This document is available in English only. / Ce document est disponible en anglais uniquement. / Este documento está disponible solo en inglés. / Αυτό το έγγραφο είναι διαθέσιμο μόνο στα Αγγλικά.

Last updated: April 2026

Privacy Policy

1. Data Controller

The data controller for your personal data is:

IN2050 Ltd
A company registered in the Republic of Cyprus
Email: privacy@askida.foundation

IN2050 Ltd operates the Askida platform ("Platform"), a digital service for anonymous charitable giving using parcel locker networks.

2. Data Protection Contact

Askida has designated a Data Protection Contact who can be reached at:
Email: privacy@askida.foundation

Note: Askida does not currently meet the criteria under Article 37 of the GDPR requiring the formal appointment of a Data Protection Officer (DPO). Should this change, we will update this policy accordingly.

3. Personal Data We Collect

3.1 Account Data

When you create an account, we collect:

Email address (required)
Name (optional)
Phone number (optional)

3.2 Item Data

When you post an item for donation, we collect:

Item title and description
Photographs of the item (1-3 images)
Category selection
Preferred locker location

3.3 Transaction Data

We record timestamps for key actions within the donation lifecycle:

Item posting, approval, and rejection timestamps
Claim timestamps
Deposit and collection timestamps

3.4 Recipient Data (Account-Free Claiming)

Recipients may claim items without creating an account. When claiming, we collect:

Email address (to deliver the Claim Code)
Phone number (optional, for locker notifications)

3.5 Technical Data

When you use the Platform, we automatically collect:

IP address
Browser type and version
Device type and operating system
Pages visited and actions taken on the Platform
Referring URL

3.6 Cookies

We use a limited number of cookies, detailed in our Cookie Policy:

Session cookie (authentication)
Locale preference cookie (NEXT_LOCALE — stores your language choice)

We do not use advertising, tracking, or third-party marketing cookies.

4. What We Do Not Collect

We believe in data minimisation. Askida does not collect, process, or store:

Payment or financial information (Askida is a free platform)
Government-issued identity documents
Location data beyond IP-derived approximate location
Biometric data
Data from other websites or apps (no cross-site tracking)
Advertising profiles

We do not sell personal data. We have never sold personal data. We will never sell personal data.

5. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we must have a lawful basis for processing your personal data:

Account data and service operation — Article 6(1)(b): Performance of a contract. Processing is necessary to perform the Terms of Service.

Recipient email (account-free claiming) — Article 6(1)(f): Legitimate interest. Processing the email address is necessary to fulfil the claim request.

Transactional emails — Article 6(1)(b): Performance of a contract. Emails are integral to the service.

Content moderation — Article 6(1)(f): Legitimate interest. Review ensures Platform safety and integrity.

Fraud prevention and platform security — Article 6(1)(f): Legitimate interest. Technical data processing to detect abuse.

Aggregated analytics — Article 6(1)(f): Legitimate interest. Anonymised data to improve the Platform.

Legal obligations — Article 6(1)(c): Where required by law.

6. How We Use Your Data

To operate the Platform: matching donors with recipients, managing item listings, facilitating collections.
To send transactional emails: claim codes, deposit confirmations, collection notifications, status updates.
To moderate content: admin review of item listings before they are made public.
To maintain platform security: detecting and preventing fraud, abuse, and unauthorised access.
To improve the Platform: aggregated, anonymised analytics.
To communicate with you: responding to support requests, notifying you of material changes.

7. Anonymity Protections

Donor anonymity: Recipients never see any identifying information about Donors.
Recipient anonymity: Donors never see any identifying information about Recipients.
Claim Codes: The sole link between a claimed item and a Recipient. Single-use and expire after collection.
Transaction logs: Record actions and timestamps but do not store cross-references between Donor and Recipient identities.

8. Data Sharing and Sub-Processors

8.1 Sub-Processors

Supabase Inc. — Database hosting and authentication. Data hosted in the EU (Frankfurt, Germany). DPA with Standard Contractual Clauses.

Vercel Inc. — Web application hosting. Primary compute in EU regions. DPA with Standard Contractual Clauses.

Resend Inc. — Transactional email delivery. Infrastructure in the United States. Transfers governed by Standard Contractual Clauses with Transfer Impact Assessment conducted.

8.2 No Other Sharing

We do not share personal data with advertisers, data brokers, social media platforms, or any other third party. We may disclose personal data if required by law.

9. International Data Transfers

Your personal data is primarily stored within the EU (Supabase, Frankfurt). Certain processing may occur outside the EU:

Vercel (edge network): Governed by Standard Contractual Clauses under Article 46(2)(c) GDPR.
Resend (United States): Governed by SCCs. Transfer Impact Assessment conducted with supplementary measures (TLS encryption, limited data scope).

10. Data Retention

Account data: Retained until account deletion. Erased within 30 days.
Item data: 12 months after collection/expiry, then anonymised.
Photographs: Deleted within 30 days of collection/expiry. 90 days if neither collected nor expired.
Transaction logs: 12 months, then permanently purged.
Recipient email (account-free): 30 days after collection/expiry, then permanently deleted.
Technical data: Maximum 90 days, then deleted.

11. Your Rights Under the GDPR

Right of access (Article 15): Obtain a copy of your data.
Right to rectification (Article 16): Correct inaccurate data.
Right to erasure (Article 17):Request deletion ("right to be forgotten").
Right to restrict processing (Article 18): Restrict processing in certain circumstances.
Right to data portability (Article 20): Receive data in a machine-readable format.
Right to object (Article 21): Object to processing based on legitimate interest.
Right to withdraw consent (Article 7(3)): Withdraw consent at any time (most processing is based on contract or legitimate interest).

11.1 How to Exercise Your Rights

12. Automated Decision-Making

Askida does not engage in automated decision-making or profiling that produces legal effects concerning you.

13. Data Security

Encryption in transit (TLS 1.2+)
Encryption at rest (Supabase)
Row-Level Security (RLS) database policies
Secure authentication protocols
Regular access control reviews
Fire-and-forget email delivery

14. Data Breach Notification

In the event of a personal data breach, Askida will notify the relevant supervisory authority within 72 hours (Article 33 GDPR) and affected data subjects without undue delay where high risk exists (Article 34 GDPR).

15. Children's Privacy

The Platform is not directed at individuals under 18. We do not knowingly collect data from children.

16. Changes to This Privacy Policy

Material changes will be notified to registered users by email at least 14 days in advance.

17. Supervisory Authority

Office of the Commissioner for Personal Data Protection
Republic of Cyprus
Website: www.dataprotection.gov.cy

You also have the right to lodge a complaint with the supervisory authority in your EU Member State.

18. Language

This Privacy Policy is drafted in English. The English version prevails over any translation.

19. Contact Us

IN2050 Ltd
Data Protection Contact: privacy@askida.foundation
General enquiries: hello@askida.foundation
Website: https://askida.foundation