1. Introduction
GreenTrust EUDR-X ("we", "us", "our") is committed to protecting your personal data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the GreenTrust EUDR-X platform ("Platform").
2. Data Controller
The data controller for this Platform is:
Email: privacy@greentrust.eu
Data Protection Officer: dpo@greentrust.eu
3. Data We Collect
3.1 Account Data
- Email address
- Full name / Company name
- Password (managed by Auth0, which stores it as a salted hash rather than in reversible encrypted form; we never receive or store it)
- Role (Operator/Supplier)
3.2 Business Data
- Company address, country, VAT number
- Due diligence form submissions
- Plot of land data (coordinates, size, products)
- Product information and HS codes
- GeoJSON polygon data for plots
3.3 Technical Data
- IP address (for security and audit logging)
- Browser user agent
- Authentication tokens (stored in memory only, never persisted)
- Session timestamps
4. Legal Basis for Processing
We process your data based on the following legal bases (GDPR Article 6):
- Consent (Art. 6(1)(a)): You give explicit consent when creating your account and accepting this Privacy Policy.
- Contract performance (Art. 6(1)(b)): Processing is necessary to provide the EUDR compliance services you have signed up for.
- Legal obligation (Art. 6(1)(c)): We are required to maintain certain records under the EU Deforestation Regulation (EUDR).
- Legitimate interest (Art. 6(1)(f)): Security logging and fraud prevention.
5. How We Use Your Data
- Providing the EUDR due diligence compliance platform
- User authentication and role-based access control
- Operator-supplier relationship management
- Generating compliance reports and analytics
- Security monitoring and audit logging
- Responding to your support requests
6. Data Sharing
We do not sell your personal data. We share data only with:
- Auth0 (Okta): Authentication provider — processes email, name, and password for login purposes.
- Linked Operators/Suppliers: When you are linked to an operator or supplier, relevant business data is shared as necessary for EUDR compliance.
- EU Authorities: When required by EUDR regulation for compliance verification.
For a complete list of sub-processors and their roles, see our Sub-processor List. A Data Processing Agreement (DPA) template is also available.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of an erasure request.
- Submission data: Retained for the duration required by EUDR regulation (minimum 5 years from submission).
- Audit logs: Retained for 2 years for security and compliance purposes.
- Session data: Held in memory and in a session-scoped cookie only; cleared on logout or when the browser is closed.
8. Your Rights (GDPR Articles 15-22)
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18): Request limitation of how we use your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Withdraw your consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
9. Data Security
- All data is encrypted in transit (TLS 1.2+)
- Sensitive data is encrypted at rest using AES-256
- Access tokens are stored in memory only (never in localStorage or cookies)
- PKCE with S256 code challenge for authentication flows
- Role-based access control (RBAC) on all API endpoints
- JWT validation with RS256 (asymmetric RSA signatures, so our API verifies tokens using the public key only)
- Session cookies: Secure, HttpOnly, SameSite=Lax
10. International Transfers
Our own processing of your data takes place within the European Economic Area (EEA). Our authentication provider (Auth0) processes authentication data in accordance with GDPR and maintains appropriate safeguards, including Standard Contractual Clauses (SCCs), for any transfer of that data outside the EEA.
11. Cookies
We use only essential cookies required for the Platform to function:
- Session cookie: Maintains your authenticated session (HttpOnly, Secure, SameSite=Lax)
- Theme preference: Stores your dark/light mode choice in browser localStorage (not a cookie; it is never sent to our servers)
We do not use analytics or advertising cookies.
12. Children's Privacy
This Platform is not intended for individuals under 16 years of age. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top indicates when this policy was last revised.
14. Contact & Complaints
If you have questions about this Privacy Policy or wish to exercise your data rights:
Data Protection Officer: dpo@greentrust.eu
You also have the right to lodge a complaint with your national Data Protection Authority (DPA) if you believe your data protection rights have been violated.