Last update: August 30th, 2024
This privacy notice informs you about how Scantrust collects, uses, and protects your personal data when you visit our website or make use of our solutions. We are committed to respecting your privacy and adhering to our obligations under the General Data Protection Regulation (GDPR).
1. Who we are
Scantrust is a provider of cloud-based connected packaging solutions for anti-counterfeiting, EU digital wine labels, supply chain traceability, enterprise QR codes and digital product passports. We prioritise personal data protection and are committed to maintaining adequate standards of privacy and security.
In this privacy notice, we outline how we collect, use, and safeguard your personal data when you interact with our website or make use of our solutions. We recognise the importance of transparency and trust in our relationship with you, and we are committed to ensuring that your personal data is handled responsibly and in accordance with applicable data protection laws and regulations.
The data controller responsible for your personal data is:
Scantrust S.A. [“we”, “us”, “our”]
EPFL Innovation Park, PSE-D
CH-1015 LAUSANNE
Switzerland
2. Scope of the privacy notice
This privacy notice applies to the following categories of people:
- Website visitors
- Staff of our customers
- End users of our solutions
- Staff of our partners
- Staff of our suppliers
- Newsletter subscribers
- Job applicants
- Participants of our trainings and webinars
- Investors
- Leads
This notice does not apply to employees of Scantrust.
3. How we use your personal data
We use your personal data for the following purposes:
Processing activity | General description of purposes | Lawful basis | Categories of data | Retention period |
---|---|---|---|---|
Website, analytics & marketing | ||||
Website analytics | We analyse website traffic to determine how visitors use our site and in what ways we can improve. | Legitimate interest
Article 6(1)(f) of the GDPR |
|
1 day |
Use of cookies | We make use of cookies and other tracking technologies to ensure that our website functions properly, remember user preferences, maintain sessions and track user behaviour across different sites. | Consent
Article 6(1)(a) of the GDPR We rely on your consent for the use of non-essential cookies. Legitimate interest Article 6(1)(f) of the GDPR When we make use of essential cookies, we rely on our legitimate interest to ensure that the website functions properly |
|
See section 4 for the retention period of the various cookies used |
Receiving requests through website forms | Website forms allow us to receive and respond to demo requests from potential customers | Consent
Article 6(1)(a) of the GDPR By filling out the website form and checking the consent box, you give us the permission to use the information you have provided in the form to handle your request, set up a demo account for your organisation and contact you to facilitate your request. |
|
Until deletion is requested |
Organising events and webinars | We sometimes organise events and host webinars to create brand awareness, to discuss product updates and latest industry topics | Legitimate interest
Article 6(1)(f) of the GDPR We host webinars in our legitimate interest to promote our brand and inform about our products and services |
|
Until deletion is requested |
Registering for an event or webinar | You may sign up to attend an event or webinar that we have organised | Consent
Article 6(1)(a) of the GDPR In order to sign you up for a webinar, we rely on your consent to provide the required information. We also request that you give additional optional consent to be invited in the future to similar events or webinars |
|
2 years |
Managing the Scantrust social media accounts (LinkedIn, Instagram and X) | We operate an account on the stated social platforms to maintain a credible social and professional presence. When you engage with us on these platforms, we can see the details you have made available on your social profile. | Legitimate interest
Article 6(1)(f) of the GDPR |
|
n/a as we do not process this information further |
Sharing customer reviews | Our customers often find our products satisfactory. When they do, we sometimes request a review from them. We share the reviews of satisfied customers to increase positive brand perception. | Consent
Article 6(1)(a) of the GDPR |
|
Direct identifiers are retained until the end of the customer relationship. The reviews and case studies themselves remain on our website..0 |
Product and server security | ||||
Securing the Scantrust platform | We are interested in ensuring that the Scantrust platform is a safe and secure environment for our customers. | Legitimate interest
Article 6(1)(f) of the GDPR We do this in our legitimate interest to ensure the security of the Scantrust platform and prevent system attack and abuse. |
|
100 days |
Maintaining server logs | We store certain information in log files to prevent system attack and for fraud / abuse prevention, incident management, forensics and error investigation. | Legitimate interest
Article 6(1)(f) of the GDPR We maintain logs in our legitimate interest to secure our software environment and infrastructure. |
|
100 days |
Maintaining scan logs | In order to provide our service to our customers and ensure that our products work correctly i.e QR codes display properly, we process technical information of devices constituting the scan log. | Performance of a contract
Article 6(1)(b) of the GDPR We maintain scan logs to ensure the correct functioning of our products and generally fulfil the contract that our customers and end users have with us. |
|
100 days |
Acquiring statistical data | We derive aggregate information on usage based on log files to gain insight into product usage and for product improvement | Legitimate interest
Article 6(1)(f) of the GDPR We acquire statistical data in our interest to derive aggregate information on usage and continuously improve our products |
|
100 days |
Granting access to our staging environment | We sometimes allow customers access to the Scantrust staging environment. We do this to enable them to experience a mirror implementation of how the platform functions. | Performance of a contract
Article 6(1)(b) of the GDPR Access to our staging environment occurs in line with the agreement entered into with customers or as a pre-contractual step towards concluding a contract with potential customers. |
|
Until the end of the customer relationship |
Receiving suspected counterfeiting reports | This allows us to receive user-initiated suspected counterfeit reports and communicate the same to our customers. | Performance of a contract
