Privacy Policy — Forestate Technologies Inc.

Last updated: June 6, 2026

1. Overview / Controller

Forestate Technologies Inc. (“Forestate”, “we”, “us”, “our”) operates Forestate, a digital marketplace and management platform that:

• Connects woodlot owners with certified foresters and logging contractors
• Facilitates forest management planning and documentation
• Manages intake forms and government program applications
• Enables contract negotiations between parties
• Provides end-to-end timber supply chain tracing
• Maintains forest inventory and harvest records

Controller contact

• Legal entity: Forestate Technologies Inc.
• Address: 409 Jenkins Rd., Marshfield, PE, C1C 0J7, Canada
• Email: privacy@forestate.ca
• Privacy Officer: Juraj Milcak

2. Scope / Purpose of this Policy

This Privacy Policy explains:

• what personal data we collect,
• why we collect it,
• how we use, share, secure and retain it,
• third parties we work with,
• user rights and choices,
• how to contact us about privacy.

It applies to anyone who uses our services, signs up for an account, uploads data, or otherwise interacts with Forestate.

3. Definitions

• Personal data: information that identifies an individual (e.g., name, email).
• Sensitive personal data: where applicable, e.g., identifiers that reveal precise geolocation of private property — we treat property coordinates as sensitive for privacy/security reasons.
• Process / Processing: any operation on personal data (collect, use, store, disclose, delete).
• Marketplace data: information shared between Users for contract opportunities, including woodlot boundaries, timber specifications, and contact details.

Capitalized terms not defined here have the meanings given in our Terms of Service.

4. Legal bases

We rely on these legal bases for processing:

• Consent — when you expressly opt-in (e.g., program application sharing, or submitting a demo/contact request so we can reach out to you).
• Contractual necessity — to provide services you request (account creation, data storage, submission of forms).
• Legitimate interests — for platform operations, fraud prevention, analytics (balanced against user rights).
• Legal obligations — to comply with laws, courts, or government program audits.

PIPEDA governs the handling of personal information by Forestate.

5. What data we collect

Account & identity

• Name, email, phone number, address, organization, postal address, password hash.

Property & forestry data

• Property/parcel identifiers, coordinates, acreage, ownership documents, forest management plan files (PDF, images, maps, shapefiles), grant application content.
• Woodlot boundaries, timber species and volumes, harvest specifications, access conditions.
• Contract terms, pricing information, completion records.
• Past harvest-operation records you choose to share — including uploaded logging contracts, photos of paper contracts, and details such as the year, contractor, cut type, species, area, volume, and price of prior operations.

User-generated content

• Uploaded files, notes, photos, assessment reports, logs you attach to your account.

Technical & usage

• IP address, device type, OS, browser, timestamps, activity logs, pages visited, feature usage, error logs.

Communications

• Messages with support and emails.
• Email addresses collected through mailing list/waitlist signup forms.
• Contact details and message content you submit through a “Book a demo” or contact/demo-request form (name, email address, phone number, and any message you include), so we can respond and arrange a demonstration.
• Marketing communication preferences.

Payment

• Billing name, billing address, subscription tier, payment history.
• Payments processed by Stripe (we do not store full card numbers or banking information).
• Transaction records for tax and accounting purposes.

Browser storage

• The application stores authentication tokens, refresh tokens, and UI preferences in browser localStorage and sessionStorage rather than cookies. Strictly-necessary security cookies (e.g., bot mitigation) may be set at the network edge by Cloudflare. See Section 14 for details.

Visitor/Non-User Data

• We do not use advertising trackers or third-party analytics on the public marketing website before account creation. The one exception is Cloudflare Turnstile, a bot-mitigation widget loaded on our “Book a demo” / contact form: when that form is shown, Turnstile may set a strictly-necessary security cookie and process device and browser signals to distinguish genuine visitors from automated abuse before a submission is accepted. Turnstile is used solely for security — never for advertising, profiling, or analytics (see Sections 7 and 14).
• Basic technical server logs (such as IP address, browser type, and request timestamps) may be recorded automatically for security, fraud prevention, and system operation.
• Cookieless, privacy-focused analytics may be used to measure aggregate page views and referral sources without identifying individual visitors.
• No personal identification unless you submit your details through a form on the site — for example your email via a mailing-list signup, or your name, email, phone number, and message via a “Book a demo” / contact request.

