Privacy Policy
Who We Are
ZeroWaste+ is a sustainability performance platform operated by RiseUp Africa Inc., a company incorporated in Canada with active operations in Haiti, Kenya, Rwanda, and Canada. For the purposes of applicable data protection legislation, RiseUp Africa Inc. acts as the Data Controller.
- Legal entity: RiseUp Africa Inc.
- Platform: ZeroWaste+ (zerowaste.plus)
- Data Protection contact: [email protected]
- Offices: Kigali (Rwanda) · Nairobi (Kenya) · Port-au-Prince (Haiti) · Toronto (Canada)
Scope of This Policy
This Policy applies to all individuals whose personal data we process, including:
- Registered users of the ZeroWaste+ platform (app.zerowaste.plus)
- Visitors to zerowaste.plus and join.zerowaste.plus
- SAFI 2030 community members
- Prospective clients who submit a registration or inquiry form
- Representatives of corporate or SME client organisations
This Policy does not apply to third-party websites or services that may be linked from our platform.
Personal Data We Collect
We collect only data that is necessary, proportionate, and lawful for the purposes described in this Policy.
| Category | Data Elements |
|---|---|
| Personal Identification | Full name, email address, phone number, job title, company name |
| Account & Authentication | Login credentials (hashed), user role, unique user ID |
| Business & Operational | Sustainability metrics, waste data, packaging details, emissions data by location |
| Technical / Device | IP address, device type, browser type, access logs, session data |
| Registration & Intake | Plan interest, sector, country, payment preference (for SSA onboarding) |
| Optional / Voluntary | Profile photo, survey responses, feedback submissions |
We do not collect or process special category data (e.g. health, biometric, racial or ethnic origin data) unless explicitly consented to and required for a specific service feature.
How We Use Your Data
We process personal data strictly for the following purposes:
- Platform delivery: To create and manage your account, provide access to features, and personalise dashboards.
- Service communications: To send service updates, security alerts, and support responses.
- Analytics and improvement: To analyse usage patterns and improve platform performance and usability.
- Legal compliance: To meet obligations under data protection, sustainability reporting, and anti-money laundering laws.
- Security: To detect, prevent, and respond to fraud, misuse, or security incidents.
- Marketing (opt-in only): To send newsletters or promotional content to users who have explicitly opted in.
We do not use your personal data for automated decision-making or profiling that produces legal or significant effects without human oversight.
Legal Basis for Processing
For users in the EU/EEA or other jurisdictions requiring a lawful basis, we rely on the following grounds:
| Processing Activity | Legal Basis |
|---|---|
| Account registration and platform access | Contractual necessity (Art. 6(1)(b) GDPR) |
| Email communications and service alerts | Contractual necessity / Legitimate interest |
| Platform analytics and improvement | Legitimate interest (Art. 6(1)(f) GDPR) |
| Marketing newsletters | Consent (Art. 6(1)(a) GDPR) — withdrawable at any time |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c) GDPR) |
| Fraud detection and security | Legitimate interest |
| KYC / sanctions screening | Legal obligation (AML/CFT requirements) |
Data Storage and Security
We implement technical and organisational measures commensurate with the sensitivity of the data and the risks involved, including:
- All data in transit is encrypted using HTTPS/TLS 1.2 or higher
- Data at rest is encrypted on Firebase/Google Cloud infrastructure
- Role-based access controls (RBAC) restrict staff access to data on a need-to-know basis
- Firestore security rules enforce per-user data isolation at the database level
- Regular security audits, vulnerability monitoring, and incident response protocols
- All subprocessors are bound by Data Processing Agreements (DPAs)
In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected individuals without undue delay, in accordance with applicable law.
Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of service contract + 12 months |
| Billing and transaction records | 7 years (legal/tax obligations) |
| Registration & inquiry data (unapproved) | 90 days, then securely deleted |
| Security logs and access records | 12 months rolling |
| Marketing opt-in records | Until consent is withdrawn + 3 years |
| Anonymised analytics data | Indefinitely (no personal identifiers retained) |
Upon expiry of the applicable retention period, data is securely deleted or anonymised in a manner that prevents re-identification.
Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. Data may be shared only in the following circumstances:
- Cloud & hosting providers (Firebase / Google Cloud) — under data processing agreements
- Compliance and certification partners — for sustainability impact verification, under strict confidentiality
- Legal or regulatory authorities — when required by a court order or applicable law
- Business transfers — in the event of a merger or acquisition, subject to equivalent protections
- With your explicit consent — for any other sharing not listed above
All third-party processors are vetted and bound by Data Processing Agreements (DPAs) that require them to process data only on our instructions and in accordance with applicable law.
International Data Transfers
Our operations span Kenya, Rwanda, Haiti, and Canada, and our cloud infrastructure is operated by Google Cloud. Data may be transferred internationally. When transfers involve personal data from the EU/EEA or countries with adequacy requirements, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Google Cloud’s data residency controls and Privacy Shield successor frameworks
- Compliance with Kenya’s Data Protection Act requirements on cross-border transfers
- Compliance with Rwanda’s Law No. 058/2021 on cross-border data flows
You may request a copy of the applicable transfer safeguards by contacting [email protected].
Your Data Rights
Depending on your location and applicable law, you have the following rights with respect to your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Correct inaccurate or incomplete personal data |
| Erasure (“Right to be Forgotten”) | Request deletion of your data, subject to legal retention obligations |
| Restriction | Ask us to limit processing of your data in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format (EU/GDPR) |
| Objection | Object to processing based on legitimate interest or for direct marketing |
| Withdraw Consent | Withdraw consent at any time where processing is consent-based |
| Lodge a Complaint | Complain to your national data protection authority (DPA) |
To exercise any of these rights, submit a request to [email protected]. We will respond within 30 calendar days. We may require identity verification before processing your request.
Cookies and Tracking Technologies
We use cookies and similar technologies on our website and platform for the following purposes:
- Essential cookies: Required for platform functionality and session management.
- Analytics cookies: We use Google Analytics 4 (GA4) to understand platform usage. Analytics data is aggregated and does not identify individuals.
- Security cookies: reCAPTCHA v3 is used to detect and prevent automated abuse.
You can manage or disable non-essential cookies through your browser settings or our cookie consent interface. Note that disabling essential cookies may affect platform functionality.
For full details, see our Cookie Policy.
Children’s Privacy
ZeroWaste+ is a business platform not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data without verified parental or guardian consent, we will delete that data promptly.
If you believe a minor’s data has been submitted to us, please contact [email protected] immediately.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in law, technology, or our practices. Material changes will be communicated via:
- An in-platform notification for registered users
- An email notice to the address on your account
- An updated “Last Updated” date at the top of this page
Your continued use of ZeroWaste+ after the effective date of any update constitutes your acknowledgment of the revised Policy. Where required by law, we will seek your renewed consent.
Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or the way we process your personal data, please contact our Data Protection team:
Data Protection Contact
Email: [email protected]
Subject line: [Privacy Request] — Your Name — Request Type
Response time: Within 30 calendar days
Postal: RiseUp Africa Inc., Toronto, Ontario, Canada
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority: