What we collect on verification
Every time a verification URL (/v/[uid]) is opened — whether by NFC tap, QR scan or direct link — we record one entry in our internal verification_logs table. The entry contains:
• the IP address-derived country code and region (read from Vercel edge headers; the raw IP itself is not stored);
• the browser user-agent string;
• the timestamp of the visit;
• whether the visitor was signed in as the owner of the piece (Phase 5+).
Authentication data
Administrators sign in with an email address and password managed by Supabase Auth. The session is a strictly-necessary cookie required to access the admin panel. We do not use any tracking, analytics or third-party advertising cookies.
Why we collect it
Verification logs let the editor detect cloning attempts — a single chip pinging from multiple distant countries in a short window is a strong fraud signal. The legal basis is legitimate interest under GDPR Art. 6(1)(f). Authentication data is processed on the basis of contract performance with the administrator (GDPR Art. 6(1)(b)).
Retention
Verification logs are kept indefinitely for the lifetime of the corresponding piece. When a piece is permanently deleted, its logs are deleted with it via database cascade.
Data transfers outside the EU
Our hosting and database providers (Vercel Inc. and Supabase Inc.) are established in the United States. Data may therefore be processed in the USA under the standard contractual clauses (SCCs) adopted by the European Commission.
Your rights
Under the GDPR you may request access to, rectification of, erasure of or portability of the personal data we hold about you, and you may object to its processing. Write to contact@nachi3d.com from the email address tied to your records. We will respond within one month.