Payment method details processed through our third-party payment provider, Stripe. We only store the last four digits of your card, card brand (Visa, Mastercard, etc.), and expiry month/year for your convenience.
• Transaction Records: Details of all transactions including product registrations, ownership transfers, and license purchases. This includes transaction amounts, dates, payment status, and invoice information.
• Invoice Information: Generated invoices for all transactions, including $0 transactions where seller codes are applied. Invoices include itemized charges, taxes, and order numbers.
• Seller Codes: Usage of discount codes for fee waivers, tracked for accounting and reporting purposes.

2.4 Blockchain and Cryptocurrency Information

• Wallet Address: Cryptocurrency wallet address automatically generated or provided by you for NFT certificate storage on the Polygon blockchain.
• Blockchain Transactions: Transaction hashes for NFT minting and ownership transfers, stored on the public Polygon blockchain. These transactions are publicly visible and immutable.
• NFT Certificates: Digital certificate (NFT) information including certificate IDs, token IDs, and metadata associated with your registered products.
• Smart Contract Interactions: Records of interactions with our smart contract on the Polygon blockchain, including minting and transfer operations.

2.5 Usage and Activity Information

• Tamper Check Logs: Records of tamper detection scans performed on products, including timestamps, tamper detection results, AI-generated explanations, and user IDs.
• Owner Verification Logs: Records of QR code scans with PIN verifications, including product IDs, timestamps, scanner user IDs, and owner IDs.
• Daily Usage Limits: Tracking of daily scan limits for tamper detection and owner verification to enforce usage quotas based on user roles and license types.
• Authentication Logs: Login timestamps, session information, and authentication attempts for security monitoring.

2.6 License and Subscription Information

• License Keys: Verifier Pro license keys, activation dates, expiry dates, and license status.
• License Usage: Information about license generation, activation, and usage for billing and account management.
• Subscription Status: Current subscription status, payment history, and renewal information for Pro licenses.

2.7 Communication Information

• Email Communications: Email addresses and email content for transactional emails (verification codes, password resets, welcome emails, product approvals, transfer notifications).
• Notifications: In-app notifications including titles, messages, read status, and timestamps.
• Contact Form Submissions: Information submitted through our contact form, including name, email, subject, and message content.

2.8 Job Application Information

• Application Details: Full name, email address, cover letter, and CV/resume documents submitted for job positions.
• Job Preferences: Job title, department, and position applied for.
• Application Status: Status of job applications and recruitment process information.

2.9 Technical and Automatically Collected Information

• Device Information: Browser type, device type, operating system, and screen resolution.
• Network Information: IP address, internet service provider, and network connection type.
• Usage Data: Pages visited, time spent on pages, clicks, scrolling behavior, and navigation patterns.
• Cookies and Tracking Technologies: Information collected through cookies, local storage, and similar technologies as described in Section 5.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Provision

• Provide, operate, and maintain our ownership verification platform
• Process product registrations and create digital certificates (NFTs) on the blockchain
• Facilitate ownership transfers between users
• Enable tamper detection and owner verification services
• Generate and manage invoices for transactions
• Manage user accounts, licenses, and subscriptions

3.2 Identity and Security Verification

• Verify user identity using government-issued ID documents
• Authenticate user logins and prevent unauthorized access
• Verify product ownership through PIN-protected QR code scanning
• Detect and prevent fraud, abuse, and security threats
• Enforce usage limits and access controls based on user roles

3.3 Payment Processing

• Process payments for product registrations, transfers, and license purchases
• Manage payment methods and billing information through Stripe
• Generate invoices and transaction records
• Handle refunds, disputes, and payment-related communications
• Apply seller codes and discount codes for fee waivers

3.4 Communication

• Send transactional emails (verification codes, password resets, welcome emails)
• Notify users about product approvals, rejections, and ownership transfers
• Send in-app notifications about important account activities
• Respond to contact form submissions and customer support requests
• Communicate about service updates, security alerts, and policy changes

3.5 Blockchain Operations

• Mint NFT certificates on the Polygon blockchain for approved products
• Transfer NFT ownership when products are transferred between users
• Record ownership history and transaction hashes on the blockchain
• Enable users to add NFT certificates to their cryptocurrency wallets
• Maintain immutable records of product ownership

3.6 AI and Analytics

• Use Google Gemini AI for tamper detection analysis of QR code images
• Generate explanations for tamper detection results
• Analyze usage patterns to improve service quality and user experience
• Monitor system performance and identify technical issues
• Conduct security audits and fraud detection

3.7 Legal and Compliance

• Comply with legal obligations and regulatory requirements
• Respond to legal requests, court orders, and government inquiries
• Protect our rights, property, and safety, as well as that of our users
• Enforce our Terms of Service and other agreements
• Maintain records for accounting, tax, and audit purposes

4. Data Sharing and Disclosure

We share your information only in the following circumstances:

4.1 Third-Party Service Providers

• Stripe: We use Stripe for payment processing. Stripe collects and processes payment information in accordance with their privacy policy. We only receive the last four digits of cards and payment method IDs.
• Resend: We use Resend for sending transactional emails. Resend processes email addresses and email content in accordance with their privacy policy.
• Google Gemini AI: We use Google Gemini AI for tamper detection. Product images are sent to Google for analysis in accordance with Google's privacy policy.
• Polygon Blockchain: Product ownership information, wallet addresses, and transaction hashes are recorded on the public Polygon blockchain, which is accessible to anyone.
• Google Cloud Platform (GCP): We use GCP for hosting, database storage, and Secret Manager for secure key storage in accordance with Google's privacy policy.
• Firebase App Hosting: We use Firebase App Hosting for application deployment and hosting services.

4.2 Public Blockchain Information

Important: Information stored on the Polygon blockchain is publicly visible and immutable. This includes:

• Wallet addresses associated with products
• NFT certificate IDs and token IDs
• Ownership transfer transaction hashes
• Blockchain transaction timestamps

This information cannot be deleted or modified once recorded on the blockchain. Please be aware that blockchain transactions are permanent and publicly accessible.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to:

• Comply with legal processes or government requests
• Protect our rights, property, or safety
• Protect the rights, property, or safety of our users or others
• Prevent or investigate fraud, abuse, or security threats

4.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your information.

5. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your use of our website. This section explains what cookies we use, why we use them, and how you can manage your cookie preferences.

5.1 What Are Cookies?

Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently and provide information to website owners.

5.2 Types of Cookies We Use

Essential Cookies (Always Active)

These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually set in response to actions made by you, such as:

• Authentication Cookies: NextAuth session cookies that maintain your login state and authenticate your requests. These cookies are essential for accessing your account and using authenticated features.
• Security Cookies: CSRF (Cross-Site Request Forgery) tokens and security tokens that protect against unauthorized access and malicious attacks.
• Payment Cookies: Stripe cookies necessary for processing payments and managing payment sessions securely.

Duration: Session cookies expire when you close your browser. Persistent cookies may last up to 30 days.

Examples: next-auth.session-token, next-auth.csrf-token, Stripe session cookies

Functional Cookies (Optional)

These cookies enable enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages.

• Preference Cookies: Remember your preferences, such as theme (dark/light mode), language, and sidebar state.
• User Experience Cookies: Store information about your interactions with the website to provide a more personalized experience.

Duration: Up to 1 year

Examples: sidebar_state, theme preferences, language settings

You can disable these cookies, but it may affect the functionality of the website.

Analytics Cookies (Optional - Currently Not in Use)

These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously.

• Usage Analytics: Track page views, user behavior, traffic sources, and website performance metrics.
• Performance Monitoring: Monitor website speed, error rates, and technical performance.

Duration: Up to 2 years

Note: We currently do not use analytics cookies, but we reserve the right to implement them in the future with your consent.

You can disable these cookies at any time through your cookie preferences.

5.3 Third-Party Cookies

• Stripe: Stripe may set cookies for payment processing and fraud prevention. These are essential for payment functionality.
• Google Services: If we implement Google Analytics in the future, Google may set cookies for analytics purposes (only with your consent).

5.4 Managing Your Cookie Preferences

You can manage your cookie preferences at any time by clicking the "Cookie Preferences" or "Customize" button in our cookie consent banner. You can:

• Accept only essential cookies
• Accept all cookies (essential, functional, and analytics)
• Reject optional cookies (functional and analytics)
• Customize your preferences for each cookie category

You can also manage cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of our website, including logging in and making payments.

6. Data Security and Storage

We implement industry-standard security measures to protect your information from unauthorized access, alteration, disclosure, or destruction.

6.1 Security Measures

• Encryption: All data in transit is encrypted using TLS/SSL. Sensitive data at rest is encrypted using industry-standard encryption algorithms.
• Password Security: Passwords are hashed using bcrypt before storage. We never store plain-text passwords.
• PIN Security: Owner PINs are hashed using bcrypt. Plain-text PINs are stored temporarily for user convenience but are encrypted and protected.
• Access Controls: We implement role-based access controls to limit access to sensitive information based on user roles (admin, customer, verifier).
• Secure Storage: Sensitive API keys and secrets are stored in Google Cloud Secret Manager, not in our database.
• Database Security: Our database is hosted on Google Cloud SQL with private IP connectivity and restricted access.
• Regular Security Audits: We conduct regular security audits and vulnerability assessments.

6.2 Data Storage Locations

• Primary Database: User data, product information, and transaction records are stored in Google Cloud SQL (PostgreSQL) databases located in Europe (europe-west2) or as configured.
• Blockchain: Ownership records and NFT certificates are stored on the Polygon blockchain, which is distributed and publicly accessible.
• File Storage: Product images, passport images, and invoice documents are stored securely in our cloud storage infrastructure.
• Email Services: Email communications are processed through Resend, which may store email data in accordance with their privacy policy.

6.3 Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.

• Account Information: Retained for as long as your account is active, plus 7 years for legal and tax purposes after account closure.
• Product Information: Retained indefinitely as long as products are registered in the system, as ownership records are permanent.
• Blockchain Records: Permanently stored on the Polygon blockchain and cannot be deleted.
• Transaction Records: Retained for 7 years for accounting and tax compliance purposes.
• Identity Verification Documents: Retained for the duration required by law (typically 5-7 years) and then securely deleted.
• Usage Logs: Retained for 2 years for security and fraud prevention purposes.
• Job Applications: Retained for 1 year after the application date, or as required by employment law.

6.4 Data Deletion

You can request deletion of your account and personal information by contacting us. However, please note that:

• Blockchain records cannot be deleted as they are immutable and publicly accessible.
• Transaction records may be retained for legal and tax compliance purposes even after account deletion.
• Some information may be retained in backup systems for a limited period before permanent deletion.
• We may retain certain information if required by law or to protect our legal rights.

7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information. We are committed to honoring these rights.

7.1 Access Rights

You have the right to access and obtain a copy of your personal information that we hold. You can access much of this information through your account dashboard.

7.2 Correction Rights

You have the right to correct inaccurate or incomplete information. You can update most of your information through your account settings.

7.3 Deletion Rights

You have the right to request deletion of your personal information, subject to legal and contractual obligations. Please contact us to request account deletion.

7.4 Data Portability

You have the right to receive your personal information in a structured, commonly used, and machine-readable format. You can export your product data and transaction history through your account.

7.5 Objection and Restriction Rights

You have the right to object to processing of your personal information or request restriction of processing in certain circumstances.

7.6 Withdraw Consent

You have the right to withdraw your consent for optional cookies and data processing at any time. You can manage your cookie preferences through our cookie consent banner.

7.7 Opt-Out of Marketing

You can opt-out of marketing communications by clicking the unsubscribe link in our emails or by contacting us directly.

7.8 Exercising Your Rights

To exercise any of these rights, please contact us through our contact form or email us at the address provided in Section 10. We will respond to your request within 30 days.

8. International Data Transfers

Ownership Tag LTD is registered in England & Wales with company number 16624945. Our services are hosted and operated in the European Union (EU), specifically in the Google Cloud Platform region of Europe (europe-west2). However, some of our third-party service providers may process your information in other countries.

• Stripe: Payment processing may involve data transfers to Stripe's servers, which may be located in the United States or other countries. Stripe complies with international data protection standards.
• Google Services: Google Gemini AI and Google Cloud Platform services may process data in various locations worldwide. Google complies with international data protection standards.
• Resend: Email services may involve data transfers to Resend's servers, which may be located in various countries. Resend complies with international data protection standards.
• Polygon Blockchain: Blockchain data is distributed globally and publicly accessible from any location.

We ensure that all international data transfers comply with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant regulations.

9. Children's Privacy

Our services are not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us immediately, and we will take steps to delete such information.

10. Changes to This Policy

We may update this Cookie & Data Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending you an email notification if the changes are significant
• Displaying a notice on our website for a reasonable period

We encourage you to review this policy periodically to stay informed about how we collect, use, and protect your information.

11. Contact Us

If you have any questions, concerns, or requests regarding this Cookie & Data Policy or our data practices, please contact us:

• Email: Through our contact form on our website
• Website: www.ownershiptag.com
• Support: Available through your account dashboard

We are committed to addressing your concerns and will respond to your inquiries within a reasonable timeframe.