Privacy Policy

Last updated: 16 March 2026

This Privacy Policy explains how Startwitus Limited, trading as TieBack, a company incorporated in England, UK with registered number 16316535 and registered office at 3rd Floor, 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE (“TieBack”, “we”, “us”, or “our”), collects, uses, shares, stores, and protects personal data when you use:

  • the website at https://tieback.io and any related subdomains, pages, and portals;
  • the TieBack platform, dashboards, APIs, and documentation;
  • product passport pages and consumer-facing product identity experiences delivered through TieBack for our business customers; and
  • any related support, communications, and services.

This Policy is intended primarily for a business-to-business service model. TieBack contracts with companies, not individual consumers. However, some parts of the Services involve the processing of personal data about individuals, including website visitors, users of customer-configured passport features, and people who interact with digital product passport pages.


1. Who we are

Data controller / processor overview

TieBack may act as either:

  • an independent data controller; or
  • a processor (or service provider) acting on behalf of a TieBack business customer,

depending on the context.

A. Where TieBack acts as controller

We generally act as an independent controller for:

  • our public website and business contact forms;
  • account administration for our business customers and their authorised users;
  • procurement, support, billing, security, and operational communications;
  • platform security, fraud prevention, abuse detection, and service analytics; and
  • limited scan and telemetry data we use to protect the integrity of the Services and verify product identity interactions.

B. Where a brand / customer acts as controller

Where a TieBack business customer uses our Services to present product passport content, verify product interactions, operate ownership features, or manage customer-facing lifecycle workflows, that business customer will generally be the controller for the personal data processed through those workflows. In those cases, TieBack acts as a processor or service provider on the customer’s behalf, except where we use limited technical telemetry for our own security and fraud-prevention purposes.

If you are unsure whether TieBack or a brand is the relevant controller for a particular interaction, you can contact us using the details below and we will help direct your request.

Contact details:

2. What personal data we collect

The categories of personal data we may collect depend on how the Services are used.

A. Website and business contact data

When you visit our website or contact us, we may collect:

  • name;
  • work email address;
  • company name;
  • job title;
  • phone number;
  • enquiry details;
  • support or procurement correspondence; and
  • basic technical data such as IP address, browser type, device type, referring URL, and access timestamps.

B. Platform account and authorised user data

For customer organisations and their authorised users, we may collect:

  • account login and profile information;
  • organisation and role information;
  • access logs, authentication events, and security events;
  • support requests and administrative actions; and
  • usage data relating to the operation of the platform.

C. Product passport scan and verification telemetry

When an individual views a product passport page or interacts with a product identity endpoint, we may collect technical interaction data such as:

  • IP address;
  • device identifiers or device fingerprints;
  • browser and operating system details;
  • approximate location derived from IP;
  • timestamps;
  • scan / view frequency and interaction history;
  • referrer data where available; and
  • anti-fraud, anti-abuse, and product-verification signals.

We use this data for fraud prevention, product identity verification, website/service usage analysis, and platform security. We may also make relevant scan and verification data available to the relevant brand customer for those same purposes.

D. Ownership, wallet, and retention features

Where a user chooses to use an ownership feature, retain a product passport, or save a passport to a digital or smart wallet, we may collect additional personal data such as:

  • email address;
  • phone number;
  • device-linked identifiers;
  • wallet-associated data or wallet pass identifiers;
  • ownership or claim status information; and
  • any other information the user voluntarily submits to enable that feature.

We store this data securely and retain it for as long as the relevant user retains that passport or feature association, unless the data is deleted earlier in accordance with customer configuration, legal requirements, or a valid deletion request.

E. Data we receive from our business customers

Our customers may provide us with product-, user-, or workflow-related data so that we can operate the Services for them. In those cases, the customer is generally responsible for determining what personal data is collected and why, and TieBack processes that data on the customer’s behalf unless otherwise stated.

3. How we collect personal data

We may collect personal data:

  • directly from you when you contact us, request access, create or use an account, or use an ownership or wallet feature;
  • automatically when you use our website, platform, or product passport pages;
  • from our customers when they configure and use our Services;
  • from devices and browsers that interact with product identity pages; and
  • from service providers, integrations, or third parties where permitted by law and necessary to operate the Services.

4. Purposes of processing and lawful bases

We process personal data for the following purposes and rely on one or more lawful bases under UK GDPR and, where applicable, EU GDPR:

A. To provide and operate the Services

Including:

  • providing access to the platform and documentation;
  • serving product passport pages;
  • supporting product identity and verification workflows;
  • enabling ownership, aftercare, and lifecycle features where configured; and
  • maintaining accounts and customer administration.

Lawful basis: performance of a contract; and/or legitimate interests in operating and improving our business-to-business services.

B. To secure the Services and prevent fraud or abuse

Including:

  • platform security;
  • rate limiting, abuse detection, and anomaly detection;
  • preventing misuse of product identity endpoints;
  • product identity verification and anti-fraud analysis; and
  • investigating incidents.

Lawful basis: legitimate interests in securing the Services, preventing fraud, and protecting our customers, users, and systems.

C. To support product identity verification and customer-configured workflows

Including:

  • making scan and verification telemetry available to the relevant brand customer;
  • supporting customer-configured fraud prevention, trust, and lifecycle processes;
  • enabling customer-configured ownership or retention flows.

Lawful basis: legitimate interests of TieBack and the relevant customer; and/or performance of a contract; and/or consent where a feature is optional and the user actively chooses to provide information to enable it.

D. To communicate with customers and prospective customers

Including:

  • responding to enquiries;
  • managing procurement, onboarding, and support;
  • sending service-related communications; and
  • handling billing and account administration.

Lawful basis: performance of a contract; legitimate interests in managing customer relationships; and consent where required for specific marketing communications.

E. To comply with legal obligations

Including:

  • responding to lawful requests;
  • maintaining records;
  • enforcing rights; and
  • complying with tax, accounting, sanctions, export control, or regulatory requirements.

Lawful basis: compliance with a legal obligation; and/or legitimate interests in protecting our rights and legal position.

5. How we share personal data

We do not sell personal data.

We may share personal data with:

A. Relevant brand customers

Where scan, verification, ownership, or lifecycle features are used on behalf of a customer, we may share relevant data with that customer for:

  • fraud prevention;
  • product identity verification;
  • customer-configured ownership and lifecycle workflows;
  • support and operational analysis; and
  • related legitimate product and brand management purposes.

B. Service providers and subprocessors

Including providers of:

  • hosting and infrastructure;
  • security and monitoring;
  • email and communications;
  • customer support;
  • analytics;
  • wallet/pass delivery or related infrastructure; and
  • professional services.

These providers process personal data under contract and only as necessary for the relevant services.

C. Professional advisers and authorities

We may share data with lawyers, auditors, insurers, regulators, law enforcement, courts, or other authorities where necessary to:

  • comply with law;
  • respond to legal process;
  • establish, exercise, or defend legal claims; or
  • protect the rights, safety, or security of TieBack, our customers, users, or others.

D. Corporate transactions

If TieBack is involved in a merger, acquisition, financing, reorganisation, or sale of all or part of its business, personal data may be disclosed as part of that transaction, subject to appropriate confidentiality and legal safeguards.

6. Retention

We keep personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law or necessary to protect legal rights.

Our current baseline retention approach is:

A. Scan / verification telemetry

Personal data collected when an individual views a product passport or verification page — including IP data, device-related identifiers, and similar telemetry — is retained for up to 2 years and then deleted or irreversibly anonymised, unless:

  • a shorter period is required by law;
  • a longer retention period is needed for a specific security investigation, dispute, or legal hold; or
  • the customer’s lawful instructions require otherwise where TieBack is acting as processor.

B. Ownership / wallet feature data

Where users choose to use an ownership feature, retain a passport, or save a passport to a wallet, the associated personal data is retained for as long as the user retains that passport or feature association, unless:

  • the user deletes it;
  • the relevant customer instructs deletion;
  • the account or service is closed; or
  • legal retention obligations apply.

C. Business contact and account data

Business contact, support, onboarding, account, and contractual data is retained for as long as reasonably necessary to manage the relationship and comply with legal, accounting, audit, and dispute-resolution obligations.

D. Backups and logs

Residual copies may remain in backups and logs for a limited period in line with our backup and disaster recovery practices, after which they are deleted or overwritten in the normal course.

7. International transfers

We may process or store personal data in the UK, the EEA, or other countries where we or our service providers operate.

Where personal data is transferred outside the UK or EEA in circumstances that require safeguards, we rely on appropriate transfer mechanisms, such as adequacy regulations or adequacy decisions; or standard contractual clauses, the UK International Data Transfer Agreement (IDTA), or the UK Addendum, as applicable.

8. Security

We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

These measures may include, as appropriate:

  • access controls and least-privilege permissions;
  • logging and monitoring;
  • encryption in transit and at rest;
  • secure development and deployment practices;
  • retention controls; and
  • incident response procedures.

9. Your rights

Where TieBack acts as a controller, individuals may have rights under applicable data protection law, including the right to:

  • be informed;
  • access personal data;
  • rectify inaccurate data;
  • erase data in certain circumstances;
  • restrict processing in certain circumstances;
  • object to processing based on legitimate interests;
  • data portability, where applicable; and
  • withdraw consent, where consent is the lawful basis.

If you want to exercise these rights, contact us at [email protected].

Where TieBack acts only as a processor on behalf of a brand customer, you should normally direct your request to that brand/customer as controller. TieBack will assist the customer in responding where required by contract or law.

You also have the right to complain to the UK Information Commissioner’s Office (ICO), or to the relevant supervisory authority in your jurisdiction if applicable.

10. Cookies and similar technologies

We may use cookies and similar technologies on our website and Services. These may include:

  • strictly necessary cookies;
  • functionality cookies;
  • analytics cookies; and
  • other technologies used to secure, operate, and improve the Services.

Where required by law, we will ask for consent before placing non-essential cookies or similar technologies. For more information, please see our Cookie Policy.

11. Children

The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children except where data is provided through customer-configured workflows and the relevant customer is responsible for the legal basis and notices required for that processing.

If you believe that personal data relating to a child has been collected unlawfully through the Services, please contact us.

12. Third-party links and services

Our website, product passport pages, or documentation may contain links to third-party websites, tools, or services. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy notices.

13. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in:

  • the Services;
  • our processing activities;
  • legal requirements; or
  • our business operations.

We will post the updated version on the website and update the “Last updated” date. Where required by law, we will provide additional notice.

14. Contact us

If you have questions about this Privacy Policy or our handling of personal data, contact:

Startwitus Limited trading as TieBack

3rd Floor, 86-90 Paul Street

London, England, United Kingdom, EC2A 4NE