Privacy Policy

1. Who We Are (Data Controller)

This Privacy Policy applies to personal data processed through the OrgMesh membership platform ("Platform") deployed for the Organisation you are a member of ("Organisation" or "Controller"). The Organisation is the data controller responsible for your personal data.

The Platform is developed and operated by:

OrgMesh UK / Green Route Cambodia Enterprise (GRC) (Platform Operator and Data Processor, as applicable)
Email: legal@greenroutecambodia.com

If you have questions about how your data is handled, contact your Organisation's administrator or write to the address above.

2. Data We Collect and Why (GDPR Articles 13–14)

2.1 Identity and Contact Data

DataPurposeLegal Basis (GDPR Art. 6)
Full name, job title, organisation nameMembership registration and directory listingContract (6(1)(b))
Email address, phone number, postal addressCommunications, invoicing, event notificationsContract (6(1)(b))
Profile photographMember directory (optional)Consent (6(1)(a))
Nationality, language preferenceMember categorisation and communicationsContract (6(1)(b))

2.2 Financial Data

DataPurposeLegal Basis
Membership tier, invoice amounts, payment statusBilling and financial recordsContract + Legal obligation (6(1)(b,c))
Payment proof uploads (receipt images)Payment verificationContract (6(1)(b))
Invoice PDFs and receipt PDFsAccounting records (7-year retention)Legal obligation (6(1)(c))

We do not collect or store raw payment card numbers. Card processing is handled by third-party payment providers subject to their own privacy policies.

2.3 Technical Data

DataPurposeLegal Basis
IP addressSecurity logging, fraud preventionLegitimate interest (6(1)(f))
Browser type, device, OSPlatform compatibility and securityLegitimate interest (6(1)(f))
Login timestamps, session tokensAuthentication and access controlContract + Legitimate interest (6(1)(b,f))

2.4 Usage Data

DataPurposeLegal Basis
Pages visited, features usedPlatform improvementLegitimate interest (6(1)(f))
Event registrations, attendance recordsEvent management and historyContract (6(1)(b))
Email open tracking (pixel)Communication effectivenessLegitimate interest (6(1)(f))

2.5 Communications Data

DataPurposeLegal Basis
Email subscription statusNewsletter and announcement deliveryConsent or Legitimate interest (6(1)(a,f))
Contact form submissionsResponding to enquiriesLegitimate interest (6(1)(f))

3. How Long We Keep Your Data (Retention Schedule)

CategoryRetention Period
Member profile dataDuration of membership + 3 years
Invoice and financial records7 years (legal obligation)
Event registration records5 years
Login and security logs90 days
Email logs12 months
Payment proof uploads7 years (legal obligation)
Deleted account data30-day grace period, then purged
Consent records5 years after consent withdrawn

4. Who We Share Your Data With

We do not sell your personal data. We may share it with:

All third-party processors are bound by Data Processing Agreements ensuring GDPR-equivalent protections.

5. International Data Transfers

The Platform is hosted in servers within the Organisation's chosen jurisdiction. Where any sub-processor is located outside the European Economic Area (EEA), transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, or an applicable adequacy decision.

6. Your Rights Under GDPR (EU/EEA Residents)

You have the following rights regarding your personal data:

To exercise any of these rights, use our data request portal. We will respond within 30 days.

You also have the right to lodge a complaint with your national data protection supervisory authority if you believe your rights have been violated.

7. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following additional rights:

Do Not Sell or Share My Personal Information

To exercise CCPA rights, contact us at legal@greenroutecambodia.com or use the data request portal. We will verify your identity and respond within 45 days.

8. Cookies

We use cookies to operate the Platform. See our Cookie Policy for details and to manage your preferences.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS/TLS), hashed password storage, access controls, session security, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where required by GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.

11. Children's Privacy

The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before the changes take effect. The most current version will always be available at this URL with the date of last update.

13. Contact and DPO

For privacy enquiries, to exercise your rights, or to contact our data protection representative:

OrgMesh UK / Green Route Cambodia Enterprise (GRC)
Privacy Team / Data Protection
Email: legal@greenroutecambodia.com

Or use our data request portal.