6. How we use personal data

We use data to:

• provide and operate the service (user accounts, forms, file storage),
• facilitate marketplace connections between woodlot owners and service providers,
• display your listings and profile information to other Users (with your consent),
• process submissions to government or partner programs (with your consent),
• perform analytics, product improvements, and monitoring,
• send transactional emails, product notifications, and relevant marketplace opportunities,
• send marketing emails, product updates, and launch announcements to mailing list subscribers,
• manage waitlist and notify about platform availability,
• respond to “Book a demo” and other contact requests, and arrange and conduct product demonstrations,
• perform automated extraction of structured data from user-uploaded forest management plans using third-party AI services (see Section 7),
• use the past harvest-operation records and contracts you choose to share to plan future forestry operations, benchmark fair market terms, and negotiate logging contracts — improving the planning and pricing support we provide to woodlot owners (see “Use of shared harvest-operation data” below),
• prevent abuse, fraud, and maintain platform integrity,
• comply with legal obligations and enforce our Terms.

We will not sell personal data to third parties.

Use of shared harvest-operation data

Sharing past harvest records or contracts is always optional. When you do, you are consenting to Forestate using that information — beyond the immediate woodlot record — as independent grounding to plan future harvests, understand prevailing rates, and negotiate logging contracts in the interests of woodlot owners. We use this data in aggregate; we do not disclose an individual owner’s specific contract terms, pricing, or counterparties to other Users (such as foresters or loggers) without that owner’s consent, we do not sell it, and we do not use it to train artificial-intelligence or machine-learning models (see Section 16). You can ask us to delete a shared harvest record at any time (see Section 13).

Data Ownership

Users retain ownership of the forestry, property, and operational data they upload to the platform. Forestate processes this data to provide and improve the service — including the planning and negotiation support described above — and does not claim ownership of user content. The Terms of Service §5 and (for Foresters) the Forester Master Services Agreement §14 together govern Forestate’s licence rights and permitted uses of this data.

7. Sharing & third-party processors

We share personal data only in the following circumstances:

• Sub-processors — third-party services that process personal data on our behalf, listed below.
• Government or program partners — only with your explicit consent when submitting grant applications.
• Business transfers — if Forestate Technologies Inc. is involved in a merger, acquisition, financing, or sale of company assets, personal data may be transferred subject to the protections in this policy.
• Legal or safety — when required by law or to respond to lawful requests.

Sub-processors

• Supabase — database, authentication, and file storage (data: user accounts, files, property data).
• Digital Ocean — compute hosting for the forest management plan PDF generation pipeline, located in Canada (data: plan content during rendering, including parcel data, owner identification, photos, and GIS data).
• Anthropic — AI-assisted OCR and structured-data extraction from user-uploaded forest management plan PDFs via the Claude API, located in the United States (data: PDF contents of user-uploaded plans, which may include parcel data, owner identification, and addresses).
• Cloudflare — CDN, DNS, edge computing via Workers, and Turnstile bot-mitigation on public forms (including the “Book a demo” / contact form); processes requests in transit and may set strictly-necessary security cookies and read device/browser signals for bot mitigation (data: requests in transit and bot-mitigation signals; no persistent user-data storage).
• PostHog — product analytics and session tracking for authenticated users, configured cookie-free using localStorage (data: in-app usage events, feature interactions).
• Sentry — error monitoring and performance (data: error reports, device info, request context).
• Stripe — payment processing (data: billing info, transaction records).
• Zoho — transactional email delivery via ZeptoMail (data: email addresses, message content).

Sub-processor changes. We will provide reasonable notice on this page before a new sub-processor begins processing personal data.

Access controls. Access to personal data within Forestate is restricted to employees and contractors who require the information to operate, support, and improve the service. We require sub-processors to maintain appropriate security and to process data only as instructed.

8. Mailing List & Marketing Communications

Email Collection:

• We collect email addresses through signup forms on our website for users interested in receiving updates about Forestate.
• Submitting your email constitutes consent to receive marketing communications from us.

