Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Account Registration: When you create an account, we collect your full name, work email address, password, company affiliation, job title, and industry classification.
• Contact Form Submissions: When you submit our contact form, we collect your first and last name, work email, company, job title, industry, area(s) of interest (supply chain mapping, AI models, circular economy, sustainability tracking, operations hub, product demo), and any message you include.
• Profile Information: You may optionally provide a profile photo, biography, department, phone number, and other professional information.
• Subscription & Billing: When you subscribe to our services, we collect billing address, credit card information (processed securely through third-party payment processors), invoice preferences, and usage quotas.
• Content You Create: Supply chain maps, queries, saved searches, notes, workflow configurations, and any data you upload to our Platform.

1.2 Information Collected Automatically

• Log Data: IP address, browser type, operating system, referring URL, pages visited, time spent on pages, and search queries.
• Device Information: Device type, mobile device identifiers, device model, and hardware details.
• Geolocation Data: Approximate geographic location based on IP address (not precise GPS location without consent).
• Usage Analytics: Features accessed, buttons clicked, workflows initiated, API calls made, and search patterns (for AI model improvement).
• Cookies & Similar Technologies: Session identifiers, preference settings, authentication tokens, and analytics tracking.

1.3 Information from Third Parties

• OAuth Providers: When you sign in via Google or Microsoft, we receive your email address, name, and profile picture.
• Public Data Sources: We collect and aggregate publicly available industrial data (company information, contact details, supply chain relationships) from public sources and databases for our platform services.
• Business Partners: Information you provide when purchasing through resellers or partners.

1.4 Data Categories in Our Platform

The Material Transition Platform indexes data across the following categories to provide comprehensive supply chain insights:

• Raw Materials & Feedstocks: Biopolymers, biodegradable plastics, biobased composites, seaweed databases, sustainable materials, post-consumer/post-industrial recycled plastics.
• Manufacturing & Contract Services: Electronics contract manufacturing, aerospace contract manufacturing, plastic injection molding, compression molding, metal forming, general contract machining, pharmaceutical manufacturing, rubber product manufacturing, textile manufacturing.
• Consumer Products: Personal care products, cosmetics, food ingredients, beverages, cleaning products, building products, paints & coatings, lubricants, adhesives, sealants.
• Sustainability & Compliance: Food safety certifications (GFSI), organic certifications, cruelty-free certifications, REACH compliance, sustainable sourcing, environmental engineering services.
• Recycling & Waste Management: Plastic recycling facilities, metal recycling services, glass recycling, textile recycling, paper recycling, hazardous waste management, waste disposal services.
• Industrial Resources & Intelligence: Industry sustainability reports, investor databases, government resources, trade policy, environmental regulations, supply chain analytics.

2. How We Use Your Information

2.1 Service Provision & Account Management

• Creating and managing your account
• Authenticating your identity
• Processing subscriptions and payments
• Delivering the Platform's core services (supply chain mapping, AI agents, semantic search)
• Providing customer support and responding to inquiries

2.2 Platform Improvement & Analytics

• Analyzing Platform usage patterns to improve features
• Conducting A/B testing and user experience optimization
• Developing new features based on user behavior
• Creating aggregated, de-identified analytics reports
• Debugging technical issues and maintaining Platform security

2.3 AI Model Training & Optimization

• Training machine learning models for semantic search, supply chain forecasting, and predictive analytics (performed on de-identified or aggregated data)
• Fine-tuning vector embeddings for material similarity matching and supplier scoring algorithms
• Improving AI agent responses and automation accuracy
• Creating proprietary supply chain intelligence models (we do not use individual user data directly in training without explicit consent)

2.4 Communication & Marketing

• Sending transactional emails (account confirmations, receipts, password resets)
• Sending product updates, feature announcements, and platform notifications
• Sending marketing communications if you've opted in (including newsletters, case studies, webinars, industry insights)
• Responding to your inquiries and support requests
• Conducting surveys and gathering feedback

2.5 Legal & Compliance Obligations

• Complying with legal process, court orders, and regulatory requests
• Enforcing our Terms of Service and other agreements
• Protecting against fraud, abuse, and illegal activity
• Establishing, exercising, or defending legal claims
• Maintaining audit logs for compliance (GDPR, CCPA, SOC 2, HIPAA where applicable)

2.6 Aggregated & De-Identified Data

• Creating industry benchmarks and supply chain reports
• Publishing anonymized case studies and research findings
• Building public datasets for sustainability research
• Generating insights about supply chain trends

3. Data Sharing & Disclosure

3.1 Data We Do Not Share

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not share your account credentials, API keys, or proprietary supply chain maps without your explicit consent.

3.2 Service Providers & Processors

We share personal information with carefully vetted service providers who process data on our behalf under strict data processing agreements:

• Supabase: Cloud hosting, database management, and authentication services (PostgreSQL database hosting, row-level security, user authentication)
• OpenAI: Semantic search embeddings (we send material data and search queries to OpenAI's text-embedding-3-small API; see our Embeddings Policy for details)
• Payment Processors: Stripe, PayPal, or similar providers for billing (we do not store credit card data directly)
• Email Service Providers: SendGrid, Mailgun, or similar for transactional and marketing emails
• Analytics Providers: Vercel Analytics, Mixpanel, or similar for usage analytics
• Hosting Providers: Vercel, AWS, or similar for Platform infrastructure

3.3 Aggregated & De-Identified Data

We may share aggregated, anonymized, or de-identified data with third parties, partners, researchers, and the public without restriction. This includes:

• Industry benchmarks and supply chain trend reports
• Academic research on circular economy and sustainability
• Public datasets used for AI training (fully anonymized)
• Case studies (anonymized or with explicit consent)

3.4 Legal Compliance & Law Enforcement

We may disclose personal information when required by law or to protect our legal rights:

• Responding to valid subpoenas, court orders, or legal process
• Complying with regulatory inquiries from government agencies
• Preventing fraud, abuse, or illegal activity
• Protecting the safety, property, or rights of Material Transition, users, or the public
• Enforcing our Terms of Service and other agreements

3.5 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a different privacy policy.

3.6 With Your Consent

We may share your information with third parties when you explicitly authorize us to do so, such as:

• Integrating with n8n workflows or third-party automation platforms
• Connecting to API endpoints managed by partner organizations
• Authorizing specific data exports to your enterprise systems

4. Data Security

4.1 Security Measures

We implement industry-standard security controls to protect your information:

• Encryption in Transit: TLS 1.2+ encryption for all data transmitted to and from the Platform (HTTPS)
• Encryption at Rest: PostgreSQL encryption for sensitive data in our database
• Authentication: Supabase Auth with JWT tokens, password hashing via bcrypt, optional MFA support
• Access Controls: Row-level security (RLS) to ensure users only access their own data; role-based access control (RBAC) for admin functions
• Network Security: Firewalls, DDoS protection, VPC isolation, and regular penetration testing
• Monitoring: Real-time security monitoring, anomaly detection, and incident response procedures
• Compliance: SOC 2 Type II certified infrastructure; HIPAA-ready configurations available for healthcare customers

4.2 Limitations

No method of transmission over the internet or electronic storage is 100% secure. While we implement robust security measures, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

4.3 Security Incident Notification

If we discover a security breach affecting your personal information, we will notify you in accordance with applicable laws (generally within 30 days for GDPR, 60 days for CCPA, and as required by state breach notification laws).

5. Data Retention

5.1 Account & Usage Data

• Active Accounts: Personal information is retained for the duration of your account relationship plus a grace period of 30 days after account deletion.
• Deleted Accounts: Backup copies are retained for 90 days for disaster recovery; production data is deleted within 30 days of account termination.
• Log Files: Server logs are retained for 30-90 days; aggregated usage analytics are retained for up to 7 years for compliance purposes.

5.2 Billing & Payment Records

• Subscription Records: Retained for 7 years to comply with accounting and tax regulations
• Payment Card Data: We do not store credit card data; payment processors retain tokenized data according to their policies (typically 7 years for PCI DSS compliance)

5.3 Marketing Communications

• Email Lists: Retained until you unsubscribe; suppression lists maintained for 2 years to honor opt-out requests

5.4 Legal Hold & Litigation

• Legal Requests: Data subject to legal hold, regulatory investigation, or litigation is retained until the matter is resolved

5.5 Aggregated & De-Identified Data

• Historical Analytics: Retained indefinitely for research, benchmarking, and public reporting purposes

5.6 User Request to Delete

You may request deletion of your account and associated data at any time by contacting privacy@altlaboratories.com. We will process your request within 30 days (or as required by applicable law), subject to exceptions for legal compliance, contractual obligations, and legitimate business interests.

6. Your Privacy Rights

6.1 GDPR Rights (European Residents)

If you are a resident of the EU/EEA, you have the following rights under GDPR:

• Right of Access: Obtain a copy of your personal data and information about how we process it
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your data (subject to legal exceptions)
• Right to Restrict Processing: Limit how we use your data pending investigation or correction
• Right to Data Portability: Receive your data in a structured, commonly used format for transfer to another service
• Right to Object: Opt out of direct marketing, automated decision-making, and profiling
• Right to Lodge a Complaint: File a complaint with your national Data Protection Authority

6.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under CCPA:

• Right to Know: Request what personal information we collect, use, and share
• Right to Delete: Request deletion of personal data (subject to exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do not sell personal information for monetary consideration; "sharing" may apply to analytics and advertising)
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

6.3 Other State Privacy Laws

Similar rights may apply under Virginia (VDPA), Colorado (CPA), Utah (UCPA), Connecticut (CTDPA), and other emerging state privacy laws.

6.4 How to Exercise Your Rights

To exercise any of the above rights, please submit a written request to: privacy@altlaboratories.com or contact our Data Protection Officer below.

Include:

• Your full name and email address
• Your account ID (if available)
• A detailed description of your request
• Verification of your identity (driver's license, passport, or utility bill)

We will respond within 30-45 days (or as required by applicable law).

6.5 Parental Rights

The Platform is not intended for children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete such information promptly. Parents who believe their child's information has been collected may contact us at privacy@altlaboratories.com.

7. Cookies & Tracking Technologies

7.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, session management, and Platform functionality (cannot be disabled)
• Performance Cookies: Measure how users interact with the Platform (e.g., Google Analytics, Vercel Analytics)
• Marketing Cookies: Track cross-site behavior for retargeting and analytics (only with consent)
• Preference Cookies: Remember your settings, theme preference, and language selection

7.2 Third-Party Tracking

We use third-party analytics providers (e.g., Vercel Analytics, Mixpanel) that may set their own cookies. These providers are contractually obligated not to use your information for their own marketing purposes.

7.3 Do Not Track Signals

Some browsers support "Do Not Track" (DNT) signals. While we respect user privacy preferences, we do not currently change our data collection practices based on DNT signals.

7.4 Cookie Consent & Opt-Out

When you first visit the Platform, you will be shown a cookie consent banner. You can accept all cookies, reject non-essential cookies, or customize your preferences. You can also manage cookies through your browser settings.

8. Third-Party Services & Integrations

8.1 OAuth & Authentication Providers

When you sign in via Google or Microsoft, we receive basic profile information. These providers have their own privacy policies. We recommend reviewing their privacy practices:

• Google Privacy Policy
• Microsoft Privacy Statement

8.2 API & Data Services

• OpenAI: We use OpenAI's embedding API to generate vector representations of materials for semantic search. Review OpenAI's Privacy Policy
• n8n: If you integrate with n8n workflows, your data may flow through n8n's infrastructure. Review n8n's Privacy Policy

8.3 External Links

The Platform may contain links to external websites (e.g., supplier websites, industry resources). We are not responsible for the privacy practices of third-party websites. Please review their privacy policies before providing information.

8.4 Your Control Over Integrations

You control which third-party integrations you authorize. You can revoke access to integrations at any time through your account settings.

9. International Data Transfers

9.1 Data Location

Material Transition is based in the United States. Your personal information is stored on servers located in the United States and may be accessed by our team members and service providers in the US and internationally.

9.2 GDPR & Standard Contractual Clauses (SCCs)

For EU/EEA residents, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to transfer data from the EU to the United States. These clauses include commitments to maintain the same level of data protection as required under GDPR.

9.3 International Compliance

We comply with applicable data protection laws in jurisdictions where we operate, including GDPR (EU), CCPA (California), PIPEDA (Canada), and others. If data protection laws conflict, we apply the most stringent requirements.

9.4 Your Explicit Consent

By using the Platform, you consent to the transfer and processing of your personal information in the United States and other countries as described in this Privacy Policy. If you do not consent to these transfers, please do not use the Platform.

10. Contact Us

Data Protection Officer & Privacy Inquiries

If you have questions about this Privacy Policy or our privacy practices, please contact our Data Protection Officer:

Response Time

We aim to respond to all privacy inquiries and data subject requests within 30 days. For GDPR and CCPA requests, we will respond within the legally required timeframe (typically 30-45 days).

Dispute Resolution

If you are unsatisfied with our response, you have the right to lodge a complaint with your national Data Protection Authority (GDPR) or the California Attorney General (CCPA).

Legal Jurisdiction

This Privacy Policy is governed by the laws of the United States and shall be interpreted according to applicable federal and state privacy laws. Any legal disputes shall be subject to the jurisdiction and venue specified in our Terms of Service.