Skip to content
ReNieuw

Privacy Policy

Last updated: [date]

1. Who we are

This Privacy Policy explains how [ReNieuw legal entity name] ("ReNieuw", "we", "us", "our") collects, uses, shares, and protects personal data when you use our website and the ReNieuw application (together, the "Service"). ReNieuw provides software for modelling Extended Producer Responsibility (EPR) packaging fees and packaging-compliance assessments (currently focused on the United Kingdom pEPR regime).

  • Data controller: [ReNieuw legal entity name], company number [company number], registered at [registered address], [country of establishment].
  • Contact for privacy matters: [privacy@ email].
  • EU representative (Art. 27 GDPR, if applicable): [EU representative].
  • UK representative (Art. 27 UK GDPR, if applicable): [UK representative].

We are not required to appoint a Data Protection Officer, but you can reach our privacy contact at the address above for any data protection question. This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR and the Data Protection Act 2018, and the cookie/consent rules in the ePrivacy Directive (PECR in the UK).

2. The personal data we collect

We collect only the data we need to run the Service. The table below sets out each category, examples, and where it comes from.

CategoryExamplesSource
Account & authenticationEmail address; hashed password; account ID; email-verification statusYou, at sign-up (via our authentication provider)
Profile & settingsDisplay name; company name; default markets; display currency; plan (free/paid); notification preferencesYou, in Settings
Organisation dataOrganisation name; team members; member rolesYou and your organisation administrators
Content you createPackaging designs, material specifications, fee calculations, RAM/PPWR assessment answers, scenario comparisons, and customer records you enter (which may include your clients' company name, contact name, contact email and free-text notes)You
Product analytics (only with your consent)Pages viewed, features used, in-app events (e.g. sign-up, calculation run), device/browser typeCollected via our analytics provider only after you accept analytics cookies
Email & communicationsEmail address and message content for service emails and, if you opt in, our newsletterYou / our email provider
Technical & security dataIP address and request logs; a signed, http-only anonymous-visitor cookie (rn_visitor) used for our public toolsAutomatically, via our hosting provider and our own server

We do not knowingly collect special-category data (e.g. health, biometric, or political data) and ask you not to enter such data into free-text fields. Our analytics does not collect your IP address: it is configured to discard client IP data at the client, server, and analytics-provider level, so we do not record IP-derived geolocation for analytics purposes.

3. How and why we use your data (legal bases)

PurposeData usedLegal basis
Create and manage your account; provide the Service; store your designs, assessments and other contentAccount, profile, organisation, contentContract (Art. 6(1)(b))
Send service/transactional emails (verification, password reset, account and security notices)Email address, account dataContract / legitimate interests (Art. 6(1)(b)/(f))
Keep the Service secure; prevent fraud and abuse; enforce rate limits; maintain anonymous-visitor sessions for our public toolsTechnical & security data, rn_visitor cookieLegitimate interests (Art. 6(1)(f))
Understand how the Service is used and improve itProduct analyticsConsent (Art. 6(1)(a))
Send our newsletter / marketing emailsEmail address, newsletter preferenceConsent (Art. 6(1)(a))
Comply with legal, tax, and accounting obligationsAccount and transaction recordsLegal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms, and you can object to this processing (see Section 8). Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal — by changing your analytics choice on the site, using the unsubscribe link in any marketing email, or updating your notification preferences in Settings.

4. Our role: controller and processor

  • For your account, profile, organisation and analytics data, ReNieuw is the data controller.
  • For the customer records and other content you enter about your own clients or third parties, your organisation is the data controller and ReNieuw acts as a data processor that processes that data on your behalf and on your documented instructions. If you require a Data Processing Agreement (DPA), contact us at [privacy@ email].

You are responsible for having a lawful basis to enter third-party personal data into the Service and for informing those individuals as required.

5. Cookies and similar technologies

We use a small number of cookies and similar technologies:

Name / typePurposeCategoryConsent needed?
Authentication cookiesKeep you signed inStrictly necessaryNo
rn_visitor (signed, http-only)Maintains an anonymous visitor session for our public tools; supports security and rate-limitingStrictly necessaryNo
Analytics cookieProduct analytics (usage measurement)AnalyticsYes

No analytics cookie is set, and no analytics code runs, unless you accept analytics on our cookie banner. If you reject analytics, no analytics cookie is written and no analytics data is sent. You can change your choice at any time via the cookie banner.

6. Who we share your data with (sub-processors)

We do not sell your personal data. We share it only with the service providers ("sub-processors") that help us run the Service, under contracts that require them to protect it and use it only on our instructions.

Category of recipientPurposeData processedLocation / safeguards
Cloud database, authentication & storage providerDatabase, authentication, and file storageAccount, profile, organisation, and all content dataData hosted in the [confirm region — e.g. EU]; international transfers covered by SCCs / UK Addendum where applicable
Application hosting & content-delivery providerHosting and content deliveryIP address, request logsInternational transfers covered by SCCs / UK Addendum and applicable adequacy frameworks
Product analytics providerProduct analytics (consent only)In-app usage events, device/browser type (no IP / geolocation)EU-hosted; routed via a same-origin proxy
Email service providerTransactional and marketing emailRecipient email address, email contentEU-based provider

We may also disclose personal data where required by law, to enforce our terms, or to protect our rights, users, or the public. We name the specific providers behind these categories in our up-to-date sub-processor list, which is available on request at [privacy@ email] and is provided to our business customers as part of our Data Processing Agreement.

7. International data transfers

Some of our sub-processors are located outside the UK and EEA (for example, in the United States). Where personal data is transferred internationally, we rely on appropriate safeguards such as UK/EU adequacy decisions, the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, or other lawful transfer mechanisms. You can request more detail at [privacy@ email].

8. Your rights

Under the GDPR and UK GDPR you have the right to:

  • Access — the personal data we hold about you;
  • Rectify — inaccurate or incomplete data;
  • Erase — your data ("right to be forgotten") in certain circumstances;
  • Restrict — processing in certain circumstances;
  • Data portability — receive your data in a structured, machine-readable format;
  • Object — to processing based on legitimate interests, and to direct marketing at any time;
  • Withdraw consent — at any time where we rely on it (e.g. analytics, newsletter);
  • Not be subject — to a decision based solely on automated processing that produces legal or similarly significant effects on you.

ReNieuw does not make automated decisions that produce legal or similarly significant effects on individuals. EPR fee calculations and assessments relate to your packaging and business data, not to profiling individuals.

To exercise any right, contact [privacy@ email]. We will respond within one month, as required by law. You can also access and update much of your data directly in your account Settings.

If you are unhappy with how we handle your data, you may lodge a complaint with a supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk;
  • EU: your local Data Protection Authority, or the lead authority where ReNieuw is established [confirm — e.g. Autoriteit Persoonsgegevens (Netherlands)].

We would, however, appreciate the chance to address your concerns first.

9. How long we keep your data

We keep personal data only as long as necessary for the purposes set out above:

  • Account, profile and content data: for as long as your account is active. When you close your account, we delete or anonymise it within [retention period — e.g. 30 days], except where we must retain certain records to meet legal, tax or accounting obligations.
  • Backups: residual copies may persist in encrypted backups for up to [retention period — e.g. 30–90 days] before being overwritten.
  • Analytics data: retained according to our analytics provider's configuration for [retention period — confirm].
  • Email/marketing records: until you unsubscribe or withdraw consent, plus a short suppression record to honour your opt-out.

10. How we protect your data

We use technical and organisational measures appropriate to the risk, including:

  • Encryption in transit (TLS) and encryption at rest at our database provider;
  • Row-Level Security so each user and organisation can access only their own data;
  • Hashed passwords and signed, http-only session/visitor cookies;
  • A strict Content-Security-Policy and other security headers;
  • Server-side authentication checks and rate limiting on sensitive routes;
  • Least-privilege handling of service credentials (server-only secrets are never exposed to the browser).

No system is perfectly secure, but we work to protect your data and to notify you and the relevant authority of any qualifying personal data breach as required by law.

11. Children

The Service is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, for material changes, take additional steps to notify you (e.g. by email or an in-app notice).

13. Contact us

  • Privacy/data protection: [privacy@ email].
  • General support: [support@ email].
  • Postal: [ReNieuw legal entity name], [registered address].