Privacy Policy
Effective date: May 5, 2026 · Last updated: May 5, 2026
1. Introduction
This Privacy Policy explains how GreenBio.app ("GreenBio", "we", "us", or "our"), a service operated by CarbonSix.ai, collects, uses, discloses, and protects information about you when you use our website at greenbio.app and any related features, applications, or services (collectively, the "Service").
We have written this policy to comply with applicable data protection laws, including the European Union General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the United Kingdom General Data Protection Regulation (the "UK GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), the Virginia Consumer Data Protection Act (the "VCDPA"), the Colorado Privacy Act (the "CPA"), the Connecticut Data Privacy Act (the "CTDPA"), the Utah Consumer Privacy Act (the "UCPA"), and the Children's Online Privacy Protection Act of 1998 (the "COPPA"), 15 U.S.C. §§ 6501–6506.
By using the Service, you agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree, please do not use the Service.
2. Quick summary
Plain English overview, provided as a courtesy and not as a substitute for the rest of this Policy:
- You can use the core scanning feature without creating an account. We do not ask for your name, email, or phone number to scan a label.
- When you scan a product, we send the photo to Google's Gemini API for ingredient extraction and store an anonymized copy of the result in our database.
- We use cookies and similar technologies for product analytics (PostHog) and error monitoring (Sentry), and we apply per-IP rate limiting to prevent abuse.
- We do not sell your personal information, and we do not share it with advertisers.
- If, in the future, you create an account, we will additionally store your email address and a list of scans you choose to save. You can delete your account and data at any time.
- You have rights under applicable privacy laws — including the right to access, correct, delete, and port your data. Contact privacy@greenbio.app to exercise them.
3. Who we are (data controller)
For the purposes of the GDPR and UK GDPR, the data controller of personal data processed under this Policy is CarbonSix.ai, operating the GreenBio service. For the purposes of the CCPA, GreenBio is a "business" that determines the purposes and means of processing personal information.
You can contact our privacy team at privacy@greenbio.app.
4. Information we collect
4.1 Information you provide directly
- Photos of product labels. When you use the scanning feature, you submit a photo of an ingredient list. The photo is transmitted to Google's Gemini API for processing and is not retained by us in long-term storage. The extracted ingredient text and analysis result are stored.
- Feedback. When you submit feedback through the "we got something wrong" widget, we store your vote (thumbs up / thumbs down), any free-text comment you add, and the ingredient or product the feedback relates to.
- Support requests. When you submit a support request, we collect your email address, your question, and contextual information about the related scan to enable a response.
- Account information (when accounts launch). If you create an account in a future release, we will collect your email address and a hashed authentication credential. We will store the scans you choose to associate with your account.
4.2 Information collected automatically
- Device and browser data. Your user-agent string, browser type, operating system, screen size, and approximate locale.
- IP address. Used for rate limiting (to prevent abuse), security logging, and approximate geolocation. We do not store IP addresses tied to individual scans beyond what is necessary for rate-limit windows.
- Usage data. Pages visited, scan completions, feedback events, and similar interaction events, captured by our analytics provider (PostHog).
- Error data. If something goes wrong, our error monitoring provider (Sentry) records the error type, stack trace, browser context, and a session identifier. We configure Sentry to scrub URLs and form values that may contain personal information.
- Performance data. Per-scan latency and cache statistics, used to measure and improve service quality.
4.3 Cookies and similar technologies
We use cookies, local storage, and similar technologies to operate the Service. The specific categories we use are:
- Strictly necessary. Required for the Service to function (e.g., administrative session cookies; CSRF protection where applicable).
- Analytics. PostHog assigns a pseudonymous identifier ("distinct ID") to your browser to associate page views and events with a single visitor over time. This identifier is not tied to your real identity.
- Error monitoring. Sentry uses a session identifier to group related error events.
Where required by law (e.g., in the EEA and UK), we will obtain consent before setting non-essential cookies.
5. How we use your information
We use the categories of information described above to:
- Provide, operate, and maintain the Service, including running ingredient analyses;
- Improve the Service, including measuring performance and tuning our hazard data;
- Authenticate users (when accounts launch) and protect accounts from unauthorized access;
- Detect, prevent, and respond to fraud, abuse, security incidents, and other harmful or unlawful activity;
- Send transactional communications you request (e.g., support replies, account verification);
- Comply with legal obligations and enforce our terms;
- Conduct aggregate, de-identified analytics and research to inform product decisions.
We do not use your information for behavioral advertising, and we do not allow our service providers to do so on our behalf.
6. Legal bases for processing (EEA / UK users)
If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under Article 6 of the GDPR / UK GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide the Service you requested, including processing your scan submissions.
- Legitimate interests (Art. 6(1)(f)) — for analytics, error monitoring, security, fraud prevention, and product improvement, balanced against your privacy interests.
- Consent (Art. 6(1)(a)) — where required for non-essential cookies or marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — where we must process data to comply with applicable law.
7. How we share your information
7.1 Service providers (sub-processors)
We share information with carefully selected service providers who process data on our behalf, under written contracts that restrict them to the purposes we specify. Our current sub-processors are:
| Provider | Purpose | Region | Privacy notice |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge delivery, function execution | United States | policy |
| Supabase Inc. | Database, authentication, and storage | United States | policy |
| Google LLC (Gemini API) | AI processing of submitted images and ingredient text | United States | policy |
| PostHog Inc. | Product analytics and event capture | United States | policy |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing | United States | policy |
| Resend, Inc. | Transactional email delivery | United States | policy |
| Cloudflare, Inc. | DNS and content delivery | Global | policy |
7.2 Legal and safety disclosures
We may disclose your information when we believe in good faith that disclosure is necessary to (a) comply with a legal obligation, court order, subpoena, or other valid legal process; (b) protect our rights, property, or safety, or that of our users or the public; (c) investigate fraud, security incidents, or technical issues; or (d) enforce our terms of service.
