Privacy Policy

Protection of your personal data — GDPR Compliant

Last updated: January 2025

VeraTrace SAS (hereinafter 'VeraTrace', 'we', 'our') is committed to protecting your privacy and personal data. This privacy policy explains how we collect, use, store, and protect your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or 'GDPR') and French Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files, and individual liberties.

Scope

This policy applies to all personal data we collect through our websites veratrace.xyz (main site), veratrace.eu (Europe site) and veratrace.net (international site), our mobile applications, our contact forms, and any other interaction with our services.

This policy does not cover the privacy practices of third-party sites to which we may link. We encourage you to read the privacy policies of any third-party sites you visit.

Data Controller

The controller of your personal data is:

VeraTrace SAS

35 rue de la République, 95110 Sannois, France

Represented by Frédéric Georjon, President

DPO Contact: [email protected]

Our Data Protection Officer (DPO) can be reached for any questions regarding the protection of your personal data.

Data Collected

We collect the following categories of data:

Data Categories

Identification data
  Data: Last name, first name, email address, phone number, company name, SIRET (for professionals), postal address
  Source: Registration forms, contact requests
  Requirement: Partially required

Professional data
  Data: Type of activity (producer, restaurant, distributor), farm size, number of employees, certifications held (Organic, HVE, AOP, IGP, Label Rouge), appellations, cultivated areas
  Source: User profile, information system integration
  Requirement: Required for producers

Traceability data
  Data: Production batches, harvest/production dates, product journey, recorded temperatures, delivery geolocation, blockchain timestamps
  Source: NFC tags, IoT trackers, manual entry, partner APIs
  Requirement: Required for the service

Transaction data
  Data: Order history, invoices, payment methods (tokenised), VRT points accumulated, pioneer status
  Source: VeraTrace platform, payment providers
  Requirement: Required for transactions

Navigation data
  Data: IP address (anonymised after 13 months), browser type, operating system, pages visited, visit duration, traffic source, actions performed
  Source: Cookies, server logs
  Requirement: Partially optional (analytics cookies)

Connection data
  Data: Login credentials (hashed), connection logs, session history, devices used
  Source: Authentication system
  Requirement: Required for users with an account

Communication data
  Data: Content of messages sent to support, exchange history, communication preferences, newsletter consents
  Source: Contact forms, emails, support chat
  Requirement: Optional

IoT data
  Data: Sensor identifiers, temperature readings, tracker geolocation, battery status, triggered alerts
  Source: VeraTrace IoT hardware
  Requirement: Automatic for equipped users

Sensitive Data

We do not collect sensitive data within the meaning of Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, etc.) unless strictly necessary and with your explicit consent.

Minors

Our services are not directed at minors under 16 years of age. We do not knowingly collect personal data concerning minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at [email protected] so that we may delete it.

Data Sources

  • Directly from you (forms, manual entry)
  • Automatically (cookies, logs, IoT sensors)
  • Via third parties (partner APIs, connected information systems)
  • Public sources (official registers for verification)

Processing Purposes

Your personal data is processed for the following purposes:

Contact request management
  Description: Responding to your questions, information requests, or complaints
  Legal basis: Legitimate interest

Pre-order processing
  Description: Managing your order, delivery, and after-sales service
  Legal basis: Contract performance

Newsletter and marketing communications
  Description: Informing you about our news, new products, and special offers
  Legal basis: Consent

Service improvement
  Description: Analyzing site usage to improve user experience
  Legal basis: Legitimate interest

Legal obligations
  Description: Complying with our accounting, tax, and regulatory obligations
  Legal basis: Legal obligation

Security
  Description: Protecting our site and users against fraud and cyberattacks
  Legal basis: Legitimate interest

Legal Basis for Processing

In accordance with GDPR, all personal data processing must rest on a legal basis. Our processing relies on the following legal bases:

Consent (Art. 6.1.a GDPR)

For sending newsletters, marketing communications, and using non-essential cookies. You may withdraw your consent at any time.

Contract performance (Art. 6.1.b GDPR)

For processing pre-orders, account creation, and providing our services.

Legal obligation (Art. 6.1.c GDPR)

To comply with our accounting, tax, and regulatory obligations (invoice retention, etc.).

Legitimate interest (Art. 6.1.f GDPR)

For service improvement, site security, fraud prevention, and anonymized statistics.


Balancing of Interests

When we invoke legitimate interest, we have carried out a balancing test, weighing our interests against your rights and freedoms. This analysis is documented and available upon request from our DPO.

