Privacy Policy

1. Introduction

Trazo ("we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our agricultural transparency platform.

This policy applies to our website, mobile applications, QR code scanning services, and all related software and services (collectively, the "Platform").

2. Information We Collect

2.1 Personal Information

We collect personal information that you provide directly to us:

• Account Information: Email address, first and last name, phone number (optional)
• Profile Data: Profile images, user preferences, notification settings
• Authentication Data: Email verification status, password (encrypted), social login IDs

2.2 Business Information (Producer Accounts)

• Company Details: Business name, trade name, description, industry classification
• Business Address: Street address, city, state, country, postal code
• Tax Information: Tax ID, EIN, RUT, or other fiscal identification numbers
• Contact Information: Business email, phone, website, social media profiles
• Business Metadata: Employee count, certifications, sustainability practices

2.3 Agricultural Production Data

• Farm Information: Establishment names, locations, geospatial coordinates
• Crop Data: Crop types, production methods, agricultural practices
• Transparency & Carbon Data: Transparency scores, emission factors, carbon footprint estimates
• Production Events: Agricultural timelines, equipment usage, chemical applications
• Environmental Data: Weather conditions, soil data, irrigation information

2.4 Usage and Analytics Data

• Platform Usage: Feature utilization, session duration, user interactions
• QR Code Analytics: Scan counts, geographic data, consumer engagement metrics
• Device Information: Browser type, device model, operating system, IP address
• Educational Engagement: Content viewed, time spent, quiz scores, course progress

2.5 Payment and Subscription Data

• Billing Information: Subscription plans, billing cycles, payment history
• Usage Metrics: Storage used, QR scans, productions tracked for billing
• Payment Processing: Payment methods handled securely by Stripe (we do not store credit card numbers)

3. How We Use Your Information

3.1 Platform Services

• Provide transparency scores and carbon footprint estimates using published EPA/USDA emission factors
• Generate and manage QR codes for consumer transparency access
• Blockchain-record production verification hashes on the Polygon network (optional add-on)
• Track agricultural production events and sustainability metrics

3.2 Account Management

• Create and maintain user accounts with role-based access control
• Process subscription payments and manage billing cycles
• Send service-related notifications and account updates
• Provide customer support and technical assistance

3.3 Platform Improvement and Research

• Analyze usage patterns to improve Platform functionality
• Create aggregated, anonymized datasets for agricultural research
• Develop new features and carbon calculation methodologies
• Monitor Platform performance and security

3.4 Legal Compliance

• Comply with applicable tax, financial, and regulatory record-keeping requirements
• Maintain agricultural data integrity for certification and audit purposes
• Respond to legal requests and prevent fraud
• Maintain audit trails for regulatory compliance

3.5 Legal Basis for Processing (GDPR Art. 6)

For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following legal bases:

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal. To withdraw consent, contact privacy@trazo.io.

4. How We Share Your Information

4.1 Third-Party Service Providers

We share information with trusted service providers who assist in operating our Platform:

• USDA APIs — Crop types, production methods for emission factor validation and compliance
• Stripe — Billing information, usage metrics for payment processing and subscription management
• DigitalOcean — Application hosting and managed database services
• AWS — Media file storage (S3) for images, documents, and QR codes
• Polygon Network — Production verification hashes blockchain-recorded for tamper-proof data integrity (optional add-on)
• OpenAI — Voice recordings, text data for AI-powered data processing (Trazo has opted out of model training; your data is not used to train OpenAI models)
• Vercel Analytics — Anonymized page view and performance data for platform improvement (no PII collected)

4.2 Consumer Transparency Sharing

As directed by Producer users, we share specific carbon and sustainability data with consumers through:

• QR code scanning providing transparency scores and farming practice summaries
• Public sustainability metrics and certification status
• Agricultural practice information for transparency
• Farm location and establishment information as authorized

4.3 Legal Requirements

We may disclose information when required by law or to: comply with legal process or government requests; protect against fraud or security threats; enforce our Terms of Service; protect the rights, property, or safety of Trazo, users, or the public.

4.4 Aggregated Data

We may share aggregated, anonymized data that cannot identify individual users or businesses for research, industry reports, and platform improvement purposes.

