1. Introduction
GreenTrust EUDR-X ("we", "us", "our") is committed to protecting your personal data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the GreenTrust EUDR-X platform ("Platform").
2. Data Controller
The data controller for this Platform is:
Email: privacy@greentrust.eu
Data Protection Officer: dpo@greentrust.eu
3. Data We Collect
3.1 Account Data
- Email address
- Full name / Company name
- Password (encrypted, managed by Auth0)
- Role (Operator/Supplier)
3.2 Business Data
- Company address, country, VAT number
- Due diligence form submissions
- Plot of land data (coordinates, size, products)
- Product information and HS codes
- GeoJSON polygon data for plots
3.3 Technical Data
- IP address (for security and audit logging)
- Browser user agent
- Authentication session tokens — issued by Auth0 and stored in HttpOnly, Secure, SameSite=Lax cookies on your browser. JavaScript running on the platform cannot read these cookies. See Section 11 for the cookie inventory.
- Session timestamps
4. Legal Basis for Processing
We process your data under one of the following legal bases (GDPR Article 6). The basis depends on the data category, not on a blanket choice across the platform:
| Data category | Legal basis |
|---|---|
| Account credentials (email, password hash, Auth0 sub) | Contract performance — Art. 6(1)(b). Required to provide the service you signed up for. |
| Operator company profile, supplier declarations, plot geolocation, due-diligence evidence, DDS records | Legal obligation — Art. 6(1)(c) read with Articles 4, 9, 10, 12 of EU Reg. 2023/1115 (EUDR). The regulation creates the obligation to collect, retain, and produce this data. |
| Audit logs, IP address, user-agent, security telemetry | Legal obligation under EUDR Art. 12(4) (record-keeping) plus legitimate interest — Art. 6(1)(f) — in security monitoring and fraud detection. A documented Legitimate-Interest Assessment is available on request. |
| Marketing or analytics communications | Consent — Art. 6(1)(a). Currently the platform does not run marketing or analytics processing; if it ever does, an explicit opt-in will be requested. |
5. How We Use Your Data
- Providing the EUDR due diligence compliance platform
- User authentication and role-based access control
- Operator-supplier relationship management
- Generating compliance reports and analytics
- Security monitoring and audit logging
- Responding to your support requests
6. Data Sharing
We do not sell your personal data. We share data only with:
- Auth0 (Okta): Authentication provider — processes email, name, and password for login purposes.
- Linked Operators/Suppliers: When you are linked to an operator or supplier, relevant business data is shared as necessary for EUDR compliance.
- EU Authorities: When required by EUDR regulation for compliance verification.
For a complete list of sub-processors and their roles, see our Sub-processor List. A Data Processing Agreement (DPA) template is also available.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of an erasure request, subject to the EUDR carve-out below.
- Submission data (DDS, supplier forms, plot geolocation, supporting documents): Retained for at least 5 years from the date of submission, as required by Article 12(4) of EU Reg. 2023/1115. This obligation overrides erasure requests for the duration of the retention period — see GDPR Art. 17(3)(b)+(e).
- Audit logs: Retained for 5 years to align with the EUDR evidence-trail retention obligation under Article 12(4) of Reg. 2023/1115 and to meet GDPR accountability requirements.
- Session cookies: Access tokens expire after one hour; refresh tokens are invalidated on logout, on Auth0 token rotation, or after 30 days, whichever comes first.
EUDR carve-out from erasure. If you exercise your Right to Erasure (Art. 17 GDPR) on data that we are required to keep under EUDR Art. 12(4), we will: (a) anonymise your identifying fields where doing so does not break the audit chain; (b) retain the underlying due-diligence record for the remainder of its 5-year retention window; and (c) delete the record fully once the retention period ends. We will tell you which data was retained on this basis when we respond to your request.
8. Your Rights (GDPR Articles 15-22)
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restrict processing (Art. 18): Request limitation of how we use your data.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Withdraw your consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
9. Data Security
- All data is encrypted in transit using TLS 1.2 or TLS 1.3.
- PII fields (operator/supplier addresses, phone numbers, contact names, VAT numbers, EORI numbers, audit-log subject emails, etc.) are encrypted at rest with Fernet (AES‑128‑CBC + HMAC‑SHA256). Account email lookup uses an HMAC‑SHA256 blind index so the plaintext email is never required at the database boundary.
- Authentication uses Auth0 OIDC with PKCE S256 (Backend-for-Frontend pattern). Access tokens are issued by Auth0 and stored in HttpOnly, Secure, SameSite=Lax cookies (__eudr_access, __eudr_id, __eudr_refresh) — JavaScript on the platform cannot read them.
- JWT signatures are validated with RS256 against Auth0's JWKS on every request.
- Role-based access control (RBAC) is enforced on every API endpoint.
- Multi-factor authentication is required for administrator accounts.
- Same-origin enforcement on every state-changing request defends against cross-site request forgery.
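How an HMAC-SHA256 blind index of the kind named above lets an account be found by email without the plaintext reaching the database, as an added example that is not GreenTrust's own code. The key, the normalisation rule, the table schema and all function names are assumptions.

```python
import hashlib
import hmac
import sqlite3
import unicodedata

# Constructed demo key (assumption: the real key sits in a secrets manager,
# apart from the database and from the Fernet data-encryption key).
DEMO_INDEX_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize_email(email: str) -> bytes:
    """Canonical form, so equal addresses always yield the same index."""
    return unicodedata.normalize("NFKC", email).strip().casefold().encode("utf-8")


def blind_index(email: str, key: bytes = DEMO_INDEX_KEY) -> bytes:
    """Keyed digest stored and queried in place of the plaintext address."""
    return hmac.new(key, normalize_email(email), hashlib.sha256).digest()


def open_store() -> sqlite3.Connection:
    # Hypothetical schema; the Fernet-encrypted email column is omitted to
    # keep the example standard-library only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY,"
               " email_bidx BLOB NOT NULL UNIQUE, role TEXT NOT NULL)")
    return db


def register(db: sqlite3.Connection, email: str, role: str) -> int:
    cur = db.execute("INSERT INTO accounts (email_bidx, role) VALUES (?, ?)",
                     (blind_index(email), role))
    return cur.lastrowid


def find_account(db: sqlite3.Connection, email: str):
    """Equality lookup; the query carries only the 32-byte index."""
    return db.execute("SELECT id, role FROM accounts WHERE email_bidx = ?",
                      (blind_index(email),)).fetchone()


if __name__ == "__main__":
    db = open_store()
    register(db, "Alice@Example.com", "Operator")  # constructed sample address
    print(find_account(db, " alice@example.com "))
    print(find_account(db, "bob@example.com"))
```

Because the index is deterministic, it shows when two rows hold the same address, and its confidentiality rests entirely on the index key staying outside the database.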
10. International Transfers
The platform's primary data-processing infrastructure (application hosting at Hetzner DC Nuremberg, application database at Appwrite Cloud Frankfurt) operates within the European Economic Area (EEA).
Our identity provider, Auth0, is hosted in the EU (Frankfurt) but is owned by Okta, Inc., a US-headquartered company. To address the residual risk that US authorities could compel disclosure under the CLOUD Act, we rely on the European Commission's EU 2021/914 Standard Contractual Clauses (SCCs) contained in our Auth0 Data Processing Addendum and supplementary technical measures — encryption-at-rest, MFA on admin accounts, and minimisation of the identity attributes shared with Auth0 (email, name, MFA secret only). A Transfer Impact Assessment summarising the residual risk is available on request.
Some Forest Watch / satellite tiles consumed when an operator opens a plot map are loaded directly from Global Forest Watch (data-api.globalforestwatch.org / tiles.globalforestwatch.org), which is hosted by the World Resources Institute (US). Those tile requests carry your IP address and the plot's lat/lng to the tile server. No personal data attached to your account is sent. We may later proxy these tile requests through our own backend to remove this transfer entirely.
11. Cookies
We set only strictly-necessary cookies required for the platform to function:
- __eudr_access — access token issued by Auth0; HttpOnly, Secure, SameSite=Lax; expires after 1 hour.
- __eudr_id — OIDC ID token; HttpOnly, Secure, SameSite=Lax.
- __eudr_refresh — refresh token; HttpOnly, Secure, SameSite=Lax, Path=/api/auth/; expires after 30 days or on logout.
- __Host-session — Flask CSRF/session cookie; HttpOnly, Secure, SameSite=Lax.
- theme — your dark/light mode choice. Stored in browser localStorage, not in a cookie. UI preference only.
We do not set analytics or advertising cookies and we do not embed third-party trackers. Strictly-necessary cookies are exempt from prior-consent requirements under EDPB Guidelines 05/2020.
12. Children's Privacy
This Platform is not intended for individuals under 16 years of age. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top indicates when this policy was last revised.
14. Contact & Complaints
If you have questions about this Privacy Policy or wish to exercise your data rights:
Data Protection Officer: dpo@greentrust.eu
You also have the right to lodge a complaint with your national Data Protection Authority (DPA) if you believe your data protection rights have been violated.