Privacy Policy

Evergreen Exchange Enterprises, LLC ("The Evergreen Exchange," "we," "us," or "our") is committed to being transparent about how we collect, use, and protect information in connection with our product authentication and verification services. This Privacy Policy explains our data practices across all touchpoints — including our main website, client dashboard, and the end-user verification portal that consumers access by scanning Evergreen Certified labels.

This Policy applies to two distinct groups: (1) Clients — businesses that purchase and use our authentication and verification services; and (2) End Users — consumers who scan Evergreen Certified labels and interact with our verification portal. We address each group separately where our practices differ.

This Policy describes how we handle your information when you use our services or access our verification portal. By continuing to use our services, you acknowledge that you have read and understood these practices.

This Policy should be read together with our Terms of Service, available at theevergreenexchange.com/terms, which govern your use of our Services and contain definitions that apply throughout this Policy. Capitalized terms not defined in this Policy have the meanings given to them in the Terms of Service.

If you are an End User accessing our verification portal, your use is also governed by our Verification Portal Terms, available at theevergreenexchange.com/portal-terms.

1. WHO WE ARE AND HOW TO CONTACT US

Evergreen Exchange Enterprises, LLC is the data controller for personal information collected through our services. With respect to personal data submitted by Clients in connection with their use of the Services, The Evergreen Exchange acts as a data processor operating on the Client's instructions; in that context, the Client is the data controller responsible for the lawfulness of the underlying data.

For privacy-related questions, requests, or concerns, contact us at:

Email: privacy@theevergreenexchange.com
Website: theevergreenexchange.com

We will respond to all privacy-related inquiries within 30 days. Where applicable law requires a shorter response window, we will comply with that shorter period.

2. INFORMATION WE COLLECT

2A. Information Collected from Clients

When a business enters into a service relationship with The Evergreen Exchange, we collect:

Business contact information (name, title, email, phone number, company name, billing address)
Account credentials for any client-facing portal or dashboard
Product and claims data submitted for inclusion in verification records
Payment and billing information (processed through third-party payment processors)
Communications and correspondence related to service delivery

Clients are responsible for ensuring that any personal data they submit to The Evergreen Exchange in connection with product claims has been collected lawfully and with appropriate rights to share.

2B. Information Collected from End Users

When a consumer scans an Evergreen Certified label and accesses the verification portal, we automatically collect:

Security and Anti-Fraud Data

Device type, operating system, and browser information
IP address and approximate geographic location derived from IP
Unique device identifiers used for fraud detection
Scan timestamp and scan frequency per label serial code
Duplicate scan detection signals

This data is collected to protect the integrity of the Evergreen Certified verification system, detect counterfeit activity, and maintain the reliability of authentication records. It is retained for a period of three (3) years from the date of collection. IP addresses, unique device identifiers, and scan timestamps collected in this context constitute personal data under applicable law, including CCPA, and are processed by The Evergreen Exchange as data controller for security and fraud prevention purposes.

Analytics Data

Page views, session duration, and navigation behavior on the verification portal
Referring source (i.e., that the visit originated from a QR code scan)
Interaction data including clicks and content engagement
Session interaction recordings captured via PostHog — anonymized behavioral replays of user interactions on the verification portal, used for internal product development, improvement, and inclusion in aggregate pilot results reports provided to the client brand whose product was scanned. No session recording is linked to or identifiable by any individual user

We use Google Analytics 4 (GA4) and PostHog to collect analytics data on both our main marketing website and the verification portal. These tools may set cookies or use similar tracking technologies. Analytics data is used to improve the functionality and user experience of our services.

For information on Google Analytics data practices, visit: policies.google.com/technologies/partner-sites. For PostHog: posthog.com/privacy.

Voluntarily Provided Data — Email Opt-In

End users may voluntarily provide their email address to access offset tracking features. By providing your email, you can view your cumulative carbon offset total attributed to your product scans across Evergreen Certified products.

By providing your email, you also agree that The Evergreen Exchange may send you communications related to your offset tracking and, from time to time, verified offers or announcements from brands whose Evergreen Certified products you have scanned. Every such communication will include a clear and easy method to opt out.

Email opt-in is entirely voluntary. Declining to provide your email does not affect your ability to access the verification portal or view product authentication information.

In the future, The Evergreen Exchange may offer optional account creation to expand the features available to registered users. Any such account will be subject to updated terms disclosed at the time of creation.

3. HOW WE USE INFORMATION

Client Information

Delivering, maintaining, and improving our authentication and verification services
Processing orders, billing, and managing contractual relationships
Communicating about service updates, renewals, and support
Providing clients with aggregate analytics about their verification portal performance

End User Information

Verifying the authenticity of scanned labels and detecting fraudulent or duplicate scan activity
Maintaining the integrity and accuracy of verification records
Analyzing and improving the verification portal experience
Attributing carbon offset totals to voluntarily provided email addresses
Sending offset summaries and, where consented, verified offers from participating brands
Developing aggregated, anonymized benchmarking data to improve our services

4. INFORMATION SHARING AND DISCLOSURE

The Evergreen Exchange does not sell personal information. We do not share personal information except as described below:

Service Providers

We engage third-party service providers who assist in operating our services, including cloud infrastructure, payment processing, analytics platforms (including Google Analytics 4 and PostHog), and email delivery. These providers are authorized to use information only as necessary to perform services on our behalf. A current list of our key service providers and their applicable privacy policies is available upon request at privacy@theevergreenexchange.com.

Client Portal Analytics

Clients have access to aggregate, non-personally-identifiable analytics related to their verification portal — including total scan volume, scan timing, and general geographic distribution. Clients do not have access to individual end user emails or personally identifiable scan records. The aggregate analytics made available to clients are derived from underlying server-side scan records — including IP addresses, device identifiers, and scan timestamps — which The Evergreen Exchange processes as personal data as described in Section 2B of this Policy.

Client-Directed Communications

Where an end user has opted in to receive brand communications, The Evergreen Exchange may send emails on behalf of client brands to that user. The Evergreen Exchange controls and manages this communication process. End user email addresses are not transferred to clients directly.

Legal and Safety Disclosures

We may disclose information if required by law, court order, or government authority, or if we believe disclosure is necessary to prevent fraud, protect the safety of any person, or enforce our Terms of Service.

Business Transfers

In the event of a merger, acquisition, or sale of substantially all of our assets, personal information may be transferred to the acquiring entity. We will provide notice of such a transfer via email to the address associated with your account (for Clients) or via a prominent notice on our website at theevergreenexchange.com (for End Users) no later than thirty (30) days prior to the transfer becoming effective, to the extent practicable. The acquiring entity will be required to honor this Privacy Policy or provide you with a new privacy policy at least as protective as this one.

5. COOKIES AND TRACKING TECHNOLOGIES

Our main website and verification portal use cookies and similar tracking technologies, including those set by GA4 and PostHog, to collect analytics data and support portal functionality.

Types of cookies we use:

Essential cookies — necessary for the portal to function (e.g., session management)
Analytics cookies — set by GA4 and PostHog to collect usage and engagement data

Most browsers allow you to control cookie settings. Disabling analytics cookies will not affect your ability to view verification information but may limit our ability to improve the portal experience.

For a complete list of cookies used across our website and verification portal, including technical details on each cookie's purpose and duration, please see our Cookie Policy at theevergreenexchange.com/cookies.

6. DATA RETENTION

We retain information for as long as necessary to fulfill the purposes for which it was collected, subject to the following guidelines:

Security and anti-fraud data — server-side records (IP addresses, device identifiers, scan frequency signals held in The Evergreen Exchange's own systems): retained for three (3) years from the date of collection, after which they are deleted or anonymized.
Authentication and verification records: retained permanently and indefinitely. Records anchored to the Bitcoin blockchain contain only commercial data: label identifiers, product and brand identifiers, offset allocation amounts, offset pool references, manifest identifiers, anchor timestamps, and, where recorded, cryptographic hashes of claim documentation or compiled documentation packages (such as Certificates of Analysis) submitted by the Client. No claim content, personal data, scan metadata, device information, or geographic data is embedded on-chain, only the hash and timestamp. These records are written to a public Bitcoin blockchain ledger as part of The Evergreen Exchange's tamper-evident authentication system. By the immutable nature of Bitcoin blockchain technology, they cannot be altered, removed, or deleted by The Evergreen Exchange or any other party once recorded. No personal data, scan metadata, device information, or geographic data is embedded on-chain. Scan logs — including scan timestamps, approximate geographic region derived from IP address, and device information — are server-side records held in The Evergreen Exchange's own systems. They are distinct from, and not part of, the blockchain-anchored Verification Record. These records are retained for three (3) years from the date of collection and are then deleted or anonymized as set out in the schedule above. Deletion requests cannot be fulfilled with respect to blockchain-anchored records; however, all server-side scan logs and associated data are subject to deletion as described in this Policy.
Records anchored to the Bitcoin blockchain cannot be altered or deleted by The Evergreen Exchange or any other party. This is an absolute technical property of blockchain infrastructure, not a policy decision. This immutability is a core architectural requirement of the Evergreen Certified verification system and the foundation of its value as a tamper-evident proof infrastructure. Records embedded in Bitcoin blockchain infrastructure contain only commercial data (label identifiers, product and brand identifiers, offset allocation amounts, offset pool references, manifest identifiers, and anchor timestamps) and do not constitute personal data as defined under applicable data protection laws including GDPR.
Analytics data: subject to default retention settings of GA4 and PostHog, which can be configured and are disclosed in those platforms' respective privacy policies.
Client account and contractual data: retained according to the following category-specific timelines: (a) account credentials, API keys, and payment method details are deleted within sixty (60) days of termination; (b) Client contact information and account history are retained indefinitely for legitimate business purposes including dispute resolution and re-engagement, consistent with our Terms of Service; and (c) Verification Records and Authentication Label records associated with Client engagements are retained as part of The Evergreen Exchange's permanent operational record as described above.
End user email and offset data: until the user requests deletion, or for three (3) years from the date of the user's last scan interaction, whichever occurs first, after which the data is deleted or anonymized.

When data is no longer needed, we delete or anonymize it in accordance with our internal data management procedures.

7. YOUR PRIVACY RIGHTS

California Residents — CCPA/CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

Right to Know — You may request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
Right to Delete — You may request deletion of personal information we have collected from you. Records embedded in Bitcoin blockchain infrastructure contain only anonymized label identifiers and allocation data that do not constitute personal information under applicable law, and cannot be altered or deleted by any party as an absolute technical property of blockchain infrastructure. Accordingly, deletion requests cannot be fulfilled with respect to blockchain-embedded records. All associated server-side personal data will be deleted upon a valid deletion request. For more information, see Section 6 (Data Retention)
Right to Correct — You may request correction of inaccurate personal information.
Right to Opt Out of Sale or Sharing — The Evergreen Exchange does not sell personal information. We do not share personal information for cross-context behavioral advertising.
Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To exercise your rights, contact us at privacy@theevergreenexchange.com. We will verify your identity before processing requests and aim to respond within 30 days, and in all cases within the timeframe required by applicable law.

All US Users

Regardless of your state of residence, you may:

Opt out of marketing emails at any time by clicking the unsubscribe link in any email we send
Request deletion of your email address and associated offset data by contacting us directly
Request information about what data we hold associated with your email address

8. DATA SECURITY

The Evergreen Exchange implements commercially reasonable technical and organizational security measures to protect information against unauthorized access, disclosure, alteration, or destruction. These measures include encrypted data transmission, access controls, and regular security reviews of our systems.

In the event of a data breach that affects your personal information, we will notify affected individuals and relevant authorities as required by applicable law.

No method of transmission over the internet or electronic storage is 100% secure. While we work to protect your information, we cannot guarantee absolute security.

9. CHILDREN'S PRIVACY

Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will promptly delete it. If you believe we may have collected such information, please contact us at privacy@theevergreenexchange.com.

10. THIRD-PARTY LINKS AND SERVICES

Our verification portal and website may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party sites you visit. The Evergreen Exchange is not responsible for the privacy practices of third parties.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the Effective Date at the top of this Policy and, where appropriate, notify clients directly.

Your continued use of our services following any update constitutes acceptance of the revised Policy. We encourage you to review this Policy periodically.

12. CONTACT US

For any questions, concerns, or requests related to this Privacy Policy or your personal information, please visit our Legal Contact Page at theevergreenexchange.com/legal, or contact us directly at privacy@theevergreenexchange.com.

We will respond to all privacy-related inquiries within the timeframe applicable to your request, as described in Section 7 above. Legal inquiries submitted via the Legal Contact Page at theevergreenexchange.com/legal or directed to legal@theevergreenexchange.com are subject to a ten (10) business day response commitment as described on that page.