Privacy policy

CONTROLLER IDENTIFICATION

*(In accordance with Art. 4(7) GDPR & Cyprus Law 125(I)/2018)*

Role

Entity

Data Controller (Project Period: until 31 March 2027)

LIFE Food Connect Project Consortium 

(Joint Controllers) comprising: DIAS Media Group (Lead Coordinator), Friends of the Earth Cyprus (Filoi tis Gis Kyprou), ZERO – Associação do Sistema Terrâneo (Portugal), INOVA+ Business Consulting Company (Portugal), and Friends of the Earth Malta (Malta).

Primary Contact for Data Protection

Friends of the Earth Cyprus (Filoi tis Gis Kyprou)

Future Sole Controller (from 31 March 2027)

Friends of the Earth Cyprus (Filoi tis Gis Kyprou)

Data Protection Officer (DPO)

Sara Mariza Vryonidi

DPO Email

dpo@foecyprus.org

DPO Postal Address

Friends of the Earth Cyprus, 361, Agiou Andreou, Limassol, Cyprus

General/Operational Contact

apps@foecyprus.org 

Legal/Compliance Contact

legal@foecyprus.org 

1. INTRODUCTION & SCOPE

Food Connect ("we", "us", "our", the "Platform") is a non-profit digital intermediary platform (as defined in our Terms & Conditions) co-funded by the European Union under the LIFE Programme (Project No. 101148772). The Platform connects food donors and food recipients in Cyprus, Malta, and Portugal to reduce food waste.

We process your personal data in strict compliance with:

  • The General Data Protection Regulation (EU) 2016/679 (GDPR) ;
  • The Cyprus Personal Data Protection Law 125(I)/2018 ;
  • The Cyprus Electronic Communications and Postal Regulation Law of 2004 (112(I)/2004) (regarding cookies);
  • Regulation (EC) No 178/2002 (General Food Law) regarding traceability.

This Privacy Policy is legally binding and incorporated by reference into our Terms & Conditions (available on the Platform). By using the Platform, you acknowledge that you have read, accept and understand this policy.

Important Note on Consent: Your consent for this policy is not a prerequisite for using core Platform services (Art. 7(4) GDPR). However, your explicit consent is required for specific activities such as receiving newsletters, participating in surveys, or accepting non-essential cookies.

2. CATEGORIES OF DATA WE PROCESS

We process the following categories of personal data, strictly limited to what is necessary for the purposes described below (Data Minimization – Art. 5(1)(c) GDPR).

2.1 User-Provided Data

(Legal Basis: Art. 6(1)(b) GDPR – Performance of a Contract)

Data Category

Specific Data Points

Identity Data

Full name, User type (Donor or Recipient), profile photo (optional)

Business/Organisational Data

Business registration number (for Donors), charity registration number (for Organisational Recipients), VAT number (if applicable)

Contact Data

Email address, phone number, postal address

Location Data

Collection point address, city, area, specific pick-up instructions

Donation Data

Food items, quantity/portions, allergen declarations, collection window, handling/storage notes

Account Data

Username, password hash, account creation date, last login date

2.2 Automatically Collected Data

(Legal Basis: Art. 6(1)(f) GDPR – Legitimate Interests)

Data Category

Specific Data Points

Purpose

Device Data

IP address, device ID/UDID, operating system, app version, device model

Security, fraud prevention, debugging

Usage Data

Logs, timestamps, clicks, screens visited, features used

Platform improvement, user experience optimization

Technical Events

Crash reports, error logs, performance metrics

Troubleshooting, stability

Misconduct Data

Records of No-Shows, late cancellations, ToS violations, account warnings

Community protection, enforcement of ToS Clause 4.6 & 6.5

2.3 Traceability Data (Food Safety)

(Legal Basis: Art. 6(1)(c) GDPR – Legal Obligation)

Pursuant to Article 18 of Regulation (EC) No 178/2002 (General Food Law) and our Terms & Conditions Clause 13.3, we retain the following data for a minimum of 5 years:

  • Donor identity (name and business registration)
  • Food type and description
  • Quantity
  • Date and time of donation
  • Recipient identity

⚠️ IMPORTANT: This traceability retention overrides the "right to be forgotten" (Art. 17 GDPR) where food safety legislation requires retention

2.4 Special Category Data (Sensitive Data – Art. 9 GDPR)

We do not intentionally collect or process special category data (health data, religious beliefs, biometric data, etc.) for our own purposes.

