Privacy Policy
1. Who We Are (Data Controller)
This Privacy Policy applies to personal data processed through the OrgMesh membership platform ("Platform") deployed for the Organisation you are a member of ("Organisation" or "Controller"). The Organisation is the data controller responsible for your personal data.
The Platform is developed and operated by:
OrgMesh UK / Green Route Cambodia Enterprise (GRC) (Platform Operator and Data Processor, as applicable)
Email: legal@greenroutecambodia.com
If you have questions about how your data is handled, contact your Organisation's administrator or write to the address above.
2. Data We Collect and Why (GDPR Articles 13–14)
2.1 Identity and Contact Data
| Data | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Full name, job title, organisation name | Membership registration and directory listing | Contract (6(1)(b)) |
| Email address, phone number, postal address | Communications, invoicing, event notifications | Contract (6(1)(b)) |
| Profile photograph | Member directory (optional) | Consent (6(1)(a)) |
| Nationality, language preference | Member categorisation and communications | Contract (6(1)(b)) |
2.2 Financial Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Membership tier, invoice amounts, payment status | Billing and financial records | Contract + Legal obligation (6(1)(b,c)) |
| Payment proof uploads (receipt images) | Payment verification | Contract (6(1)(b)) |
| Invoice PDFs and receipt PDFs | Accounting records (7-year retention) | Legal obligation (6(1)(c)) |
We do not collect or store raw payment card numbers. Card processing is handled by third-party payment providers subject to their own privacy policies.
2.3 Technical Data
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address | Security logging, fraud prevention | Legitimate interest (6(1)(f)) |
| Browser type, device, OS | Platform compatibility and security | Legitimate interest (6(1)(f)) |
| Login timestamps, session tokens | Authentication and access control | Contract + Legitimate interest (6(1)(b,f)) |
2.4 Usage Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Pages visited, features used | Platform improvement | Legitimate interest (6(1)(f)) |
| Event registrations, attendance records | Event management and history | Contract (6(1)(b)) |
| Email open tracking (pixel) | Communication effectiveness | Legitimate interest (6(1)(f)) |
2.5 Communications Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Email subscription status | Newsletter and announcement delivery | Consent or Legitimate interest (6(1)(a,f)) |
| Contact form submissions | Responding to enquiries | Legitimate interest (6(1)(f)) |
3. How Long We Keep Your Data (Retention Schedule)
| Category | Retention Period |
|---|---|
| Member profile data | Duration of membership + 3 years |
| Invoice and financial records | 7 years (legal obligation) |
| Event registration records | 5 years |
| Login and security logs | 90 days |
| Email logs | 12 months |
| Payment proof uploads | 7 years (legal obligation) |
| Deleted account data | 30-day grace period, then purged |
| Consent records | 5 years after consent withdrawn |
4. Who We Share Your Data With
We do not sell your personal data. We may share it with:
- Email delivery providers (SMTP relay) — to send transactional and membership emails.
- Payment processors — for invoice payment where applicable.
- PDF generation libraries — operating locally on our servers, no data transferred externally.
- Legal or regulatory authorities — where required by applicable law.
All third-party processors are bound by Data Processing Agreements ensuring GDPR-equivalent protections.
5. International Data Transfers
The Platform is hosted in servers within the Organisation's chosen jurisdiction. Where any sub-processor is located outside the European Economic Area (EEA), transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, or an applicable adequacy decision.
6. Your Rights Under GDPR (EU/EEA Residents)
You have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Right to restriction (Art. 18) — Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20) — Receive your data in a machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests.
- Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, use our data request portal. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection supervisory authority if you believe your rights have been violated.
7. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following additional rights:
- Right to know — Know what personal information we collect, use, disclose, and sell.
- Right to delete — Request deletion of personal information we have collected from you.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt-out of sale or sharing — We do not sell or share personal information. You may nonetheless submit a request via our data request portal.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
- Right to limit use of sensitive personal information — We limit use of sensitive data to service delivery only.
Do Not Sell or Share My Personal Information
To exercise CCPA rights, contact us at legal@greenroutecambodia.com or use the data request portal. We will verify your identity and respond within 45 days.
8. Cookies
We use cookies to operate the Platform. See our Cookie Policy for details and to manage your preferences.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS/TLS), hashed password storage, access controls, session security, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
10. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where required by GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.
11. Children's Privacy
The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before the changes take effect. The most current version will always be available at this URL with the date of last update.
13. Contact and DPO
For privacy enquiries, to exercise your rights, or to contact our data protection representative:
OrgMesh UK / Green Route Cambodia Enterprise (GRC)
Privacy Team / Data Protection
Email: legal@greenroutecambodia.com
Or use our data request portal.
Platform developed and commercialised by OrgMesh UK and Green Route Cambodia Enterprise (GRC). © 2026 All rights reserved.