Privacy Policy

Effective date: October 6, 2025

This Privacy Policy explains how the Foundation Against Counterfeit Trade ("FACT", "we", "us") collects, uses, and safeguards personal data when you visit our websites, interact with our NFC verification experiences, or contact us.

Data We Process

Device and usage data: IP address, browser type, pages visited, timestamps, language preference, and aggregated analytics.
NFC verification events: Anonymous scan metadata (time, rough location derived from IP, tag identifier hash). We do not collect precise GPS.
Contact information: If you email us, we process your email address and the content you send.

Why We Process Data

Security and fraud prevention: Detect and prevent counterfeit activity and platform abuse.
Service delivery: Provide and improve NFC verification and related pages.
Analytics: Understand usage patterns to improve performance and UX.
Legal compliance: Comply with applicable laws and respond to lawful requests.

Legal Bases

Where the GDPR applies, we rely on legitimate interests (fraud prevention, service improvement), performance of a contract (providing verification), and consent where required (e.g., certain cookies). Where Brazil’s LGPD applies, we rely on legitimate interest (art. 7, IX), execution of contracts (art. 7, V), and compliance with legal or regulatory obligations (art. 7, II).

Cookies and Analytics

We use Google Analytics to understand site usage. You can opt out with Google’s tools or by using browser settings that block third-party cookies. Where required, we will request consent before setting non-essential cookies.

Data Sharing

Service providers processing data under contract and only on our instructions.
Authorities when required by law or to protect rights, safety, and integrity of the service.
Partners/clients may receive aggregated, de-identified insights about scan activity.

International Transfers

Data may be processed in the United States and other countries. Where the GDPR applies, transfers rely on appropriate safeguards such as standard contractual clauses. For LGPD, we adopt mechanisms consistent with art. 33 and following.

Data Retention

We retain personal data only as long as necessary for the purposes above, then delete or anonymize it. Typical retention for analytics is up to 25 months unless a longer period is needed for security or legal obligations.

Your Rights

GDPR: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
LGPD (Brazil): confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent, plus review of automated decisions (where applicable).

To exercise rights, contact us at [email protected].

Children’s Privacy

Our services are not directed to children. If you believe we processed data about a child, contact us to remove it.

Information Security

We employ technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and monitoring for abuse.

Data Controller and DPO (Brazil)

Foundation Against Counterfeit Trade (FACT). For LGPD purposes, you may contact our DPO at [email protected].

Updates

We may update this policy from time to time. We will change the “Effective date” above and, where required, notify you.