5. Data Storage and Security

5.1 Data Storage Locations

• Primary Database: PostgreSQL hosted on DigitalOcean Managed Database
• File Storage: AWS S3 for images, documents, and QR codes
• Blockchain Records: Polygon network (global, immutable storage)
• Security Logs: Rotating log files with limited retention

5.2 Security Measures

• Authentication: JWT tokens with 15-minute access and 7-day refresh periods (30 days with Remember Me)
• Access Control: Role-based permissions with granular user roles
• Rate Limiting: 100 requests/hour for anonymous users, 1000/hour for authenticated users
• Encryption: HTTPS for all data transmission, secure cookie handling
• Input Validation: Comprehensive validation, especially for carbon calculation data

5.3 International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States where our primary servers are located. For these transfers, we implement:

• EU-US Data Privacy Framework: Compliance with adequacy decisions where applicable
• Standard Contractual Clauses (SCCs): EU Commission-approved transfer mechanisms
• Technical Safeguards: Encryption, access controls, and monitoring systems
• Contractual Protections: Data processing agreements with all third-party processors

EU residents can request details about specific transfer mechanisms and safeguards applicable to their data.

6. Data Retention

We retain your information for different periods depending on the type of data and legal requirements:

• Account Information: Until account deletion + 90 days
• Agricultural Data: 7 years or until deletion request
• Blockchain Records: Permanent (immutable by design)
• Payment Records: 7 years (tax and financial compliance)
• Usage Analytics: 2 years
• Security Logs: 1 year

7. Your Privacy Rights

7.1 Access and Control

You have the following rights regarding your personal information:

• Access: Request a copy of your personal information
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal information (subject to limitations)
• Portability: Receive your data in a portable format
• Restriction: Limit how we process your information

7.2 California Consumer Privacy Act (CCPA) Rights

California residents have additional rights under the CCPA:

• Right to know what personal information is collected and how it's used
• Right to delete personal information (with certain exceptions)
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to non-discrimination for exercising CCPA rights

7.3 European Union GDPR Rights

EU residents have rights under the General Data Protection Regulation (GDPR):

• Legal basis for processing (legitimate interest, consent, contract performance)
• Right to withdraw consent where processing is based on consent
• Right to object to processing based on legitimate interests
• Right to file complaints with supervisory authorities

7.4 Limitations on Rights and GDPR Compliance

Some privacy rights may be limited by technical and legal constraints:

• Blockchain Immutability: Verification hashes blockchain-recorded on the Polygon network cannot be deleted due to the immutable nature of blockchain technology
• Legal Requirements: Data required for compliance with agricultural regulations and audit trails
• Aggregated Data: Information that has been anonymized and cannot identify individuals
• Active Legal Proceedings: Data subject to litigation hold or investigation requirements

Important: While blockchain records are immutable, we only store cryptographic hashes and verification status on-chain, not personal information. Personal data associated with these records can still be deleted from our traditional databases. We will provide detailed explanations of any limitations when processing your requests.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and analyze Platform usage:

• Essential Cookies: Required for Platform functionality and security
• Analytics Cookies: Help us understand how the Platform is used (opt-in only)
• Functional Cookies: Remember your preferences and settings

You can control cookie settings through the cookie consent banner displayed on your first visit, or through your browser preferences. For detailed information about specific cookies, see our Cookie Policy.

9. Data Breach Notification

In the event of a data breach that may affect your personal information, we will:

• Authority Notification: Report to supervisory authorities within 72 hours when required by law
• Individual Notification: Notify affected users without unreasonable delay if high risk to rights and freedoms
• Remedial Actions: Implement immediate containment and recovery measures
• Documentation: Maintain records of breach assessment and response actions

10. Children's Privacy and Age Verification

Our Platform is not intended for children under 18. We implement age verification during registration and do not knowingly collect personal information from children under 18.

If we become aware that we have collected information from a child under 18, we will delete it promptly. Parents or guardians who believe their child has provided information to us should contact us immediately at privacy@trazo.io.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by:

• Email notification to your registered email address
• Prominent notice on our Platform
• Updated "Last modified" date at the top of this policy

For changes that affect consent-based processing (such as analytics or voice recording), we will seek your affirmative consent before applying the new terms. For other changes, continued use of the Platform after the notice period constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

We will respond to your privacy requests within 30 days (or as required by applicable law). For verification purposes, we may need to confirm your identity before processing certain requests.