Skip to main content

Privacy Policy

Effective date: February 11, 2026

This Privacy Policy explains how Lodestar Verification OÜ ("Lodestar", "we", "us"), an Estonian company (registry code 17374696, VAT EE102925300), with its registered address at Läänekaare tn 1, Nõmme linnaosa, 11611 Tallinn, Harju maakond, Estonia, collects, uses, and protects your personal data when you use the Lodestar EPD quality review service at lodestar.ee ("the Service").

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller

Lodestar Verification OÜ is the data controller for all personal data processed through the Service. We have not appointed a Data Protection Officer as it is not required given the nature and scale of our processing. For privacy inquiries, contact us at info@lodestar.ee.

2. Personal Data We Collect

Account data — when you register for an Account, we collect your name, email address, and organization name.

Authentication data — session tokens and, if you use third-party login (such as Google or Microsoft), your OAuth identifiers. We do not store your third-party account passwords.

Uploaded documents — EPDs, LCA background reports, and supporting documents you submit for quality review. These may incidentally contain personal data such as author names or contact details.

Quality review results — the findings, verdicts, and reports generated by the Service for your uploaded documents.

Usage data — technical information collected automatically when you use the Service, including IP address, browser type, and access timestamps.

We do not collect or store payment card information. All payment processing is handled by our payment provider (see Section 5).

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

To provide the Service (legal basis: contract performance, Art. 6(1)(b) GDPR)

  • Creating and managing your Account
  • Processing uploaded documents using AI to generate quality reviews
  • Delivering quality review results

To process payments (legal basis: contract performance and legal obligation, Art. 6(1)(b) and (c) GDPR)

  • Sharing necessary account information with our payment provider for billing and invoicing

To maintain security and prevent abuse (legal basis: legitimate interest, Art. 6(1)(f) GDPR)

  • Session management and authentication
  • Logging access for security monitoring
  • Detecting and preventing misuse of the Service

To comply with legal obligations (legal basis: legal obligation, Art. 6(1)(c) GDPR)

  • Retaining records where required by Estonian law

4. Automated Processing

The Service uses artificial intelligence to analyze documents and generate quality review results. This processing is performed on documents, not on individuals. The Service does not make automated decisions about individuals that produce legal or similarly significant effects. Quality review results are informational guidance only.

5. Data Sharing

We share your personal data only with the categories of service providers necessary to operate the Service:

Payment provider — processes all payments, invoicing, and tax compliance as our merchant of record. Handles your billing information directly. We share your email, name, and organization name for invoicing purposes. The payment provider acts as an independent data controller for payment data. See their privacy policy for details on how they handle your payment information.

Authentication provider — manages user registration, login, and session management on our behalf. Processes your email address and authentication events.

AI service providers — process your uploaded documents to generate quality review results. These providers are contractually bound not to use your data for model training or any purpose other than providing their services to us.

Cloud hosting provider — hosts the Service infrastructure where your data is stored and processed.

A list of specific sub-processors is available on request by contacting info@lodestar.ee.

We do not sell your personal data or share it for marketing purposes.

6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or the EU-US Data Privacy Framework.

7. Data Retention

Uploaded documents and quality review results are retained for up to one year and are deleted upon Account closure. You may delete your data at any time through the Service.

Account data is retained for the duration of your Account. Upon Account closure, account data is deleted within a reasonable period.

Some records may be retained beyond these periods where required by applicable law, such as financial record-keeping obligations.

8. Cookies

The Service currently uses only strictly necessary cookies for authentication and session management. These cookies are required for the Service to function and cannot be disabled.

We do not currently use any tracking, analytics, or marketing cookies. If we introduce non-essential cookies in the future, we will update this Privacy Policy and obtain your consent as required by applicable law.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption of data in transit, access controls, and secure authentication mechanisms. While we take reasonable steps to protect your data, no method of transmission or storage is completely secure.

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate personal data
  • Erasure — request deletion of your personal data
  • Restriction — request that we restrict processing of your personal data
  • Data portability — request your personal data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, contact us at info@lodestar.ee. We will respond within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):

  • Website: www.aki.ee
  • Email: info@aki.ee
  • Address: Tatari 39, 10134 Tallinn, Estonia

11. Children's Data

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at info@lodestar.ee and we will delete it.

12. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours as required by GDPR. If the breach poses a high risk to you, we will also notify you without undue delay.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted at lodestar.ee/privacy-policy with a revised effective date. For material changes, we will provide reasonable advance notice by email.

14. Contact

For questions about this Privacy Policy or how we handle your data, contact us at:

Lodestar Verification OÜ
Läänekaare tn 1, Nõmme linnaosa, 11611 Tallinn, Harju maakond, Estonia
Registry code: 17374696
VAT: EE102925300
Email: info@lodestar.ee