Privacy & Data Protection

Privacy Policy

Your privacy is our priority. Learn how we collect, use, protect, and respect your personal data in full compliance with LGPD and international data protection regulations.

Last Updated: September 2025
Transparency and Commitment

At Trust Carbon Protocol, we believe transparency is fundamental to building trust. This Privacy Policy explains in clear and accessible language how we handle your personal data, what rights you have, and how we protect your information.

We are committed to complying with the Brazilian General Data Protection Law (LGPD - Law 13,709/2018), the European GDPR, and other applicable data protection regulations.

Table of Contents

1 Introduction and Scope

This Privacy Policy applies to all users of the Trust Carbon Protocol platform, including website visitors, mobile app users, and participants in our carbon credit verification pilot program.

Who We Are

Trust Carbon Protocol is operated by PIESKE ONE LTDA, a company duly registered in Brazil, dedicated to democratizing access to carbon credit markets through innovative technology.

Scope of This Policy

This policy covers:

  • Personal data collected through our website (trustcarbon.org)
  • Information gathered through our mobile application (iOS and Android)
  • Data obtained during the property verification process
  • Information from interactions with our support team
  • Data collected through cookies and similar technologies
  • Information from third-party integrations (CAR/SICAR, satellite providers, etc.)
Your Consent

By using Trust Carbon services, you acknowledge that you have read, understood, and agree to the data collection and use practices described in this Privacy Policy. If you do not agree, please discontinue use of our services immediately.

2 Data Controller and DPO

Data Controller

Under LGPD, the data controller is the entity responsible for decisions regarding the processing of personal data. For Trust Carbon Protocol, the data controller is:

PIESKE ONE LTDA

Registered Name: PIESKE ONE LTDA

Location: Santa Catarina, Brazil

Primary Contact: brayon@trustcarbon.org

Privacy Contact: legal@trustcarbon.org

Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) who is responsible for:

  • Ensuring compliance with LGPD and other data protection regulations
  • Acting as a point of contact between the company, data subjects, and the ANPD (National Data Protection Authority)
  • Overseeing data protection strategies and implementations
  • Conducting privacy impact assessments
  • Handling data subject requests and complaints

3 What Data We Collect

We collect different types of data depending on your interaction with our platform. Below is a comprehensive breakdown of all data categories:

👤
Personal Identification
Basic information to identify and communicate with you
  • Full name
  • Email address
  • Phone number
  • CPF/CNPJ (Brazil)
  • Date of birth
  • Profile photo (optional)
🏞️
Property Information
Details about the rural property being verified
  • GPS coordinates
  • Property boundaries
  • Total area (hectares)
  • Property documentation
  • CAR/SICAR registration
  • Land use information
  • Photos and videos
  • 360° captures
📍
Location Data
Real-time location during verification processes
  • Real-time GPS coordinates
  • Movement patterns
  • Timestamps of locations
  • Altitude data
  • Geographic region
📱
Device & Technical Data
Information about the devices you use to access our services
  • Device type and model
  • Operating system
  • IP address
  • Browser type and version
  • Device identifiers (IMEI, UUID)
  • Screen resolution
  • Language settings
📊
Usage & Interaction Data
How you interact with our platform
  • Pages visited
  • Time spent on pages
  • Click patterns
  • Feature usage
  • Search queries
  • Error logs
  • Access timestamps
💬
Communication Data
Records of your interactions with our support team
  • Support tickets
  • Email correspondence
  • Chat messages
  • WhatsApp conversations
  • Feedback and surveys
  • Call recordings (when applicable)
Verification & Analysis Data
Data generated during property verification
  • Satellite imagery analysis
  • NDVI calculations
  • Precipitation data
  • Vegetation health metrics
  • AI analysis results
  • Fraud detection scores
  • Certification documents
💳
Financial Data (Future)
Payment information when commercialization features are implemented
  • Payment method details
  • Transaction history
  • Banking information
  • Tax identification
  • Invoices and receipts
Not currently collected during pilot phase
Sensitive Data

We do NOT intentionally collect sensitive personal data such as:

  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union membership
  • Genetic or biometric data (except for security purposes)
  • Health data
  • Data about sexual orientation or sex life

If any such data is inadvertently collected, it will be immediately deleted upon discovery.

4 How We Collect Data

We collect data through various methods and sources:

1. Direct Collection (Information You Provide)

  • Account Registration: When you create an account on our platform
  • Verification Submissions: When you submit a property for verification
  • Mobile App Usage: When you use features like GPS, camera, 360° capture
  • Form Submissions: Contact forms, support requests, surveys
  • Communications: Emails, chats, phone calls with our team
  • Document Uploads: Property documentation, identification documents

2. Automatic Collection (Technology-Based)

  • Cookies and Similar Technologies: Tracking your website/app usage
  • Server Logs: Automatically recorded when you access our services
  • Mobile App Permissions: GPS, camera, storage, sensors (with your permission)
  • Analytics Tools: Google Analytics, Firebase, custom analytics
  • Error Tracking: Crash reports and performance monitoring

3. Third-Party Sources

  • CAR/SICAR Database: Property registration data from Brazilian government
  • Satellite Providers: Imagery and geospatial data from commercial providers
  • Public Records: Publicly available property and environmental data
  • Weather Services: Precipitation and climate data
  • API Integrations: Data from authorized third-party services
Mobile App Permissions

Our mobile application requests the following permissions:

  • Location (Required): To verify property boundaries and prevent GPS spoofing
  • Camera (Required): To capture photos and videos of the property
  • Storage (Required): To save verification data locally before upload
  • Sensors (Optional): For AR/LiDAR measurements and enhanced verification
  • Network (Required): To upload data and communicate with our servers

You can manage these permissions in your device settings at any time. However, denying required permissions will prevent the app from functioning properly.

5 Why We Use Your Data (Purposes)

We use your personal data for specific, explicit, and legitimate purposes. Here's exactly why we need your data:

Primary Purposes

Service Delivery
  • Process property verification requests
  • Conduct satellite and AI analysis
  • Perform on-site or remote inspections
  • Issue digital certifications
  • Generate detailed reports
  • Validate property eligibility for carbon credits
Fraud Prevention & Security
  • Detect and prevent GPS spoofing
  • Identify fake or manipulated photos
  • Verify authenticity of property documentation
  • Prevent duplicate submissions
  • Detect suspicious patterns and behaviors
  • Ensure integrity of the verification process
  • Protect against unauthorized access

Secondary Purposes

  • Account Management: Create and maintain your user account, authentication, password recovery
  • Communication: Send verification updates, system notifications, respond to support requests
  • Platform Improvement: Analyze usage patterns to enhance user experience and features
  • Algorithm Training: Improve AI models and analysis accuracy (anonymized data only)
  • Research & Development: Develop new features and verification methodologies
  • Customer Support: Provide technical assistance and resolve issues
  • Legal Compliance: Meet legal obligations, respond to authorities, enforce terms
  • Analytics: Understand how users interact with our platform
  • Quality Assurance: Monitor and improve service quality

Marketing & Communications (With Your Consent)

  • Send newsletters about platform updates
  • Inform about new features and improvements
  • Share educational content about carbon credits
  • Conduct surveys and request feedback
  • Promotional campaigns (only with explicit consent)
You Can Opt Out

You can unsubscribe from marketing communications at any time by clicking the "unsubscribe" link in emails or contacting us at legal@trustcarbon.org. This will not affect essential service communications.

Future Purposes (Post-Pilot)

When commercialization features are implemented, we may also use data to:

  • Facilitate carbon credit transactions
  • Connect sellers with buyers
  • Process payments and financial transactions
  • Generate invoices and tax documents
  • Provide market analytics and insights

We will request new consent before implementing these features if required by law.

6 Legal Bases for Processing (LGPD)

LGPD Compliance

Under Article 7 of the Brazilian LGPD, personal data processing must be based on at least one legal basis. Here are the legal bases we rely on for different types of processing:

Processing Activity Legal Basis LGPD Article
Account creation and management ✓ Consent Art. 7, I - Consent by data subject
Property verification service ✓ Contract Art. 7, V - Contract execution
Fraud detection and prevention ✓ Legitimate Interest Art. 7, IX - Legitimate interests
Legal compliance and audits ✓ Legal Obligation Art. 7, II - Legal obligation
Platform improvement and R&D ✓ Legitimate Interest Art. 7, IX - Legitimate interests
Marketing communications ✓ Consent Art. 7, I - Consent by data subject
Credit protection ✓ Credit Protection Art. 7, X - Credit protection
Security and protection of rights ✓ Rights Exercise Art. 7, VI - Exercise of rights
What This Means for You

Consent: You have the right to withdraw your consent at any time. However, this may limit your ability to use certain features.