Article 6(1)(b) of the GDPR As part of our service contract with customers, we are obliged to enable this function within our products and communicate counterfeit reports to customers. |
|
Counterfeit reports are maintained as long as, and until the end of the customer relationship |
Product verification on the Scantrust Apps (public and enterprise) | When you scan a QR code, we process technical information to authenticate and verify the codes and to detect counterfeits | Performance of a contract
Article 6(1)(b) of the GDPR As part of our service contract with customers and the individuals who use the Scantrust App, we are obliged to enable this function for product verification. |
|
100 days |
Logging in to the Scantrust enterprise App | Customers who make use of the Scantrust platform are able to also use the Scantrust enterprise App on the go. We require login credentials to secure customers’ enterprise accounts. | Performance of a contract
Article 6(1)(b) of the GDPR We are obliged to secure enterprise accounts of our customers from unlawful and unauthorised access even when accessed from the Scantrust enterprise App |
|
Until the end of the customer relationship |
Project management | ||||
Setting up customer accounts | When we enter into a contract with our customers, we enable the set up of their account on the Scantrust platform for the efficient use of the service | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the customer contract. |
|
Until the end of the customer relationship |
Scheduling and hosting meetings with customers | We sometimes organise meetings with customers to understand their unique needs, their use of the platform as well as the project scope. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in order to be able to understand customer needs and fulfil the terms of the customer contract. |
|
Until the end of the customer relationship |
Training customers on the use of the Scantrust platform | We train customers on the use of the Scantrust platform to help customers get started and harness the full capacities of the platform | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the customer contract. |
|
Until the end of the customer relationship |
Collaborating with printing partners | This collaboration is aimed at enabling customers and their printing partners’ systems to integrate with the Scantrust platform. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the customer contract. |
|
Until the end of the customer relationship |
Training printing partners | We train printing partners to ensure that they are able to correctly obtain, download and print QR codes from the Scantrust platform. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the customer contract to ensure seamless printing of customer QR codes. |
|
Until the end of the customer relationship |
Managing customer projects until the platform is live | We manage customer projects to support our customers, especially in the staging environment, until they are ready to go live on the Scantrust platform. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the customer contract. |
|
Until the end of the customer relationship |
Finance, Accounting and Reporting | ||||
Paying invoices | We settle invoices in order to pay vendors for the service supplied and fulfil the terms of the service agreement. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the supplier contract. |
|
As long as the supplier contract exists / 10 years thereafter |
Authorising / keeping track of new customers | We approve new customers to keep track of our customer list and track payments due from them. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the customer contract. |
|
As long as the customer contract exists / 10 years thereafter |
Authorising / keeping track of new suppliers | We approve new suppliers to keep track of our supplier list and track payments due to them. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the supplier contract. |
|
As long as the customer contract exists / 10 years thereafter |
Purchasing stock | We make stock purchases to acquire the necessary stock for company use. | Performance of a contract
Article 6(1)(b) of the GDPR This is done in line with the terms of the supplier contract. |
|
10 years |
Fundraising | As a startup, we sometimes organise events to raise funds for operations from investors. | Legitimate interest
Article 6(1)(f) of the GDPR We conduct fundraising campaigns to attract and secure investment funding from investors in our interest to continue operating as a trusted anti-counterfeiting software provider. |
|
As long as the investment continues |
Reporting | We present financial results to stakeholders such as investors and Board members. | Legitimate interest
Article 6(1)(f) of the GDPR We present financial results in our legitimate interest to ensure transparency and foster trust from stakeholders. |
|
10 years |
Financial reporting and annual auditing | We provide periodic reports on the company’s liquidity and capital status to comply with the law and carry out audits. | Legal obligation
Article 6(1)(C) of the GDPR We conduct audits and provide period reports to comply with Article 725 of the Swiss Code of Obligations |
|
10 years |
Sales | ||||
Collecting contact information at trade shows | We attend or organise trade shows where we collect contact information of potential customers to follow-up with them in the future. | Legitimate interest
Article 6(1)(f) of the GDPR We do this in our legitimate interest to increase brand awareness and potentially meet new customers. |
|
Until the recipient unsubscribes |
Communicating with leads and managing contact details of leads interested in Scantrust products | We manage the contact details of leads to be able to contact them for follow up discussions, understand their needs and expectations in relation to our products | Legitimate interest
Article 6(1)(f) of the GDPR We do this in our legitimate interest to convert leads to customers and keep operations ongoing |
|
Until opt-out |
Managing lead lifecycle | We do this to categorise and manage leads progression through the sales pipeline e.g Sales qualified lead, Sales qualified lead with meeting occurred, Opportunity. | Legitimate interest
Article 6(1)(f) of the GDPR We do this in our legitimate interest to measure sale strategy success and convert leads to customers |
|
Deleted immediately the lead opts out or 3 years, whichever is earlier. |
