Attestly

Privacy Policy

Last updated: 2026-05-07

1. Introduction

Attestly is a B2B API for socio-environmental compliance. This policy describes how we handle data from the organizations that purchase the service and from the operators who interact with our platform. We do not market directly to end consumers.

2. Information We Collect

We collect only what is necessary to deliver, bill and audit the service.

Information provided by the organization:

  • Organization records (legal name, contact email, tax identifiers)
  • Payment data processed by Stripe (we do not store card data)
  • Geometries and parameters sent to API calls (required to execute the evaluation)
  • Communications with our support and commercial teams

Information collected automatically:

  • Request logs (IP, user agent, timestamps, API key identifier)
  • Usage metrics for billing and quotas
  • Error and performance telemetry via OpenTelemetry

3. How We Use Information

We use the information collected to:

  • Execute evaluations and deliver the contracted service
  • Compute consumption, issue charges and prevent fraud
  • Diagnose incidents and improve the platform
  • Send operational communications about the service
  • Detect abuse, suspicious activity and protect infrastructure
  • Comply with legal obligations and respond to lawful requests

4. Data Security

We apply appropriate technical and organizational measures:

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access control with least privilege
  • Audit logs and continuous monitoring
  • API keys are stored only as hashes; the raw key is shown once, at creation, and cannot be recovered from our systems afterwards

5. Sharing and Sub-processors

We do not sell data. We share information only with sub-processors essential to operation:

  • Stripe — payment processing and subscription management
  • Hosting and CDN providers (Cloudflare, Vercel) to serve the application
  • Observability providers (Sentry, Grafana) for error diagnostics
  • Authorities, when required by law or court order

6. Data Retention

We retain data while the contractual relationship is active. Request logs are retained for up to 90 days for diagnostics and audit; billing records are retained for the applicable legal term. After account termination, data not required by law is deleted within 30 days.

7. Your Rights (LGPD / GDPR)

The contracting organization, and the individual operators whose personal data we process, have the right to:

  • Access the data we hold
  • Correct inaccurate data
  • Request deletion (subject to legal retention)
  • Export data in a structured format
  • Object to certain processing

8. Cookies

The marketing site uses strictly necessary cookies only (session, language, captcha). The API does not use cookies: authentication uses a Bearer API key sent in the Authorization header.

9. International Transfers

Sub-processors such as Stripe and our infrastructure providers may process data outside Brazil. We ensure that adequate contractual clauses are in place for these transfers and rely on performance of the contract as the legal basis.

10. Changes to this Policy

We may update this policy. Material changes will be communicated by email to contracting organizations with reasonable notice.