Privacy Policy
Effective date: [pending counsel review] · Last updated: 2026-05-28 (draft)
Scope
This Privacy Policy describes how EcoVeraZ, Inc. (“EcoVeraZ”, “we”) collects, uses, and protects information when you use the EcoVeraZ marketing site at ecoveraz.com and the customer-facing platform at app.ecoveraz.com.
When you become a paying customer, the EcoVeraZ Data Processing Addendum (DPA) governs how we process Customer Personal Data on your behalf. This Privacy Policy describes how we process data where EcoVeraZ is the controller.
What we collect
From marketing-site visitors
- Demo-request form submissions: name, email, company, role.
- ROI-calculator inputs: industry, evidence sources, headcount band.
- Anonymized analytics: page views, referrer, screen size (via Plausible — no cookies, no cross-site tracking).
From platform users
- Account information: name, email, role, tenant binding.
- Authentication artifacts: OAuth2 token, session cookie, login timestamps.
- Audit trail: actions taken in the platform (uploads, downloads, role changes).
We do NOT collect
- Payment card numbers (Stripe handles these directly).
- Social Security numbers or national identifiers.
- Protected health information (PHI) outside the scope of a customer's signed DPA.
- Biometric identifiers.
Why we collect it
- To respond to demo requests and qualified inquiries.
- To operate the customer-facing platform.
- To meet our security and audit obligations (audit trail, evidence-chain integrity).
- To improve the platform via aggregated, anonymized usage signals.
How we share it
We do not sell personal data. We share personal data only with:
- Subprocessors that operate parts of our platform (hosting, monitoring, email delivery; see our Subprocessor List).
- Our customer's tenant administrator (within their tenant scope).
- Law enforcement or regulatory bodies when required by valid legal process.
Your rights
Depending on your jurisdiction, you may have rights to:
- Request a copy of the data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Object to or restrict certain processing.
- Receive your data in a portable format.
- Withdraw consent where processing relies on consent.
Submit requests to privacy@ecoveraz.com. We aim to respond within 30 days.
Data residency + transfers
The EcoVeraZ platform is hosted in our primary region (currently Microsoft Azure Central India). Customer tenants may select a different primary region (EU, US) at onboarding. Cross-border transfers are governed by Standard Contractual Clauses (SCCs) where applicable.
Data retention
Marketing-site form submissions are retained for 24 months. Customer platform data is retained per the terms of the customer's MSA + DPA. Audit logs are retained for 7 years to support SOC 2 + ISAE 3000 readiness.
Security
We apply technical and organizational measures appropriate to the risk, including: encryption in transit (TLS 1.2+), encryption at rest, role-based access control, audit logging, malware scanning of customer uploads, and content-addressed evidence storage with SHA-256 and RFC 3161 trusted timestamping. The full security posture is documented in our SOC 2 readiness package, available to prospects under NDA.
Cookies + tracking
The marketing site uses Plausible for analytics, which does not set cookies or track users across sites. The customer-facing platform sets a single session cookie (httpOnly, secure, SameSite=Lax) for authentication. No third-party advertising cookies are set on either property.
Children
The EcoVeraZ services are not directed at children under 18. We do not knowingly collect personal data from anyone under 18.
Changes
We will post updates to this Privacy Policy at this URL. We will also notify active customer-tenant administrators of material changes by email.
Contact
For privacy questions, requests, or to reach our Data Protection Officer, contact privacy@ecoveraz.com.