Privacy policy

1. Introduction

Proba is a certification body for greenhouse gas (GHG) emission reduction and removal projects. We help organisations quantify, verify, and certify environmental outcomes according to our standard and methodologies.

This Privacy Policy explains how Proba collects, uses, stores, and shares personal data in connection with:

• Our certification services (including the processing of project data submitted by customers); and
• Our commercial and marketing activities (including our website, communications, and business development).

This policy applies to all individuals whose personal data we process, including representatives of our customers and partners, and any individuals whose data is contained within project submissions.

We are committed to protecting personal data and complying with applicable privacy laws wherever we operate. Our primary framework is the EU General Data Protection Regulation (GDPR). We also observe applicable requirements under Brazilian data protection law (Lei Geral de Proteção de Dados — LGPD) and the privacy laws of other jurisdictions in which our customers and partners are based.

2. Who We Are and How to Contact Us

Controller: Proba World B.V., Laan van Kronenburg 14, 1183 AS Amstelveen (NL)

Contact for privacy matters: Email: privacy@proba.earth Website: proba.earth

3. Scope of This Policy

This policy applies to:

• Customer contacts and representatives: People at the organisations that engage Proba for certification services.
• Project data subjects: Individuals whose personal data (such as GPS coordinates) may be contained within project documentation submitted to Proba, even where Proba does not collect that data directly (for example, data relating to farmers or landowners).
• Website visitors and commercial contacts: People who interact with Proba's website or marketing channels.

This policy does not apply to the processing activities of our customers or to the Validation and Verification Bodies (VVBs) which our customers contract. Those parties are responsible for their own privacy practices.

4. Personal Data We Collect

4.1 Certification Services

In the course of certifying GHG projects, we receive project documentation from our customers. The nature of this data depends on the relevant methodology, but may include:

• Field and site data: GPS coordinates, field boundaries and sizes, land-use type, crop types, and crop yields.
• Agricultural practice data: Fertilizer types applied, application rates and timing, soil types, and other agronomic parameters required by the applicable Proba methodology. This data relates to practices at specific sites; Proba typically does not require the names or personal addresses of the land operators.
• Product information: Technical data sheets and specifications for agricultural inputs (e.g. fertilizers). This information is usually publicly available from manufacturers.
• Process descriptions: Technical details on manufacturing processes and associated emissions.
• Project documentation: Monitoring reports, project design documents, protocols, and other records prepared by or for our customers. By default, these documents are published on the Proba public registry, unless marked as confidential.
• Customer contact details: Names, professional email addresses, telephone numbers, and job titles of the individuals we work with at customer organisations.

Important note on indirect identification: Although Proba does not intentionally collect personal data about individual farmers or landowners, GPS coordinates and field-level data may, in some circumstances, be capable of identifying a specific farm or operator. Where this is the case, Proba treats such data with the same care as directly identifying personal data.

4.2 Commercial and Marketing Activities

When you interact with Proba outside of a certification project — for example, by visiting our website, signing up for updates, or contacting us for business purposes — we may collect:

• Name, email address, organisation, and job title.
• Information you provide in contact forms or enquiries.
• Website usage data (see Section 9 on cookies).
• Records of communications and meetings.

5. How and Why We Use Personal Data

5.1 Certification Services

Where project data contains information about individuals who are not direct parties to our contracts (for example, farmers whose field data is included in a submission), our legal basis is legitimate interests. Proba has a legitimate interest in processing such data to perform its certification function, and we take reasonable steps to ensure that the volume and sensitivity of such data is proportionate to that purpose.

5.2 Commercial and Marketing Activities

6. Data We Make Public

Proba operates a public project registry. When a GHG project is certified, certain project information is published on this registry. This typically includes:

• Project name, location (at a general level), and description.
• Certified emission reductions or removals.
• Applicable methodology and project period.
• Project design documents and monitoring reports, to the extent they have not been marked as confidential.

Customers are informed about what information will be made public as part of the certification process. Confidential information — including proprietary protocols, commercially sensitive data, and any personal data — is not published without appropriate authorisation.

7. Data Sharing and Third Parties

7.1 Cloud Infrastructure

Proba uses Google Cloud services for data storage and processing. Google acts as a data processor on our behalf under a Data Processing Agreement. Data may be stored on servers within the European Economic Area or in other regions where Google operates, subject to appropriate safeguards (see Section 8).

