Introduction
Ameru OOD (“Ameru”, “we”, “us”, or “our”) is a Bulgarian limited liability company (UIC 207071475) that develops and manufactures AI-powered smart bins designed to revolutionize waste management. Our smart bins enable precise waste sorting and recycling with over 95% accuracy across more than 90 categories, promoting sustainability and a zero-waste future. The Service includes hardware (smart bins equipped with cameras, computing units, and connectivity) and software (real-time waste detection, user feedback, and interactive web-based analytics reports) provided to corporate customers such as offices, co-working spaces, and other organizations.
This Privacy Policy explains in detail how we collect, use, disclose, store, and protect personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Bulgarian Personal Data Protection Act, the ePrivacy Directive (2002/58/EC as amended), and all other applicable EU and national data protection laws. We are committed to principles such as data minimization (collecting only what is necessary), purpose limitation (using data only for specified purposes), and transparency.
Personal data means any information relating to an identified or identifiable natural person (e.g., name, email, IP address). This Policy applies when you:
- Visit our website www.ameru.ai (the “Website”);
- Register for or use our smart bin services and associated web platform (the “Platform” or “Service”);
- Interact with our smart bins (e.g., disposing of waste, which may involve incidental data capture);
- Contact our sales, support, or marketing teams via email, forms, or events;
- Subscribe to newsletters or marketing materials; or
- Otherwise interact with us, including through third-party integrations.
If you are an end-user interacting with our smart bins installed by a customer (e.g., in an office), the customer (your organization) is typically the data controller, and we act as a processor. Please refer to their privacy policy for details.
1. Data Controller and Data Protection Officer
Data Controller:
Ameru OOD
bul. Simeonovsko Shose 110B, floor 3, office 13A
1700 Sofia, Bulgaria
E-mail: privacy@ameru.ai
We are the data controller for personal data processed through the Website, direct communications, and marketing activities. For data processed via the Platform or smart bins on behalf of our customers, we act as a data processor under a Data Processing Agreement (DPA).
Data Protection Officer (DPO):
Our DPO can be contacted at dpo@ameru.ai or via the postal address above. The DPO oversees compliance, handles inquiries, and ensures accountability.
2. Categories of Personal Data We Collect, Sources, and Collection Methods
We collect personal data through automated means (e.g., logs), directly from you (e.g., forms), or from third parties (e.g., public sources for verification). We adhere to data minimization by collecting only what is strictly necessary.
| Context | Categories of Personal Data | Source | Collection Method |
|---|---|---|---|
| Website visitors | IP address (used temporarily for geolocation derivation and hashing; not stored long-term in analytics), browser type/version, operating system, device type, approximate location (derived from IP, at city/country level), pages viewed, time/date of visit, referral source, clickstream data | Automatically collected | Server logs, analytics tools (e.g., Vercel Analytics with IP anonymization) |
| Billing & invoicing | Company name, VAT ID, billing address, payment method details (e.g., last four digits of card; full details handled by processor), transaction history | Provided by you or your finance team | Secure payment gateways (e.g., Stripe), invoicing systems |
| Customer support & communications | Name, email, company details, support ticket content (may include attachments or personal data you share), chat transcripts | Provided by you | Support platforms (e.g., Intercom), email, phone calls (if recorded, with consent) |
| Marketing & newsletters | Name, email, company, job title, marketing preferences, event attendance details, interaction history (e.g., email opens/clicks) | Provided by you or inferred from interactions | Subscription forms, CRM tools (e.g., HubSpot), trade shows, direct e-mail communication |
| Smart bin interactions (incidental) | Images or video frames from the bin's camera (for waste detection; may incidentally capture hands, clothing, or faces if visible), timestamps, device IDs | Automatically collected via bins | On-device AI processing and cloud upload (anonymized where possible) |
| Analytics & reports (Platform) | Aggregated usage data from bins (e.g., waste types, volumes; no personal data unless uploaded by customer); if customer datasets include personal data (e.g., employee IDs in custom reports), we process it as instructed | Provided by customer or generated by Service | Cloud-connected bins, customer uploads to Platform |
| Other | Publicly available data for verification (e.g., business contact info from registries) | Third parties (e.g., Bulgarian Commercial Register) | API queries during enrichment |
We do not collect sensitive personal data (e.g., racial origin, health data) unless strictly necessary for legal compliance, and only with explicit consent.
3. Purposes and Legal Bases for Processing (Art. 6 GDPR)
We process personal data only for specified, explicit, and legitimate purposes. If a new purpose arises, we will seek consent or rely on another basis.