7.3 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
7.4 We do not sell your personal information
We do not sell your personal information for monetary consideration as the term "sale" is defined under the CCPA, and we do not engage in cross-context behavioral advertising or share your personal information with third parties for such advertising. Some state laws define "sharing" or "sale" broadly to include disclosures to service providers; we believe our use of service providers under written processing agreements does not constitute a sale or share under applicable laws, but we describe our disclosures here for transparency.
7.5 Affiliate links
The Service may, in the future, include affiliate links to third-party retailers (such as Amazon Associates and similar programs). When you click an affiliate link, the destination retailer receives a referral identifier that may allow them to attribute a resulting purchase to GreenBio for commission purposes. We do not transmit your name, email, or other directly identifying information through affiliate links. Once you arrive at the third-party site, the third party's own privacy policy applies.
8. Data retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. In particular:
- Anonymous scan records (no associated account): retained indefinitely for aggregate analytics, in a form that does not directly identify you.
- Scan photos: not retained in long-term storage; processed in transit by the Gemini API and discarded after analysis.
- Account-associated scans (when accounts launch): retained until you delete the scan or your account.
- Support emails: retained for up to 24 months from the date of last contact for quality and dispute resolution.
- Rate-limit logs: retained for the length of the active rate-limit window (typically 1 hour to 24 hours).
- Error logs (Sentry): retained per Sentry's default retention, typically 30 to 90 days.
9. Your privacy rights
9.1 Rights under U.S. state privacy laws (CCPA, VCDPA, CPA, CTDPA, UCPA)
Subject to verification and any limitations in applicable law, residents of California, Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws may have the following rights regarding their personal information:
- Right to know / access. Request confirmation of whether we process your personal information and a copy of the specific pieces of personal information we have collected about you.
- Right to delete. Request deletion of personal information we have collected about you, subject to exceptions in applicable law.
- Right to correct. Request correction of inaccurate personal information we maintain about you.
- Right to data portability. Receive a copy of your personal information in a structured, commonly used, and machine-readable format.
- Right to opt out of sale or sharing. Direct us not to sell or share your personal information. As stated above, we do not sell or share your personal information for cross-context behavioral advertising.
- Right to non-discrimination. We will not deny services, charge a different price, or provide a different level of service because you exercised a privacy right.
- Right to limit use of sensitive personal information (CCPA). We do not use sensitive personal information for purposes that would trigger this right.
9.2 Rights under the GDPR / UK GDPR
If you are located in the EEA or UK, in addition to the rights above, you have the right to:
- Object to processing based on legitimate interests;
- Restrict processing under certain conditions;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with your local data protection authority. A list of EU authorities is available at edpb.europa.eu; in the UK, the Information Commissioner's Office at ico.org.uk.
9.3 How to exercise your rights
To exercise any of these rights, email privacy@greenbio.app with your request and the email address or distinct identifier you used. We may need to verify your identity before fulfilling certain requests. You may designate an authorized agent to make a request on your behalf where permitted by law; we will require proof of authorization.
We will respond within the timeframes required by applicable law (generally 45 days under the CCPA, with a possible 45-day extension; and one month under the GDPR / UK GDPR, extendable by two further months for complex requests).
10. Children's privacy
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 in the United States, in compliance with COPPA. If you are located outside the United States, the Service is not directed to children under the age applicable in your jurisdiction (which may be 14, 15, or 16, depending on local law).
If you become aware that a child has provided us with personal information without parental consent, please contact us at privacy@greenbio.app and we will delete the information promptly.
11. Security
We maintain administrative, technical, and organizational measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction, including:
- Encryption in transit using TLS 1.3 across all public endpoints;
- Encryption at rest for our primary database;
- Row-Level Security policies that isolate user data at the database layer;
- Per-IP rate limiting on sensitive endpoints to mitigate abuse;
- HTTP security headers (HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy);
- Multi-factor authentication for administrative access;
- Continuous error and anomaly monitoring;
- Automated dependency security scanning.
No security program can guarantee absolute security. If you believe your interaction with the Service is no longer secure, or you would like to report a potential vulnerability, please email security@greenbio.app.
12. International data transfers
GreenBio is operated from the United States, and our service providers are primarily located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards under Article 46 of the GDPR, including the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and the UK International Data Transfer Addendum, where applicable. You may request a copy of these safeguards by contacting privacy@greenbio.app.
13. Third-party links
The Service may link to third-party websites, applications, or services that are not operated by GreenBio. This Policy does not apply to the practices of those third parties. We encourage you to review the privacy policies of any third-party site before providing them with your information.
14. Do Not Track and Global Privacy Control
Some browsers transmit "Do Not Track" (DNT) signals or Global Privacy Control (GPC) signals. Where required by applicable law (including under the CCPA regulations), we treat a recognized GPC signal as a request to opt out of the sale or sharing of personal information. Because we do not sell or share personal information as those terms are defined under the CCPA, no further action is needed for users who transmit a GPC signal.
15. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will provide additional notice (for example, by posting a prominent notice on the Service or, if you have an account, by emailing the address associated with your account).
Your continued use of the Service after a revised Policy takes effect constitutes acceptance of the revised Policy.
16. Contact us
If you have questions about this Policy or our privacy practices, please contact us:
- Privacy inquiries: privacy@greenbio.app
- Security disclosures: security@greenbio.app
- General support: support@greenbio.app
GreenBio.app · a CarbonSix.ai company