1. Introduction
This Privacy Policy explains how BioQredyt LLC, a Virginia limited liability company ("BioQredyt," "we," or "us"), handles information in connection with our website and services (the "Service"). BioQredyt provides a pre-feasibility ecological risk screening tool for environmental, engineering, land, and development professionals, for business use in the United States. Capitalized terms not defined here have the meaning given in our Terms of Service.
This Policy is our notice of information practices, not a contract.
2. Our Roles
- We are an independent controller for account, authentication, security, support, and marketing information.
- We act as a processor / service provider for the project information you create in the Service ("Customer Content" — the parcel boundaries you draw or coordinates you enter, project names, and settings), which we process on your behalf under our Terms of Service. Our Terms govern all Customer Content; a data processing addendum, if you require one, supplements them for any personal data we process on your behalf.
- We do not use your Customer Content to train or develop our model.
3. Age
The Service is for businesses and for individuals at least 18 years old acting professionally. We do not permit accounts for anyone under 18, do not knowingly collect personal information from children under 13, and the Service is not directed to children. If you believe an underage person created an account, contact bioqredyt@gmail.com and we will delete it, retaining only minimal records where required for security or legal purposes.
4. Information We Collect
Information you provide
- Account information: your email address and any name or organization you choose to provide.
- Password: we store your password only as a bcrypt hash. We do not use a third-party identity provider, and we never store or have access to your plaintext password.
- Customer Content: parcel and project boundaries you draw or coordinates you enter, project names and descriptions, settings, and annotations. The Service does not accept file uploads. Your generated reports are stored in your account.
- Communications: the contents of any message you send us.
Information collected automatically
- Session cookie: a signed session token (JWT) in an HttpOnly, Secure, SameSite=Strict cookie, valid for 7 days. This is strictly necessary to keep you logged in.
- Server logs: IP address, browser and operating system, request timestamps, and error information generated by our hosting providers.
- Usage events: the number and timing of screens you run, used to enforce plan allowances.
- Acceptance records: the Terms version, date, IP address, and acceptance text when you accept our Terms.
What we do NOT collect
- We do not use analytics, advertising pixels, session-replay, or any cross-site tracking.
- We do not currently process payments and do not collect payment card data. If we launch paid plans, we will use a third-party payment processor, update this Policy, and will not store full card numbers.
- We do not collect precise device geolocation. Parcel coordinates are project data you enter, not your device's location — though they may be commercially sensitive.
Property information. A parcel, address, or ownership detail tied to an identifiable individual may be personal information even when drawn from public records.
5. How We Use Information
To create and secure your account and keep you signed in; to generate screens and reports from the Customer Content you enter; to enforce plan allowances; to maintain security, prevent abuse, and apply rate limits; to respond to your messages and provide support; to send you Service-related messages; and to comply with law and enforce our agreements.
We use Service Data (logs and usage events) and data we are legally and contractually authorized to use to operate and improve the Service. We do not use your Customer Content to train or develop our model.
6. Cookies, GPC, and Do Not Track
6.1 We use one cookie.
| Cookie | Provider | Purpose | Type | Duration | Category |
|---|---|---|---|---|---|
| Session token (JWT) | BioQredyt (first-party) | Keeps you signed in; authenticates requests | First-party; HttpOnly, Secure, SameSite=Strict | 7 days | Strictly necessary |
6.2 We use no analytics, advertising, or tracking cookies. Because we set only a strictly necessary cookie, we do not present a cookie-consent banner.
6.3 Global Privacy Control (GPC). We do not currently detect or respond to GPC signals. This is because we do not sell or share personal information and do not use targeted advertising, so there is no sale or sharing to opt out of.
6.4 Do Not Track (DNT). We do not currently respond to browser DNT signals. We do not permit any third party to collect personal information about your online activities over time and across third-party websites through the Service. Note that when the map loads, your browser requests basemap tiles directly from our basemap providers (see Section 8), which necessarily reveals your IP address and the map area you are viewing to those providers; they do not use this to track you across other websites on our behalf.
6.5 We do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under state privacy laws.
7. How We Disclose Information
We do not sell your personal information. We disclose information only:
- to the service providers in Section 8, which process it to operate the Service for us;
- to the data services in Section 8 — generating a screen requires transmitting the parcel coordinates you enter to third-party ecological and geospatial data services so they can return the data used in your report. This is necessary to provide the Service;
- for legal and safety reasons, where required by law or to protect rights, property, or safety;
- in a business transfer (merger, financing, or sale of assets), subject to this Policy;
- at your direction or with your consent; and
- as aggregated or de-identified information that cannot reasonably identify you.
