Privacy Policy

Your privacy matters to us

Last updated: 18 February 2026
Effective: 18 February 2026

1. Introduction

Welcome to BottleChallenge ("we," "our," or "us"), a project operated by BrainGreen Foundation. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, website, and related services (collectively, the "Service").

We are committed to protecting your privacy and ensuring compliance with applicable data protection laws worldwide, including but not limited to:

  • GDPR - General Data Protection Regulation (European Union)
  • UK GDPR - United Kingdom General Data Protection Regulation
  • CCPA/CPRA - California Consumer Privacy Act / California Privacy Rights Act (USA)
  • LGPD - Lei Geral de Proteção de Dados (Brazil)
  • POPIA - Protection of Personal Information Act (South Africa)
  • PDPA - Personal Data Protection Act (Singapore, Thailand)
  • APPI - Act on the Protection of Personal Information (Japan)
  • Privacy Act 1988 (Australia)
  • PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.

2. Data controller

The data controller responsible for your personal data is:

BrainGreen Foundation

Operating as: BottleChallenge

Warszawa, Polska

KRS: 0000964547 | NIP: 5252903313 | REGON: 521709494

Email: [email protected]

Website: BrainGreen Foundation website

For EU/EEA residents, we have appointed a Data Protection Officer (DPO) who can be contacted at: [email protected]

3. Data we collect

3.1 Information you provide

  • Account information: name, email address, username, password (encrypted), profile picture
  • User-generated content: reviews, ratings, photos of refill stations, comments
  • Communications: messages you send to us, feedback, support requests
  • Partner information: business name, address, contact details (for business partners)
  • Donation information: when you make a donation via WhyDonate, payment details are processed by WhyDonate; we receive your name, email, donation amount, and transaction ID (we do not store credit card numbers)
  • Shop & reward redemption: EcoDrops balance, redemption history, voucher codes, and delivery details for redeemed rewards

3.2 Information collected automatically

  • Device information: device type, operating system, unique device identifiers, browser type
  • Location data: precise or approximate location (with your consent) to show nearby refill stations
  • Usage data: pages visited, features used, time spent, interaction patterns
  • Log data: IP address, access times, referring URLs, error logs
  • NFC/QR scan data: when you scan an NFC tag or QR code at a refill location, we collect the tag UID, scan timestamp, and your approximate GPS location (if permissions are granted) to verify the visit and award EcoDrops
  • NFC device capabilities: whether your device supports Web NFC, used solely to display the appropriate scanning interface

3.3 Information from third parties

  • Social login: if you sign in via Google, Apple, or Facebook, we receive your name, email, and profile picture
  • Map services: we use mapping services that may collect anonymized usage data

3.4 Sensitive data

We do not intentionally collect sensitive personal data (such as health information, religious beliefs, political opinions, sexual orientation, or biometric data). If you voluntarily provide such information, it will be processed with your explicit consent.

5. How we use your data

We use your personal data for the following purposes:

  • Service delivery: to provide, maintain, and improve our Service
  • Personalization: to show nearby refill stations and personalize your experience
  • Communication: to respond to your inquiries and send service-related notifications
  • Rewards program: to track and provide EcoDrops rewards for your environmental contributions
  • NFC/QR verification: to verify refill visits via tag scans, prevent fraud, and accurately award EcoDrops
  • Shop & redemptions: to process reward purchases, generate voucher codes, and fulfill orders
  • Donations: to process your donations via WhyDonate and provide donation receipts
  • Analytics: to understand how users interact with our Service and improve it
  • Safety: to detect, prevent, and address fraud, abuse, and security issues
  • Legal compliance: to comply with applicable laws and regulations
  • Marketing: with your consent, to send promotional communications about our Service

6. Data sharing & disclosure

We may share your personal data with:

6.1 Service providers

Third-party companies that help us operate our Service:

  • Cloud hosting providers (data storage)
  • Analytics providers (Google Analytics — usage analysis, consent-gated)
  • Email service providers (communications)
  • Donation processor (WhyDonate — processes payments for donations)
  • Map service providers (location features)

6.2 Business partners

When you interact with a partner location (e.g., rating a café), limited information may be shared with that partner to improve their service.

6.3 Legal requirements

We may disclose your data when required by law, court order, or governmental request.

