Privacy Policy - GreenGate

Last updated: December 25, 2025

GreenGate ("we", "our") is committed to protecting the privacy and security of our users' data. This Privacy Policy describes how we collect, use, store, and protect information when you use our geospatial validation API.

1. Information We Collect

1.1. Technical Data

When you use our API, we collect:

GeoJSON geometries: Geographic coordinates of validated areas
Validation metadata: Results, scores, overlaps with official layers
API logs: Timestamps, API key used, IP address, user-agent
Generated reports: PDFs with maps and statistics

1.2. Optional Data Provided

You may optionally include:

property_name (property name): Free text field - treated as potentially sensitive and automatically redacted in public verification. Use only anonymous IDs (e.g., "Farm #12345").
metadata: CAR code (Rural Environmental Registry) and internal reference IDs.

⚠️ IMPORTANT - FREE TEXT FIELDS ARE TREATED AS POTENTIALLY SENSITIVE:

GreenGate does NOT process and does NOT accept sensitive personal data (CPF, CNPJ, owner names, residential addresses, etc.). The property_name field is free text and therefore treated as potentially sensitive - it will be automatically redacted to [REDACTED] in public verification.

Use only: Anonymous internal IDs (e.g., "Farm #12345", "Property A"). Sending real personal data violates our Privacy Policy and may result in account suspension.

1.3. Contact Data

When requesting API access, we collect:

Name and corporate email
Company name
Phone (optional)

2. How We Use Information

2.1. Purposes

Process validations: Execute geospatial analyses and generate reports
Audit and traceability: Ensure public verification via QR Code
Technical support: Diagnose errors and improve performance
Security: Detect and prevent API misuse
Billing: Calculate monthly usage per API key
Compliance: Meet legal and regulatory obligations

2.2. Legal Basis (GDPR)

We process your data based on:

Contract performance: Provision of validation service (Art. 6(1)(b) GDPR)
Legitimate interest: Security, audit, and service improvement (Art. 6(1)(f) GDPR)
Legal obligation: Retention for tax purposes (Art. 6(1)(c) GDPR)

3. Data Sharing

3.1. We Do Not Sell Your Data

GreenGate never sells customer data to third parties.

3.2. Limited Sharing

We may share data only with:

Infrastructure providers: Railway (hosting), Supabase (database) - subject to DPA (Data Processing Agreement)
Authorities: When legally required (court order, regulatory agencies, etc.)

3.3. Public Verification (Two-Level System)

To protect commercial confidentiality and privacy, we implement two-level verification:

Level 1: Public Verification (no authentication)

Reports verified via QR Code expose only minimal information:

Property name: ALWAYS redacted as [REDACTED] - treated as potentially sensitive
Risk score (0-100)
Validation date
Verification status (valid/invalid)

Level 2: Full Verification (requires API key)

Complete details available only with API key authentication from the client:

Property name (if provided)
PDF download link (digitally signed, expires in 7 days)
Complete metadata (CAR, internal IDs)

Important: Report codes use cryptographically secure high-entropy format (GG-{16+ random chars}) to prevent enumeration attacks. Public endpoint has aggressive rate limiting.

4. Storage and Retention

4.1. Retention Period

Active validations: Maintained while QR Code needs to remain valid for public audit and traceability. You may request deletion at any time, understanding that the PDF report and QR Code will cease to function.
API logs: 12 months
Billing data: 7 years (tax obligation)

4.2. Data Location

Data stored on servers located in the United States (Railway/Supabase), with daily encrypted backups.

5. Security

5.1. Technical Measures

Encryption: TLS 1.3 in transit, AES-256 at rest
Authentication: API keys with bcrypt hash
Rate limiting: Abuse protection (100 req/min)
Firewall: Suspicious IPs blocked automatically
Backups: Daily replication across multiple zones

5.2. Restricted Access

Only 2 authorized engineers have direct access to the production database, with audit logs.

6. Your Rights (GDPR)

You have the right to:

Access: Request a copy of all validations from your API key
Rectification: Update incorrect metadata
Erasure: Delete specific validations (QR Code will cease to function)
Data portability: Export data in JSON format
Object: Contest processing based on legitimate interest
Restriction: Limit processing in certain circumstances

To exercise your rights: Email greengatebrasil@gmail.com with subject "GDPR - [Requested right]"

7. Cookies and Tracking

7.1. REST API

Our API does not use cookies. Authentication via x-api-key header.

7.2. Website (www.greengate.com.br)

We only use:

localStorage: Language preference (PT/EN) and theme (light/dark)
No analytics: We do not use Google Analytics or similar tools

8. International Data Transfer

Data may be transferred to the USA (Railway, Supabase). We ensure:

Compliance with Standard Contractual Clauses (SCC)
SOC 2 Type II certified provider
Data portability right always available

9. Children's Privacy

We do not intentionally collect data from individuals under 18. Our service is B2B for companies.

10. Changes to This Policy

We may update this policy periodically. We will notify via email with 30 days' advance notice about material changes.

11. Data Protection Officer (DPO) Contact

For privacy questions:

Email: greengatebrasil@gmail.com
Subject: "DPO - Privacy"
Response time: Up to 15 business days

12. Supervisory Authority

EU residents may lodge complaints with their national supervisory authority:

Find your authority: EDPB Members

← Back to Home