Przejdź do głównej treści

Privacy policy

Privacy Policy EN

PRIVACY POLICY

Unwaste EMS

Effective date: 2026-02-20

1. Data Controller

The controller of personal data is:

Unwaste P.S.A. ul. Jana Pawła II 3A 37-500 Jarosław Poland KRS: 0001174941 NIP: 7922328190 E-mail: support@unwaste.energy

Personal data are processed in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"),
  • applicable national laws of EU Member States.

2. Scope

This Privacy Policy applies to the processing of personal data in connection with:

  • the Unwaste EMS cloud service,
  • private and business user accounts,
  • the website and web panel,
  • newsletter communications,
  • online payments.

The service is intended exclusively for adults (18+).

3. Categories of Personal Data

3.1. Private Accounts

When registering and using the service, we process:

  • email address,
  • username (alias),
  • registration date,
  • last token refresh date,
  • IP address used for login,
  • browser information,
  • information about granted consents.

3.2. Business Accounts

For business accounts, we additionally process invoicing data:

  • company name,
  • registered address (including country),
  • VAT number,
  • company registration number (KRS or equivalent),
  • invoicing data.

3.3. Technical Data

For security and debugging purposes:

  • IP address linked to the account,
  • basic session-related technical information.

We do not store energy consumption data in the cloud.

3.4. Energy and Installation Data

Energy consumption data, device readings, and installation parameters:

  • are stored locally in the user's environment,
  • may pass through cloud infrastructure solely to enable remote access,
  • are not retained or archived by the Controller,
  • are accessible only to the user and persons explicitly authorized by the user.

4. Statistical Data

We process aggregated and anonymized statistical data, including:

  • country and region (not linked to an account),
  • account type (private/business),
  • aggregated energy consumption data,
  • aggregated savings data.

Such data do not allow identification of an individual user.

5.1. Performance of a Contract (Art. 6(1)(b) GDPR)

  • account creation and maintenance,
  • provision of the cloud service,
  • payment handling,
  • technical support.
  • accounting and tax compliance.

5.3. Legitimate Interest (Art. 6(1)(f) GDPR)

  • ensuring system security,
  • preventing abuse,
  • debugging and maintaining infrastructure.
  • sending newsletters and marketing communications.

Consent may be withdrawn at any time.

6. Online Payments

Payments are processed by Stripe.

Stripe acts as an independent data controller with respect to payment data. The Controller does not store payment card details.

Further information is available in Stripe's Privacy Policy.

7. Processors and Third Parties

We use the following service providers:

  • OVH – hosting provider (servers located in France, EU),
  • Mailgun – email delivery services,
  • Cloudflare (Turnstile) – bot protection,
  • Stripe – payment processing.

Personal data are not transferred outside the European Economic Area except where required by the use of Stripe or Cloudflare services. In such cases, appropriate safeguards are implemented (e.g., Standard Contractual Clauses).

8. Data Retention

  • Account data – until account deletion.
  • IP address – until account deletion.
  • System backups – up to 30 days.
  • Accounting documentation – up to 6 years (as required by law).
  • Marketing data – until consent is withdrawn.

Upon account deletion, personal data are deleted without undue delay, subject to statutory retention obligations.

9. Automated Decision-Making

No automated decision-making within the meaning of Article 22 GDPR applies to private accounts.

For business accounts, pricing may be automatically calculated based on objective technical parameters (e.g., number of installations). This mechanism does not involve profiling or evaluation of personal characteristics.

10. Data Subject Rights

Individuals have the right to:

  • access their data,
  • rectify data,
  • erase data,
  • restrict processing,
  • data portability,
  • object to processing,
  • withdraw consent,
  • lodge a complaint with a supervisory authority.

In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO).

11. Data Security

We implement appropriate technical and organizational measures, including:

  • TLS encryption of data transmission,
  • access control mechanisms,
  • environment separation,
  • regular system backups.

12. Mandatory Nature of Data

Providing data required for registration is necessary to conclude and perform the contract. Providing marketing data is voluntary.

13. Changes to this Privacy Policy

This Privacy Policy may be updated due to legal, technological, or organizational changes. The current version is published on the Controller's website.