Privacy Policy
Tree Geo Data
Effective Date: September 1, 2025
1. INTRODUCTION
Tree Geo Data ("we," "us," or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you access or use our websites, mobile applications, geospatial data services, and other related services (collectively referred to as "Services").
This Privacy Policy is designed to comply with applicable data protection regulations, including:
- The General Data Protection Regulation (GDPR) for users located in the European Economic Area (EEA)
- The Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia
- Other relevant international data protection laws
By using our Services, you consent to the practices described in this Privacy Policy. If you do not agree to this policy, you must discontinue your use of the Services.
2. DATA CONTROLLER INFORMATION
The data controller responsible for processing your personal data under this Privacy Policy is:
Tree Geo Data
Address:
The Garage الجراج
Prince Turki Bin Abdulaziz Al Awal Rd, Al Raed
Riyadh 01 12354
Saudi Arabia
Email: privacy@treegeodata.com
Phone: +966 508524426
Data Protection Officer (DPO): For inquiries regarding this policy or to exercise your data protection rights, you may contact our Data Protection Officer at: dpo@treegeodata.com
3. PERSONAL DATA WE COLLECT
We collect various types of personal data to provide and improve our geospatial data services:
3.1 Data You Provide Directly
You may provide personal data when you:
- Create an account, including your name, email address, phone number, company information, and password
- Subscribe to our geospatial data services or place orders
- Upload geospatial data, maps, or location-based content
- Communicate with us through inquiries, feedback, or customer support
- Participate in surveys, webinars, or training sessions
3.2 Data Collected Automatically
When you use our Services, we automatically collect:
- Technical Data: IP address, browser type, device type, operating system, referral sources, and access logs
- Usage Data: Pages viewed, features used, time spent on our platform, clickstream data, and user interactions
- Location Data: Geospatial coordinates, GPS data, general or precise geolocation (subject to your device settings and explicit consent)
- Geospatial Analytics Data: Spatial analysis patterns, map viewing behavior, and geographic search queries
- Cookies and Tracking Technologies: Information collected through cookies, pixels, web beacons, and similar technologies
3.3 Geospatial Data
Given the nature of our services, we may process:
- Geographic coordinates and location information
- Satellite imagery and aerial photography metadata
- Cadastral and land registry information
- Environmental and geological data
- Transportation and infrastructure mapping data
- Demographic and socioeconomic spatial data
3.4 Special Categories of Data
Tree Geo Data does not intentionally collect sensitive personal data (such as health information, political opinions, racial or ethnic origin, religious beliefs, trade union membership, genetic data, biometric data, or data concerning sexual orientation) unless explicitly required and authorized by you for specific legitimate purposes and with appropriate safeguards.
4. LEGAL BASIS FOR PROCESSING
4.1 For EEA Users (GDPR Compliance)
Under GDPR, we process your personal data based on the following legal grounds:
- Performance of a Contract: To fulfill our contractual obligations, such as providing geospatial services
- Consent: For specific activities, such as location tracking, marketing communications, or processing special categories of data
- Legitimate Interests: For purposes such as improving our services, ensuring security, fraud prevention, and conducting spatial analytics
- Legal Obligations: To comply with applicable laws and regulatory requirements
- Vital Interests: To protect the life or physical safety of individuals
- Public Task: When processing is necessary for tasks carried out in the public interest
4.2 For Saudi Arabia Users (PDPL Compliance)
Under PDPL, we process your personal data based on the following legal grounds:
- Consent: Explicit consent for the collection and processing of personal data
- Contractual Necessity: Processing necessary for the performance of a contract
- Legal Obligation: Compliance with legal or regulatory requirements
- Vital Interests: Protection of the vital interests of the data subject or another person
- Legitimate Interests: Processing necessary for legitimate interests pursued by the controller (subject to restrictions for sensitive data)
5. HOW WE USE YOUR DATA
We use your personal data for the following purposes:
5.1 Service Provision
- To provide geospatial data services, mapping solutions, and spatial analytics
- To process and fulfill service subscriptions and orders
- To manage user accounts and authentication
- To enable geographic data visualization and analysis tools
- To provide customer support and technical assistance
5.2 Service Improvement
- To conduct spatial analytics and improve our mapping algorithms
- To enhance user experience and develop new features for our geospatial and other products and services
- To perform quality assurance and testing of our services
- To analyze usage patterns and optimize service performance
5.3 Communications
- To send service-related notifications and updates
- To provide technical support and respond to inquiries
- To send marketing communications and newsletters (with opt-in consent)
- To deliver personalized content and recommendations
5.4 Security and Compliance
- To monitor accounts for suspicious activities and prevent fraud
- To ensure security and protect against unauthorized access
- To comply with legal obligations and regulatory requirements
- To enforce our terms of service and protect our legal rights
6. SHARING YOUR PERSONAL DATA
Tree Geo Data does not sell your personal data. However, we may share your data with the following entities:
6.1 Service Providers (Data Processors)
We share your personal data with trusted third parties that perform services on our behalf, including:
- Cloud hosting and infrastructure providers (e.g., AWS, Google Cloud, Microsoft Azure)
- Geospatial data providers and mapping services
- Payment processors (e.g., Stripe, PayPal)
- Customer support platforms and help desk services
- IT security and monitoring services
- Email and communication service providers
- Analytics providers (e.g., Google Analytics, with IP anonymization)
6.2 Legal and Regulatory Authorities
We may disclose your personal data to comply with legal obligations or respond to valid legal requests from law enforcement or regulatory bodies.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of our business, your personal data may be transferred to the acquiring entity, subject to appropriate safeguards.
7. INTERNATIONAL DATA TRANSFERS
7.1 For EEA Users (GDPR Compliance)
When transferring data outside the EEA, we implement appropriate safeguards such as:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) within our organization
- Data transfer agreements ensuring adequate protection levels
7.2 For Saudi Arabia Users (PDPL Compliance)
When transferring data outside Saudi Arabia, we ensure:
- Explicit consent from data subjects for cross-border transfers
- Adequate protection levels in the receiving country
- Implementation of appropriate safeguards through contractual measures
- Compliance with data localization requirements where applicable
- Written agreements with recipients ensuring data protection standards
8. YOUR RIGHTS
8.1 Rights Under GDPR (for EEA Users)
You have the following rights regarding your personal data:
- Right to Access: Request access to your personal data and obtain a copy
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal obligations)
- Right to Restriction: Request limitation of processing in certain circumstances
- Right to Data Portability: Receive your personal data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
- Rights Related to Automated Decision-Making: Rights regarding automated processing and profiling
8.2 Rights Under PDPL (for Saudi Arabia Users)
You have the following rights regarding your personal data:
- Right to Information: Be informed about how your personal data is collected and used
- Right to Access: Request access to your personal data and obtain a copy
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal obligations)
- Right to Restrict Processing: Request limitation of processing in certain circumstances
- Right to Object: Object to processing for direct marketing purposes
- Right to Withdraw Consent: Withdraw consent at any time
8.3 Exercising Your Rights
To exercise your rights, contact us at privacy@treegeodata.com or our DPO at dpo@treegeodata.com. We will respond within the timeframe required by applicable law (typically 30 days for GDPR and PDPL).
9. DATA RETENTION
We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
9.1 Retention Periods
- Account Data: Retained for the duration of your account plus 7 years for legal compliance
- Geospatial Data: Retained according to your service agreement terms or until deletion is requested
- Transaction Records: Retained for 7 years for financial and tax compliance
- Communication Records: Retained for 3 years for customer service purposes
- Marketing Data: Retained until consent is withdrawn plus 1 year for suppression purposes
- Security Logs: Retained for 2 years for security monitoring purposes
10. SECURITY OF YOUR DATA
We employ comprehensive technical and organizational measures to safeguard your personal data:
10.1 Technical Measures
- Encryption of data at rest and in transit using industry-standard protocols
- Multi-factor authentication and access controls
- Regular security audits and penetration testing
- Secure cloud infrastructure with redundancy and backup systems
- Network security measures including firewalls and intrusion detection
10.2 Organizational Measures
- Staff training on data protection and security practices
- Clear data handling procedures and policies
- Regular risk assessments and security reviews
- Incident response procedures and breach notification protocols
- Vendor security assessments and data processing agreements
11. GEOSPATIAL DATA SPECIFIC PROVISIONS
Given the nature of our geospatial services, we implement additional protections for location-based data:
11.1 Location Data Processing
- We process location data only with explicit consent or another lawful basis
- We implement spatial anonymization techniques where possible
- We provide granular controls for location data sharing
- We use data minimization principles to collect only necessary location information
11.2 Geospatial Data Accuracy and Quality
- We maintain accuracy standards for geospatial data
- We provide mechanisms for users to report and correct location data errors
- We implement data validation procedures for spatial information
12. COOKIES AND TRACKING TECHNOLOGIES
Tree Geo Data uses cookies and similar technologies to enhance your experience, analyze usage, and deliver personalized content.