Contract: Some processing is necessary to fulfill our service agreement with you. Without this processing, we cannot provide the verification service.

Legitimate Interest: We balance our legitimate interests with your rights and freedoms. You can object to processing based on legitimate interest.

7 Data Sharing and Third Parties

We value your privacy and only share your data when necessary and with trusted partners. We NEVER sell your personal data to third parties.

Who We Share Data With

☁️
Cloud Service Providers
For hosting, storage, and infrastructure
  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • Microsoft Azure
Purpose: Data storage and processing
🛰️
Satellite & Geospatial Providers
For imagery and analysis
  • Sentinel Hub
  • Planet Labs
  • Google Earth Engine
Purpose: Property analysis
🤖
AI & Analytics Partners
For machine learning and analysis
  • OpenAI / Anthropic
  • Google AI
  • Custom ML models
Purpose: Fraud detection, analysis
📊
Analytics Services
For usage tracking and insights
  • Google Analytics
  • Firebase Analytics
  • Mixpanel
Purpose: Platform improvement
🇧🇷
Government Authorities
When legally required
  • ANPD (Data Protection)
  • Environmental agencies
  • Tax authorities
  • Law enforcement
Purpose: Legal compliance
💼
Business Partners (Future)
For commercialization features
  • Carbon credit exchanges
  • Verified buyers
  • Payment processors
  • Financial institutions
Purpose: Carbon credit transactions
Our Guarantee

All third-party partners are carefully selected and contractually bound to:

  • Process data only for the specified purposes
  • Implement appropriate security measures
  • Comply with LGPD and applicable data protection laws
  • Not use your data for their own purposes
  • Delete data when no longer necessary

When We Must Share Data

We may be legally required to share data in the following situations:

  • Court orders or legal processes
  • Investigations by regulatory authorities (ANPD, environmental agencies)
  • Tax audits and financial reporting requirements
  • Protection of our rights, property, or safety
  • Prevention of fraud or illegal activities
  • Compliance with environmental regulations

8 International Data Transfers

Some of our service providers and technology partners are located outside Brazil. This means your data may be transferred to and processed in other countries.

Countries Where Data May Be Processed

  • United States: Cloud services (AWS, Google Cloud), AI providers (OpenAI, Anthropic)
  • European Union: Satellite data providers, some cloud services
  • Other countries: Where service providers have infrastructure
LGPD Safeguards for International Transfers

According to Article 33 of LGPD, international data transfers are only permitted when:

  • The destination country provides an adequate level of data protection, OR
  • We implement appropriate safeguards such as:
    • Standard contractual clauses approved by the ANPD
    • Binding corporate rules
    • Specific certifications (e.g., Privacy Shield successors)
    • Explicit consent from you

How We Protect Your Data Internationally

  • All service providers sign Data Processing Agreements (DPAs)
  • We use standard contractual clauses where applicable
  • Data is encrypted in transit and at rest
  • We regularly audit our providers' security practices
  • We maintain copies of data within Brazil when possible
  • We minimize data shared with international providers
Your Right to Object

If you do not consent to international data transfers, you can contact us to discuss alternatives. However, this may limit our ability to provide certain services that rely on international infrastructure.

9 Data Security

We implement rigorous technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure.

Security Measures We Implement

🔐

Encryption

End-to-end encryption for data in transit (TLS 1.3) and at rest (AES-256)

🛡️

Firewalls

Multi-layer firewall protection and intrusion detection systems

👁️

Access Control

Role-based access control (RBAC) and principle of least privilege

🔑

Authentication

Multi-factor authentication (MFA) for sensitive operations

📝

Audit Logs

Comprehensive logging and monitoring of all data access

🔄

Backups

Regular encrypted backups with disaster recovery plan

🎯

Penetration Testing

Regular security audits and vulnerability assessments

👨‍💻

Staff Training

Mandatory security and privacy training for all employees

📱

Mobile Security

App integrity checks, jailbreak/root detection, certificate pinning

🚨

Incident Response

24/7 security monitoring and incident response team

Data Breach Notification

In the unlikely event of a data breach that poses risk to your rights and freedoms, we will notify you and the ANPD (Brazilian Data Protection Authority) within 2 business days as required by LGPD Article 48.

