Privacy Policy
Last updated: 10 July 2026
This policy explains what personal data CanopyProof collects, why we process it and the rights you have. CanopyProof is operated by Talivio Technology OÜ (registry code 16991406), Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia — the data controller for the information described below, except where this policy says we act as a processor.
1. Data we collect
We collect only what we need to run the service:
- Account data — your name, email address and a hashed password.
- Operator details — your legal entity name, country, contact email and any identifier you enter (such as an EORI or VAT number).
- TRACES credentials — the EU Login username and authentication key you connect. The authentication key is stored encrypted at rest and is never shown again after you save it.
- Supplier and plot data — supplier names, countries and emails you add, and the plot geolocation (coordinates or boundaries) suppliers submit through their collection link. This data usually relates to people other than you; see section 3.
- Due diligence records — the statements you build, the reference and verification numbers TRACES issues, and screening results.
- Technical data — IP address, browser information and server logs, used for security and to operate the service.
2. Why we process it and our legal basis
We process your data on the following legal bases under Article 6(1) GDPR: to perform our contract with you — providing the service, your account and billing (Article 6(1)(b)); to comply with legal obligations, including the record-keeping expected under the EU Deforestation Regulation and accounting law (Article 6(1)(c)); and for our legitimate interest in keeping the service secure and reliable (Article 6(1)(f)).
3. Supplier and plot data — our role
Supplier contact details and plot geolocation usually relate to people other than the account holder — for example a farmer, cooperative or exporter. The importer using CanopyProof decides to collect this data and enters or requests it; for this data the importer is the data controller and we act as its processor, handling it only to provide the service. We will, on request, enter into a GDPR Article 28 data processing agreement with business customers for this processing; our standard DPA is available at [email protected].
If you are a supplier who received a collection link: the link was sent by the importer named on the page, who is responsible for the collection. We store the plot names and geolocation you submit, make them available to that importer, include them in the importer's due diligence statements and send the geolocation to the screening service described below. The link is not password-protected — anyone who has it can view and add the data behind it — so do not share it further. To access, correct or delete your data, contact the importer, or email us at the address below and we will pass your request on.
4. Recipients — processors acting on our behalf
We do not sell your data. The following recipients process personal data only on our documented instructions, as our processors:
- Our hosting provider, which stores the data that runs the service. We host within the European Union.
- Our own mail infrastructure (mail.talivio.com), which delivers transactional and notification emails on our behalf, within the European Union.
5. Recipients — independent controllers acting on their own account
The following recipients decide for themselves how they process the data we send them; they act as independent (separate) controllers, not as our processors:
- The European Commission / EU TRACES information system, which receives the due diligence statements you submit under your own operator identity. The Commission is an independent controller of the data held in TRACES.
- Whisp (FAO / Open Foris), which receives plot geolocation and screens it against open forest-loss data. As a service of the FAO, an international organisation, it acts on its own account; see section 6 for the transfer basis.
- Stripe, our payment provider, which processes subscription payments as an independent controller for the payment data it needs. We do not sign a controller-processor DPA with Stripe for the payment flow.
6. Where your data is held and transfers
We host your data within the European Union, and we do not transfer your personal data outside the EEA ourselves. Two recipients are located outside the EEA or are international organisations, and rely on the safeguards below:
- Stripe processes payment data partly outside the EEA as an independent controller; those transfers rely on an adequacy decision or the European Commission's standard contractual clauses.
- Whisp / FAO: as the FAO is an international organisation (not a third country), standard contractual clauses are not an available transfer tool. Where the plot data qualifies as personal data, the transfer relies on the operator's explicit consent and/or performance of a contract under Article 49(1) GDPR; we monitor the European Commission's forthcoming standard clauses for transfers to international organisations.
7. How long we keep it
We keep account and operator data while your account is active and delete or anonymise it within 90 days after your account is closed, unless a longer period is legally required. Accounting and invoicing records are kept for seven years from the end of the financial year under the Estonian Accounting Act. Due diligence statements and their supporting records — including the plot geolocation contained in them — are retained for five years, reflecting the EUDR record-keeping period. You can remove connected TRACES credentials at any time; they are then deleted.
8. Your rights
Under the GDPR you can request access to your data, correction, erasure, portability, restriction of processing and object to processing. You may lodge a complaint with a supervisory authority — for us that is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) — but you may also contact the authority in your own country. To exercise a right, email us using the address below. Where we process data as a processor for an importer (see section 3), we will forward your request to that importer.
9. Security
Passwords are hashed, sensitive credentials are encrypted at rest, and traffic is served over TLS. No system is perfectly secure, but we take reasonable measures to protect your data.
10. Cookies
We use only essential first-party cookies: a session cookie that keeps you signed in (your language choice is stored in the same session), a CSRF cookie that protects forms against abuse and — if you choose "remember me" — a persistent sign-in cookie. Supplier collection pages use the same essential cookies only. We do not use analytics or advertising cookies.
11. Changes to this policy
We may update this policy from time to time. The date at the top shows when it last changed; material changes will be communicated where appropriate.
Questions about this document? Email [email protected]. CanopyProof is a product of Talivio Technology OÜ (registry code 16991406), Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia.