Privacy Policy

Last updated: March 24, 2026

1. Information We Collect

1.1 Information You Provide

• Account information: name, email address, password (hashed), and profile photo when you create an account
• Payment information: processed securely by Stripe. We never store your card number, CVV, or full card details on our servers
• Carbon tracking data: flight routes, vehicle trips, and activities you voluntarily log to calculate your carbon footprint
• User-generated content: posts, comments, and photos you share on the social feed
• Role-specific data: NGO registration details, planter verification documents, enterprise team information, or ambassador campaign data depending on your role

1.2 Information Collected Automatically

• Device information: device type, operating system, app version, and unique device identifiers
• Usage data: features used, screens visited, and interaction patterns to improve the app experience
• Crash and performance data: error logs and performance metrics collected via Sentry to maintain app stability (no personal data included)
• Approximate location: used only when you explicitly grant location permission for GPS-based tree verification or map features

1.3 Information We Do NOT Collect

• We do not collect precise location data without your explicit permission
• We do not access your contacts, camera, or microphone without your explicit permission for a specific feature
• We do not sell, rent, or trade your personal information to third parties for marketing purposes
• We do not use your data for targeted advertising

2. How We Use Your Information

Purpose	Legal Basis (GDPR)
Provide and maintain the Service	Contract performance
Process payments for tree planting	Contract performance
Calculate and display your carbon footprint	Contract performance
Verify GPS-based tree planting proofs	Legitimate interest
Send transactional emails (receipts, verifications)	Contract performance
Improve app performance and fix bugs	Legitimate interest
Comply with legal obligations	Legal obligation

3. Data Sharing

We share your information only in these limited circumstances:

• Stripe: payment processing. Subject to Stripe's Privacy Policy
• Supabase: database and authentication infrastructure, hosted in secure cloud environments
• Sentry: error monitoring. Receives only anonymized crash data — no personal information
• Tree verification: when you fund a tree, your display name (not email) may appear on the public tree page as a contributor, unless you opt out
• Legal requirements: if required by law, court order, or governmental authority

We do not sell your personal data. We do not share your data with advertisers.

4. Data Storage and Security

• Data is stored on secure, encrypted servers via Supabase (hosted on AWS infrastructure)
• All data in transit is encrypted via TLS/SSL
• Passwords are hashed using industry-standard algorithms (bcrypt) — we cannot read your password
• Payment data is handled entirely by Stripe (PCI DSS Level 1 certified) — card details never touch our servers
• Access to production data is restricted to authorized personnel only

5. Your Rights

Depending on your location, you may have the following rights:

5.1 All Users

• Access: request a copy of your personal data
• Correction: update or correct inaccurate data
• Deletion: request deletion of your account and associated data
• Export: receive your data in a portable format

5.2 European Economic Area (GDPR)

• Right to restrict processing
• Right to object to processing based on legitimate interest
• Right to withdraw consent at any time
• Right to lodge a complaint with your local Data Protection Authority

5.3 California Residents (CCPA/CPRA)

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights

5.4 How to Exercise Your Rights

Contact us at uynghiem@earthsama.com with your request. We will respond within 30 days. You can also delete your account directly in the app under Profile → Settings → Delete Account.

6. Data Retention

• Active accounts: data is retained as long as your account is active
• Deleted accounts: personal data is deleted within 30 days of account deletion. Anonymized tree planting records (GPS coordinates, CO₂ data) are retained permanently as part of the public environmental record
• Payment records: retained for 7 years as required by financial regulations
• Crash logs: automatically deleted after 90 days

7. Children's Privacy

TreeCodex is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

8. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR.

9. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

10. Push Notifications

We may send push notifications about tree planting updates, verification statuses, and account activity. You can disable push notifications at any time through your device settings.

11. Cookies and Tracking (Website)

Our website uses minimal, essential cookies only. We do not use advertising cookies or third-party tracking pixels. No personal data is collected via cookies.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via in-app notification or email. The "Last updated" date at the top reflects the most recent revision.

13. Contact Us

For privacy-related questions, data requests, or concerns:

• Email: uynghiem@earthsama.com
• App: Profile → Settings → Contact Support