Privacy policy

Last updated: March 2026

1. Who we are

ENVRT ("we," "us," "our") provides a sustainability data platform for fashion brands. Our services include Digital Product Passports (DPPs), modelled lifecycle metrics, transparency visualisations, brand dashboards, collection forms, and evidence uploads.

This policy explains how we collect, use, and protect personal data across our websites and services:

  • envrt.com — marketing site
  • dashboard.envrt.com — brand and supplier dashboard
  • dpp.envrt.com — public Digital Product Passport pages
  • reports.envrt.com — report viewing pages

If you have questions about this policy, see Section 13 for contact details.

2. Data we collect

We collect different data depending on how you interact with our services.

Website visitors (envrt.com)

We collect anonymous analytics using a lightweight first-party beacon. This includes:

  • Page path, referrer URL, and UTM parameters
  • Device type, screen resolution, and browser language
  • Approximate location (country, region, and city) derived from server-side request headers provided by our hosting infrastructure, not from GPS, IP geolocation databases, or device-level location services
  • Scroll depth and time on page
  • Session grouping via a sessionStorage identifier that is automatically cleared when the browser tab is closed
  • Information you submit through contact or signup forms (name, email, company)

We do not store IP addresses, use cookies, use localStorage fingerprinting, or perform any cross-site tracking on the marketing site.

Dashboard users (dashboard.envrt.com)

  • Account details: name, email address, company name, role
  • Authentication data (managed through our authentication provider)
  • Data you enter or upload: product information, supply chain data, documents, PDFs, images
  • Usage analytics associated with your account: page path, page title, session identifier (sessionStorage, cleared on tab close), time on page, scroll depth, device type, screen resolution, browser language, approximate location (from server-side request headers), and navigation flow

Dashboard analytics do not use cookies or localStorage for tracking purposes. No IP addresses are stored.

DPP visitors (dpp.envrt.com)

DPP pages are public by design. See Section 11 for more on public and private information. We collect anonymous view data including page path, referrer URL, UTM parameters, device type, screen resolution, browser language, and approximate location (country, region, and city from server-side request headers). We do not store IP addresses, use cookies, use localStorage fingerprinting, or perform any cross-site tracking on DPP pages.

Report viewers (reports.envrt.com)

If you access a report via a shared link, we may log basic access information such as browser type, timestamp, and referring URL. If you are a logged-in user, your access may be associated with your account.

3. How we use data

  • Providing our services — operating the platform, processing uploads, generating DPPs, and producing modelled metrics
  • Account management and support — managing your account, responding to queries, and resolving issues
  • Security — detecting and preventing unauthorised access, fraud, or abuse
  • Product improvement — understanding how the platform is used so we can improve features, performance, and reliability
  • Analytics — measuring traffic, usage patterns, and engagement in aggregate
  • Communications — sending service-related messages such as account notifications, updates, or responses to enquiries. We will only send marketing communications where we have appropriate consent or a lawful basis to do so

4. Legal bases for processing

We process personal data under the UK GDPR and EU GDPR. The legal bases we rely on include:

  • Contract — processing that is necessary to provide our services to you or to take steps at your request before entering a contract. This applies to dashboard users with an active account or subscription.
  • Legitimate interests — processing that is necessary for our reasonable business interests, provided those interests are not overridden by your rights. This includes security monitoring, fraud prevention, product improvement, and analytics.
  • Consent — where you have given clear consent for a specific purpose, such as receiving marketing emails or accepting optional analytics cookies. You can withdraw consent at any time.
  • Legal obligation — processing that is necessary to comply with a legal or regulatory requirement.

5. Sharing and subprocessors

We do not sell personal data.

We share personal data only where necessary to operate our services. We use third-party service providers ("subprocessors") in the following categories:

  • Hosting and infrastructure — cloud hosting providers that store and serve our platform and data
  • Database, authentication, and storage — services that manage user accounts, authentication, and file storage
  • Analytics — tools that help us understand website and platform usage in aggregate
  • Email and communications — services that deliver transactional and service-related emails

All subprocessors are bound by data processing agreements. We review these arrangements periodically.

We may also share data where required by law, regulation, or legal process.

A list of current subprocessors is available on request. Contact us using the details in Section 13.

6. International transfers

Our services are primarily hosted in the UK and EEA. However, some subprocessors may process data outside the UK or EEA.

Where personal data is transferred internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) to help protect your data.

7. Data retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy and to meet our contractual obligations. As a general guide:

  • Account data — retained for the duration of your account, plus a reasonable period after closure (typically up to 12 months) to handle any follow-up queries or obligations
  • Access logs and analytics data — typically retained for up to 24 months, then deleted or anonymised
  • Uploaded content (documents, images, product data) — retained for the duration of the relevant brand's subscription. After termination, we retain data for a limited period to allow for data export, then delete it in accordance with our agreements
  • Marketing consent records — retained for as long as needed to demonstrate lawful consent

We may retain certain data longer where required by law or to resolve disputes.

8. Security

We take reasonable steps to protect personal data from unauthorised access, loss, and misuse. Our measures include:

  • Encryption in transit using TLS
  • Access controls on all platform services
  • Role-based access within the dashboard, so users only see data relevant to their role
  • Regular review of access permissions
  • Secure storage of uploaded files with restricted access

No system is completely secure. We cannot guarantee the absolute security of your data, but we are committed to maintaining and improving our protections over time.

9. Cookies and tracking

Essential cookies

We use essential cookies only where required to keep the platform functioning, such as session management and authentication on the dashboard. These cannot be disabled without breaking core functionality.

Analytics

We do not use analytics cookies anywhere on the platform. Our analytics are entirely cookie-free and do not use localStorage or any form of browser fingerprinting. Where session grouping is needed, we use a sessionStorage identifier that is automatically cleared when the browser tab is closed and cannot be used to track users across sessions or sites.

Third-party tracking

We do not use third-party tracking scripts, advertising pixels, retargeting tools, or any form of cross-site tracking. We do not share analytics data with third parties. All analytics are first-party and collected solely for platform improvement.

Geographic data

Approximate geographic location (country, region, and city) is derived from server-side request headers provided by our hosting infrastructure. This is not based on GPS, IP geolocation databases, or device-level location services. No IP addresses are stored in our analytics data.

10. Your rights

Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to correct inaccurate or incomplete data
  • Deletion — ask us to delete your data, subject to any legal or contractual retention requirements
  • Objection — object to processing based on legitimate interests
  • Restriction — ask us to restrict processing in certain circumstances
  • Portability — request your data in a structured, machine-readable format
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us using the details in Section 13. We will respond within one month, or let you know if we need more time.

If you are unsatisfied with how we handle your request, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

11. Public and private information

Public: Digital Product Passports

DPP pages on dpp.envrt.com are public by design. The content displayed on a DPP page is controlled by the brand that created it. This may include product details, material information, transparency data, and modelled environmental metrics.

Brands are responsible for deciding what information appears on their public DPP pages.

Private: Evidence uploads and internal data

Evidence uploads (documents, PDFs, images) and internal supplier data submitted through the dashboard are private by default. Access is restricted by role-based controls.

This data is not made public unless a brand explicitly chooses to publish or share it.

12. Automated processing

We use automated systems to generate modelled estimates and insights from data submitted by brands and their supply chains. This includes modelled lifecycle metrics such as CO2e and water scarcity estimates.

These outputs are intended as decision-support tools. They are based on models, assumptions, and the data available at the time of calculation. They should not be treated as verified measurements.

Brands are responsible for any public claims, disclosures, or decisions they make based on outputs from the platform.

13. Contact

If you have questions about this policy or want to exercise your data rights, contact us at:

info@envrt.com

ENVRT Ltd


United Kingdom

14. Changes to this policy

We may update this policy from time to time to reflect changes in our services, legal requirements, or how we handle personal data.

Where changes are significant, we will notify dashboard users by email or through the platform. We encourage you to review this page periodically.

The "Last updated" date at the top of this page shows when the most recent changes were made.