Retention Period

We retain your personal data only for as long as necessary for the purposes for which it was collected:

Data | Retention period | Justification
Contact data (prospects) | 3 years after last contact |
Customer data | Duration of contractual relationship + 5 years | Legal statute of limitations
Billing data | 10 years | Accounting obligation
Navigation data | 13 months maximum |
Consent records | Duration of consent + 5 years | Proof of consent
Newsletter data | Until consent withdrawal + 3 years |

Archiving

At the end of the active retention periods, certain data may be archived in intermediate storage with restricted access in order to meet our legal obligations or for the establishment, exercise, or defence of legal claims.

Deletion

Upon expiry of the retention and archiving periods, your data is securely deleted or irreversibly anonymised.

Data Recipients

Your personal data may be communicated to the following recipients:

Internally

Only VeraTrace team members who need access to your data in the course of their duties have access (sales team, customer support, technical team).

  • Technical team (support, development)
  • Sales team (customer relations)
  • Administrative team (billing, accounting)
  • Management (oversight)

Access is controlled according to the least privilege principle and tracked in our audit logs.


Service providers and subcontractors

We work with technical providers for the operation of our services. All are subject to strict contractual obligations (Article 28 GDPR):

Hetzner Online GmbH
  Role: Website hosting and CDN
  Location: Germany (European Union), EU hosting

Make (formerly Integromat)
  Role: Form automation
  Location: European Union

Brevo (formerly Sendinblue)
  Role: Email and newsletter delivery
  Location: France

Stripe
  Role: Payment processing
  Location: United States (Privacy Shield certified)

This list is regularly updated. Last review: January 2026.


Partners (with your consent)

With your explicit consent, certain data may be shared with our partners:

  • Agricultural cooperatives of which you are a member
  • Partner local authorities (aggregated data only)
  • Certification bodies (for verification)

Authorities and legal obligations

Your data may be communicated to competent authorities (tax administration, judicial authorities) upon legal request or as part of our legal obligations.

  • Tax authorities (audits)
  • Judicial authorities (requisitions)
  • CNIL (French data protection authority) (inspections)
  • Food regulation authorities (DGCCRF, DDPP)

Data Sale

We NEVER sell your personal data to third parties. We do not share it for advertising purposes without your explicit consent.

Transfers outside the EU

Some of our service providers are located outside the European Union. In such cases, we ensure that appropriate safeguards are in place:

Safeguards in Place

Standard Contractual Clauses (SCCs)

Clauses approved by the European Commission (decision 2021/914) signed with our US-based providers

Additional measures

Encryption of data in transit and at rest, pseudonymisation where possible, Transfer Impact Assessment (TIA)

EU hosting preferred

We systematically favour providers that host data within the EU

Countries Concerned

United States
  Providers: Stripe, Airtable
  Safeguards: SCCs + additional measures

You can obtain a copy of the safeguards in place by contacting us at [email protected]

Automated Decisions and Profiling

In accordance with Article 22 GDPR, we inform you of processing involving automated decisions:

Traceability Score Calculation

We automatically calculate a traceability score (from A to E) based on the data you provide: information completeness, certifications, chain coverage, etc.

This score is informational and has no significant legal effect. It does not affect your ability to use the service.

You may contest this score by contacting our support team.


VRT Points Allocation

Points are calculated automatically according to an algorithm taking into account: distance travelled, certifications, product type, cold chain, etc.

This calculation affects the number of points you accumulate.

You may request a manual review if you believe an error has been made.


No Exclusively Automated Decision

No decision producing legal effects or significantly affecting you is made exclusively by automated means. Human intervention is always possible upon request.

Your Rights

In accordance with GDPR and the French Data Protection Act, you have the following rights over your personal data:

Right of access (Art. 15 GDPR)

Obtain confirmation that data concerning you is being processed and receive a copy.

Right to rectification (Art. 16 GDPR)

Have inaccurate data corrected or incomplete data completed.

Right to erasure (Art. 17 GDPR)

Request deletion of your data under certain conditions ('right to be forgotten').

Right to restriction (Art. 18 GDPR)

Request restriction of processing of your data under certain circumstances.

Right to data portability (Art. 20 GDPR)

Receive your data in a structured format and transmit it to another controller.

Right to object (Art. 21 GDPR)

Object to the processing of your data, particularly for direct marketing purposes.

Right to withdraw consent

Withdraw your consent at any time for processing based on consent.

Right to define post-mortem directives

Define directives regarding the retention and communication of your data after your death.


How to exercise your rights

To exercise your rights, several options are available to you:

Online

Via your personal account, in the “My Data” section (for users with an account)

By email

By writing to [email protected]

By post

VeraTrace SAS - DPO, 35 rue de la République, 95110 Sannois, France

Please include a copy of your ID with any request.

