← Back to Home

Privacy Policy

Last updated: 20 March 2026

1. Introduction

Family Labs Pty Ltd (ACN 688 034 988) (Family Labs, we, us, or our) operates the Universal Goods Protocol and associated platform services, including the enterprise dashboard, consumer application, and the Universal Goods website (collectively, the Services).

We are committed to protecting the privacy of all individuals who interact with our Services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Who We Are

Family Labs Pty Ltd is an Australian company registered at 470 St Kilda Rd, Melbourne VIC 3004, Australia. We build open infrastructure that provides physical products with secure, verifiable digital identities through EU-compliant Digital Product Passports (DPPs).

For the purposes of the GDPR, Family Labs is the data controller responsible for your personal information when you use our Services directly. When we process personal information on behalf of our enterprise clients (for example, product and supply chain data provided by brands), we act as a data processor under the instructions of that client.

3. Information We Collect

3.1 Information you provide directly

  • Account registration details: name, email address, organisation name, job title, and contact information.

  • Enterprise onboarding data: company details, ERP/PLM system information, supply chain data, and product information submitted for Digital Product Passport creation.

  • Communications: correspondence you send to us, including support requests, feedback, and enquiries.

  • Payment information: billing details processed through our third-party payment providers. We do not store full payment card details on our systems.

  • Identity verification data: information required for Know Your Customer (KYC) and Know Your Business (KYB) processes, processed by our verification partner.

3.2 Information collected automatically

  • Device and browser information: IP address, browser type, operating system, device identifiers, and screen resolution.

  • Usage data: pages visited, features used, session duration, clickstream data, and interaction patterns.

  • Cookies and similar technologies: as described in Section 10 below.

3.3 Information from third parties

  • Enterprise clients: product data, supply chain information, and supplier details provided by brands using our platform.

  • Identity verification providers: results of KYC/KYB checks conducted by our verification partners.

  • Analytics and advertising partners: aggregated usage and performance data.

3.4 Public network data

When you use our Services to create or interact with Digital Product Passports, certain information is recorded on a public network to ensure verifiability and transparency. This includes product identity data, ownership records, and transaction histories associated with DPPs. This data is pseudonymous and linked to your account profile, not directly to your personal identity. Once recorded on a public network, this data cannot be modified or deleted by Family Labs or any other party.

4. How We Use Your Information

We use your personal information for the following purposes:

  • Providing and operating our Services, including account management, DPP creation, and platform access.

  • Processing transactions and facilitating settlement between enterprise clients and their supply chain partners.

  • Verifying your identity for regulatory compliance, including KYC/KYB obligations.

  • Communicating with you about your account, service updates, and technical support.

  • Improving and developing our Services, including analytics and performance monitoring.

  • Complying with legal obligations, including EU ESPR requirements, anti-money laundering laws, and tax reporting.

  • Protecting our Services, detecting fraud, and enforcing our terms.

  • Sending marketing communications where you have provided consent or where we have a legitimate interest (with an easy opt-out mechanism).

4.1 Legal bases for processing (GDPR)

Where the GDPR applies, we process your personal information on one or more of the following legal bases:

(a) Contract: Processing necessary to perform our contract with you or to take pre-contractual steps at your request.

(b) Legal obligation: Processing necessary to comply with applicable laws and regulations, including ESPR, AML/CTF, and tax requirements.

(c) Legitimate interests: Processing necessary for our legitimate business interests (such as fraud prevention, service improvement, and direct marketing to existing clients), provided these interests do not override your rights.

(d) Consent: Where you have given clear consent for specific processing activities, such as receiving marketing communications.

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service providers: Third-party providers who perform services on our behalf, including cloud hosting (Microsoft Azure), payment processing (Bridge by Stripe), identity verification, and analytics. These providers are contractually bound to protect your information and may only use it to provide services to us.

  • Enterprise clients and supply chain participants: Where you are a supplier, manufacturer, or other participant in a client's supply chain, product and supply chain data may be shared with relevant parties as necessary for DPP creation and compliance.

  • Public network records: As described in Section 3.4, certain pseudonymous data is recorded on a public network and is accessible to anyone.

  • Legal requirements: Where required by law, regulation, legal process, or government request.

  • Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, your information may be transferred to the successor entity.

  • With your consent: Where you have explicitly consented to a specific disclosure.

6. International Data Transfers

Family Labs is based in Australia and operates infrastructure and services globally. Your personal information may be transferred to, and processed in, countries other than the country in which you reside, including Australia, the European Union, and the United States.

Where we transfer personal information outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Transfers to countries that have received an adequacy decision from the European Commission.

  • Other lawful transfer mechanisms under the GDPR.

Where we transfer personal information outside Australia, we take reasonable steps to ensure the overseas recipient handles the information in accordance with the APPs.

7. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Specific retention periods include:

  • Account data: retained for the duration of your account and for a reasonable period thereafter (generally 2 years) to address any post-termination enquiries or disputes.

  • Transaction and DPP data: retained for the duration required by applicable law, including EU ESPR requirements and tax obligations (typically 7 years for financial records).

  • KYC/KYB records: retained for the period required by anti-money laundering regulations (typically 7 years from the end of the business relationship).

  • Usage and analytics data: retained in identifiable form for up to 24 months, after which it is aggregated or anonymised.

  • Marketing consent records: retained for the duration of your consent and for a reasonable period thereafter to demonstrate compliance.

Data recorded on public networks as described in Section 3.4 is immutable and cannot be deleted by Family Labs or any other party.

8. Your Rights

8.1 Under the Australian Privacy Act

You have the right to:

  • Access the personal information we hold about you.

  • Request correction of inaccurate, incomplete, or out-of-date information.

  • Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

8.2 Under the GDPR (EEA residents)

If you are located in the European Economic Area, you have additional rights including:

  • Right of access: Obtain confirmation of whether we process your data and request a copy.

  • Right to rectification: Request correction of inaccurate data.

  • Right to erasure: Request deletion of your data in certain circumstances. Note that data recorded on public networks cannot be erased.

  • Right to restriction: Request that we restrict processing in certain circumstances.

  • Right to data portability: Receive your data in a structured, commonly used, machine-readable format.

  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.

  • Rights related to automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, contact us at support@familylabs.xyz. We will respond within 30 days (or within the timeframe required by applicable law). You also have the right to lodge a complaint with your local supervisory authority.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest.

  • Role-based access controls and the principle of least privilege.

  • Regular security assessments and vulnerability testing.

  • Secure hosting on Microsoft Azure with enterprise-grade security certifications.

  • Incident response procedures and breach notification processes.

While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your information.

10. Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate and improve our Services. These include:

  • Essential cookies: Required for the operation of our Services, including authentication and session management. These cannot be disabled.

  • Analytics cookies: Help us understand how visitors interact with our Services so we can improve performance and user experience.

  • Preference cookies: Remember your settings and preferences for a more personalised experience.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Services. Where required by applicable law, we will obtain your consent before placing non-essential cookies.

11. Children's Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@familylabs.xyz.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you access through our platform.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website with a revised "Last updated" date. Where required by law, we will provide additional notice (such as email notification) for significant changes.

Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

Family Labs Pty Ltd

470 St Kilda Rd, Melbourne VIC 3004, Australia

Email: support@familylabs.xyz

ACN: 688 034 988

If you are not satisfied with our response to a privacy concern, you may lodge a complaint with:

  • Australia: Office of the Australian Information Commissioner (OAIC) --- www.oaic.gov.au

  • European Union: Your local data protection supervisory authority