8. Service Providers and Data Services
| Provider | Function | What it receives | Region |
|---|---|---|---|
| Supabase | Database (Postgres) — accounts, screens, usage events | Account and Customer Content | United States |
| Vercel | Frontend hosting and CDN | Web requests, IP address | United States (US-East) |
| Render | Backend compute (screening engine) | Parcel coordinates, request data | United States (US-West, Oregon) |
| CARTO and/or OpenFreeMap | Basemap map tiles (requested by your browser) | IP address, map view area | United States / EU |
| U.S. Census Bureau Geocoder | Address lookup (if you use address search) | Address you enter | United States |
| GBIF | Species occurrence data | Parcel coordinates / bounding box | International |
| NatureServe | Species-risk information | Parcel coordinates / species queries | United States |
| OpenStreetMap / Overpass API | Roads, buildings, protected-area features | Parcel coordinates / bounding box | International |
| ESA WorldCover | Land-cover data | Parcel coordinates (processed server-side) | International |
| Global Forest Watch (optional) | Tree-cover-loss data | Parcel coordinates | United States |
We do not use analytics, error-monitoring, CRM, advertising, or AI-model vendors. See our Third-Party Data Schedule for the licenses governing the data services.
9. Retention
| Category | Retention |
|---|---|
| Account information | While your account is open, then deleted within 60 days of closure |
| Customer Content and generated reports | While your account is open; on termination, available for export for 30 days, then deleted within 30 additional days |
| Session cookie | 7 days |
| Server logs | Per our hosting providers' standard log retention |
| Usage events | While needed to enforce plan allowances, then deleted or aggregated |
| Acceptance records | Retained while your account is open and for the period in which a claim may be brought |
| Support messages | Retained while needed to support you and resolve disputes |
Any copies persisting in our infrastructure providers' managed backups are deleted according to those providers' backup cycles. We do not currently operate an independent backup system and do not guarantee a specific backup deletion date.
10. How We Protect Information
We maintain the following safeguards:
- Encryption in transit — TLS everywhere, with HTTP Strict Transport Security (HSTS).
- Encryption at rest — provided by our infrastructure providers (Supabase, Render, Vercel).
- Passwords — stored only as bcrypt hashes; never stored or transmitted in plaintext by us.
- Sessions — signed JWTs verified in constant time, delivered in HttpOnly, Secure, SameSite=Strict cookies.
- Security headers — Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy.
- Input sanitization and validation, plus rate limiting and request-size limits.
- Row-level security enabled on our database tables, and usage checks that fail closed.
Limitations we want you to know about. No method of transmission or storage is completely secure, and we do not guarantee absolute security. We do not currently offer multi-factor authentication for user accounts, and we do not currently maintain a formal security audit log, an independent backup and restore program, automated vulnerability scanning, or a documented incident-response plan. We are a small early-stage company and will strengthen these as we grow.
If a breach occurs. If we determine that your personal information was, or is reasonably believed to have been, subject to unauthorized access, acquisition, loss, alteration, or disclosure, we will notify you and any regulators as, and within the timeframes, required by applicable law. Where we process Customer Content on your organization's behalf, we will notify your organization so it can notify affected individuals.
11. Your Privacy Rights
Depending on where you live and applicable law, you may have rights to access, correct, delete, obtain a portable copy of your personal information, opt out of sale or targeted advertising, withdraw consent, and not be discriminated against for exercising your rights. We do not sell personal information or use it for cross-context behavioral advertising.
How to exercise your rights. Email bioqredyt@gmail.com from the address associated with your account, or provide enough detail for us to verify your identity. We ask only for the information reasonably necessary to verify you, and we do not require government identification. An authorized agent may submit a request with proof of authority.
Where a comprehensive state privacy law applies to us — including the Virginia Consumer Data Protection Act — we honor its rights within the statutory timeframes and provide an appeal process; to appeal a decision, reply to our response with the subject line "Privacy Appeal." Most such laws exclude individuals acting in a business or employment context.
California. We do not sell or share personal information as defined by California law. Our CalOPPA disclosures about cookies and Do Not Track are in Section 6. Where the CCPA applies to us, we provide the additional disclosures and rights it requires.
Organizational data. Requests about Customer Content submitted by an organization are directed to that organization as the controller; we will refer or forward such requests and act on the organization's instructions.
12. Marketing and Outreach
We contact environmental, engineering, and land-development professionals about BioQredyt. When we do, we collect business-contact information — name, work email, job title, and employer — from public professional sources such as company websites, public project pages, and public postings. We do not currently use a commercial data-enrichment provider or a CRM; we manage outreach from our own email inbox.
Our commercial emails identify us, include our valid postal address, and offer an opt-out that we honor within 10 business days; we maintain a suppression list. We do not send text or SMS marketing.
13. International Users
BioQredyt operates in, and offers the Service to users in, the United States, and processes information there. We do not offer the Service to, price for, or market to individuals in the EU or UK, and this Policy does not establish an international data-transfer mechanism. Some of the public data services we query (Section 8) are operated internationally; we transmit only the parcel coordinates necessary to retrieve data.
14. Third-Party Websites
The Service may link to third-party sites we do not control. This Policy does not apply to them.
15. Changes to This Policy
If we make material changes to how we process personal information — for example, when we launch payment processing — we will update the effective date and, where appropriate, notify you by email or in the Service, and obtain consent where required before applying new processing to information already collected.
16. Contact Us
BioQredyt LLC
42841 Creek View Plaza, Ashburn, VA 20147
bioqredyt@gmail.com