Onboarding customers | We support in customer onboarding to enable customers register to the e-label product | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the customer contract ends |
|
|
Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the customer contract ends |
Offboarding customers | We offboard customers to terminate their subscription based on request or in accordance with clause 7C of the e-label Terms of Service. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the customer contract ends and the offboarding process is complete |
Negotiating, contracting and closing deals with customers | We do this to negotiate, enter into contracts and close deals with leads, converting them to customers. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the customer contract ends |
Managing customer relationships | We manage customer relationships to ensure customer satisfaction and efficient management of customer lifecycle. | Legitimate interest
Article 6(1)(f) of the GDPR The interest pursued is customer satisfaction. |
|
Until the customer contract ends |
Managing referral programs | This enables Scantrust to offer to partners, 10% of the revenue generated by partner referrals | Performance of a contract
Article 6(1)(b) of the GDPR |
|
As long as the referral agreement is valid |
Offering and enabling the use of discount codes for e-labels | By enabling the use of discount codes, we are able to honour coupon codes issued to partners and customers aimed at increasing sales and boosting profit margin. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
As long as the referral agreement is valid |
Conducting email campaigns | We conduct email campaign to drive brand awareness for our wine label solution | Legitimate interest
Article 6(1)(f) of the GDPR The interest pursued is increased brand awareness and lead-to-customer conversion |
|
Until email recipient opts out / unsubscribes |
Sending invitations to prospects to register for webinars and the free u-label version | Scantrust invites potential customers to webinars to discuss anti-counterfeiting solutions, drive brand awareness and increase sales. | Legitimate interest
Article 6(1)(f) of the GDPR The interest pursued is increased brand awareness and lead-to-customer conversion |
|
Until the recipient requests deletion |
Recruitment | ||||
Receiving job applications and conducting interviews | As job positions become vacant, we advertise them and receive applications from candidates to fill the vacant positions based on our assessment of their skills and qualification during interviews | Performance of a contract
Article 6(1)(b) of the GDPR Reviewing CVs and conducting interviews are pre-contractual steps necessary to conclude an employment contract with the successful candidate. |
|
Applications of unsuccessful candidates are deleted immediately after the end of the recruitment exercise. |
Retaining applicant data from speculative applications | We sometimes receive speculative applications from job applicants. If an applicant permits, we will retain this application to be able to contact the applicant when a suitable job position becomes vacant. | Consent
Article 6(1)(a) of the GDPR |
|
3 months |
Conducting background checks | Scantrust conducts background checks on the successful candidate to verify records and information provided. | Legitimate interest
Article 6(1)(f) of the GDPR As an anti-counterfeiting business, we conduct background checks in our interest to ensure that our employees have the minimum clearance level for the job and to ensure that referrals, qualifications and certificates are authentic. |
|
Until the end of the employment |
Support | ||||
Receiving and responding to support requests from customers | We receive and respond to support requests to ensure that our customers receive the help they request and are able to continue seamless use of Scantrust products. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the end of the customer relationship |
Meeting with customers | In some cases, we schedule meetings with customers to discuss their support request in more detail and the solutions either via telephone or video conferencing. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the end of the customer relationship |
Analysing customer success | This is to ensure that customers achieve their desired goals with Scantrust products | Legitimate interest
Article 6(1)(f) of the GDPR Ensuring customer success and satisfaction is in our interest to remain the leading provider of anti-counterfeiting software with high customer success rate |
|
Until the end of the customer relationship |
Requesting customer feedback / review | We want to let people know how effective our products are. This is why we request feedback and review from our customers. | Legitimate interest
Article 6(1)(f) of the GDPR Customer feedback is one of the ways through which we improve and increase brand awareness by sharing positive reviews. |
|
Until the end of the customer relationship |
Applying product discount for case studies | We incentivise our customers to provide case studies to understand in detail, how our products have helped customers achieve their objectives and determine areas of improvement. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the end of the customer relationship |
Customer onboarding and training | We onboard and train customers to enable them make effective use of Scantrust products. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the end of the customer relationship |
Receiving and sharing counterfeit reports | We enable end users to share counterfeit reports within our products as part of the terms of our service. This helps customers investigate and potentially take action against counterfeits. It also helps to keep the end user safe. | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the end of the customer relationship |
Applying partnership discount to customers | Scantrust offers partnership discounts to subscription customers | Performance of a contract
Article 6(1)(b) of the GDPR |
|
Until the end of the customer relationship |
Where required, Scantrust will retain your details for a period of time to comply with a legal obligation, Article 6(1)(c) of the GDPR. For instance, when you opt out of emails about product updates and features, we process information necessary to implement your choice and ensure that we never contact you again to ensure compliance with Article 7(1) of the GDPR. Please note that if your information is processed for a different purpose, for instance, when a valid customer contract exists, we may contact you in the course of the normal customer relationship such as customer support and training.