Exception – Voluntary Disclosure: If you, as a Donor, voluntarily disclose allergen information (e.g., "contains nuts") or dietary restrictions in a Listing, you are explicitly consenting to that sensitive data being published and visible to Recipients. You may withdraw this consent by deleting or editing the Listing.

2.5 General Privacy Statements 

 The following data shall be retained from the web version (Donors):

  • Business Name
  • Country (Cyprus, Malta ή Portugal)
  • Tax Identification Number
  • Business Address (Number, City, Postcode)
  • Location (pin on the map and conversion to latitude και longitude)
  • Business phone number
  • Email (unique identifier)

The following data shall be retained from the Mobile Application (Receivers):

  • Full name
  • Country (Cyprus, Malta ή Portugal)
  • Address (Number, City, Postcode)
  • Location (pin on the map and conversion to latitude και longitude)
  • Phone number
  • Email (unique identifier)

Important Note: Receivers may register multiple addresses, while Donors may register only one.

In addition, data relating to boxes, bags, claims, cancellations, pickups, and similar transactions will also be collected.

Privacy Statements – Account Deletion:

  • Users may request the deletion of their account and associated personal data by sending an email from the registered email address of their account.

3. LEGAL BASES & PURPOSES (Harmonized with Terms & Conditions)

The table below sets out the specific legal bases for each processing activity, cross-referenced to the relevant clause of our Terms & Conditions.

Purpose

Legal Basis (GDPR)

Corresponding ToS Clause

Explanation

Account creation, registration, and management

Art. 6(1)(b) – Contract

Clause 2, 4

Processing necessary to set up and maintain your user account

Facilitating food donations, listings, and claims

Art. 6(1)(b) – Contract

Clause 3, 5, 6

Enabling Donors to list food and Recipients to claim it

Direct messaging between Donors and Recipients

Art. 6(1)(b) – Contract

Clause 3.1

Communication necessary to arrange collection logistics

Food safety traceability and recall management

Art. 6(1)(c) – Legal Obligation

Clause 5.6, 7.4, 13.3

Compliance with EU Food Law (Regulation 178/2002)

Enforcing No-Show penalties, suspensions, and bans

Art. 6(1)(f) – Legitimate Interests

Clause 4.6, 6.5

Protecting the community from misuse of the Platform

EU LIFE Programme reporting and impact monitoring

Art. 6(1)(c) – Legal Obligation

Clause 3.4, 13.3

Compliance with grant agreement with the European Commission

Security logging, fraud prevention, and cyber incident response

Art. 6(1)(f) – Legitimate Interests

Clause 9.2

Protecting the Platform, Users, and our systems

Platform improvement, analytics, and debugging

Art. 6(1)(f) – Legitimate Interests

Clause 1 (Introduction)

Ensuring the Platform functions correctly and improves over time

Sending newsletters and marketing communications

Art. 6(1)(a) – Consent

(Marketing provisions)

Only sent if you explicitly opt in; you may withdraw consent at any time

Surveys and optional feedback activities

Art. 6(1)(a) – Consent

Clause 26.6

Only processed with your explicit opt-in consent

Cookies and similar technologies (non-essential)

Art. 6(1)(a) – Consent (per Cyprus Law 112(I)/2004)

(Cookie provisions)

You must opt in to analytical or functional cookies via our cookie banner

Legal claims, litigation, and regulatory defence

Art. 6(1)(f) – Legitimate Interests

Clause 5.7, 6.6, 15

Protecting our legal rights and defending against claims

4. DATA SHARING & RECIPIENTS

We share personal data only where necessary and only to the extent required for the Platform to function, for legal compliance, or for project operations.

4.1 Sharing with Other Users

Scenario

Data Shared

Legal Basis

Donor publishes a Listing

Donor's business name, collection address, collection window, food details

Art. 6(1)(b) – Contract

Recipient claims a Donation

Recipient's name and contact details (as necessary for collection)

Art. 6(1)(b) – Contract

Post-collection rating/feedback

Pseudonymized User ID (no direct identifiers)

Art. 6(1)(f) – Legitimate Interests

4.2 Sharing with Project Partners (Joint Controllers)

During the LIFE project period, data is shared among the Consortium members (DIAS Media Group, Friends of the Earth Cyprus, ZERO, INOVA+, Friends of the Earth Malta) for:

  • Operational support and troubleshooting
  • Impact monitoring and reporting to the European Commission
  • Cross-border food waste reduction analytics

Joint Controllership Arrangement (Art. 26 GDPR) is in effect. The essence of this arrangement is available upon request to the DPO.

4.3 Sharing with Technical Processors

We engage the following categories of data processors under GDPR-compliant Data Processing Agreements (DPA) (Art. 28 GDPR):

Processor Category

Purpose

Location of Processing

Hosting and cloud infrastructure provider

Storage of all Platform data

European Union (EU)

Email service provider

Sending transactional emails and notifications

EU (or third country with SCCs)

Support ticketing system

Managing user support requests

EU

Analytics provider (privacy-focused)

Anonymous usage statistics

EU

Crash reporting service

Debugging and stability monitoring

EU

International Transfers: If any processor is located outside the European Economic Area (EEA), we implement Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary technical measures, to ensure an adequate level of data protection.

4.4 Sharing with Public Authorities

We will disclose personal data to competent authorities only where:

  • Required by law, regulation, or court order (e.g., Cyprus Police, Ministry of Health)
  • Necessary for food safety investigations (e.g., food poisoning outbreak)
  • Required for fraud prevention or criminal proceedings
  • Necessary to protect the vital interests of a data subject or others

Specific authorities include:

  • Office of the Commissioner for Personal Data Protection (Cyprus)
  • Cyprus Police (where a criminal offence is suspected)
  • Ministry of Health (for food safety incidents)
  • European Commission (for audit of LIFE Programme grant – anonymized or aggregated data only)

4.5 Sharing with Delivery Partners

THE USE OF DELIVERY PARTNERS IS EXPLICITLY PROHIBITED

4.6 What We DO NOT Do

We explicitly state that we do NOT:

  • Sell your personal data to any third party
  • Rent or lease your personal data
  • Share your personal data for advertising, marketing, or commercial purposes unrelated to the Platform
  • Disclose more personal information than is necessary for the specific purpose

5. DATA RETENTION (Specific & Mandatory Schedule)

We retain personal data only for as long as necessary for the purposes described in this policy. Retention periods are based on legal requirements, contractual obligations, and operational needs.

Data Category

Retention Period

Legal Basis / Justification

Active User Account Data

Duration of active account + 3 years of inactivity

After 3 years of inactivity, we will notify you and delete the account unless you re-activate it.

Deleted/Closed Account Data

30 days after deletion request (except traceability data)

Grace period for recovery; permanent deletion after 30 days.

Food Donation & Claim Records (Traceability)

Minimum of 5 years from date of donation

ToS Clause 13.3; Regulation (EC) No 178/2002, Art. 18. This overrides right to erasure.

Technical Logs (IP addresses, device IDs)

12 months

Security auditing, fraud investigation.

No-Show & Misconduct Records

2 years from date of last incident

Enforcement of ToS; community protection.

Consent Records (e.g., newsletter opt-in)

5 years from date of consent

Demonstrating compliance with Art. 7(1) GDPR.

Newsletter Subscription Data

Until consent is withdrawn

Art. 6(1)(a) GDPR.

Cookie Consent Preferences

12 months

Compliance with Cyprus Law 112(I)/2004.

Legal & Compliance Records

7 years from end of financial year

Cyprus tax and corporate law requirements.

Backup & Archive Systems

Up to 7 years (encrypted)

Disaster recovery; access is restricted and data is not actively processed.

5.1 Data Deletion Upon Account Closure

When you request account deletion:

  • Your profile and active data will be deleted within 30 days.
  • Your traceability data (Donor identity, food type, quantity, date) will be retained for 5 years as required by food safety law.
  • Your anonymized donation statistics (e.g., "Donor X donated 100kg in 2026") may be retained for project reporting.

6. YOUR RIGHTS (DATA SUBJECT RIGHTS – CYPRUS SPECIFIC)

Under the GDPR (Articles 15–22) and the Cyprus Personal Data Protection Law 125(I)/2018, you have the following rights. These rights are subject to the limitations set out in Terms & Conditions Clause 13.3 (traceability retention override).

6.1 Summary of Your Rights

Right

GDPR Article

Description

Limitations / Exceptions

Right to Access

Art. 15

Obtain confirmation of whether we process your data, and receive a copy.

May not apply if providing access would adversely affect others' rights.

Right to Rectification

Art. 16

Correct inaccurate or incomplete personal data.

Must provide supporting documentation for corrections.

Right to Erasure (Right to be Forgotten)

Art. 17

Request deletion of your personal data.

Does not apply to traceability data required for 5 years under food safety law.

Right to Restriction of Processing

Art. 18

Limit how we use your data while a dispute is resolved.

You may ask us to "freeze" your data instead of deleting it.

Right to Data Portability

Art. 20

Receive your data in a structured, machine-readable format (CSV/JSON).

Applies only to data you provided, based on consent or contract.

Right to Object

Art. 21

Object to processing based on Legitimate Interests (Art. 6(1)(f)).

We may continue processing if we have compelling legitimate grounds.

Right to Withdraw Consent

Art. 7(3)

Withdraw consent at any time where processing is based on consent.

Withdrawal does not affect lawfulness of processing before withdrawal.

Right to Lodge a Complaint

Art. 77

Complain to the Cyprus Data Protection Commissioner.

See contact details in Section 10.

6.2 How to Exercise Your Rights

Step 1: Send an email to our Data Protection Officer at: dpo@foecyprus.org

Step 2: Use the following subject line format: GDPR REQUEST – [Right you wish to exercise] – [Your Name]

Examples:

  • GDPR REQUEST – Right to Access – Maria Christodoulou
  • GDPR REQUEST – Right to Erasure – John Demetriou

Step 3: Include in your email:

  • Your full name
  • The email address associated with your Food Connect account
  • A clear description of your request
  • Any supporting documentation (if applicable)

Step 4: We will verify your identity before responding. Verification may require:

  • Responding from your registered email address
  • Providing a government-issued ID (for high-risk requests such as deletion or correction of sensitive data)

6.3 Response Times

Request Type

Standard Response Time

Maximum Extension

Simple requests (access, rectification, withdrawal)

30 days

Not applicable

Complex requests (erasure, portability, objection)

30 days

60 additional days (with notice)

Refusal of request (with reasons)

30 days

Not applicable

We shall make every effort to comply within 30 days. If we need an extension, we will notify you within the initial 30-day period, explaining the reason for the delay.

6.4 Restrictions on Information

We may be unable to provide you with all requested information where:

  • Providing the information would adversely affect the rights and freedoms of others (Art. 15(4) GDPR)
  • The data is subject to legal privilege or ongoing legal proceedings
  • Disclosure would prejudice the prevention or detection of crime
  • The request is manifestly unfounded or excessive (Art. 12(5) GDPR) – in which case we may charge a reasonable administrative fee or refuse to act

If we restrict information, we will notify you of the reasons in writing.

7. COOKIES & TRACKING TECHNOLOGIES

*(Compliance with Cyprus Law 112(I)/2004 implementing the e-Privacy Directive)*

Our website and mobile application use cookies and similar technologies (e.g., local storage, SDKs) to enhance functionality, analyse usage, and improve security.

7.1 Categories of Cookies

Category

Description

Legal Basis

Consent Required?

Strictly Necessary Cookies

Required for core functionality: login, authentication, security, network management.

Art. 6(1)(f) GDPR / e-Privacy exemption (Cyprus Law 112(I)/2004, Art. 4)

No – These cannot be disabled.

Functional / Preference Cookies

Remember your language selection, region, or interface preferences.

Art. 6(1)(a) GDPR (Consent)

Yes – Opt-in required.

Analytics / Performance Cookies

Collect anonymised data on how users interact with the Platform (e.g., pages visited, time spent). We use privacy-focused analytics (e.g., Matomo or anonymised Google Analytics).

Art. 6(1)(a) GDPR (Consent)

Yes – Opt-in required.

Marketing / Advertising Cookies

We do not use these.

Not applicable

Not applicable

7.2 Managing Cookie Preferences

  • Website: On your first visit, a cookie banner will appear allowing you to accept or reject non-essential cookies. You may change your preferences at any time via the "Cookie Settings" link in the website footer.
  • Mobile App: You may manage tracking permissions in your device settings (iOS: Settings > Privacy > Tracking; Android: Settings > Apps > Food Connect > Permissions).

7.3 Third-Party Cookies

We do not permit third-party advertising networks or social media platforms to place cookies on our website. Any third-party cookies (e.g., embedded maps or videos) will be disclosed in our Cookie Policy.

8. CHILDREN'S DATA (UNDER 18)

The Food Connect Platform is intended for use by adults only (minimum age 18).

  • In compliance with Art. 8 GDPR and our Terms & Conditions Clause 10, we do not knowingly collect personal data from persons under the age of 18.
  • If a parent or guardian believes that a minor has registered on the Platform without appropriate consent, please contact our DPO immediately at dpo@foecyprus.org with the subject line MINOR ACCOUNT – [Child's Name].
  • Upon verification, we will:
  • Immediately suspend the minor's account
  • Delete all associated personal data (subject to traceability retention obligations)
  • Confirm deletion to the parent/guardian

9. DATA SECURITY & PROTECTION MEASURES

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or disclosure, as required by Art. 32 GDPR.

9.1 Technical Measures

Measure

Implementation

Encryption in transit

TLS 1.3 (HTTPS) for all web and API traffic

Encryption at rest

AES-256 encryption for databases and backups

Access controls

Role-based access control (RBAC); principle of least privilege

Authentication

Strong password policies; optional 2FA (planned)

Logging & monitoring

Centralised logging with anomaly detection

Backups

Encrypted daily backups stored in separate EU region

Vulnerability management

Regular penetration testing and dependency scanning

9.2 Organisational Measures

  • All personnel with access to personal data sign confidentiality agreements
  • Mandatory annual data protection training for all staff
  • Data Protection Impact Assessments (DPIAs) conducted for high-risk processing
  • Data breach response plan in place, including 72-hour notification to Cyprus Commissioner (Art. 33 GDPR)

9.3 User Responsibilities

While we take security seriously, no digital system is 100% secure. You are responsible for:

  • Maintaining the confidentiality of your password
  • Not sharing your login credentials with any third party
  • Logging out after each session on shared or public devices
  • Notifying us immediately of any suspected unauthorised access to your account

10. COMPLAINTS TO SUPERVISORY AUTHORITY (CYPRUS)

If you believe that we have not responded appropriately to your data protection concerns, or that we have violated your rights under GDPR or Cyprus law, you have the right to lodge a complaint with the Cyprus supervisory authority.

Office of the Commissioner for Personal Data Protection (Cyprus)

Detail

Information

Physical Address

Ippokratous 11, 1061, Nicosia, Cyprus

Postal Address

P.O. Box 23378, 1682 Nicosia, Cyprus

Telephone

+357 22 818 456

Fax

+357 22 304 565

Email

commissioner@dataprotection.gov.cy

Website

www.dataprotection.gov.cy

Complaint Procedure:

  • You may lodge a complaint in writing (by post or email) in Greek or English.
  • The Commissioner will acknowledge receipt within 15 days.
  • A decision is typically issued within 6–9 months, depending on complexity.

We encourage you to contact us first at dpo@foecyprus.org before lodging a complaint with the Commissioner, so that we may attempt to resolve your concern directly.

11. CHANGES TO THIS PRIVACY POLICY

We keep this Privacy Policy under regular review and will notify you of changes as follows:

Type of Change

Notice Period

Method of Notification

Material changes (affecting your rights, new processing activities, new data sharing)

30 days in advance

Email + in-app notification

Non-material changes (typos, clarifications, updated contact details)

Effective immediately

Updated "Last Updated" date on Platform and website

Continued use of the Platform after any material change takes effect constitutes acceptance of the amended Privacy Policy. If you do not accept a material change, you must stop using the Platform and close your account before the change's effective date.

The current version of this Privacy Policy is always available at:

12. CONTACT INFORMATION

12.1 Data Protection Officer (DPO)

For all data protection inquiries, GDPR rights requests, or privacy concerns:

Method

Details

Email (Primary)

dpo@foecyprus.org 

Postal Address

Data Protection Officer, Friends of the Earth Cyprus, 361, Agiou Andreou, Limassol, Cyprus

12.2 Operational & General Inquiries

Method

Details

Email

apps@foecyprus.org

Platform Support

In-app support chat or email

12.3 Legal & Compliance Notices

For formal legal notices, law enforcement requests, or regulatory correspondence:

Method

Details

Email

legal@foecyprus.org

Subject Line Required

FORMAL LEGAL NOTICE – FOOD CONNECT

12.4 Food Safety Incident Reporting

Method

Details

Email

apps@foecyprus.org

Subject Line Required

FOOD SAFETY INCIDENT – [Donor/Recipient Name]

12.5 DSA Illegal Content Notices

Method

Details

Email

apps@foecyprus.org

Subject Line Required

DSA ILLEGAL CONTENT NOTICE

13. GOVERNING LANGUAGE

This Privacy Policy is issued in English, which is the governing language for all purposes, including interpretation and legal enforcement.

In the event of any conflict or inconsistency between this English version and any future translation (whether official or unofficial) into Greek, Maltese, Portuguese, or any other language, the English text shall always prevail.

14. SCHEDULE: DATA PROCESSING SUMMARY (For Your Records)

Processing Activity

Data Subjects

Categories of Data

Recipients

Retention Period

Account registration

Donors, Recipients

Name, email, phone, address, business registration

Technical processors

Active + 3 years

Donation listing

Donors

Food description, quantity, allergens, location, time

Other Users, Recipients, Consortium

5 years (traceability)

Claiming donations

Recipients

Name, contact details

Donors, 

5 years (traceability)

No-show enforcement

Donors, Recipients

Misconduct records, account history

Platform Operator (internal)

2 years

Project reporting

Donors, Recipients

Anonymised metrics only

European Commission, Consortium

Anonymised (indefinite)

Newsletters

Opt-in Users

Email address

Email processor

Until consent withdrawn

*Food Connect is co-funded by the European Union under the LIFE Programme (Project No. 101148772). Views expressed on this platform are those of the consortium and do not necessarily represent the views of the European Commission.*

*This Privacy Policy was last updated on [May 2026] and prepared in accordance with the GDPR and Cyprus Law 125(I)/2018.*