Privacy policy

Effective date: 2025-10-09
Updated on: 2025-10-09

1. Introduction

Legitag (hereinafter “we,” “our,” or “Legitag”) attaches particular importance to the protection of personal data and to respecting the privacy of its users, clients, and partners.

This policy describes how we collect, use, store, and protect personal data in the context of using our traceability solutions, smart labels, and associated services.

Legitag acts as a data processor within the meaning of Article 28 of the General Data Protection Regulation (GDPR), on behalf of its business clients, who remain the data controllers.

2. Legitag’s Role as Processor

Responsibilities and Contractual Framework

Legitag never acts autonomously on personal data processed through its platform.

All processing operations are carried out solely on the documented instructions of the professional client, in accordance with the data processing agreement signed between the parties.

The client retains full responsibility for:

- Determining the purposes and means of the processing;
- Obtaining consent from data subjects when required;
- Communicating with end users (notifications, emails, etc.);
- And overall GDPR compliance as the data controller.

Legitag, for its part, ensures:

- Security, confidentiality, and traceability of operations;
- Compliance with the processor’s obligations set out in Article 28 of the GDPR;
- And cooperation with the client to facilitate the exercise of data subjects’ rights.

3. Data Collected

In accordance with the data minimization principle (Article 5.1.c of the GDPR), Legitag only collects information strictly necessary for the provision of its services.

Data may include:

- Email address, name, and technical identifiers of administrators designated by the client;
- Product identifiers (tags, chips, QR codes, etc.) and metadata related to items registered on the platform;
- Technical data (IP address, access logs) for security and auditing purposes.

No sensitive data as defined in Article 9 of the GDPR is collected.

4. Purpose of Processing

Personal data processed by Legitag is used solely to:

- Allow authorized users to access the platform;
- Ensure tracking, certification, and management of registered products or batches;
- Guarantee the integrity and traceability of performed operations;
- Provide technical support and service monitoring for the client.

Data is never used for other purposes, including commercial, advertising, or analytical ones, without the client’s consent.

5. Mailing and Communication

Legitag does not send marketing or direct communication emails to end users.

All communications (notifications, informational emails, promotional messages, etc.) are sent exclusively by the partner brand or professional client, acting as the data controller.

Such communications are managed through the client’s own tools, outside of Legitag’s operational responsibility.

Legitag may only securely transmit the necessary information (e.g., email addresses or access tokens) to enable the client to carry out campaigns under GDPR-compliant conditions.

6. Legal Basis

Processing operations carried out by Legitag are based on:

- The performance of a service contract between Legitag and the professional client (Article 6.1.b GDPR); or
- For certain optional operations, on consent obtained by the client (Article 6.1.a).

7. Data Retention

Data is retained for the duration of the contract and then deleted or anonymized within a maximum of 90 days after termination, unless otherwise required by law.

Product traceability data may be archived for a longer period at the client’s request, particularly for regulatory compliance or evidentiary purposes.

8. Recipients and Transfers

Data is not shared with any unauthorized third parties.

It is hosted on secure servers located within the European Union.

No transfer outside the EU is carried out without the client’s written consent and without the implementation of safeguards provided for under the GDPR (standard contractual clauses, etc.).

9. Data Security

Legitag implements robust technical and organizational measures, including:

- Full encryption of data exchanges (TLS/HTTPS);
- Multi-factor authentication (MFA/OTP);
- Segregation of internal access and operation logging;
- Continuous monitoring and encrypted backups.

10. Cookies and Similar Technologies

The Legitag website uses only strictly necessary cookies for its technical operation and session management.

No advertising, analytics, or third-party tracking cookies are activated without explicit consent.

Maximum duration: 90 days.

11. Data Subject Rights

In accordance with Articles 15 to 22 of the GDPR, data subjects have the following rights:

- Right of access, rectification, and erasure;
- Right to restrict or object to processing;
- Right to data portability;
- Right to withdraw consent at any time.

Requests must be addressed to the data controller (the partner brand or client).

Legitag will cooperate with the controller to ensure the effective exercise of these rights.

12. Complaints

In case of a complaint, users may:

- Contact their brand or the company responsible for processing; or
- If their rights are not respected, file a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés).

13. Policy Changes

Legitag may update this policy to ensure compliance with the GDPR and its contractual obligations.

Any significant updates will be notified to professional clients.

14. Contact

Legitag

Email: contact@legitag.fr

Website: https://legitag.fr/contact

Data Protection & Compliance Officer: Data Protection Officer (DPO) – Legitag