TracePass
Get started

Terms of Service

Last updated: May 10, 2026

1. About These Terms

These Terms of Service ("Terms") govern your use of the TracePass website (tracepass.eu), the application portal at app.tracepass.eu, the public passport resolver, and the REST API. By accessing or using any of these surfaces, you agree to these Terms.

The legal entity is TracePass LTD (Bulgarian UIC 208790302), registered at Shtrossmayer Street, 1309 Sofia, Bulgaria, EU.

2. Service Status

TracePass is a live, production service. Paid plans are available and billed through Stripe. Key points:

  • The Free, Basic, Starter, Growth, Scale, Pro, and Enterprise plans defined on the pricing page are all available for self-serve sign-up (Enterprise via contact)
  • Pricing changes. Pricing is the public list price at the time of subscription. TracePass reserves the right to change pricing — including plan fees, included quotas (e.g. passport allowances, EPCIS event allowances), and overage rates — for future billing periods. Any price increase, quota reduction, or overage-rate increase affecting an active paid subscription is notified by email to the workspace owner at least 30 days before it takes effect. The notice email states the change, the effective date, and the customer's options (continue at the new price, downgrade, or cancel before the effective date). Price decreases, quota increases, and new lower-cost plans may take effect immediately and require no notice.
  • Feature descriptions represent current platform behaviour at the time of publication; the changelog at /regulatory/changelog records material changes that affect compliance scope
  • Compliance claims describe how TracePass models EU regulation today; they are design statements, not certifications or guarantees

3. Account Registration

To use the platform you create an account at app.tracepass.eu. By registering you:

  • Confirm you are entitled to bind the legal entity you register on behalf of and that the information you provide is accurate
  • Agree to receive transactional email related to your account (billing, plan-limit warnings, security notices, regulatory-changelog digests). Marketing email is opt-in and unsubscribable separately
  • Become responsible for the security of your credentials and for activity carried out under your account, including by team members and API keys you issue

The Free plan is available without payment details and creates real, public passports up to the plan's allowance. There is no time limit on the Free plan.

4. Intellectual Property

All content on this website — including text, graphics, logos, icons, and software — is the property of TracePass or its licensors and is protected by applicable intellectual property laws.

You may not reproduce, distribute, modify, or create derivative works from our content without prior written permission.

5. Disclaimer of Warranties

This website and its content are provided "as is" and "as available" without warranties of any kind, either express or implied.

In particular:

  • We do not warrant that the information on this website is complete, accurate, or current
  • Regulatory information is provided for informational purposes only and does not constitute legal advice
  • References to EU regulations (ESPR, Battery Regulation 2023/1542, etc.) are based on publicly available sources and may not reflect the latest amendments
  • Compliance claims describe our design intent — TracePass does not guarantee regulatory compliance of generated passports

6. Customer Responsibility for Passport Data

TracePass is a software platform for producing Digital Product Passports. The data inside your passports is yours, and its accuracy, lawfulness, and regulatory truthfulness are your responsibility — not ours.

By using TracePass to publish Digital Product Passports you agree that:

  • You own the data. You are solely responsible for the accuracy, completeness, lawfulness, and regulatory compliance of every value in every passport you publish through your account — material composition, carbon footprint, test-report references, supplier information, recycled-content percentages, safety claims, and anything else that appears on a published passport page.
  • TracePass is a platform, not a data source. Passport data originates from you, from documents you upload, or from suppliers you invite via our portal. We read, structure, and display that data. We do not fact-check it.
  • AI suggestions are suggestions. AI-extracted field values shown in your review queue are proposals with confidence scores. Every proposal requires your explicit review and approval before it appears on a published passport. We make no representation and give no warranty as to the factual correctness of any AI-extracted value.
  • Economic-operator status remains with you. For EU regulatory purposes — including but not limited to the Ecodesign for Sustainable Products Regulation (EU 2024/1781), Battery Regulation (EU 2023/1542), Packaging and Packaging Waste Regulation (EU 2025/40), Construction Products Regulation (EU 2024/3110), Toy Safety Directive, and REACH — you remain the economic operator (manufacturer, importer, distributor, or authorised representative as applicable) responsible for the truthfulness of every declaration in the passport. TracePass is not your compliance officer and does not audit your claims against the physical product, laboratory test results, or supplier attestations.
  • Indemnification. You agree to indemnify, defend, and hold harmless TracePass and its personnel from and against any third-party claim, regulatory investigation, enforcement action, fine, penalty, damages, legal fees, or loss arising out of or connected to inaccurate, misleading, incomplete, or unlawful data published through your account.

7. Limitation of Liability

To the maximum extent permitted by applicable law, TracePass shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of or inability to use this website.

This includes, but is not limited to, damages for loss of profits, data, or business opportunities, even if we have been advised of the possibility of such damages.

8. Third-Party Links

This website may contain links to third-party websites. We are not responsible for the content, privacy practices, or terms of any third-party sites.

9. Changes to These Terms

We reserve the right to modify these Terms at any time. Material changes are notified to active subscribers by email at least 30 days before they take effect; non-material changes are posted on this page with an updated date. Continued use of the platform after changes take effect constitutes acceptance of the new Terms.

10. Billing & Subscriptions (Paid Plans)

The following apply to all paid plans, in addition to the pricing and plan terms published on the pricing page:

  • Voluntary cancellation. After you cancel a paid subscription, your published Digital Product Passports remain publicly resolvable via QR code and Digital Link for 30 days at no additional charge. During this 30-day grace window, QR codes printed on physical products continue to resolve to the passport. If you operated on a custom domain (every paid plan), the grace window is the time to re-point your DNS record to a successor vendor's resolver — the URL on the printed QR is yours forever because the domain is yours. After the 30 days, shared-domain URLs return an "expired" notice and TracePass stops serving the custom domain. Reactivating before the grace period ends restores full access automatically.
  • Failed payment (past due). If a recurring charge fails and is not resolved, the account enters a "past due" state. During past due, creating new passports, running AI data processing, and sending new supplier requests are paused; published passports stay publicly accessible. If the account remains past due for 14 days, the same 30-day grace window starts — after which passports stop resolving publicly. Settling the outstanding invoice at any point before the grace window ends lifts all restrictions automatically.
  • Data export & portability. Your passport data is yours, exported at no additional charge. Every plan (Free included) includes CSV and JSON-LD export from the dashboard and REST API access for programmatic export — the API's daily call cap applies only to Free (100/day) and Basic (200/day) as free-tier abuse prevention — Starter and above are unlimited. Scale plan and above additionally include downloadable compliance PDF reports. Every field carries full audit trail (who entered it, when, from which source document) and provenance is preserved in export. Data is never deleted on cancellation — resubscribing at any time restores full access. The GS1 Digital Link URL is portable on every paid plan via the custom-domain resolver: you control the URL through your own DNS, and the URL on the printed QR survives any vendor switch.
  • Archived passports. Passports you mark as archived in the dashboard stop resolving publicly immediately. Regulators holding an authority-level access token retain read access for compliance purposes; your own data is not deleted.
  • Data portability. Field data entered into TracePass remains yours. Export via the dashboard or the external API is available to paying plans. Cancellation does not destroy your data — it stops public hosting of passports after the grace windows above.
  • Plan changes. Upgrades apply immediately with prorated charges. Downgrades that reduce the passport cap may trigger an overage charge on the remaining passports at the new plan's per-DPP rate; you are warned before confirming the change.

11. Service-Level Commitments

For all paid plans, TracePass commits to two distinct service-level targets, measured monthly:

  • Application portal availability — 99.9%, excluding scheduled maintenance announced at least 48 hours in advance. The application portal is the dashboard surface where customers and their teams operate (passport creation, editing, supplier management, billing).
  • Public resolver availability — 99.95%. The public resolver is the surface that authority systems and consumers hit when scanning a QR code; we hold it to a higher target because, from a regulatory standpoint, a passport that does not resolve is a passport that does not exist.

Outage credits apply per surface independently. A portal-only outage does not require a resolver outage to trigger portal credits, and vice versa. Service-level targets do not apply to the Free plan.

12. Data Processing Roles

For all customer product data processed through the platform, the customer is the data controller as defined in Article 4(7) of the General Data Protection Regulation (GDPR); TracePass is the data processor acting on the customer's documented instructions.

A standard processor Data Processing Agreement (DPA) is available on request before customer data flows to the platform. The DPA codifies sub-processor disclosure (Article 28 advance notification), breach notification (72 hours from confirmed incident), and the data-deletion process at end of term.

Most fields inside Digital Product Passports are product data, not personal data, and fall outside GDPR scope. GDPR risk concentrates in the analytics surface where consumer scan events may carry IP addresses or user-agent strings — those events are governed by the DPA and the privacy notice.

13. Source Code Escrow

Enterprise customers may opt into a source code escrow arrangement with an independent third-party escrow agent at no additional cost. A tagged copy of the TracePass application source code is deposited and updated on a recurring cadence agreed in the escrow agreement.

Release triggers — typically vendor insolvency, sustained material breach uncured beyond a defined window, or sustained outage beyond an agreed threshold — are codified in the escrow agreement, not in these Terms. Source code escrow is not included in Free, Basic, Starter, Growth, Scale, or Pro plans; it is negotiated as part of the Enterprise contract.

14. Governing Law

These Terms are governed by and construed in accordance with the laws of the Republic of Bulgaria and applicable EU law. Any disputes shall be subject to the exclusive jurisdiction of the courts of Bulgaria.

15. Contact

For questions about these Terms:

Email: info@tracepass.eu

TracePass LTD, Shtrossmayer Street, 1309 Sofia, Bulgaria, EU