The notification will include:

  • Nature of the incident
  • Categories and approximate number of data subjects affected
  • Measures taken to mitigate the breach
  • Steps you should take to protect yourself
  • Contact point for further information

Your Security Responsibilities

While we implement strong security measures, you also play a crucial role:

  • Strong Passwords: Use unique, complex passwords (minimum 12 characters)
  • Account Security: Never share your login credentials
  • Device Security: Keep your devices and apps updated
  • Phishing Awareness: Be cautious of suspicious emails or messages
  • Secure Networks: Avoid using public Wi-Fi for sensitive operations
  • Log Out: Always log out from shared devices
  • Report Suspicions: Contact us immediately if you notice unusual activity

10 Data Retention

We only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Retention Periods

Data Type Retention Period Reason
Account information Duration of account + 5 years Legal compliance (Civil Code Art. 205)
Verification data 10 years Environmental regulations and audit requirements
Certifications issued Permanent (with anonymization option) Historical record and proof of certification
Financial records (future) 5 years after transaction Tax law requirements
Communication records 3 years Consumer protection law
Usage logs 6 months to 2 years Security and fraud prevention
Marketing consent Until consent withdrawal LGPD compliance
Anonymous analytics Indefinite Does not identify individuals
What Happens After Retention Period

When the retention period expires, your data will be:

  • Deleted: Permanently removed from our active systems
  • Anonymized: Stripped of all identifiable information (for statistical purposes)
  • Archived: Stored in secure, isolated systems (only if legally required)

Exceptions to Deletion

We may retain data beyond the standard retention period if:

  • Required by law (e.g., court orders, investigations)
  • Necessary for legal claims or defense
  • You explicitly consent to extended retention
  • Needed to comply with legal obligations
  • Anonymized for statistical or research purposes

Early Deletion Requests

You can request deletion of your data before the retention period expires by contacting legal@trustcarbon.org. However, we may need to retain certain data to comply with legal obligations or for legitimate business purposes (e.g., maintaining certification records).

11 Your Rights Under LGPD

Your Data Rights

The Brazilian LGPD (Article 18) grants you comprehensive rights regarding your personal data. Here's what you can do:

Right to Access

Request confirmation of data processing and obtain a copy of your data

Right to Correction

Request correction of incomplete, inaccurate, or outdated data

Right to Deletion

Request deletion of unnecessary, excessive, or unlawfully processed data

Right to Object

Object to processing based on legitimate interest or consent

Right to Portability

Request your data in a structured, commonly used format

Right to Withdraw Consent

Revoke consent at any time (affects future processing only)

Right to Information

Be informed about public/private entities with whom data is shared

Right to Anonymization

Request anonymization, blocking, or deletion of unnecessary data

Right to Review

Request review of automated decisions affecting your interests

Right to Complain

File a complaint with ANPD about our data practices

How to Exercise Your Rights

Contact Our Privacy Team

To exercise any of your rights, contact us through:

What to Include in Your Request:

  • Your full name and email address associated with your account
  • Specific right(s) you wish to exercise
  • Description of your request
  • Proof of identity (for security purposes)
  • Preferred method of response

Response Timeline

  • Acknowledgment: Within 48 hours of receiving your request
  • Response: Within 15 days (may be extended to 30 days for complex requests)
  • Free of Charge: First request is always free; subsequent requests may incur reasonable fees

When We May Refuse a Request

We may deny your request if:

  • We cannot verify your identity
  • The request is manifestly unfounded or excessive
  • Legal obligations require us to retain the data
  • The data is necessary for exercising our legal rights
  • Public safety or health is at risk

If we refuse your request, we will explain the reasons and inform you of your right to complain to the ANPD.

12 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage patterns, and improve our services.

What Are Cookies?

Cookies are small text files stored on your device when you visit our website or use our app. They help us remember your preferences and understand how you use our platform.

Types of Cookies We Use

Cookie Type Purpose Duration Consent Required?
Strictly Necessary Essential for platform functionality (login, security, sessions) Session No
Functional Remember your preferences (language, theme, settings) 1 year Yes
Analytics Understand usage patterns and improve user experience 2 years Yes
Marketing Personalize ads and measure campaign effectiveness 1 year Yes

Third-Party Cookies

Some cookies are set by third-party services we use:

  • Google Analytics: Website traffic analysis
  • Firebase: Mobile app analytics and crash reporting
  • Mixpanel: User behavior tracking
  • Hotjar: Heatmaps and session recordings
Managing Cookies

You can control cookies in several ways:

  • Cookie Banner: Accept or reject non-essential cookies when you first visit
  • Cookie Settings: Manage preferences in your account settings
  • Browser Settings: Block or delete cookies through your browser
    • Chrome: Settings → Privacy and security → Cookies
    • Firefox: Settings → Privacy & Security → Cookies
    • Safari: Preferences → Privacy → Cookies

Note: Blocking strictly necessary cookies may prevent the platform from functioning properly.

Other Tracking Technologies

Besides cookies, we also use:

  • Web Beacons: Small graphic images to track email opens and clicks
  • Local Storage: HTML5 storage for app functionality
  • SDKs: Software development kits in our mobile app for analytics
  • Fingerprinting: Device characteristics for fraud prevention (not for tracking)

13 Children and Minors

Age Restriction

Trust Carbon Protocol is NOT intended for use by children under 18 years of age. We do not knowingly collect personal data from minors without parental/guardian consent.

LGPD Protection for Minors

According to LGPD Article 14, the processing of personal data of children and adolescents must be carried out in their best interest, with:

  • Specific consent from at least one parent or legal guardian
  • Information provided in clear and accessible language
  • Minimum collection of data necessary for the service

If You Are a Minor

If you are under 18 years old and wish to use Trust Carbon:

  1. You must have your parent or legal guardian create the account
  2. All communications will be directed to the adult account holder
  3. The adult is responsible for supervising all platform activities
  4. Verification processes must be conducted by the adult

If You Are a Parent/Guardian

If you discover that your child has provided personal data without consent:

  • Contact us immediately at legal@trustcarbon.org
  • We will delete the data within 48 hours
  • We will investigate how the data was collected
  • We will implement additional safeguards to prevent recurrence
Our Commitment to Child Safety

We take child protection seriously. If we become aware that we have inadvertently collected personal data from a child without proper consent, we will take immediate steps to delete such information from our records and notify the relevant parties.

14 Policy Updates and Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

How We Notify You of Changes

Notification Methods

When we make changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Post the updated version on our website
  • Send email notification for material changes
  • Display a prominent notice on the platform
  • Request new consent if required by law

What Constitutes a "Material Change"

Material changes include:

  • New types of personal data being collected
  • Changes in how we use your data
  • New third parties receiving your data
  • Changes in data retention periods
  • International data transfer to new countries
  • Significant changes to your rights
  • Changes in our security practices

Your Options

If you disagree with the updated policy:

  • You can close your account before the changes take effect
  • Contact us to discuss your concerns
  • Exercise your LGPD rights (e.g., data deletion, withdrawal of consent)

Continued use of Trust Carbon after the effective date of changes constitutes acceptance of the updated Privacy Policy.

Previous Versions

We maintain an archive of previous versions of this Privacy Policy. You can request access to historical versions by contacting legal@trustcarbon.org.

15 Contact and Complaints

We are committed to addressing your privacy concerns and questions. If you have any inquiries about this Privacy Policy or our data practices, please contact us.

Contact Information

📧
General Privacy Inquiries
🛡️
Data Protection Officer (DPO)
  • Response within 72 hours
👨‍💼
General Contact

Filing a Complaint with ANPD

If you are not satisfied with our response to your privacy concerns, you have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD):

ANPD - National Data Protection Authority

Website: www.gov.br/anpd

Email: comunicacao@anpd.gov.br

Phone: 0800 727 2436

What to Expect

When you contact us:

  1. Acknowledgment: We will acknowledge receipt of your inquiry within 48 hours
  2. Investigation: We will investigate your concern thoroughly
  3. Response: We will provide a substantive response within 15 days (may extend to 30 days for complex matters)
  4. Resolution: We will work with you to resolve the issue
  5. Follow-up: We may contact you for clarification or additional information

Questions About Your Privacy?

Our Data Protection Officer and privacy team are here to help. Contact us for any questions, concerns, or to exercise your LGPD rights.

legal@trustcarbon.org brayon@trustcarbon.org +55 47 99769-2127 Back to Website
Our Privacy Commitment

At Trust Carbon Protocol, we believe that privacy is a fundamental right. We are committed to:

  • Being transparent about our data practices
  • Collecting only the data we truly need
  • Protecting your data with the highest security standards
  • Respecting your rights under LGPD and other data protection laws
  • Never selling your personal data to third parties
  • Responding promptly to your privacy concerns
  • Continuously improving our privacy practices

Thank you for trusting us with your personal data. Together, we're building a more transparent and sustainable future for carbon credit markets.