4. Cookies and tracking technologies
Scantrust collects website and platform usage data to analyse how end users and customers use our products. We also analyse usage data to identify what areas of our website and products need improvement. We collect anonymous statistical data about the use of this website to optimise our online presence as well as for marketing and sales purposes. The data is collected on servers operated by AWS within Europe (Ireland) Region.
We make use of cookies and other tracking technologies to gain insight into usage patterns. The table below highlights the cookies and trackers we make use of on our website and across our products
Cookie or tracker name | Presence | Provider | Type | Categorisation | Duration |
---|---|---|---|---|---|
Player | Website | Video Vimeo | Session | Functional | 1 year |
vuid | Website | Video Vimeo | Session | Functional | 2 years |
__hs_gpc_banner_dismiss | Website | Hubspot | Persistent | Analytics | 6 months |
__hssc | Website | Hubspot | Session | Analytics | 30 minutes |
__hssrc | Website | Hubspot | Session | Analytics | deleted immediately after the session |
__hstc | Website | Hubspot | Persistent | Analytics | 2 years |
hubspotutk | Website | Hubspot | Persistent | Analytics | 2 years |
messagesUtk | Website | Hubspot | Persistent | Analytics | 2 years |
Firebase | Mobile App | Persistent | Functional | Until device cache is cleared i.e as long as the tracker is retained on the device | |
Amplitude | Mobile App | Amplitude | Persistent | Analytics | Until device cache is cleared i.e as long as the tracker is retained on the device |
Google Analytics | Platform | Persistent | Analytics | Until device cache is cleared i.e as long as the tracker is retained on the device | |
Plausible | Platform | Plausible | Persistent | Analytics | Until device cache is cleared i.e as long as the tracker is retained on the device |
5. Data recipients and international data transfer
We make use of third-party service providers in delivering some of our services or to fulfil our legal obligations for legal and tax purposes. Where service providers are located outside the EU, we will ensure to implement appropriate transfer safeguards as approved under the GDPR such as the use of standard contractual clauses or the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework.
We make use of the following services:
- Docusign
- Slack
- Zoom
- Apollo
- H3 Solutions
- Senders (Kuyozo)
- Twilio
- Zendesk
- Hubspot
- Adobe Creative
- Browser stack
- Clay
- Vimeo
- F-secure
- Iubenda
- Genesis cloud
- AliCloud
- Apple Developer
- Amazon Web Services
- Circle CI
- Cloudflare
- DataDog
- Digital Ocean
- Ghost Inspector
- GUROCK.COM DEV TOOLS
- IcCube
- JetBrains
- ELCA security
- Lucid Chart
- MaxMind
- Pusher
- Paddle.net
- Pushy Pro
- OVH
- Redshift
- Sentry
- Tableau
- TYPEFORM S.L
- WorkOS
- WORLD-TEXT.COM
- Zapier.com
- Zeplin
When you interact with our products, contact us for support, make an inquiry or apply to an open position within our organisation, your personal data may be transferred to, and processed in, countries outside of the EU by our third-party service or providers or other Scantrust entities as listed below:
- Scantrust B.V
Kingsfordweg 151, 1043 GR
Amsterdam, The Netherlands - Scantrust China Limited
Changle Lu Lane 672, No.33,
Renmei building, Room 201,
JingAn district, Shanghai, China
上海市静安区长乐路672弄33号人美楼201室 - Scantrust Limited
Room 602, Chung Wai Commercial Building, 447-449 Lockhart Road,
Causeway Bay, Hong Kong
These transfers are conducted in compliance with the GDPR. We take measures to safeguard your data by implementing appropriate safeguards, such as:
- Transferring data only to countries on the adequacy decision list approved by the European Commission or
- Entering into standard contractual clauses approved by the European Commission with the recipient of data
6. Security measures (technical and organisational)
At Scantrust, we implement technical and organisational measures to safeguard personal data.
