Privacy Policy
Last updated: April 2026
1. Data Controller
UPPYA is operated by Naam Consulting S.à r.l., a company registered in Luxembourg.
For any data protection inquiry, contact us at: privacy@uppya.lu
2. Data We Process
UPPYA processes data strictly necessary for the orchestration of recycling logistics flows:
- Account data: name, email, company, role — for authentication and role-based access
- Operational data: delivery plans, dispatches, shipments, weighing records — for logistics orchestration
- Compliance data: EWC codes, DIWASS notification IDs, Annex VII documents — for regulatory compliance
- Operator identifiers: EORI, DIWASS Operator IDs, VAT numbers — for cross-border waste shipment traceability
- Driver data: name, license number, phone, safety certification status — for the driver safety protocol
- Audit logs: timestamped records of all actions — for full traceability and compliance audits
3. Legal Basis
We process personal data under the following legal bases per GDPR (EU) 2016/679:
- Contractual necessity (Art. 6(1)(b)): processing required to provide the UPPYA platform services
- Legal obligation (Art. 6(1)(c)): compliance with EU Regulation 1013/2006 (waste shipment), DIWASS requirements, and national waste tracking regulations
- Legitimate interest (Art. 6(1)(f)): audit trail, fraud prevention, and platform security
4. Data Residency & Security
All data is hosted within the European Union. For on-premise deployments, data remains within the client's own infrastructure.
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access control (RBAC) with 7 distinct roles
- Multi-tenant isolation: each organization's data is strictly separated
- BCrypt password hashing (cost factor 12)
- CSRF protection on all forms
- Complete audit trail of all user actions
5. Data Sharing
UPPYA shares data only when required:
- DIWASS (EU Hub): waste shipment notifications and movement documents, as required by Regulation 1013/2006
- Client's ERP: order and goods receipt data, via the client-configured integration
- Competent Authorities: only through the DIWASS platform, never directly
We do not sell, rent, or share personal data with third parties for marketing purposes.
6. Data Retention
Operational data is retained for the duration of the service contract. Audit logs are retained for 7 years after the last transaction, in compliance with EU waste shipment record-keeping requirements. Upon contract termination, data is exported to the client and securely deleted within 90 days.
7. Your Rights
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure (subject to legal retention obligations)
- Restrict processing
- Request data portability
- Object to processing
- Lodge a complaint with the CNPD (Commission Nationale pour la Protection des Données, Luxembourg)
Contact us at privacy@uppya.lu to exercise any of these rights.
8. Cookies
UPPYA uses only strictly necessary session cookies for authentication and CSRF protection. We do not use tracking cookies, analytics pixels, or advertising cookies.