Privacy Policy

Last updated: March 28, 2026

Our Privacy Commitment

At recyclr, we believe privacy is a fundamental human right. We are committed to protecting your personal data with the same care we would want for our own information. This policy explains how we collect, use, and protect your information in compliance with India's Digital Personal Data Protection Act (DPDPA 2023), General Data Protection Regulation (GDPR), and international privacy best practices.

Scope and Definitions

This privacy policy draws from leading practices by Google, Apple, Meta, and Amazon, while incorporating DPDPA (India's Digital Personal Data Protection Act), GDPR (EU General Data Protection Regulation), and HIPAA (US Health Insurance Portability and Accountability Act) requirements to ensure robust data protection, user rights, and business security.

This policy applies to all personal data processed by our business, including data from users in India (under DPDPA), EU/EEA (GDPR), and any health-related data (HIPAA). Personal data includes any identifiable information like names, emails, IP addresses, device IDs, biometric data, health/fitness info, and activity logs, as defined broadly like Apple's approach. We treat aggregated data as non-personal unless linkable to individuals.

1. Information We Collect

We collect minimal necessary data: account details (name, email, payment info), device info (IP, browser type, serial numbers), usage/activity data (searches, interactions, location via GPS/IP), and sensitive data like health or biometrics only with explicit consent. Sources include direct user input, third-party partners (e.g., carriers), and public web data via crawlers, without re-identification. For Indian users, data must remain accurate and complete per DPDPA.

Account Information

When you create a recyclr account, we collect:

  • Name, email address, and phone number
  • Profile photo and optional bio information
  • Device unique identifiers and technical specifications
  • Location information (with your explicit consent)
  • Government-issued ID (only for identity verification, when required)

Transaction Information

When you buy or sell on recyclr:

  • Item details, photos, and descriptions
  • Transaction history and payment information
  • Communication with other users
  • Delivery and pickup preferences

Usage and Technical Information

  • IP address and browser information
  • Device information and operating system
  • App usage patterns and interaction data
  • Crash reports and performance data
  • Cookie and similar technology data

Data Sources

  • Direct user input and voluntary submissions
  • Third-party partners and service providers
  • Public web data via automated crawlers
  • Device and platform analytics

2. Legal Basis and Use

Processing occurs only with lawful basis: consent, contract fulfillment, legitimate interests (e.g., service improvement, fraud prevention), or legal obligations. Uses include powering services, personalization (with opt-in), security (encryption, access controls), analytics, and compliance reporting. No algorithmic decisions significantly affecting users without human review; AI governance includes bias assessments. HIPAA-protected health data (e.g., medical history, PHI like addresses/dates/SSN) is limited to permitted disclosures.

Core Service Operations

  • To create and manage your recyclr account
  • To facilitate buying and selling transactions
  • To connect buyers and sellers securely
  • To process payments and verify transactions
  • To provide customer support and resolve disputes

Service Improvement and Analytics

  • To analyze usage patterns and improve our services
  • To conduct research and develop new features
  • To ensure platform security and prevent fraud
  • To personalize your experience (with your consent)
  • To conduct AI bias assessments and governance reviews

Legal Compliance and Security

  • To comply with applicable laws and regulations
  • To respond to legal requests and court orders
  • To protect our rights, property, and safety
  • To prevent fraudulent or illegal activities
  • To maintain HIPAA compliance for protected health information

Automated Decision Making

We do not make significant automated decisions affecting users without human review. All algorithmic processes that could substantially impact your rights are subject to human oversight, bias assessments, and regular audits to ensure fairness and transparency.

3. Legal Basis for Processing (DPDPA & GDPR)

We process your personal data based on the following legal grounds:

Consent

When you voluntarily provide information and explicitly consent to its processing for specific purposes. You can withdraw consent at any time.

Contractual Necessity

When processing is necessary to fulfill our contractual obligations to provide the recyclr service.

Legal Obligation

When required by law, such as for anti-money laundering compliance or tax reporting.

Legitimate Interests

When processing serves our legitimate business interests, such as fraud prevention, network security, or service improvement, provided these interests don't override your fundamental rights and freedoms.

4. Data Sharing and Disclosure

Data is shared only with affiliates, service providers (under strict contracts), partners (e.g., for subscriptions), or at user direction—with no marketing sales. Disclosures for legal reasons (e.g., law enforcement) or emergencies follow regulations. Processors must comply with our instructions; international transfers use Standard Contractual Clauses.

With Other Users

Limited contact information is shared between buyers and sellers to facilitate transactions. This includes only what is necessary to complete the transaction.

Service Providers and Processors

We work with trusted third-party service providers who process data on our behalf:

  • Payment processors (Razorpay, Google Play)
  • Cloud hosting providers
  • Analytics and support tools
  • Communication platforms

All providers are contractually bound to protect your data and use it only for specified purposes. Processors must comply with our instructions and applicable data protection laws.

Affiliates and Partners

We may share data with corporate affiliates and business partners for operational purposes, always under strict contractual obligations and only as necessary for the services you use.

Legal Requirements and Emergencies

We may disclose information when:

  • Required by law, regulation, or court order
  • Necessary to protect our rights, property, or safety
  • To prevent fraud or illegal activities
  • In connection with a business transfer or merger
  • In emergency situations to protect vital interests

International Data Transfers

For international transfers, we use Standard Contractual Clauses (SCCs), adequacy decisions, and comply with DPDPA cross-border transfer requirements to ensure adequate protection.

5. User Rights

Users can access, correct, delete, port, restrict processing, or withdraw consent anytime via privacy@recyclr.in or a dedicated portal like Apple's privacy.apple.com. DPDPA/GDPR rights include Data Subject Access Requests (DSARs) within 72 hours for breaches; HIPAA adds accounting of disclosures. Opt out of personalized ads, tracking (e.g., GPC signals), and sales/sharing (no selling occurs). California users get "Do Not Sell/Share" links; non-discrimination applies.

Right to Access

You can request a summary of your personal data, including what we collect, why we collect it, and who we share it with. Access requests are processed within 30 days as required by GDPR and DPDPA.

Right to Correction

You can request correction of inaccurate, incomplete, or outdated personal information. We will update your records promptly upon verification.

Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data, subject to legal obligations and legitimate business interests. HIPAA requires specific procedures for PHI deletion.

Right to Data Portability

You can request your data in a structured, machine-readable format to transfer to another service. We provide data in common formats like JSON, CSV, or XML.

Right to Withdraw Consent

You can withdraw consent at any time, though this may affect your ability to use certain services. Withdrawal is as easy as giving consent.

Right to Nominate

Under DPDPA, you can nominate someone to exercise your rights in case of your death or incapacity.

HIPAA-Specific Rights

For protected health information, you have additional rights including accounting of disclosures and restrictions on certain uses and disclosures.

Marketing and Tracking Opt-Out

You can opt out of personalized advertising, tracking technologies, and data sharing. We respect Global Privacy Control (GPC) signals and provide "Do Not Sell/Share" options for California users.

Non-Discrimination

You will not be discriminated against for exercising your privacy rights, including through denial of service, different prices, or reduced quality of service.

Data Breach Notification

In case of personal data breaches, we notify affected users within 72 hours as required by GDPR and DPDPA, with specific information about the breach and protective measures.

6. Data Security Measures

We implement administrative, technical, and physical safeguards: encryption in transit/rest, access controls, regular audits, breach response plans (notify within 72 hours per GDPR/DPDPA), and AI bias reviews. Like Amazon, we use procedural safeguards against unauthorized access. Data integrity prevents loss/damage; HIPAA requires PHI protections.

Technical Safeguards

  • End-to-end encryption for sensitive data transmission
  • Encryption at rest for stored personal information
  • Regular security audits and penetration testing
  • Secure authentication and access controls
  • Network security monitoring and intrusion detection
  • Data integrity checks and backup systems

Organizational Measures

  • Employee privacy training and background checks
  • Principle of least privilege access
  • Data minimization and purpose limitation
  • Regular privacy impact assessments
  • Incident response procedures
  • AI governance and bias assessment programs

Breach Response and Notification

We maintain comprehensive breach response plans with notification within 72 hours as required by GDPR and DPDPA. Response includes containment, investigation, user notification, and remediation measures.

HIPAA Security Requirements

For protected health information, we implement additional safeguards including administrative, physical, and technical protections as required by the HIPAA Security Rule.

Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy, unless required by law to retain it longer. We regularly review and delete unnecessary data.

7. Data Retention and Deletion

Retain data only as needed for purposes or law (e.g., tax records), then delete securely—user-initiated or auto after periods (e.g., 180 days for inactive subscriptions). Export/delete requests processed promptly; backups purged post-deletion. No indefinite retention.

Retention Periods

  • Account data: Retained while account is active
  • Transaction data: Retained for 7 years for tax compliance
  • Inactive accounts: Deleted after 180 days of inactivity
  • Marketing data: Deleted immediately upon opt-out

Deletion Procedures

  • User-initiated deletion processed within 30 days
  • Automatic deletion for inactive accounts
  • Secure deletion with backup purging
  • Certificate of deletion available upon request

8. Children's Data

Children under 13 (or local equivalent) require verifiable parental consent for accounts; Managed IDs for schools follow disclosures. Delete unauthorized child data immediately.

Age Restrictions

recyclr is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information immediately.

Parental Consent

For users aged 13-17, we require verifiable parental consent for account creation and data processing in accordance with applicable laws. Parents can review, modify, or delete their child's information.

Educational Accounts

For school-managed accounts, we follow specific disclosure requirements and provide additional privacy protections for educational settings.

9. Cookies and Tracking

We use cookies/beacons for functionality, analytics, ads (personalized opt-out available), and security. Disable via browser settings; no cross-site tracking without consent.

Cookie Types

  • Essential Cookies: Required for basic site functionality
  • Analytics Cookies: Help us understand how you use our services
  • Advertising Cookies: Used for personalized advertising (opt-out available)
  • Security Cookies: Help protect against fraud and abuse

Control Options

  • Browser settings to control or disable cookies
  • Privacy preferences for personalized advertising
  • Global Privacy Control (GPC) signal recognition
  • Do Not Track browser settings honored

10. Compliance and Updates

Compliant with DPDPA (audits for Significant Data Fiduciaries), GDPR (DPO contact), HIPAA (PHI rules), and 2026 trends like state laws. Updates posted 7+ days in advance with notice. Contact DPO at privacy@recyclr.in for inquiries/complaints. Effective March 26, 2026.

Regulatory Compliance

  • DPDPA compliance for Indian users
  • GDPR compliance for EU/EEA users
  • HIPAA compliance for health-related data
  • Regular audits and assessments
  • Data Protection Officer (DPO) available

Policy Updates

  • Updates posted on the website with 7+ days' notice
  • Significant changes notified via email/app
  • Material changes require new consent
  • Continued use constitutes acceptance

Effective Date

This privacy policy is effective March 26, 2026, and replaces all previous versions.

11. Contact Information

Contact Us

For privacy-related questions, concerns, or to exercise your rights, please contact us through our Contact Us form.

Grievance Redressal

If your privacy concern is not resolved to your satisfaction through the Contact Us form, you have the right to:

  • File a complaint with the Data Protection Board of India (DPB)
  • Approach relevant data protection authorities in your jurisdiction
  • Seek judicial remedies as provided by applicable law

Accessibility

This privacy policy is written in clear, accessible language. If you need this information in another format or language, or have difficulty understanding any part, please contact us, and we'll be happy to assist.