Privacy Policy

How we collect, use, and protect your personal data

Last updated: November, 2025

This Privacy Policy explains how Genvision Inc. ("Genvision," "we," "us," or "our") collects, uses, shares, and protects personal data when you use our websites, applications, APIs, and services that provide aggregated project information, analytics, and AI-generated insights about carbon credit projects (the "Service"). The Service is available at registry.genvision.com.

Contact Information

  • Controller: Genvision Inc., 40 W 25th St, New York, NY 10010, USA.
  • Privacy contact: privacy@genvision.com.
  • EU establishment: For EU users, processing occurs in the context of our EU establishment, Genvision BV, Petrusberg 22, 3001 Leuven, Belgium.
  • UK contact: Elitsa Marinova, Flat 19, Dawkins Court, 2 Garland Close, SE1 6AY, United Kingdom, elitsa@genvision.com. UK individuals may contact our representative in addition to contacting us directly at privacy@genvision.com.

Scope

This Policy covers personal data we process when you visit or use the Registry, including browsing projects, using the AI chatbot, accessing the API, viewing stakeholder profiles, communicating with us, or creating and managing an account. The Service is intended for business users and is not directed to children.

1. Data We Process

1.1 Account and Contact Data

We collect the following when you create an account, join a free or paid plan, or communicate with us:

  • Name
  • Business email address
  • Company name and role
  • Authentication identifiers
  • Billing and invoicing contacts

1.2 Stakeholder Data from Public Project Documents

The Registry displays stakeholder information that appears in publicly available carbon project documentation (for example, Verra or Gold Standard project pages, PDDs, MRVs, and auditor reports).

This may include:

  • Name
  • Organization
  • Role or function
  • Professional contact details where they appear as such in the public documents

We do not intentionally collect or display sensitive personal data, private numbers, home addresses, or personal emails. When source documents contain such details, we take reasonable steps to exclude them.

1.3 Customer Data

Customer Data includes any content you or your organization submit to the Service, including:

  • Prompts, queries, and inputs to the chatbot
  • Filters, notes, and interactions in dashboards
  • Any content you submit in text fields or future upload features

The Registry currently does not allow you to upload your own project files, but if such functionality is introduced, those files will also be treated as Customer Data.

1.4 Service Data

We automatically collect operational and technical data generated through use of the Service, including:

  • Device, browser, and network information
  • IP address and general location derived from IP
  • Timestamps, session identifiers, and access logs
  • Click paths, usage patterns, and feature interactions
  • API calls, parameters, and rate limits
  • Performance, diagnostic, and error data

Where possible, we use de-identified or aggregated forms of this data.

1.5 Payment Data

If you purchase a paid subscription or enterprise plan, payments are handled by our payment provider. We receive:

  • Billing contact information
  • Partial payment identifiers
  • Payment status and history

We do not store full card numbers.

1.6 Communications

If you contact us, we process:

  • Your contact details
  • The content of your communication
  • Attachments you provide
  • Internal notes relating to your request

2. Purposes and Legal Bases

2.1 Provide and Operate the Service

We process personal data to:

  • Create and maintain accounts
  • Authenticate users
  • Provide dashboards, browsing, chatbot responses, and API returns

Legal basis: performance of a contract and our legitimate interests to operate a B2B Service.

2.2 Stakeholder Transparency and Market Integrity

We process publicly available stakeholder information to:

  • Increase transparency in carbon markets
  • Help users understand project governance
  • Support investor, buyer, and developer due diligence

Because stakeholder information is extracted from public project documents, and some extraction steps use automated tools and AI, we cannot guarantee accuracy or completeness of stakeholder entries.

Legal basis: legitimate interests under Article 6(1)(f) GDPR. You may object to this processing at any time (see Section 7).

2.3 Security and Abuse Prevention

We process data to:

  • Detect fraud and misuse
  • Prevent scraping and unauthorized access
  • Monitor outages and performance
  • Protect our systems and data

Legal basis: legitimate interests and legal obligations.

2.4 Product Improvement and Analytics

We analyze usage to improve reliability, understand user behavior, and develop new features. We use aggregated and de-identified data where possible.

Legal basis: legitimate interests.

2.5 Billing and Legal Compliance

We process data to handle subscriptions, payments, accounting, taxes, compliance, and legal claims.

Legal bases: performance of a contract and legal obligations.

2.6 Communications and Marketing

We may send operational messages (service updates, security alerts) and optional marketing communications.

Legal basis: legitimate interests for operational messages; consent for marketing where required.

3. AI and Model Usage

  • We do not train or fine-tune any large language models on Customer Data.
  • AI providers we use (e.g., OpenAI, Google AI, Perplexity) are configured or contractually required not to train on your data.
  • We may parse public project documents to structure stakeholder data and metadata.
  • We may review limited interactions manually for debugging and quality control.
  • We use aggregated and de-identified Service Data to improve reliability, security, and performance.

We do not create models intended to memorize or reproduce your confidential content for other users.

4. Sharing and Sub-processors

We share personal data with service providers ("sub-processors") that process it on our behalf under data-protection agreements and with appropriate transfer safeguards. Categories include:

  • Cloud infrastructure and storage
  • Application hosting and CDN
  • Authentication and access management
  • Email and communications
  • Payments processing
  • AI inference APIs
  • Monitoring, logging, and analytics

A current list of our sub-processors is maintained in Annex C of the Terms and Data Protection Addendum.

We may also share data:

  • With legal, tax, and professional advisers
  • In connection with a merger, acquisition, or corporate transaction
  • When required by law or to comply with lawful requests

We do not sell personal data.

5. International Transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, we rely on:

  • The EU Standard Contractual Clauses (SCCs)
  • The UK International Data Transfer Addendum
  • The Swiss Addendum
  • Other lawful transfer mechanisms

Copies of applicable safeguards are available upon request.

6. Retention

We retain personal data as follows:

  • Account and contact data: for the duration of your account and a reasonable period thereafter for recordkeeping and compliance.
  • Stakeholder data: as long as it is relevant to the public project record or until removal is requested.
  • Customer Data: while the account is active and for a limited period afterward for troubleshooting, audit logs, and product quality improvements that do not involve LLM training.
  • Service Data: retained for operational, analytics, and security purposes and then aggregated or de-identified.
  • Marketing data: retained until you unsubscribe or withdraw consent.

Encrypted backups may persist for longer and are accessed only for security or disaster recovery.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion
  • Request restriction of processing
  • Data portability
  • Object to processing based on legitimate interests (including stakeholder transparency)
  • Withdraw consent for optional communications

Stakeholder-specific rights

If your information appears as a stakeholder, you may request:

  • Access
  • Correction
  • Removal or suppression

Contact privacy@genvision.com or use the "Request removal" feature where available. We respond within one month or as allowed by law.

You have the right to lodge a complaint with your local data protection authority.

8. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data, including:

  • Encryption in transit and at rest
  • Access controls and MFA for administrative access
  • Logging and monitoring
  • Vulnerability management
  • Secure development practices
  • Incident response and business continuity procedures

Details are provided in Annex B (Security Measures) of the Terms and Data Protection Addendum.

9. Children

The Service is not directed to children and is intended for business users. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@genvision.com and we will delete it.

10. Changes

We may update this Privacy Policy from time to time. For material updates, we will provide reasonable advance notice by email or in-product notice. Continued use of the Service after the effective date constitutes acceptance.