Back to Greenfile

⟶ Legal

Privacy Policy

How we collect, use, and protect your data.

Last updated · 24 May 2026

1. Who we are

Greenfile (“Greenfile”, “we”, “us”) is a software-as-a-service platform that helps Indian D2C brands compute their Extended Producer Responsibility (EPR) liability under the Plastic Waste Management Rules, 2016 (as amended) and prepare the accompanying filings for the Central Pollution Control Board (CPCB).

As of the date of this policy, Greenfile is operated as Greenfile India, an unincorporated sole-proprietorship business based in Mumbai, India. A formal sole-proprietorship registration will be completed on or before the onboarding of our first paying customer. We are the “Data Fiduciary” under the Digital Personal Data Protection Act, 2023 (“DPDPA”) in respect of personal data of users of the Greenfile platform.

You are the “Data Principal” in respect of your own personal data.

2. What this policy covers

This policy applies to personal data we collect through:

  • The Greenfile website at greenfile.co;
  • The Greenfile application accessed after sign-in;
  • Email communications you send to us at addresses ending in @greenfile.co.

It does not cover websites operated by third parties that we link to, or data your organisation processes about other persons using Greenfile as a tool (that data is governed by your organisation's own privacy notice — see Section 9).

3. What we collect

3.1 Account data

When you sign up we collect:

  • Your email address;
  • A password (stored as a one-way hash; we never see the plaintext);
  • Optionally, your full name and phone number (if you provide them).

3.2 Workspace data

When you create or join a Greenfile workspace, we collect or you provide:

  • Organisation display name and registered legal name;
  • GSTIN (Goods and Services Tax Identification Number), if you choose to provide it for filings;
  • Legal form (Pvt Ltd, LLP, etc.) and primary EPR role (Producer, Importer, Brand Owner, etc.);
  • Membership records linking users to organisations and their role within (admin, member, viewer).

3.3 Product data

You upload or generate the following data through normal use:

  • SKU catalogues (product names, descriptions, categories);
  • Packaging component breakdowns (materials, weights, plastic categories);
  • Sales declarations (units sold per period);
  • Liability calculation snapshots, filing packs, and audit-log entries.

3.4 Technical data

We automatically collect:

  • IP address and approximate location (city level, derived from IP);
  • Browser user-agent string and screen resolution;
  • Server-side error logs (which may incidentally include the URL you were on when the error occurred).

We do not use third-party analytics, advertising, or marketing trackers as of the date of this policy.

3.5 Communications

When you email us, we retain the contents of your message and our reply, together with the email address it was sent from.

4. Why we collect it

We process the data above for the following purposes, and on the following lawful bases under DPDPA § 6:

  • Performance of the contract. To create and authenticate your account, host your workspace, run the EPR classifier, compute your liability, generate filing packs, and store the audit trail.
  • Legal obligation. To maintain records that we are required to keep under tax or audit law, and to respond to lawful requests from authorities.
  • Legitimate use (DPDPA § 7). To keep the service secure, detect and prevent abuse, debug errors, and notify you of material changes to the service or to this policy.
  • Consent. For anything outside the above — currently nothing, but if we ever add product-update or marketing email, it will be opt-in and you can withdraw consent at any time from within the app or by emailing the Grievance Officer below.

5. Who we share it with

We use the following sub-processors. Each is bound by contract to process data only on our instructions and to apply security measures appropriate to the data.

  • Supabase — database, authentication, file storage. Primary data store. Hosted in ap-south-1 (Mumbai, India).
  • Vercel — application hosting. Serves the Greenfile website and app. Serverless functions execute in bom1 (Mumbai, India).
  • Resend — transactional email (account confirmations, invitations, password resets). Processes recipient email address and message body.
  • Anthropic, PBC — large-language-model provider used to classify packaging components. Receives SKU descriptions for the duration of a classification request only; Anthropic has contractually committed not to train models on this data. Anthropic processes data in the United States.

We do not sell your personal data and we do not share it with advertisers.

We may disclose data to a government authority if compelled by a valid legal order, subject to challenging overbroad requests.

6. International transfers

Your primary data lives in India (Mumbai). The one cross-border flow is the SKU descriptions sent to Anthropic for classification, which travel to the United States for the duration of a single request. We rely on contractual safeguards with Anthropic to protect that data; the Central Government has not yet notified the countries to which transfers are restricted under DPDPA § 16, so the transfer is presently permitted.

7. How long we keep it

  • Active accounts. Data is retained for as long as your workspace is active.
  • Closed accounts. If you delete your account or workspace, we soft-delete your personal data within 30 days. Some records (audit-log entries, filing packs, billing records) are retained for up to 7 years to comply with our own audit, tax, and regulatory obligations — but in pseudonymised form where possible.
  • Server logs. Retained for 30 days.

8. How we keep it safe

  • All data in transit is encrypted with TLS 1.2 or higher.
  • Data at rest is encrypted by Supabase's platform encryption.
  • Row-level security (RLS) policies in the database scope every read and write to the requesting user's organisation. No application code path can return another organisation's data.
  • The audit log is append-only — even our own service-role key cannot update or delete an entry.
  • Passwords are stored only as one-way hashes; we cannot recover your password and will never ask for it.

We will notify you and the appropriate authority of a personal-data breach without undue delay, and in any event within the timelines prescribed by DPDPA § 8(6) and the rules made under it.

9. Your rights as a Data Principal

Under DPDPA you may, at any time:

  • Access a summary of your personal data and the sub-processors with whom we have shared it (§ 11);
  • Correct or update inaccurate or incomplete personal data (§ 12);
  • Erase personal data that is no longer necessary for the purpose it was collected (§ 12), subject to our retention obligations above;
  • Nominate another person to exercise these rights on your behalf in the event of death or incapacity (§ 14);
  • Raise a grievance with our Grievance Officer (§ 13).

Many of these can be exercised directly inside the application (Settings → Account). For anything else, contact the Grievance Officer below. We will acknowledge your request within 7 days and resolve it within 30 days, as required by DPDPA § 13(7).

If you are unsatisfied with our response, you may complain to the Data Protection Board of India once it is constituted.

10. Your organisation's data

When your organisation uses Greenfile to track SKUs, sales, and packaging, the data your organisation enters about its own operations is processed by us on behalf of your organisation. Your organisation is the Data Fiduciary for that data; we are the Data Processor. We process it only on your organisation's instructions and only for the purposes of providing the Greenfile service.

If you are an individual whose personal data your employer has entered into Greenfile, please contact your employer in the first instance; we can act only on your employer's instructions.

11. Cookies

We use a small number of strictly-necessary cookies — primarily an authentication session cookie and an organisation-selection cookie (gf_current_org) — to keep you signed in and on the right workspace. See our Cookies Policy for the full list. We do not use analytics or advertising cookies.

12. Children

Greenfile is a business tool and is not directed at children. We do not knowingly collect personal data from any person under the age of 18. If you believe we have inadvertently done so, please contact the Grievance Officer and we will delete it promptly.

13. Changes to this policy

We may update this policy from time to time. If we make changes that materially reduce your rights or change how we process your personal data, we will notify you by email and inside the application at least 14 days before the changes take effect. The “Last updated” date at the top of this page always reflects the most recent revision.

14. Grievance Officer

For any question, request, or grievance relating to your personal data or this policy:

Grievance Officer: Greenfile India (a named officer will be appointed on formal sole-proprietorship registration)
Email: hello@greenfile.co
Acknowledgement: within 7 working days
Resolution: within 30 days