Privacy Policy - Forestate

1. Overview / Controller

Forestate Technologies Inc. ("Forestate", "we", "us", "our") operates Forestate, a digital marketplace and management platform that:

Connects woodlot owners with certified foresters and logging contractors
Facilitates forest management planning and documentation
Manages intake forms and government program applications
Enables contract negotiations between parties
Provides end-to-end timber supply chain tracing
Maintains forest inventory and harvest records

Controller contact

Legal entity: Forestate Technologies Inc.
Address: 115 Richmond St #307, Charlottetown, PE, C1A 1H7, Canada
Email: privacy@forestate.ca
Data Protection Officer: Juraj Milcak

2. Scope / Purpose of this Policy

This Privacy Policy explains:

what personal data we collect,
why we collect it,
how we use, share, secure and retain it,
third parties we work with,
user rights and choices,
how to contact us about privacy.

It applies to anyone who uses our services, signs up for an account, uploads data, or otherwise interacts with Forestate.

3. Definitions

Personal data: information that identifies an individual (e.g., name, email).
Sensitive personal data: where applicable, e.g., identifiers that reveal precise geolocation of private property — we treat property coordinates as sensitive for privacy/security reasons.
Process / Processing: any operation on personal data (collect, use, store, disclose, delete).
Marketplace data: information shared between Users for contract opportunities, including woodlot boundaries, timber specifications, and contact details.

4. Legal bases

We rely on these legal bases for processing:

Consent — when you expressly opt-in (e.g., program application sharing).
Contractual necessity — to provide services you request (account creation, data storage, submission of forms).
Legitimate interests — for platform operations, fraud prevention, analytics (balanced against user rights).
Legal obligations — to comply with laws, courts, or government program audits.

For Canadian users, PIPEDA governs commercial activities; for EU/UK residents we will honor GDPR rights as described below where applicable.

5. What data we collect

Account & identity

Name, email, phone number, address, organization, postal address, password hash.

Property & forestry data

Property/parcel identifiers, coordinates, acreage, ownership documents, forest management plan files (PDF, images, maps, shapefiles), grant application content.

Woodlot boundaries, timber species and volumes, harvest specifications, access conditions.

Contract terms, pricing information, completion records.

User-generated content

Uploaded files, notes, photos, assessment reports, logs you attach to your account.

Technical & usage

IP address, device type, OS, browser, timestamps, activity logs, pages visited, feature usage, error logs.

Communications

Messages with support, emails, phone call logs (metadata).

Email addresses collected through mailing list/waitlist signup forms.

Marketing communication preferences.

Payment

Billing name, billing address, subscription tier, payment history.

Payments processed by Stripe (we do not store full card numbers or banking information).

Transaction records for tax and accounting purposes.

Cookies / tracking

Session cookies, authentication cookies, analytics cookies, performance cookies, optional marketing cookies.

Visitor/Non-User Data

We do not track visitors to our website (including splash page) before account creation.

No personal data is collected unless you submit your email via our signup form.

6. How we use personal data

We use data to:

provide and operate the service (user accounts, forms, file storage),
facilitate marketplace connections between woodlot owners and service providers,
display your listings and profile information to other Users (with your consent),
process submissions to government or partner programs (with your consent),
perform analytics, product improvements, and monitoring,
send transactional emails, product notifications, and relevant marketplace opportunities,
send marketing emails, product updates, and launch announcements to mailing list subscribers,
manage waitlist and notify about platform availability,
verify optional credentials for verification badges,
prevent abuse, fraud, and maintain platform integrity,
comply with legal obligations and enforce our Terms.

We will not sell personal data to third parties.

7. Sharing & third-party processors

We share data with:

Cloud & hosting: Supabase.
Integrations / automation: Internal workflow tools.
Payment processors: Stripe.
Government/Program Partners: only with explicit user consent when submitting grant applications.
Legal / safety: when required by law or to respond to lawful requests.

Processor list:

Supabase — database and auth (data: user account, files).
Amazon SES — email delivery.
Stripe — payment data.

We require processors to maintain appropriate security and to process data only as instructed.

8. Mailing List & Marketing Communications

Email Collection:

We collect email addresses through signup forms on our website for users interested in receiving updates about Forestate.
Submitting your email constitutes consent to receive marketing communications from us.

What We Send:

Product launch announcements
Platform updates and new features
Forest industry insights and tips
Marketplace opportunities (once you're a User)

Your Rights:

Unsubscribe at any time via link in every email
Update your communication preferences
Request deletion of your email from our mailing list by emailing privacy@forestate.ca

Retention:

Mailing list emails retained until you unsubscribe or request deletion
After unsubscribe: removed within 30 days

Legal Basis:

Consent — by submitting your email through our signup form
You can withdraw consent at any time by unsubscribing

9. Marketplace Data Visibility

When you create or respond to marketplace listings:

What's Shared: Company name, contact information, woodlot boundaries, timber specifications, harvest requirements, and access conditions.
Who Sees It: Other verified Users who match your criteria (e.g., contractors see owner listings, owners see contractor profiles).
Your Control: You choose what information to include in each listing and can modify or remove listings anytime.
Consent: Creating a listing constitutes consent to share the included information with relevant Users.
Data Retention by Other Users: Other Users may retain information from your listings in their own records.
Verification Badge Data: If you pursue verification, submitted credentials are visible as badges on your profile.

9.2 Geolocation Precision and Property Location Privacy

Default Privacy:

Property data, boundaries, and location information you upload are private by default and visible only to you.
Your property information is not shared with other Users unless you create a Marketplace listing.

When You Create a Marketplace Listing:

Your listing becomes visible to appropriate entity types (e.g., contractors see harvest listings, foresters see management plan requests).
Location precision is reduced to protect your privacy and security:
- Property location is shown with ±1 kilometer fuzzy precision until you award a contract or approve contact.
- General location (municipality/region) and approximate acreage are visible.
- Exact property boundaries, coordinates, and access details remain hidden.
This protects against unauthorized property access, trespassing, and timber theft.

When You Award a Contract or Approve Contact:

Full property details, exact boundaries, and precise coordinates are shared with the selected contractor or service provider.
They receive access to all property data necessary to perform the contracted services.
Other Users who submitted proposals do not receive access to your precise location.

Your Control:

You can modify or remove Listings at any time to stop sharing location information.
Removing a Listing does not delete data already accessed by other Users.
You control what property details to include in each Listing.

Mobile Application and GPS Tracking:

Our mobile application collects GPS location data when you use field work features (taking photos, creating geotagged records, site assessments).
GPS data is used to:
- Geotag photos and field records for your property documentation
- Place field observations on property maps
- Improve location-based features
GPS location data is not shared with other Users unless you explicitly include geotagged content in a shared Listing or contract.
Mobile GPS tracking is only active when you use location-based features; we do not track your location continuously or in the background.

Third-Party Map Services:

Map tiles, base layers, and imagery are provided by third-party services (MapLibre GL, satellite providers).
Your interactions with maps (viewing, zooming, panning) may be logged by third-party providers according to their privacy policies.
We do not control third-party data collection from map services.

Retention:

Property location data is retained while your account is active.
After account deletion, property coordinates and boundaries are deleted within 90 days (except transaction records retained for 7 years per tax law).
GPS data from mobile field work is retained as part of your property records.

10. International transfers

Some processors are hosted outside Canada (e.g., US). Where transfers occur, we implement safeguards (contractual clauses, standard contractual clauses, or host in Canada where available). If you are an EU/UK resident, we rely on SCCs and appropriate measures; contact privacy@forestate.ca for specifics.

11. Data retention

We retain personal data only as long as necessary:

Active accounts & data: retained while account is active.
After account deletion: 90 days for most data to allow account recovery.
Transaction records: retained for 7 years per Canadian tax law requirements.
Government submission records: retained for 7 years if required by program rules.
Marketplace listings: removed immediately upon deletion, but other Users may retain previously shared information.
Mailing list emails: retained until unsubscribe or deletion request, then removed within 30 days.
Security and fraud prevention data: may be retained longer if necessary for platform security.

12. Security measures

We implement reasonable technical and organizational measures:

TLS/HTTPS for all data in transit,
At-rest encryption of storage (where supported),
Password hashing using industry-standard algorithms,
Role-based access controls, least privilege for staff,
Regular vulnerability assessments and security patching,
Logging and monitoring of access and modifications,
Incident response plan and breach notification procedures,
Regular security training for staff with data access.

13. Data subject rights & how to exercise them

You can:

Access the personal data we hold about you,
Request correction of inaccurate data,
Request deletion or export of your data (subject to legal retention requirements),
Withdraw consent wherever processing is based on consent,
Object to processing for legitimate interests,
Restrict processing in certain circumstances,
Data portability for data you provided to us,
Lodge a complaint with the Office of the Privacy Commissioner of Canada.

How to request: email privacy@forestate.ca with subject "Privacy request" and specify the request and account email. We will confirm receipt within 5 business days and respond within 30 days.

14. Cookies & trackers

Cookie types we use:

Authentication (JWT) — Required — Short-lived access tokens (typically 1 hour), automatically refreshed
Refresh Token — Required — Persistent token for session continuity (never expires but single-use)
Session Storage — Required — Maintains session state while browser is open
Preferences — Functional — Remembers user settings and choices
Analytics — Optional — Not currently used, would require explicit consent if implemented
Marketing — Optional — Not currently used, would require explicit consent if implemented

You can manage cookies through your browser settings. Disabling required cookies will prevent Service access.

15. Children

Service is not directed to children under 18. We do not knowingly collect data from minors; if discovered, we will delete it immediately.

16. Automated Decision-Making

We may use automated systems to:

Match woodlot owners with suitable contractors based on location and requirements
Flag suspicious account activity for review
Recommend relevant marketplace opportunities

You have the right to request human review of automated decisions that significantly affect you.

17. Changes to policy

We may update this policy from time to time. Material changes will be notified via email and prominent notice on the Service at least 30 days before taking effect. Continued use after the effective date constitutes acceptance of the updated policy.

18. Data breach notification

If we become aware of a breach affecting personal data, we will:

Assess scope, impact, and risk to affected individuals within 24 hours
Implement immediate containment and recovery measures
Notify affected users without undue delay, including:
- Nature of the breach and data affected
- Potential consequences
- Mitigation steps users should take
- Our remediation actions
Report to the Privacy Commissioner within 72 hours if the breach creates real risk of significant harm
Maintain records of all breaches for compliance and improvement

19. PIPEDA Compliance

This policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA). We adhere to PIPEDA's ten principles:

Accountability
Identifying purposes
Consent
Limiting collection
Limiting use, disclosure, and retention
Accuracy
Safeguards
Openness
Individual access
Challenging compliance

20. Contact

Privacy Officer: Juraj Milcak
Email: privacy@forestate.ca

Address:
Forestate Technologies Inc.
115 Richmond Street, Unit 307
Charlottetown, PE C1A 1H7
Canada

Privacy Commissioner of Canada:
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca

← Back to Home