Privacy Policy

01Who we are (Data Controller)

For the personal data described in this Policy, the controller is:

We have not appointed a statutory Data Protection Officer, as our processing activities do not meet the criteria that require one under Article 37 GDPR. You can raise any data-protection matter with us at info@greenmesh.org.

02Scope of this Policy and our two roles

GreenMesh acts in two different capacities depending on the data concerned. This distinction determines who is responsible for the data.

2.1 Where GreenMesh is the Controller

For the personal data of website visitors, prospects, newsletter and lead-magnet subscribers, demo requesters, customer account contacts, partners, and job applicants, GreenMesh determines why and how the data is processed and is therefore the controller. Sections 3 to 9 of this Policy apply to that data.

2.2 Where GreenMesh is the Processor

When a customer uses the Platform to connect devices and process data, the customer decides what data is collected and why. For that data, the customer is the controller and GreenMesh acts as a processor on the customer's documented instructions. The Platform is designed to process device telemetry (such as sensor readings, device identifiers, and operational metrics), not the personal data of a customer's end-users or building occupants.

03Personal data we collect (as Controller)

3.1 Data you provide to us

• Identity and contact data — name, business email, phone number, company name, job title, and country, when you book a demo, complete a contact or subscription form, or correspond with us.
• Account data — username, credentials, and account settings, where you hold a Platform account.
• Commercial data — enquiry details, purchase and billing information, and records of our communications.
• Marketing preferences — your consent choices and subscription status.

3.2 Data collected automatically

• Usage and device data — IP address, browser type and version, operating system, pages visited, referring URLs, timestamps, and diagnostic data.
• Cookies and similar technologies — see Section 8.

3.3 Data from third parties

We may receive limited data from business partners and referral sources, and from publicly available professional sources such as LinkedIn where you have engaged with us through those channels.

04Why we process your data and our legal bases

Under Article 6 GDPR we rely on the following legal bases. We do not process your data without a valid basis.

Where we rely on legitimate interests, we have balanced those interests against your rights and will provide details of that assessment on request. Where we rely on consent, you may withdraw it at any time (Section 7).

05Who we share data with

We do not sell your personal data. We share it only as described here:

• Service providers (processors) — hosting, infrastructure, email, analytics, and payment providers who process data on our behalf under Article 28 GDPR contracts.
• Professional advisers — lawyers, accountants, and auditors, where necessary.
• Authorities — where required by law or to protect our rights.
• Business transfers — in connection with a merger, acquisition, or asset sale, subject to this Policy.

5.1 Service providers we use

Each processes personal data under a data-processing agreement, and where data is transferred outside the EEA, under an appropriate safeguard (see Section 6):

We keep this list current. Website contact and subscription forms are operated by GreenMesh on our own infrastructure (AWS); form submissions are stored and routed through our own systems.

06International transfers

Our infrastructure provider, AWS, hosts data in the European Union (Germany) and, for certain services, in the United States and Australia. Some of our email and analytics providers are based in the United States. Where personal data is transferred outside the European Economic Area, we ensure a lawful transfer mechanism under Chapter V GDPR is in place — typically the European Commission's Standard Contractual Clauses, the EU–US Data Privacy Framework where the recipient is certified, and additional safeguards where required. You may request details of the safeguards we use by contacting us.

07Your rights

Subject to the conditions in the GDPR, you have the right to:

• Access — the personal data we hold about you (Art. 15)
• Rectify — inaccurate or incomplete data (Art. 16)
• Erase — your data in certain circumstances (Art. 17)
• Restrict — processing in certain circumstances (Art. 18)
• Receive — your data in a portable format (Art. 20)
• Object — to processing based on legitimate interests, and to direct marketing at any time (Art. 21)
• Withdraw consent — at any time, without affecting prior lawful processing (Art. 7(3))
• Not be subject — to solely automated decisions producing legal or similarly significant effects (Art. 22) — we do not carry out such decision-making

To exercise any right, contact us at info@greenmesh.org. We respond within one month, as required by Article 12(3) GDPR. You also have the right to lodge a complaint with the Slovenian supervisory authority, the Information Commissioner (Informacijski pooblaščenec, ip-rs.si), or with your local EEA supervisory authority.

08Cookies and similar technologies

We use cookies and similar technologies to operate the Website, remember your preferences, and — with your consent — to analyse usage. We distinguish:

• Strictly necessary cookies — required for the site to function; no consent required.
• Functionality cookies — remember your choices; used where permitted.
• Analytics cookies — (e.g. Google Analytics) — set only after you consent through our cookie banner.

Non-essential cookies, including analytics, are set only after you give consent, and you can change or withdraw your preferences at any time through the cookie settings on the Website. A detailed list of the cookies we use, their purpose, provider, and duration is maintained on our cookie settings page.

09Data retention

We keep personal data only as long as necessary for the purposes it was collected for, then delete or anonymise it. Our retention periods are:

10Security

We implement appropriate technical and organisational measures to protect personal data, in accordance with Article 32 GDPR. These include role-based access controls, unique credentials and least-privilege access, encryption of data in transit (TLS), network security and monitoring, logging and audit trails, regular backups, and the use of ISO 27001-certified infrastructure providers. No method of transmission or storage is completely secure, but we maintain measures appropriate to the risk.

11Platform data and the Data Processing Agreement

Where GreenMesh processes personal data on behalf of a customer through the Platform (Section 2.2), that processing is governed by a Data Processing Agreement (“DPA”) between GreenMesh (processor) and the customer (controller), which forms part of the customer's contract. The DPA sets out the subject-matter, duration, nature and purpose of processing, the categories of data and data subjects, the customer's instructions, confidentiality, security, sub-processing, assistance, breach notification, and the return or deletion of data, as required by Article 28 GDPR. A copy is available to customers on request, and the standard terms are published here.

12Children

Our Website and Platform are intended for businesses and professionals. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.

13Changes to this Policy

We may update this Policy from time to time. We will post the updated version here and revise the “Last updated” date, and — where changes are material — take reasonable steps to notify you.

14Contact

For any question or request regarding this Policy or your personal data: