P7CO EcoResupply Privacy Policy
1. Who we are
P7CO EcoResupply is a brand operated by pH7x Systems JOAO P.S.V.T. LIVIO.
Tax ID: 198690851
Registered office: Rua Pulido Valente, 24 RC DTO, 2910-642 Setúbal, Portugal
Privacy contact: privacy@ph7x.com
DPO contact (if applicable): abuse@p7co.org
This Policy applies to P7CO EcoResupply websites, applications, and support channels targeted at the European Union and the European Economic Area. The main legal framework is the Regulation (EU) 2016/679 — GDPR, complemented in Portugal by Law No. 58/2019, Law No. 41/2004 (electronic communications and cookies), and Law No. 93/2021 (whistleblower protection). For intermediary services and due diligence, the Regulation (EU) 2022/2065 — DSA applies where relevant.
The lead supervisory authority is the CNPD — Comissão Nacional de Proteção de Dados in Portugal (GDPR one-stop-shop mechanism). Users may also file complaints with their local supervisory authority in the EEA.
2. Purposes and legal bases
We process personal data for specific and legitimate purposes. Below are representative examples.
Category | Examples | Purpose | Legal basis |
---|---|---|---|
Account | name, email, password hash, language | account creation and management, authentication, abuse prevention | contract performance (GDPR Art. 6/1-b) and legitimate interest (6/1-f) |
Transactions | messages, proposals, files, records | enabling surplus and reuse offers, service performance | contract performance (6/1-b) |
Support | requests, attachments, optional recordings | assistance, evidence, process improvement | legitimate interest (6/1-f) |
Analytics | technical events, minimal metrics | service improvement | consent (6/1-a) when required by ePrivacy |
Cookies | non-essential identifiers | preferences, statistics, advertising | consent (6/1-a), see section 9 |
Compliance | logs, audits, invoices | legal and security compliance | legal obligation (6/1-c) |
Whistleblowing | reports, attachments, metadata | handling environmental reports | legal obligation (6/1-c) and public interest (6/1-e), under Directive (EU) 2019/1937 and national laws |
Special categories of data (GDPR Art. 9) are not requested. If provided by the user (e.g., in reports), they will only be processed when strictly necessary, with an appropriate legal basis (e.g., exercise of legal rights) and enhanced safeguards.
3. Children and digital consent ages
When processing depends on a minor’s consent for information society services, the minimum age is set by the law of their country of residence.
Country | Minimum age |
---|---|
Portugal | 13 |
Spain | 14 |
France | 15 |
Germany | 16 |
Italy | 14 |
Netherlands | 16 |
Ireland | 16 |
Norway | 13 |
Iceland | 13 |
Liechtenstein | 16 |
If the child is below the minimum age, verifiable parental consent is required (GDPR Art. 8).
4. Data retention
Data are retained only as long as necessary for the purposes or legal/contractual obligations. Examples:
- Account and transaction records: while active + up to 5 years for legal defense
- Security logs: 12 months, longer in case of incidents
- Invoices/accounting records in Portugal: 10 years (Decree-Law No. 28/2019)
- Whistleblowing files: up to 2 years after closure, unless required longer by law or litigation
- Recruitment applications: up to 12 months with consent to retain CVs
In other jurisdictions, specific commercial or tax retention periods may apply.
5. Recipients and processors
We share data with processors under GDPR Art. 28 contracts and written instructions. Examples:
- Microsoft Azure (EU/EEA regions)
- Transactional email providers in the EU/EEA (e.g., Mailjet, Brevo)
- Cloudflare (CDN/security with regional controls)
- GitHub (code repositories without personal production data)
When required, Standard Contractual Clauses 2021/914 and supplementary technical/organizational measures are used.
6. International transfers
Where possible, processing stays within the EU/EEA. If transfers to third countries are required:
- EU adequacy decisions apply where available
- Standard Contractual Clauses 2021/914 with supplementary safeguards are applied otherwise
- Pseudonymization/minimization before transfer whenever feasible
7. Data subject rights
Under GDPR Arts. 12–22, users may exercise the rights of access, rectification, erasure, restriction, portability, and objection, and the right not to be subject to automated decisions with legal or similarly significant effects (Art. 22).
Requests: privacy@ph7x.com. Response deadline: 1 month (extendable). Identity verification may be required.
8. Automated decisions and profiling
We do not carry out automated decisions with legal effects. If profiling with relevant impact is used, we will provide clear information, human intervention, the right to contest, and opt-out mechanisms (GDPR Art. 22, EDPB guidance).
9. Cookies and similar technologies
We comply with the ePrivacy Directive 2002/58/EC and national laws.
- Strictly necessary cookies: no consent required
- Preference, analytics, and advertising cookies: require explicit consent
- Banner allows accept, refuse, or configure per category; refusal as easy as acceptance
- Consent record kept; renewal every 12 months or when cookie scope changes
References: CNIL cookie guide, AEPD cookie guide
10. Security
Measures per GDPR Art. 32: TLS ≥ 1.2, data at rest encryption, least privilege, MFA for admins, monitoring, audits, pseudonymization where possible.
11. Data breaches
Supervisory authority notified within 72 hours (Art. 33); data subjects informed when required (Art. 34). Internal plan and register maintained (EDPB guidelines).
12. Whistleblowing channels
In compliance with Directive (EU) 2019/1937 and national transpositions:
Portugal — Law No. 93/2021
Spain — Ley 2/2023
France — Loi 2022-401
Germany — HinSchG 2023
13. Supervisory authorities
Portugal — CNPD
Spain — AEPD
France — CNIL
Germany — BfDI
Italy — Garante
Netherlands — AP
Ireland — DPC
Norway — Datatilsynet
Iceland — Persónuvernd
Liechtenstein — Datenschutzstelle
14. Data Protection Officer
If appointed: abuse@p7co.org.
If not mandatory: privacy@ph7x.com.
15. Changes
We may update this Policy to reflect legal or operational changes. Material changes will be notified on the website/app and, where appropriate, by email. Previous versions are available upon request.
16. Annex A — common legal bases
- Contract performance: account creation, transactions
- Consent: non-essential cookies, marketing communications
- Legitimate interest: security, fraud prevention, service improvement (balancing test applied)
- Legal obligation: tax, regulatory compliance, whistleblowing channels
- Public interest/exercise of rights: handling reports, litigation defense
17. Annex B — processing records
Maintained per GDPR Art. 30: purposes, categories of data/subjects, recipients, international transfers, retention, safeguards; available to authorities on request.
18. Annex C — transfers outside the EEA (example)
Recipient | Country | Mechanism | Additional safeguards |
---|---|---|---|
Transactional email provider | United States | Adequacy decision or SCCs 2021/914 | TLS, encryption at rest, key management, minimization |
Azure | European Union | intra-EU processing | encryption, key management, logging, environment segregation |
19. Exercising rights
Send request to privacy@ph7x.com. Include:
- Right being exercised
- Minimal identifying information
- Context (e.g., account ID)
Identity verification may be requested. Responses within legal deadlines.