We utilise advanced encryption technologies to protect data both in transit and at rest. All devices are equipped with 0S-encrypted drives, including all RDS databases. Load balancers only allow API and web traffic over HTTPS encrypted with TLA1.2 above. Access control measures prevent unauthorised access to data processing facilities, information systems. We are committed to maintaining the integrity and confidentiality of your personal data, employing industry best practices to provide a secure environment for the processing and storage of your data.
In addition, our employees undergo security training during onboarding and commit to a non-disclosure agreement, thereby ensuring the confidentiality of information. Our employees receive password protected devices and make use of 2-factor authentication for separate levels of user identification. Access logs are maintained and the databases are restricted to only those employees with the required clearance level to access them. An industry-standard level of protection is implemented to prevent the copying, alteration, removal or data manipulation of information, thereby ensuring information integrity. We also implement separation control which keeps user database separate from the scan data.
We inherit some security measures from service providers such as transfer and input control to query logs using Cloudwatch Log Insights, availability control to prevent accidental data destruction and make backup copies available and performance monitoring to detect errors.
All employees of Scantrust are bound by strict internal policies to ensure efficient data protection management and organisational control e.g. Scantrust security policy.
7. Automated individual decision making
Scantrust does not make use of automated decision making in contexts that produce a legal consequence or considerable adverse effect on data subjects.
8. Links to other websites
This website may contain links to external websites. Scantrust is not responsible for the privacy practices or the content of those websites. We therefore recommend that you familiarise yourself with privacy practices of these organisations by reading their privacy notices.
9. Data subject rights available to you
The following rights are available to you as provided under the GDPR:
- The right of access
You have the right to obtain information about what data we process about you, the purpose(s) of the processing, the recipients of the data and the duration of storage.
- The right to rectification
You have the right to request the rectification of inaccurate data or incomplete data.
- The right to erasure
You have the right to request deletion of your data where:
- Data is no longer necessary
- You have objected to the processing under our legitimate interests and no convincing evidence was provided that these interests override your freedoms and liberties
- The processing takes place unlawfully
- The right to restriction
You have the right to request that your data is restricted for further processing in the following cases:
- You contest the accuracy of the data;
- You believe the processing is unlawful;
- You believe your data is no longer needed in relation to the purpose of its collection.
- The right to portability
You have the right to receive the personal data we process about you in a structured, commonly used, machine-readable format, and to request the direct transmission of that data to another organisation of your choice.
- The right to object
You have the right to object to processing carried out in our legitimate interest. Processing will be ceased until we have been able to demonstrate compelling legitimate grounds overriding your rights and freedoms.
- The right to lodge a complaint with a supervisory authority
You have the right to contact a data protection authority of your choice and formulate a complaint. We kindly request that you contact us first to mutually find a solution in case of any concerns.
10. Responsible Disclosure Policy
We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
- E-mail your findings to dpo@scantrust.com.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data;
- Do not reveal the problem to others until it has been resolved;
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties; and
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date;
- If you have followed the instructions above, we will not take any legal action against you in regard to the report;
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission;
- We will keep you informed of the progress towards resolving the problem;
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
11. Data Protection Officer (DPO) contact
Our Data protection Officer appointed by Scantrust B.V. in the Netherlands monitors and oversees data protection compliance in all Scantrust entities. We encourage you to contact us at DPO@scantrust.com to exercise your data subject rights or if you have any privacy related concerns. If you are not satisfied with the way that we have handled your request, you have the right to lodge a complaint with the supervisory authority.
The details of the responsible supervisory authority in Switzerland are:
The Dutch Personal Data Authority
Hoge Nieuwstraat 8
2514 EL The Hague
(+31) – (0)88 – 1805 250
https://autoriteitpersoonsgegevens.nl/
Postal address
PO Box 93374
2509 AJ The Hague
12. Changes to this privacy notice
This privacy notice may be modified at any time to keep up with changing regulations and changes within Scantrust. The date of the last update is visible at the top of this page. Each visit or interaction with our products will be subject to the latest version of our privacy notice. We encourage you to regularly review our privacy notice to stay informed about our data protection practices.