What We Send:

• Product launch announcements
• Platform updates and new features
• Forest industry insights and tips
• Marketplace opportunities (once you’re a User)

Your Rights:

• Unsubscribe at any time via link in every email
• Update your communication preferences
• Request deletion of your email from our mailing list by emailing privacy@forestate.ca

Retention:

• Mailing list emails retained until you unsubscribe or request deletion
• After unsubscribe: removed within 30 days

Legal Basis:

• Consent — by submitting your email through our signup form
• You can withdraw consent at any time by unsubscribing

CASL Compliance:

• Our commercial electronic messages comply with Canada’s Anti-Spam Legislation (CASL).
• We obtain express consent before sending marketing messages, identify Forestate as the sender, provide a working unsubscribe link in every message, and maintain consent records as required.

9. Marketplace Data Visibility

9.1 Listing Disclosure

When you create or respond to marketplace listings:

• What’s Shared: Company name, contact information, woodlot boundaries, timber specifications, harvest requirements, and access conditions.
• Who Sees It: Other verified Users who match your criteria (e.g., contractors see owner listings, owners see contractor profiles).
• Your Control: You choose what information to include in each listing and can modify or remove listings anytime.
• Consent: Creating a listing constitutes consent to share the included information with relevant Users.
• Data Retention by Other Users: Other Users may retain information from your listings in their own records.
• Verification Badge Data: If you pursue verification, submitted credentials are visible as badges on your profile.

9.2 Geolocation Precision and Property Location Privacy

Default Privacy:

• Property data, boundaries, and location information you upload are private by default and visible only to you.
• Your property information is not shared with other Users unless you create a Marketplace listing.

When You Create a Marketplace Listing:

• Your listing becomes visible to appropriate entity types (e.g., contractors see harvest listings, foresters see management plan requests).
• Location precision is reduced to protect your privacy and security:
  • Property location is shown with ±1 kilometer fuzzy precision until you award a contract or approve contact.
  • General location (municipality/region) and approximate acreage are visible.
  • Exact property boundaries, coordinates, and access details remain hidden.
• This protects against unauthorized property access, trespassing, and timber theft.

When You Award a Contract or Approve Contact:

• Full property details, exact boundaries, and precise coordinates are shared with the selected contractor or service provider.
• They receive access to all property data necessary to perform the contracted services.
• Other Users who submitted proposals do not receive access to your precise location.

Your Control:

• You can modify or remove Listings at any time to stop sharing location information.
• Removing a Listing does not delete data already accessed by other Users.
• You control what property details to include in each Listing.

Mobile Application and GPS Tracking:

• Our mobile application collects GPS location data when you use field work features (taking photos, creating geotagged records, site assessments).
• GPS data is used to:
  • Geotag photos and field records for your property documentation
  • Place field observations on property maps
  • Improve location-based features
• GPS location data is not shared with other Users unless you explicitly include geotagged content in a shared Listing or contract.
• Mobile GPS tracking is only active when you use location-based features; we do not track your location continuously or in the background.

Third-Party Map Services:

• Map tiles, base layers, and imagery are provided by third-party services (MapLibre GL, satellite providers).
• Your interactions with maps (viewing, zooming, panning) may be logged by third-party providers according to their privacy policies.
• We do not control third-party data collection from map services.

Retention:

• Property location data is retained while your account is active.
• After account deletion, property coordinates and boundaries are deleted within 90 days (except transaction records retained for 7 years per tax law).
• GPS data from mobile field work is retained as part of your property records.

10. International transfers

Some sub-processors are hosted outside Canada (see Section 7 for jurisdictions). When personal information is transferred to a foreign jurisdiction, we maintain contractual obligations on each processor consistent with PIPEDA.

11. Data retention

We retain personal data only as long as necessary:

• Active accounts & data: retained while account is active.
• Forest management plans (created in Forestate or uploaded): retained for the life of your account; not automatically deleted. Forestate is intended to serve as your central document repository for your woodlot. You may delete individual plans at any time.
• After account deletion: 90 days for most data to allow account recovery.
• Transaction records: retained for 7 years per Canadian tax law requirements.
• Government submission records: retained for 7 years if required by program rules.
• Demo & contact requests: contact details submitted through a “Book a demo” or contact form are retained while we follow up and for a reasonable period afterward; you may request deletion at any time by emailing privacy@forestate.ca.
• Marketplace listings: removed immediately upon deletion, but other Users may retain previously shared information.
• Security and fraud prevention data: may be retained longer if necessary for platform security.

12. Security measures

We implement reasonable technical and organizational measures:

• TLS/HTTPS for all data in transit,
• At-rest encryption of storage (where supported),
• Password hashing using industry-standard algorithms,
• Role-based access controls, least privilege for staff,
• Regular vulnerability assessments and security patching,
• Logging and monitoring of access and modifications,
• Incident response plan and breach notification procedures,
• Regular security training for staff with data access.

13. Data subject rights & how to exercise them

You can:

• Access the personal data we hold about you,
• Request correction of inaccurate data,
• Request deletion or export of your data (subject to legal retention requirements),
• Withdraw consent wherever processing is based on consent,
• Object to processing for legitimate interests,
• Restrict processing in certain circumstances,
• Data portability for data you provided to us,
• Lodge a complaint with the Office of the Privacy Commissioner of Canada.

How to request: email privacy@forestate.ca with subject “Privacy request” and specify the request and account email. We will confirm receipt within 5 business days and respond within 30 days.

14. Cookies & Browser Storage

14.1 Cookies

Forestate does not set first-party tracking, advertising, or marketing cookies on forestate.ca. Cloudflare may set strictly-necessary security cookies at the network edge (e.g., __cf_bm for bot mitigation, session-scoped); these are required for service security. In addition, when you view our “Book a demo” / contact form, Cloudflare Turnstile (a bot-mitigation widget) may set a strictly-necessary security cookie and process device and browser signals to confirm you are not an automated bot before your submission is accepted. These mechanisms are used only for security — never for tracking, advertising, profiling, or analytics.

14.2 Browser storage (localStorage and sessionStorage)

The application uses your browser’s localStorage and sessionStorage rather than cookies for authentication and application state. Stored items remain in your browser and are not transmitted to third parties except as part of authenticated requests to the Service.

localStorage (persists across sessions):

• Authentication token and refresh token (required to keep you signed in).
• Post-login redirect target and onboarding state.
• UI preferences (theme, accessibility settings).
• PostHog analytics distinct ID (PostHog is configured cookie-free).

sessionStorage (cleared on tab close):

• OAuth provisioning state and pre-authentication route.
• Document-signing flow state.
• Map viewport state.

14.3 Product analytics

Within the authenticated application, we use event-based product analytics (PostHog) tied to your user account to understand feature usage and improve workflows. PostHog is configured to use localStorage rather than cookies. No analytics tracking occurs on the public marketing website.

You can clear browser storage and cookies through your browser settings. Disabling required storage will prevent Service access.

15. Children

Service is not directed to children under 18 (or the age of majority in your province/territory, whichever is higher). We do not knowingly collect data from minors; if discovered, we will delete it immediately.

16. Automated Decision-Making and AI Processing

We may use automated systems to:

• Match woodlot owners with suitable contractors based on location and requirements
• Flag suspicious account activity for review
• Recommend relevant marketplace opportunities

Separately, we use a third-party AI service (Anthropic, via the Claude API — see Section 7) to perform OCR and structured-data extraction on user-uploaded forest management plan PDFs. This is a processing activity, not an automated decision; we do not use AI/ML to make decisions about your account, claim eligibility, or financial outcomes. We do not use your data to train artificial intelligence or machine-learning models.

You have the right to request human review of automated decisions that significantly affect you.

17. Changes to policy

We may update this policy from time to time. Material changes will be notified via email or prominent notice on the Service. Continued use after the effective date constitutes acceptance of the updated policy.

18. Data breach notification

If we become aware of a breach affecting personal data, we will:

• Assess scope, impact, and risk to affected individuals as soon as practicable
• Implement immediate containment and recovery measures
• Notify affected users without undue delay, including:
  • Nature of the breach and data affected
  • Potential consequences
  • Mitigation steps users should take
  • Our remediation actions
• Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible when required by law
• Maintain records of all breaches for compliance and improvement

19. PIPEDA Compliance

This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

20. Contact

Privacy Officer: Juraj Milcak Email: privacy@forestate.ca

Address: Forestate Technologies Inc. 409 Jenkins Rd. Marshfield, PE C1C 0J7 Canada

Privacy Commissioner of Canada: 30 Victoria Street Gatineau, Quebec K1A 1H3 Toll-free: 1-800-282-1376 Website: www.priv.gc.ca

Version 0.1 · Effective June 6, 2026. This is the current version. For previous versions and the full change history, see the legal centre.