EN NL
Request a Demo
Legal

Privacy Policy

Effective date: 2026-04-19 · Last updated: 2026-04-19 · Version 1.0
Summary in one paragraph PackR8 is a packaging data management platform operated by Circular Vision B.V. (Utrecht, Netherlands). We collect the minimum personal data required to provide the service, host it in the European Union, and never sell it. Customers' packaging data is processed on their behalf under a Data Processing Agreement (DPA). This policy explains what we collect, why, how long we keep it, and the rights you have under the GDPR.
Contents
  1. Who we are
  2. Scope of this policy
  3. Data we collect
  4. Why we process your data (lawful basis)
  5. Retention periods
  6. Who we share with
  7. International transfers
  8. Your rights under the GDPR
  9. Cookies & tracking
  10. Security
  11. Children
  12. Changes to this policy
  13. How to contact us

1. Who we are

The data controller for personal data collected through this website (packr8.com) and for prospect / sales data is Circular Vision B.V. (KvK 80971636), registered at Utrecht, Netherlands ("Circular Vision", "we", "us", "our"). PackR8 is a product operated by Circular Vision.

For packaging data and operational data processed within the PackR8 platform on behalf of our customers, Circular Vision acts as data processor. Our customer (the producer or importer using PackR8) is the data controller. Those processing activities are governed by a separate Data Processing Agreement (DPA). See packr8.com/dpa.

2. Scope of this policy

This Privacy Policy applies to personal data we process as a controller, specifically:

  • Visitors to packr8.com and any subdomain;
  • Prospects who request a demo, sign up for a newsletter, or otherwise interact with our marketing;
  • Authorised users of the PackR8 platform whose account details we manage (separate from customer-content data covered by the DPA);
  • Suppliers and contractors of Circular Vision and PackR8.

It does not apply to packaging data, supplier records, or other customer content loaded into PackR8 by our customers — that is governed by the DPA.

3. Data we collect

3.1 Data you provide directly

  • Contact data: name, business email, company, role, country (via demo request, newsletter sign-up, or contact forms).
  • Account data: for authorised users — name, business email, role in customer organisation, hashed password (if native login is used), MFA settings, session tokens.
  • Communication data: messages you send us (email, Calendly intake, chat).
  • Commercial data: billing contact, VAT number, invoice history (for paying customers).

3.2 Data we collect automatically

  • Technical data: IP address (truncated after 24 hours), user agent, referring URL, timestamps, pages visited.
  • Usage data (platform): features accessed, error logs, performance telemetry (de-identified where possible).
  • Cookies: see Cookie Policy. We use strictly-necessary cookies by default; analytics cookies require consent.

3.3 Data we receive from third parties

  • Calendly: when you book a demo, Calendly passes your name, email, and answers to scheduling questions to us.
  • SSO identity providers: when you log in via Google Workspace, Microsoft Entra, or Okta, we receive identity claims (email, name, unique identifier).
  • Customer administrators: when a customer's admin invites you as a user, they provide your name, email, and role in the platform.

4. Why we process your data (lawful basis)

PurposeLawful basis (GDPR Art. 6)
Provide and operate PackR8 for authorised usersPerformance of contract (Art. 6(1)(b))
Respond to demo requests and sales enquiriesLegitimate interest in doing business (Art. 6(1)(f))
Send occasional product updates to customersPerformance of contract / legitimate interest
Marketing emails to prospectsConsent (Art. 6(1)(a)) — opt-in, unsubscribe in every message
Analytics & improvement of the websiteConsent (Art. 6(1)(a)) via cookie banner
Billing and accounting recordsLegal obligation (Art. 6(1)(c)) — Dutch bookkeeping law requires 7 years
Security, abuse prevention, fraud detectionLegitimate interest (Art. 6(1)(f))
Complying with regulator requestsLegal obligation (Art. 6(1)(c))

5. Retention periods

We keep personal data only as long as we need it for the purpose we collected it:

CategoryRetention
Website visitor logs (truncated IP)30 days
Prospect contact data (no engagement)24 months, then deleted
Demo request / sales conversation records36 months after last contact
Active customer user accountsDuration of subscription + 30 days
Deactivated user accounts90 days soft-delete, then permanent deletion
Billing / invoice records7 years (Dutch tax law)
Support ticket communications36 months
Marketing consent recordsFor as long as the consent is valid + 24 months after withdrawal

6. Who we share with

We do not sell personal data. We share it only with processors and partners who need it to deliver the service. Current sub-processors are listed on our Security page.

  • Cloud infrastructure: [Hosting provider — e.g. AWS eu-central-1 (Frankfurt) / Hetzner Cloud Falkenstein]
  • Email delivery: [Postmark / Resend / similar]
  • Analytics (with consent): [Plausible / Fathom / similar privacy-friendly analytics]
  • Calendly: demo scheduling
  • Payment processing: [Stripe / similar]
  • Customer support tooling: [Help Scout / Intercom / similar]
  • Legal & accounting advisers when a specific matter requires it (under NDA).

If we are required to disclose personal data by law (court order, Dutch regulator, EU member state regulator), we will do so, and we will notify affected individuals unless the legal process prevents it.

7. International transfers

PackR8's primary data processing happens inside the European Union. Where a sub-processor is established outside the EU/EEA (for example, some US-based SaaS providers), we use one or more of the following safeguards:

  • EU Commission adequacy decisions (where available);
  • Standard Contractual Clauses (SCCs) with supplementary measures where required by Schrems II;
  • EU-US Data Privacy Framework certification of the recipient (where applicable);
  • Technical measures (encryption in transit and at rest, pseudonymisation where feasible).

8. Your rights under the GDPR

You have the following rights regarding personal data we hold about you. To exercise them, email privacy@packr8.com and we will respond within one month.

  • Right of access (Art. 15): a copy of the personal data we hold about you.
  • Right of rectification (Art. 16): correction of inaccurate or incomplete data.
  • Right of erasure (Art. 17): deletion of your personal data, subject to legal retention obligations.
  • Right to restrict processing (Art. 18).
  • Right to data portability (Art. 20): structured, commonly-used, machine-readable format.
  • Right to object (Art. 21): to processing based on legitimate interest, including direct marketing.
  • Right not to be subject to automated decision-making (Art. 22): PackR8 does not make legally significant decisions about individuals through automated profiling.
  • Right to withdraw consent (Art. 7(3)) at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local EU supervisory authority.

9. Cookies & tracking

PackR8 uses cookies only where strictly necessary for the service to function, or where you have given consent. A full inventory is in our Cookie Policy. You can withdraw consent at any time via the cookie banner or your browser settings.

10. Security

PackR8 is hosted in the European Union, with encryption in transit (TLS 1.2+) and at rest (AES-256). We operate role-based access control (RBAC), multi-factor authentication for all administrator access, and an immutable audit log. Full detail on our Security page.

If you believe we have suffered a breach of your personal data, please email security@packr8.com. We commit to notifying the Dutch DPA within 72 hours of becoming aware of a reportable breach, as required by GDPR Art. 33.

11. Children

PackR8 is a business-to-business product. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via email (to active customers and users) and via a banner on packr8.com for at least 30 days. The "Last updated" date at the top of this page always reflects the latest version.

13. How to contact us

Circular Vision B.V.
KvK 80971636
Utrecht, Netherlands

General privacy questions: privacy@packr8.com
Security / breach reports: security@packr8.com
Data Protection contact: dpo@packr8.com (Circular Vision has not formally appointed a DPO under GDPR Art. 37(1), but a designated privacy contact is maintained at this address.)

Draft notice This Privacy Policy is a baseline draft. Prior to public launch of packr8.com, it will be reviewed by qualified Dutch / EU privacy counsel and updated to reflect final sub-processor selections, DPO designation status, and any customer-specific commitments.