Privacy Policy

Zero Waste Asia is a GAIA Asia Pacific and Asia Home of Solutions Collective initiative that aggregates and visualizes zero waste knowledge contributed by members and the public. This Privacy Notice explains how personal data is collected, used, disclosed, and protected across our websites and tools (including account pages, contribute forms, and community features). It applies to all users, including those in the Philippines and Indonesia.

• We collect only what is needed to provide the service, keep the community safe, and meet legal obligations.
• Users control account information and may request access, correction, deletion, or portability subject to legal limits.
• We do not sell personal data and do not run third-party advertising trackers.
• Community safety is a priority: avoid uploading sensitive personal data (e.g., government IDs, exact home addresses).

• Account and profile data: name, email, password (hashed), country, language, and optional fields (display name, avatar, topic interests).
• Organization verification data (for “Verified by Org” accounts): organization name, role/title, domain-email proof or authorization letter, and reviewer notes.
• Contributions: text and files submitted (e.g., resource listings, directory entries, images). Contributors should anonymize or generalize personal data before posting.
• Community signals: endorsements and flags on entries, including reason codes and timestamps.
• Device and usage data: IP address (truncated where feasible), browser/OS, pages viewed, referral, timestamps for security and analytics.
• Communications: messages sent to us (support, privacy, or security reports).
• Optional: low-bandwidth or accessibility preferences; notification preferences.

If donating or registering for paid learning products on affiliated microsites, payment details are handled by payment processors; we receive only limited transaction metadata (e.g., success/failure, amount, timestamp).

• Provide and improve the service (account, login, submissions, search, display).
• Community safety and integrity (verification, endorsements/flags, duplicate detection, soft-locks, abuse prevention).
• Security (fraud monitoring, access control, audit logs, incident response).
• Analytics (privacy-preserving measurement; no third-party ad tracking).
• Legal compliance (responding to lawful requests; data-protection duties).
• Communications (transactional emails; optional digests/alerts).

• Consent for optional features (newsletters) or open-license choices on contributions.
• Contract to provide core features requested.
• Legitimate interests to keep services secure and useful (balanced against rights).
• Legal obligation / public interest when retention or disclosure is required to comply with law or protect users.

Services are for general audiences. If under 18, use only with parental/guardian consent. Avoid submitting information that could identify or endanger vulnerable individuals or groups.

• Service providers (“processors”): hosting, email delivery, analytics, error monitoring, file storage—bound by contracts to protect data and act only on instructions.
• Organizations (verification): limited sharing with the named organization to confirm affiliation when “Verified by Org” is requested.
• Public content: contributions and visible profile fields may be displayed publicly.
• Legal and safety: disclosure if required by law, or to protect users, communities, and services.
• Business continuity: permitted successors will honor this Notice if services are reorganized.

We may process data on infrastructure outside your country. When transferring personal data internationally, we apply appropriate safeguards (including data transfer agreements and technical controls) so your rights travel with your data. When transferring personal data out of Indonesia, we will comply with PDP Law Article 56: (i) send only to countries with equal or higher protection; or (ii) use adequate and binding safeguards (e.g., contracts/BCRs) when adequacy is absent; or (iii) obtain explicit consent if (i) and (ii) are not met. We disclose the applicable mechanism upon request.

Default initial targets:

• Account data: retained for the life of the account; delete or anonymize within 90 days after closure (unless legal retention applies).
• Community signals & moderation logs: 24 months (to support abuse prevention and appeals).
• Server logs & security telemetry: 12 months (shorter where feasible).
• Backups: rolling backups retained up to 90 days.
• Published contributions: retained while published. If removed, residual copies may remain in backups and in aggregated datasets not reasonably separable.

Subject to local law:

• Access (copy of personal data)
• Rectification (correct inaccuracies)
• Deletion (subject to legal/operational limits)
• Restriction / Objection (limit or object to processing based on legitimate interests)
• Portability (structured, machine-readable data where feasible)
• Withdraw consent (for consent-based processing)

Identity will be verified before certain requests are fulfilled. Target response time: 30 days.

Contact: [email protected] with your request and the email tied to your account. We may ask for additional verification to protect your data. Our target response time is 30 days.

• Philippines: may contact the National Privacy Commission.
• Indonesia: may contact the Ministry of Communication and Informatics (Kominfo).

Good-faith efforts will be made to resolve concerns.

• Encryption in transit; encryption at rest for primary storage where supported.
• Least-privilege access with admin 2FA; periodic access reviews; audit logging of sensitive actions.
• Secure development practices, vulnerability management, incident response.
• Responsible disclosure: report to [email protected]; avoid testing that harms users or disrupts services.
• Breach notifications:

• Where a notifiable personal data breach occurs in the Philippines, Zero Waste Asia will notify the National Privacy Commission and affected individuals within 72 hours of knowledge or reasonable belief, including the nature of the breach, data involved, remedial actions taken, and DPO contact details.
• Where a notifiable personal data breach occurs in Indonesia, Zero Waste Asia will notify the competent authority and affected individuals within 72 hours of discovery, in line with the Personal Data Protection Law.

• Avoid uploading government IDs, precise home addresses of private individuals, or medical/financial records.
• When mapping or listing facilities connected to vulnerable communities, use generalized locations or organizational contacts and obtain consent where needed.
• Use the flag function to report content that may expose people to risk.

• Essential: login sessions and security (cannot be turned off).
• Preferences: language and accessibility settings (optional).
• Analytics: first-party or privacy-preserving analytics; no third-party ad trackers.

Browser controls can manage cookies; blocking essential cookies may break core features. You can review or change non-essential cookie choices anytime in Settings ▸ Privacy Preferences.

Only submit information about others with consent or another legal basis, and only if sharing will not put them at risk. Anonymize where possible.

No legally significant decisions are made solely by automated processing. Community-verification thresholds are automated signals; Admins can review and override decisions. Appeals may be submitted via [email protected].

The “Last updated” date shows the latest revision. For material changes, notice will be provided through the service or by email. Continued use after changes indicates acceptance.

• General concerns: [email protected]
• Privacy, Reports and other concerns: [email protected]

Data Protection Officer: [email protected]

You may also write to “Data Protection Officer, Zero Waste Asia” via the postal address provided on our website.