Privacy Policy

Last updated: March 2026

GreenLightz LLC ("GreenLightz," "we," "us," or "our") operates the GreenLightz governance API service. This Privacy Policy explains how we collect, use, and protect information when you use our service.

1. Information We Process

Information you provide:

  • Business contact information (name, email, company) provided during onboarding
  • API requests sent to our governance endpoint for evaluation
  • Policy configurations (YAML policy packs) you define
  • Communications with our team

Information collected automatically:

  • API usage metrics (request counts, latency, error rates)
  • Standard HTTP headers for security and rate limiting

2. How We Handle API Data

GreenLightz is designed with a Privacy-First architecture:

  • All identifiers are hashed. Actor IDs, target IDs, and tenant IDs in audit logs and evidence trails are stored as cryptographic hashes (SHA-256 with HMAC), not plaintext.
  • No PII in logs. Our logging, monitoring, and API responses never contain personally identifiable information.
  • No content storage. We evaluate the action metadata you send (amount, type, reason) but do not store or index free-text content beyond the evaluation window.
  • Evidence is tamper-evident. Evaluation records are cryptographically signed and immutable. They contain hashed IDs only.

3. How We Use Your Information

  • To provide the governance evaluation service
  • To enforce your policy configurations
  • To generate audit trails and evidence packets
  • To detect and prevent abuse of the API
  • To improve service reliability and accuracy

We do not sell your data to third parties. We do not use your policy configurations or evaluation data to train machine learning models.

4. Third-Party Services

We use the following third-party services to operate GreenLightz:

  • Vercel — website hosting and CDN.
  • Render — API hosting and infrastructure.
  • AI providers (optional) — LLM-enhanced classification. When enabled, only hashed metadata is sent. Core governance operates offline-first without any AI provider dependency.

5. Data Retention

Evaluation evidence is retained per your policy configuration. Default retention is 90 days for audit records. You can configure shorter retention periods via your policy pack. Hashed, aggregated metrics may be retained for service improvement.

6. Data Security

  • HTTPS encryption for all data in transit
  • HMAC-signed evidence packets (tamper-evident)
  • All identifiers hashed with per-tenant keys
  • API key authentication with pepper-hardened storage
  • Rate limiting and circuit breakers on all endpoints

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the data we hold about your organization
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your evaluation history

Contact us at support@greenlightz.com to exercise any of these rights. We will respond within 30 days.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify customers of material changes via email. The "Last updated" date at the top reflects the most recent revision.

9. Contact

GreenLightz LLC
For privacy-related inquiries: support@greenlightz.com