Your privacy matters to us. This policy explains what personal data we collect through the Sustivo platform and its apps, why we use it, who we share it with, and what rights you have. We process your data in accordance with Regulation (EU) 2016/679 (GDPR) and Romanian Law No. 190/2018.
1. Who we are (the data controller)
The controller of your personal data is INFOSHARE CONSULTING SRL, a limited liability company established in Romania:
INFOSHARE CONSULTING SRL
Registered office: Str. Ciprian Porumbescu nr. 72, et. mansardă, ap./birou 19, Otopeni, Ilfov County, postal code 075100, Romania
Tax ID (CUI): 41970536 · Trade Register No.: J2019016428401
Phone: +40 744 366 663
General e-mail: contact@sustivo.eco
Data Protection Officer (DPO): dpo@sustivo.eco
Sustivo is a sustainability and waste-management platform made up of several apps dedicated to different categories of users.
2. Scope
This policy applies to the sustivo.eco website and to all Sustivo apps (mobile and web), including:
- Citizen app (app.sustivo.eco) — challenges, feed, collection calendar, my receipts;
- Admin (admin.sustivo.eco) — content and collection-program management;
- Super Admin (superadmin.sustivo.eco) — platform-wide administration;
- Calendar (calendar.sustivo.eco) — “when is my collection”;
- Scanner (scanner.sustivo.eco) — QR reward validation;
- Maps (maps.sustivo.eco) — collection, donation and repair points;
- Coordinator (coordinator.sustivo.eco) — collection operations;
- Driver (driver.sustivo.eco) — routes and recording collections.
It also applies to our official social-media pages, to the extent we control them.
3. What data we collect
Depending on the app you use and your role, we may collect the following categories of data:
Account and identity data
- first and last name (optional);
- e-mail address;
- phone number and its type;
- password (stored only in encrypted/“hashed” form);
- profile photo (if you upload one).
Location and address data
- the region, street and number associated with your address (for the collection calendar and linking to collection points);
- your device’s geographic location (GPS), when you enable it — used for maps, collection routes and proximity features.
User-generated content
- photos and documents (e.g. receipts, proof of collection);
- content generated by scanning QR codes.
Activity and usage data
- participation in challenges, quizzes and campaigns, points, rewards and leaderboards;
- history of collections, routes and receipts;
- preferences and onboarding status.
Technical and diagnostic data
- device type, operating system and app identifiers;
- IP address and access logs;
- diagnostic and crash-reporting data (via Firebase Crashlytics);
- push-notification tokens;
- cookies and similar technologies — see our Cookies Policy.
4. Legal bases for processing
We process your data only on one of the following legal bases set out in Article 6 GDPR:
- Performance of a contract — to create your account and provide the platform’s services;
- Your consent — for optional features such as precise location, push notifications or marketing communications; consent can be withdrawn at any time;
- Our legitimate interests — for the security of the platform, fraud prevention, and improving and operating our services;
- Legal obligation — where the law requires us to retain or disclose certain data.
5. Purposes of processing
- creating and managing your account and authenticating you;
- providing each app’s features (collection calendar, challenges, QR scanning, maps, routes, receipts);
- linking citizens’ addresses to collection points and keeping a record of services provided;
- sending technical notifications and, with your consent, informational communications;
- ensuring security and preventing abuse and fraud;
- analytics and service improvement;
- complying with legal obligations.
6. Who we share data with
We do not sell your data. We may disclose it to the following categories of recipients, strictly for the purposes above:
- Service providers (processors) who process data on our behalf under data-processing agreements: Supabase (database hosting and authentication, in the EU), Google Firebase (crash reporting, file storage, push notifications), and our transactional e-mail provider;
- Client controllers (in a multi-tenant context) — local authorities and waste-collection operators using the platform for their region may act as controllers, or joint controllers, for the data relating to the collection service in their area;
- Public authorities — where required by law or to protect our legitimate rights.
7. International transfers
Data is stored primarily on servers located in the European Union. Where a provider (for example, Google services) involves a transfer outside the European Economic Area, this takes place only with adequate safeguards, such as the Standard Contractual Clauses approved by the European Commission.
8. How long we keep your data
- Account data — for as long as your account is active; we delete or anonymise it within a reasonable period after closure, unless the law requires us to retain it;
- Technical logs — up to 2 years;
- Correspondence with us — up to 24 months after the request is resolved;
- Collection and receipt data — for the period required by the legal and contractual obligations applicable to collection operators.
9. Data security
We use secure servers and encrypt data transfers to and from our servers using SSL/TLS technology. We apply access controls, row-level data isolation (Row Level Security) and restrict access to trained staff who need the data to perform their duties. However, no system can guarantee absolute security.
10. Your rights
As a data subject, you have the following rights under the GDPR:
- the right of access to your data;
- the right to rectification of inaccurate data;
- the right to erasure (“the right to be forgotten”);
- the right to restriction of processing;
- the right to data portability;
- the right to object to processing;
- the right to withdraw consent at any time, without affecting the lawfulness of prior processing.
You can exercise these rights by e-mailing dpo@sustivo.eco. You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) — www.dataprotection.ro.
11. Children
Our apps and services are not intended for persons under 18 years of age. We do not knowingly collect data from anyone under that age. If you learn that a minor has provided us with data without the consent of their legal guardian, please contact us at dpo@sustivo.eco so we can delete it.
12. Automated decisions and profiling
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
13. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. We will publish the updated version on this page, indicating the date of the last update. We encourage you to review it periodically.
14. Contact
For any question about this policy or the processing of your data, you can contact us at contact@sustivo.eco or, for data-protection matters, at dpo@sustivo.eco.
← Back to sustivo.eco