§ Legal
Privacy Policy
Last updated: June 21, 2026
Envistat (“we”, “us”, “our”) operates the Envistat platform at envistat.com — a LEED v4.1 transit credit automation service for architects, engineers, and sustainability consultants. This policy explains what personal data we collect, why we collect it, and how we handle it. We do not sell your data. We do not share it for advertising. We collect only what is necessary to provide the service.
§ 01
What We Collect
We collect the following information when you create an account or use Envistat:
| Data | Why we collect it | Source |
|---|---|---|
| Full name | To identify your account and personalise your workspace | You (on signup) |
| Email address | Account login via Google OAuth; service communications | Google OAuth |
| Company / firm name | To contextualise your workspace and appear on exported reports | You (profile) |
| Position / title | To contextualise your workspace and appear on exported reports | You (profile) |
| Industry / sector | To understand which sectors use Envistat | You (profile) |
| Project name | To label and organise your LEED reports | You (per report) |
| Project address | To run the transit proximity analysis and generate the report | You (per report) |
| Credit balance | To enforce usage limits and record purchases | System generated |
| Report results | To store and retrieve your generated LEED reports | System generated |
We do not collect payment card numbers directly. Payment processing (when enabled) is handled by PayPal and governed by their privacy policy.
§ 02
How We Use Your Data
We use your data solely to provide and improve Envistat. Specifically:
- To authenticate you and maintain your account session
- To run LEED v4.1 LTc5 transit proximity analyses against your submitted project address
- To store and display your generated reports in your dashboard
- To calculate and enforce your credit balance
- To send transactional emails (e.g. receipts, account notices) — no marketing without explicit consent
- To diagnose bugs and improve reliability — using anonymised, aggregated usage patterns only
We do not use your data for advertising, profiling, or any purpose beyond delivering the service.
§ 03
Third-Party Services (Subprocessors)
To operate Envistat, we share limited data with the following trusted service providers. Each receives only the data necessary for their specific function.
User profiles, project data, report results, credit balances
Your Google account email and name (OAuth login); project address coordinates sent to Google Routes API to calculate walking distances to transit stops
Coordinates of your project location for rendering the interactive map in your report
Payment details handled directly by PayPal — Envistat never receives or stores card numbers
We do not sell, rent, or share your personal data with any other third parties.
§ 04
Data Retention
We retain your data for as long as your account is active.
- Account data (name, email, company, position, sector) — Kept while your account is active. Deleted within 30 days of an account deletion request.
- Project and report data — Kept while your account is active. Deleted with your account on request.
- Billing records — Retained for 7 years as required by US tax law, even after account deletion.
§ 05
Your Rights
Regardless of where you are located, you have the following rights over your personal data. To exercise any of them, email [email protected]. We respond within 30 days.
- Access — Request a copy of all personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete data. Most profile fields can be updated directly in your account settings.
- Deletion — Request deletion of your account and all associated data (subject to legal retention requirements above).
- Portability — Request an export of your data in a machine-readable format.
- Opt-out of communications — Unsubscribe from any non-essential emails at any time via the link in any email we send.
California residents (CCPA/CPRA): You have additional rights including the right to know, delete, correct, and opt out of the sale or sharing of personal information. Envistat does not sell or share personal information for cross-context behavioural advertising. To submit a verifiable request, email [email protected].
EEA / UK residents (GDPR/UK GDPR): Our lawful basis for processing your data is contract performance (Art. 6(1)(b)) — your data is processed to deliver the service you signed up for. You also have the right to lodge a complaint with your local supervisory authority.
§ 06
We Do Not Sell Your Data
Envistat does not sell, rent, licence, or otherwise transfer your personal data to third parties for their own commercial purposes. Your data is used exclusively to operate and improve Envistat. No data is used for advertising targeting, data brokerage, or any form of monetisation beyond the direct provision of the Envistat service.
§ 07
Security
We implement industry-standard security measures including encrypted data transmission (TLS), encrypted storage at rest via Supabase, row-level security policies so users can only access their own data, and Google OAuth for authentication (we never store passwords). No method of transmission or storage is 100% secure — if you believe your account has been compromised, contact us immediately at [email protected].
§ 08
Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will notify you by email or via a notice in your dashboard before the change takes effect. Continued use of Envistat after the effective date constitutes acceptance of the updated policy.
§ 09
Contact Us
For any privacy-related questions, requests, or concerns, contact us at:
We aim to respond to all privacy requests within 30 days. For CCPA verifiable consumer requests, we accept submissions by email at the address above.