Privacy Policy
assessment.eco-heroes.org — the Double Materiality Assessment service for tourism SMEs. For the Eco Heroes SDG education platform (games and learning for schools), a separate privacy policy applies at eco-heroes.org/legal/privacy/.
1. Who we are
This privacy policy describes how Eco Heroes International SL (“Eco Heroes”, “we”, “us”, “our”) collects and processes personal data when you use the Eco Heroes DMA platform at https://assessment.eco-heroes.org.
- Legal name: Eco Heroes International SL
- Spanish CIF: B44915940
- Registered office: Girona, Catalonia, Spain
- Contact for data matters: info@eco-heroes.org
We are the data controller for the personal data described in this policy under Article 4(7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
2. What data we collect and why
We collect only the data needed to deliver the certification service you purchased.
2.1 Account data
- Your name, email address, password (stored as a bcrypt hash — we never see the plaintext)
- Your preferred language
- Session identifiers
Purpose: to create and authenticate your account. Legal basis: Art. 6(1)(b) GDPR — performance of a contract.
2.2 Company data
- Business legal name and trade name
- Sector (hotel, restaurant, tour operator, DMO, corporate)
- Size tier (Micro, Small, Medium) and employee count
- Country, region, city, tax ID, website
- Contact name and role
Purpose: to run the Double Materiality Assessment correctly for your business type and size, and to issue your certificate. Legal basis: Art. 6(1)(b) — performance of a contract.
2.3 Assessment data
- Your answers to the sustainability questions
- Stakeholder responses (anonymous — we do not collect stakeholder names or emails)
- Calculated scores and certification tier
Purpose: to compute your sustainability score and issue your certificate. Legal basis: Art. 6(1)(b) — performance of a contract.
2.4 Payment data
- Transaction identifiers, amount, invoice reference
- We never store your card number, CVC, or bank details. All payment processing is handled by Stripe Payments Europe Ltd., which is PCI-DSS certified.
Purpose: to process payment and issue invoices. Legal basis: Art. 6(1)(b) — contract — and Art. 6(1)(c) — legal obligation (Spanish invoicing law 37/1992).
2.5 Technical data
- IP address, browser user-agent, timestamps
- Stored only in server logs for up to 30 days
- Used exclusively for security and debugging
Legal basis: Art. 6(1)(f) — legitimate interest in service security.
3. Eco Heroes Registry (public listing)
When you complete certification, your business is automatically listed in the public Eco Heroes Registry at https://assessment.eco-heroes.org/registry.php. The registry is a core deliverable of your certification — a transparent, publicly verifiable record that clients, partners, regulators and the public can consult.
3.1 What we publish
- Business legal or trade name
- Sector and country (city / region if you provided them)
- Certification tier
- Certificate issue and expiry dates
- Certificate verification link (scannable QR token)
3.2 What we do NOT publish
- Your personal name, email, phone, or any contact information
- Tax ID, VAT number, or any financial data
- Individual assessment answers, detailed scores, or stakeholder responses
- User account credentials
3.3 Legal basis
Art. 6(1)(b) GDPR — performance of contract. The Eco Heroes certificate is by design a public, verifiable credential. Without a public record, third-party verification would not be possible, and the certificate would have no value.
3.4 How long your listing stays public
Your listing is visible for the 12-month validity of your certificate. After expiry, your entry is removed from the registry within 30 days unless you renew.
3.5 Early removal
You may request early removal at any time by emailing info@eco-heroes.org. Early removal invalidates the certificate — the public verification link will thereafter report “certificate withdrawn.” This is an inherent property of the service: a verifiable certificate cannot exist without a public record.
4. Who we share data with
We share your personal data only with service providers strictly necessary to operate the platform. All providers are contractually bound by a Data Processing Agreement (“DPA”) under Art. 28 GDPR.
| Provider | Purpose | Location | Legal basis |
|---|---|---|---|
| Hetzner Online GmbH | Database hosting | Germany (EU) | Within EEA |
| OVH SAS | Web server (VPS) | France (EU) | Within EEA |
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) | Within EEA |
| Resend, Inc. | Transactional email delivery | USA (DPF certified) | EU–US Data Privacy Framework |
We do not sell, rent, or trade your personal data to anyone, for any purpose.
We do not use your data for advertising, profiling, or automated decision-making.
5. International data transfers
Data is primarily processed within the European Economic Area. The only non-EEA transfer is to Resend Inc. (USA), which is certified under the EU–US Data Privacy Framework, providing an adequate level of protection as recognised by European Commission Decision (EU) 2023/1795.
6. How long we keep your data
| Data category | Retention period |
|---|---|
| Account (active) | As long as your account is open |
| Account (inactive) | Deleted 24 months after last login |
| Assessment answers | 6 years after certification (legal audit period) |
| Payment & invoice records | 6 years (Spanish Commercial Code Art. 30) |
| Server access logs | 30 days |
| Registry listing | 12 months from certificate issue |
When the retention period expires, data is either hard-deleted or anonymised. Anonymised data may be retained indefinitely for statistical purposes and cannot be linked back to you.
7. Your rights under GDPR
You have the following rights, which you can exercise at any time by emailing info@eco-heroes.org or by using the self-service tools in your account at /gdpr.php:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — delete your account and personal data (see “Early removal” for certificate implications)
- Right to restriction (Art. 18) — limit our processing
- Right to data portability (Art. 20) — receive your data in machine-readable format (JSON)
- Right to object (Art. 21) — object to specific processing activities
- Right to withdraw consent (Art. 7) — where processing is based on consent
- Right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local supervisory authority
We will respond to any request within 30 days (extendable to 90 days for complex requests, Art. 12(3) GDPR). No fee applies unless requests are manifestly unfounded or excessive.
8. Security
- Encryption in transit: TLS 1.3 with HSTS preload (2-year max-age)
- Encryption at rest: AES-256 for database storage
- Access controls: strict least-privilege role separation
- Password hashing: bcrypt with per-record salt
- Security monitoring: continuous headers audit, CSP, COOP, CORP enforced
- Independent verification: SSL Labs A+, Mozilla Observatory A+, Security Headers A+
In the event of a personal data breach likely to result in a risk to your rights, we will notify the AEPD within 72 hours (Art. 33 GDPR) and affected users without undue delay (Art. 34 GDPR).
9. Cookies
The platform uses only strictly necessary cookies:
- PHPSESSID — session authentication (expires when you close the browser)
- eco_cookie_consent — remembers your cookie banner choice (1 year)
We do not use analytics cookies, advertising cookies, or tracking pixels. We do not need your consent to use strictly necessary cookies under ePrivacy Directive Art. 5(3).
10. Children
The platform is intended for business use only and is not directed at children under 16. We do not knowingly collect personal data from children.
11. Changes to this policy
Material changes will be announced via email to registered users at least 30 days before taking effect. Non-material changes (typos, clarifications) are published immediately and reflected in the version number and effective date at the top of this page.
Previous versions are archived and available on request.
12. Contact & supervisory authority
Controller contact:
Eco Heroes International SL
CIF B44915940 · Girona, Spain
Email: info@eco-heroes.org
Spanish supervisory authority:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6 · 28001 Madrid · Spain
Web: https://www.aepd.es