We undertake to respond to your request within one month. This period may be extended by two months depending on the complexity and number of requests.

The exercise of your rights is free of charge. However, in the case of requests that are manifestly unfounded or excessive, in particular due to their repetitive nature, we may require the payment of a reasonable fee or refuse to act on the request.


Complaint to the CNIL

If you believe that the processing of your personal data constitutes a violation of your rights, you may lodge a complaint with the French Data Protection Authority (CNIL):

CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07, France

www.cnil.fr

You may also lodge a complaint online on the CNIL website.

Cookies and Trackers

Our site uses cookies and similar technologies. A cookie is a small text file stored on your device when you visit a website.

What is a Cookie?

A cookie allows the site to recognise your browser and remember certain information (preferences, session, etc.). Cookies cannot execute programs or transmit viruses.


Types of cookies used

Strictly necessary cookies
  Duration: Session or 12 months maximum
  Status: Essential

Analytics cookies
  Duration: 13 months maximum
  Status: Consent required

Preference cookies
  Duration: 12 months
  Status: Consent required

What We Do NOT Use

  • Advertising or targeting cookies
  • Social media trackers (Facebook Pixel, etc.)
  • Google Analytics or any Google tracking service
  • Third-party cookies for marketing purposes

Cookie management

You can change your cookie preferences at any time:

Consent banner

Accessible via the “Manage cookies” link at the bottom of each page

Browser settings

You can configure your browser to refuse all cookies or to alert you when a cookie is sent

Links to the settings of the main browsers

  • Chrome: chrome://settings/cookies
  • Firefox: about:preferences#privacy
  • Safari: Preferences > Privacy
  • Edge: edge://settings/privacy

Disabling certain cookies may affect the functioning of the site and your browsing experience.

Data Security

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access:

Technical Measures

  • Encryption of data in transit (HTTPS/TLS 1.3)
  • Encryption of sensitive data at rest (AES-256)
  • Password hashing (bcrypt with salt)
  • Strong authentication for system access (mandatory 2FA)
  • Web Application Firewall (WAF) and DDoS protection
  • Intrusion monitoring and detection (IDS/IPS)
  • Daily encrypted backups with monthly restoration testing
  • Separate development, test, and production environments

Organisational Measures

  • Strict access control based on the least privilege principle
  • Traceability of data access (audit logs)
  • Regular security and data protection training for our teams
  • Security incident management policy
  • Regular review of access rights
  • Confidentiality clauses for all employees and providers

Tests and Audits

We regularly conduct security tests (penetration tests, vulnerability scans) and audits of our practices.

Data Breach

In the event of a personal data breach likely to pose a risk to your rights and freedoms, we undertake to notify the CNIL within 72 hours and to inform you as soon as possible if the risk is high.

  1. We notify the CNIL (French data protection authority) within 72 hours of becoming aware of the breach
  2. We inform you as soon as possible if the risk to your rights and freedoms is high
  3. We document any breach in our internal register
  4. We take measures to remedy the breach and limit its consequences

Blockchain-Specific Considerations

VeraTrace uses blockchain technology to certify traceability data. Here is what you need to know:

What Is Stored on the Blockchain

  • Only cryptographic hashes (digital fingerprints)
  • Timestamps of records
  • Batch identifiers (anonymised)

What is NOT stored on the blockchain

  • Your personal data (name, address, etc.)
  • Commercial details (prices, volumes)
  • Sensitive data about your farm

Immutability

Hashes recorded on the blockchain are by nature immutable and cannot be deleted. However, these hashes cannot be used to reconstruct your personal data. Deleting your data from our systems makes these hashes unusable.

Right to erasure and blockchain

If you exercise your right to erasure, we delete all your personal data from our databases. Blockchain hashes remain but can no longer be linked to your identity and cannot be used to reconstruct your data.

Changes to this policy

We reserve the right to modify this privacy policy at any time to reflect changes in our practices or regulatory requirements.

How you will be notified

  • Email notification for material changes (users with an account)
  • Information banner visible on the site for 30 days
  • Update of the 'last updated' date at the top of this document

Continued use of our services after publication of changes constitutes acceptance of the new policy.

Version history is available on request from our DPO.

Contact us

For any questions about this privacy policy or the processing of your personal data:

Data Protection Officer (DPO)

[email protected]

GDPR questions, exercise of rights, complaints

Technical support

[email protected]

Account issues, data access via the application

General contact

[email protected]

General enquiries

Postal address

VeraTrace SAS - DPO, 35 rue de la République, 95110 Sannois, France

Registered mail for formal requests

We undertake to respond to any request within 5 business days for an initial acknowledgement, and within the legal deadline of one month for a full response.