12.1 Types of Cookies We Use
- Essential Cookies: Required for the platform to function properly
- Performance Cookies: Gather information on service usage for improvements
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand user behavior patterns
- Marketing Cookies: Provide tailored advertisements (with consent)
13. CHILDREN'S PRIVACY
Our Services are intended for business and professional use. We do not knowingly collect personal data directly from children under the age of 16 (or 13 for Saudi Arabia users) without explicit parental or guardian consent.
If we become aware that personal data has been collected from a child without proper consent, we will take immediate steps to delete the data. Parents and legal guardians are responsible for supervising their children's use of our Services.
14. DATA PROTECTION IMPACT ASSESSMENTS
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, particularly when:
- Processing large volumes of location data
- Using automated decision-making systems
- Processing special categories of data
- Implementing new technologies that may impact privacy
15. BREACH NOTIFICATION
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay when required by law
- Document all breaches and remedial actions taken
- Implement measures to prevent future breaches
16. COMPLIANCE AND REGISTRATION
16.1 GDPR Compliance
We maintain compliance with GDPR through:
- Implementation of privacy by design and by default principles
- Regular data protection training for staff
- Maintenance of comprehensive processing records
- Appointment of a qualified Data Protection Officer
16.2 PDPL Compliance (Saudi Arabia)
For Saudi Arabia operations, we ensure compliance by:
- Registering with the Saudi Data & AI Authority (SDAIA) as required
- Maintaining records of processing activities on the National Data Governance Platform
- Appointing a qualified Data Protection Officer
- Implementing appropriate technical and organizational security measures
- Conducting risk assessments for personal data processing activities
17. AUTOMATED DECISION-MAKING AND PROFILING
We may use automated processing and profiling for:
- Personalizing geospatial content and recommendations
- Detecting fraudulent or suspicious activities
- Optimizing service performance and user experience
You have the right to be informed about, request human intervention in, and challenge automated decisions that significantly affect you.
18. DISPUTE RESOLUTION AND GOVERNING LAW
18.1 For EEA Users
Disputes related to GDPR compliance will be resolved in accordance with the laws of the EU member state where our main establishment is located. You may lodge complaints with the relevant Data Protection Authority.
18.2 For Saudi Arabia Users
Disputes related to PDPL compliance will be resolved in accordance with the laws of the Kingdom of Saudi Arabia. You may file complaints with the Saudi Data & AI Authority (SDAIA) through their official channels.
18.3 General Dispute Resolution
For other disputes, resolution will be governed by the jurisdiction where Tree Geo Data is incorporated and will follow applicable arbitration procedures.
19. CHANGES TO THIS PRIVACY POLICY
Tree Geo Data may update this Privacy Policy periodically to reflect changes in our business practices, legal requirements, or technology developments.
19.1 Notification of Changes
We will notify you of significant changes through:
- Email notification to registered users
- Prominent notice on our website
- In-app notifications where applicable
Updated versions will be posted on our website with a revised "Effective Date." Continued use of our Services after the effective date constitutes acceptance of the updated policy.
20. CONTACT INFORMATION
20.1 General Privacy Inquiries
20.2 Data Protection Officer
Email: dpo@treegeodata.com
Role: Data Protection and Privacy Compliance
20.3 Supervisory Authorities
- For EEA Users: Contact your local Data Protection Authority
- For Saudi Arabia Users: Saudi Data & AI Authority (SDAIA), website: https://sdaia.gov.sa
21. RECORD KEEPING AND ACCOUNTABILITY
In accordance with GDPR and PDPL requirements, we maintain comprehensive records of:
- Processing activities and their purposes
- Legal basis for each processing operation
- Data sharing and transfer activities
- Data subject requests and responses
- Security measures and breach incidents
- Staff training and awareness activities
These records are available to supervisory authorities upon request and are regularly reviewed to ensure ongoing compliance.
Document Information
Last Updated: September 1, 2025
Version: 1.0
Document Type: Privacy Policy
Applicable Laws: EU GDPR, Saudi Arabia PDPL