Privacy Policy

1. Who We Are

LeafTracker (“we”, “us”, “our”) is a sustainability-certification tracking platform headquartered in Singapore. We help building owners, facility managers, and sustainability professionals track progress toward certifications such as NABERS, WELL Building Standard™, BCA Green Mark, AWS Standard, SGLS, and LEED v5.

For privacy-related inquiries, contact us at team@leaftracker.app.

2. Information We Collect

We collect information in the following ways:

a) Account Information

When you sign up, we collect your email address and any profile information you choose to provide. Authentication is handled by Supabase; we do not store passwords directly.

b) Certification Data

Data you enter into our certification trackers (scores, notes, phase progress) is stored in your browser's local storage and, where applicable, in our Supabase database linked to your account.

c) Document Uploads

You may upload supporting documents (PDFs, images, spreadsheets) to our secure storage buckets. These files are associated with your account and the relevant certification.

d) Usage Data

We collect standard server logs (IP address, browser type, pages visited, timestamps) to maintain service reliability. We do not currently use third-party analytics tools.

e) Notifications & Reminders

If you enable notifications, we store your notification preferences, reminders, and certification expiry dates to deliver timely alerts.

3. How We Use Your Information

• Provide and maintain the LeafTracker platform and your account
• Display your certification progress and generate reports
• Send certification-expiry reminders and in-app notifications
• Process payments and manage subscriptions (via Stripe, when activated)
• Respond to support requests and privacy inquiries
• Improve the platform based on aggregated, anonymised usage patterns
• Comply with legal obligations

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your data on the following bases:

• Contract: Processing necessary to provide the services you signed up for
• Legitimate interest: Service improvement, security monitoring, and fraud prevention
• Consent: Marketing communications (you may withdraw consent at any time)
• Legal obligation: Where required by applicable law

5. Third-Party Services

We work with trusted third-party service providers to operate LeafTracker. These providers only process your data as necessary to deliver their services to us:

• Authentication & database provider: Manages user accounts, stores certification data, and hosts uploaded documents
• Cloud hosting provider: Serves the LeafTracker platform and processes standard server logs (IP addresses, page requests)
• Payment processor: Handles billing and subscription transactions securely
• Email delivery provider: Sends transactional notifications such as certification expiry reminders

We do not sell, rent, or trade your personal data to any third party.

6. Data Storage & International Transfers

Our services are hosted on infrastructure located in various regions. If you access LeafTracker from the EEA or UK, your data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR.

7. Data Retention

We retain your account data and certification records for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required by law to retain certain records.

Uploaded documents are deleted when you remove them from the platform or when your account is deleted.

8. Your Rights

Depending on your location, you may have the following rights:

Under GDPR (EEA & UK)

• Access, rectify, or erase your personal data
• Restrict or object to processing
• Data portability (receive your data in a structured, machine-readable format)
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

Under Singapore's PDPA

• Access and correct your personal data
• Withdraw consent for the collection, use, or disclosure of your data
• Request information about how your data has been used or disclosed in the past year
• Lodge a complaint with the Personal Data Protection Commission (PDPC)

To exercise any of these rights, email us at team@leaftracker.app. We will respond within 30 days.

9. Cookies & Local Storage

LeafTracker uses essential cookies and browser local storage to maintain your session and store certification progress locally. We do not use advertising or tracking cookies.

10. Security

We implement industry-standard security measures including HTTPS encryption, secure authentication via Supabase, signed URLs with short-lived expiry for document access, server-side auth guards, and security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy).

While we take reasonable steps to protect your data, no system is 100% secure. If you discover a security vulnerability, please report it to team@leaftracker.app.

11. Children's Privacy

LeafTracker is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-app notification. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: