Greene Comply
Legal

Privacy Policy

Effective: January 1, 2026What we collect, why we collect it, and the levers you have to control or delete it.

1. What we collect

  • Account data: email, full name, profile metadata.
  • Identity data: government-issued document image, selfie, and OCR-extracted fields (name, ID number, expiration date).
  • Operational data: vaults, guardrails, agents, transactions, delegate tokens (stored as SHA-256 hashes only — we never see plaintext tokens).
  • Usage data: standard server logs, IP address, user agent, timestamps. Retained for 90 days.
  • Billing data: handled directly by Stripe. We store only the customer ID.

2. Why we collect it

  • To provide the Service: authorize transactions, enforce guardrails, surface activity.
  • To verify identity before vault funding (legal compliance + fraud prevention).
  • To produce the immutable audit trail you and your auditor depend on.
  • To improve product reliability — aggregated, anonymized metrics only.

3. Where it lives

Application data is stored in Supabase (Postgres) with encryption at rest. Identity documents are stored in the private identity-vault bucket with signed-URL access only. Server logs live with our hosting provider (Vercel).

4. Who we share with

We share data only with the sub-processors strictly required to operate the Service:

  • Supabase — database, auth, storage, realtime.
  • Vercel — application hosting and edge functions.
  • Stripe — payment processing for paid plans.
  • Resend — transactional email (contact and lead notifications; auth-related mail may go through Supabase SMTP or Resend depending on project configuration).

We do not sell or rent your data. We do not run third-party advertising trackers on the dashboard.

5. Your rights

  • Access: export your full dataset from /settings.
  • Deletion: delete your account from /settings; data is purged within 30 days except for audit records required by law.
  • Correction: edit your profile or re-run identity verification at any time.
  • Portability: export transactions, audit logs, and identity decisions as JSON.
  • EU residents: rights under GDPR Articles 15–22. CA residents: rights under CCPA.

6. Retention

  • Active account data: kept while your account is active.
  • Audit log: retained for 7 years (regulatory requirement).
  • Identity verification artifacts: 7 years from last verification, then purged.
  • Server logs: 90 days rolling.

7. Cookies

We use a single first-party session cookie for authentication. We do not use third-party advertising cookies. Anonymized analytics may be added later — if so, we'll update this policy and the /changelog.

8. Security

See our /security page for full details. Suspected vulnerabilities: security@greenecomply.com.

9. Children

The Service is not intended for users under 18. We do not knowingly collect data from minors.

10. Contact

Privacy questions or data requests: privacy@greenecomply.com

Questions? legal@greenecomply.com