6.4 Business transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.

6.5 With your consent

We may share data for other purposes with your explicit consent.

✓ We do NOT sell your personal data to third parties for advertising or marketing purposes.

7. Data retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

Data Type | Retention Period
Account data | Until account deletion + 30 days
Usage data | 24 months
Location data | Session only (not stored permanently)
NFC/QR scan history | Duration of account + 30 days
Donation records | As required by tax law (typically 5-7 years)
Shop purchase history | Duration of account + 30 days
Support communications | 3 years
Legal/compliance records | As required by law (typically 5-7 years)

After the retention period, data is securely deleted or anonymized. You can request earlier deletion by contacting us (subject to legal retention requirements).

8. Your rights

Depending on your location, you may have the following rights:

  • Right to access: request a copy of your personal data we hold
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure: request deletion of your data ("right to be forgotten")
  • Right to restrict processing: limit how we use your data
  • Right to data portability: receive your data in a machine-readable format
  • Right to object: object to processing based on legitimate interests
  • Right to withdraw consent: withdraw consent at any time (won't affect prior processing)
  • Right to lodge a complaint: file a complaint with your local data protection authority

To exercise these rights, contact us at [email protected]. We will respond within 30 days (or as required by applicable law).

9. Cookies & tracking technologies

We use cookies and similar technologies for:

9.1 Types of cookies

  • Essential cookies: required for the Service to function (authentication, security)
  • Functional cookies: remember your preferences (language, theme)
  • Analytics cookies: help us understand usage patterns (with consent)

9.2 Managing cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect functionality. We respect "Do Not Track" browser signals.

9.3 Third-party analytics

We may use analytics services that collect anonymized data. These services have their own privacy policies governing their use of data.

For the complete list of cookies, their purposes, and how to manage your preferences, please see our Cookie Policy.

10. Children's privacy

Our Service is not directed to children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children.

If you believe we have collected data from a child, please contact us immediately at [email protected], and we will promptly delete such information.

Parental Notice (COPPA Compliance): If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

11. Data security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access controls: strict access controls and authentication for staff
  • Regular audits: security assessments and penetration testing
  • Incident response: procedures to detect, report, and respond to breaches
  • Staff training: regular privacy and security training for employees

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but commit to notifying you of any breach as required by law.

12. International data transfers

Your data may be transferred to and processed in countries other than your own. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
  • Adequacy decisions: transfers to countries deemed adequate by EU Commission
  • Binding corporate rules: for intra-group transfers where applicable
  • Your consent: for transfers to other destinations with your explicit consent

For transfers from the UK, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.

13. California privacy rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

Your rights

  • Right to know: what personal information we collect, use, and disclose
  • Right to delete: request deletion of your personal information
  • Right to correct: correct inaccurate personal information
  • Right to opt-out: opt-out of the sale/sharing of personal information
  • Right to non-discrimination: we won't discriminate against you for exercising your rights
  • Right to limit: limit use of sensitive personal information

Categories of information

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, username)
  • Internet activity (usage data, device information)
  • Geolocation data (with consent)
  • Inferences drawn from the above

Notice: We do NOT sell or share your personal information for cross-context behavioral advertising purposes.

To exercise your California rights, contact us at [email protected] or call our toll-free number. You may designate an authorized agent to make requests on your behalf.

14. Brazil privacy rights (LGPD)

If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD):

  • Confirmation of data processing
  • Access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary data
  • Data portability
  • Deletion of data processed with consent
  • Information about sharing with third parties
  • Information about the possibility of denying consent
  • Revocation of consent

To exercise your LGPD rights, contact our Data Protection Officer at [email protected].

15. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new policy on this page with an updated "Last Updated" date
  • Sending you an email notification (for significant changes)
  • Displaying a prominent notice in our app or website

We encourage you to review this policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or your data:

Data Protection Officer (DPO)

[email protected]

BrainGreen Foundation

Warszawa, Polska

KRS: 0000964547 | NIP: 5252903313

[email protected]
BrainGreen Foundation website

EU/EEA Residents: You have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs can be found at edpb.europa.eu.

UK Residents: You can contact the Information Commissioner's Office (ICO) at ico.org.uk.