| Purpose | Examples | Legal Basis |
|---|---|---|
| Provide and maintain the Service | Account creation, bin deployment, real-time waste detection, generating analytics reports, troubleshooting | Performance of a contract (Art. 6(1)(b)) |
| Process payments and manage finances | Invoicing, payment processing, tax reporting | Performance of a contract & Legal obligation (Art. 6(1)(b), (c)) – e.g., Bulgarian Accountancy Act |
| Communicate with you | Respond to inquiries, send service updates, security alerts, product notifications | Performance of a contract & Legitimate interests (Art. 6(1)(b), (f)) – balancing our interest in efficient communication against your rights |
| Improve and develop the Service | Analyze usage patterns (e.g., via server-side analytics), aggregate anonymized data for AI training (excluding personal data), conduct A/B testing | Legitimate interests (Art. 6(1)(f)) – improving user experience; we conduct Legitimate Interests Assessments (LIAs) |
| Marketing and promotions | Send newsletters, product updates, event invites; personalize content based on interactions | Consent (Art. 6(1)(a)) for direct marketing; Legitimate interests (Art. 6(1)(f)) for B2B soft opt-in under ePrivacy rules |
| Security and fraud prevention | Monitor for threats, detect anomalies, investigate incidents, IP logging for abuse prevention | Legitimate interests (Art. 6(1)(f)) & Legal obligation (Art. 6(1)(c)) – e.g., NIS2 Directive for critical infrastructure |
| Compliance and legal defense | Audit trails, responding to authorities, defending claims, anti-money laundering checks | Legal obligation (Art. 6(1)(c)) & Legitimate interests (Art. 6(1)(f)) |
| Research and analytics | Anonymized aggregate statistics for sustainability reports (e.g., waste trends) | Legitimate interests (Art. 6(1)(f)) |
Incidental camera data from smart bins is processed only for waste detection and is immediately deleted or anonymized (e.g., by blurring any non-waste elements) when identified.
4. Data Processing as a Processor (Smart Bins & Platform)
When customers use our Service:
- You (the customer) are the controller for any personal data in uploaded datasets or generated reports.
- We process only on your documented instructions, as per the DPA (available upon request or during onboarding).
- Purposes: Waste analysis, enrichment with external data (e.g., sustainability benchmarks), report generation.
- We do not use data for our own purposes, such as marketing or AI training, without explicit consent in the DPA.
- Data is pseudonymized where possible (e.g., hashing IDs).
- Sub-processing: Only with authorized sub-processors (see Section 5); customers can object per DPA.
- Assistance: We help with data subject requests, impact assessments (DPIAs), and audits.
5. Recipients of Personal Data and Sub-Processors (Art. 28 GDPR)
We share data only when necessary, with safeguards. Categories of recipients:
- Internal: Authorized employees (need-to-know basis).
- External: Sub-processors for hosting, support, etc. (e.g., Vercel for website hosting and server-side analytics).
- Authorities: If required by law (e.g., court orders).
- Advisors: Lawyers, auditors (under confidentiality).
The full sub-processor list and DPAs are available upon request. We notify customers of changes per the DPA.
6. International Data Transfers (Chapter V GDPR)
- EU/EEA transfers: No additional safeguards needed.
- To third countries (e.g., USA): We use EU Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), and supplementary measures like encryption, access restrictions, and regular audits.
- No transfers to countries without adequacy decisions unless protected.
- For smart bin data: Processed on-device where possible to minimize transfers.
7. Your Data Protection Rights (Arts. 15–22 GDPR)
As a data subject, you have rights. We facilitate them free of charge unless requests are manifestly unfounded or excessive.
- Access (Art. 15): Obtain confirmation of processing and a copy of your data.
- Rectification (Art. 16): Correct inaccurate or incomplete data.
- Erasure (“Right to be Forgotten”, Art. 17): Delete data if no longer needed or consent withdrawn.
- Restriction (Art. 18): Limit processing (e.g., during verification).
- Portability (Art. 20): Receive data in a machine-readable format and transfer it to another controller.
- Objection (Art. 21): Object to processing based on legitimate interests or marketing (we stop unless there are compelling reasons).
- Withdraw Consent (Art. 7): At any time, via unsubscribe links or email; does not affect prior processing.
- Not to be subject to automated decisions (Art. 22): We do not use solely automated decisions with legal effects.
How to Exercise: Email privacy@ameru.ai with your request, identity proof (e.g., ID copy, redacted), and details. We respond within 1 month (extendable to 3 months for complexity), keeping records per Art. 12.
Complaints: Lodge with the Bulgarian Commission for Personal Data Protection (CPDP) at www.cpdp.bg or your local supervisory authority.
8. Tracking and Similar Technologies
We do not use cookies or similar client-side technologies on our Website. Instead, we rely on server-side analytics (e.g., Vercel Analytics) to collect anonymized usage data for improving our Service. This does not store information on your device and respects signals like Global Privacy Control (GPC). Data collected includes temporary IP-derived information for geolocation and short-term session hashing, which is discarded after 24 hours.
9. No Processing of Children's Data
Our Services are B2B and not directed to individuals under 16. We do not knowingly collect children's data. If we identify such data, we delete it immediately and notify the controller if applicable.
10. Automated Decision-Making and Profiling
We use AI for waste detection but not for decisions producing legal or significant effects on individuals (Art. 22). Any profiling (e.g., for marketing) is based on consent and allows opt-out. Bin cameras do not perform biometric processing (e.g., facial recognition).
11. Third-Party Links and Integrations
Our Website/Platform may link to third-party sites (e.g., partners). We are not responsible for their privacy practices. Review their policies before interacting.
12. Changes to this Policy
We review this Policy annually or as needed. Updates are posted with a new effective date. For material changes (e.g., new purposes), we notify via email or Platform notice at least 30 days in advance. Continued use constitutes acceptance.
13. Governing Law and Dispute Resolution
This Policy is governed by Bulgarian law, without prejudice to your rights under GDPR. Disputes may be resolved amicably or through CPDP mediation.
By using our Website, Platform, or Services, you acknowledge reading and understanding this Policy. For questions, contact privacy@ameru.ai.
This Policy complies with GDPR, Bulgarian law, and best practices as of 4 November 2025.