7.2 Validation and Verification Bodies (VVBs)

As part of the certification process, project data is made available to VVBs (third-party auditors). VVBs are contracted directly by our customers, not by Proba. By designating a VVB for their project, customers authorise Proba to share the relevant project data with that party. This includes all project documentation required for the verification scope, which may comprise confidential materials such as field-level GPS coordinates, monitoring addenda, and site-specific protocols, regardless of whether those documents are published on the Proba public registry. Proba is not responsible for the VVB's own processing of personal data.

7.3 Use of Artificial Intelligence Tools

Proba uses AI-powered tools to support internal work, including building data conversion and validation tools, researching emission factors, and drafting technical documentation. These tools are used by Proba staff to improve the efficiency and quality of our work. We do not feed customer project data — including field data, GPS coordinates, or any other personal data submitted as part of a certification project — into external AI systems. Customer data remains within Proba's controlled infrastructure as described in Section 7.1.

7.4 Other Disclosures

We may disclose personal data to:

• Regulatory authorities, courts, or law enforcement bodies where required by law.
• Professional advisors (lawyers, accountants) bound by confidentiality.
• A successor entity in the event of a merger, acquisition, or restructuring, subject to appropriate protections.

We do not sell personal data to third parties, nor do we share it with third parties for their own marketing purposes.

7.5 Customer Data Processing Agreements

Where required or agreed, Proba enters into a Data Processing Agreement (DPA) with customers that governs the specific terms under which project data is processed. Such DPAs supplement this Privacy Policy and, in the event of a conflict, the terms of the applicable DPA take precedence for the customer relationship in question.

8. International Data Transfers

Proba operates internationally and may transfer personal data to countries outside the European Economic Area (EEA). Where personal data originating in the EEA is transferred to a country that has not been deemed to provide an adequate level of protection by the European Commission, we ensure that appropriate safeguards are in place.

The transfer mechanisms we rely on include:

• Standard Contractual Clauses (SCCs): The EU's standard data transfer clauses, incorporated into our agreements with processors such as Google, and used for transfers to countries including the United States and Brazil.
• Adequacy decisions: Canada's private sector privacy law (PIPEDA) has been recognised by the European Commission as providing adequate protection for commercial data transfers from the EU, so transfers to Canada do not require additional safeguards.

Details of the transfer mechanisms applicable to a specific transfer are available upon request.

Note for Brazilian data subjects: Where Proba processes personal data of individuals located in Brazil, we do so in accordance with the LGPD. Brazilian data subjects may exercise their rights as described in Section 12, and may also contact the Autoridade Nacional de Proteção de Dados (ANPD, www.gov.br/anpd) if they have concerns about our processing.

9. Cookies and Website Tracking

Our website uses cookies and similar tracking technologies. These may include:

• Strictly necessary cookies: Required for the website to function and cannot be disabled.
• Analytics cookies: Help us understand how visitors use our website (e.g. pages visited, time spent). 
• Marketing cookies: Used to track visitors across websites and share relevant content.

You can manage your cookie preferences through the cookie banner on our website or through your browser settings. Withdrawing consent for non-essential cookies does not affect the lawfulness of processing that occurred before withdrawal.

A full Cookie Policy is available at our website, including an overview of tools we use.

10. Data Retention

Proba retains personal data for as long as is necessary for the purposes described in this policy. For project-related data, retention periods are governed by Proba's own certification standards and methodologies, which require that data remains available for audit and verification purposes throughout the crediting period and for a defined period thereafter. These obligations take precedence over any shorter retention period that might otherwise apply, and cannot be shortened at the request of a customer or data subject where doing so would compromise the integrity of a certified project. Retention periods may therefore span several decades.

The retention periods applicable to different categories of data can be found below:

When data is no longer needed, we securely delete or anonymise it in accordance with our retention schedule.

11. Data Security

Proba takes appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit and at rest.
• Access controls and role-based permissions.
• Regular security reviews.
• Data processing agreements with all third-party processors.

In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected individuals without undue delay. Where a customer Data Processing Agreement imposes a stricter notification timeline for notifying the customer, Proba will comply with that shorter period for customer notification while meeting its independent regulatory obligations within the statutory timeframe.

12. Your Rights

Depending on your location and the applicable law, you may have the following rights in relation to your personal data:

• Right of access: To obtain confirmation that we process your data and to receive a copy of it.
• Right to rectification: To have inaccurate data corrected.
• Right to erasure ("right to be forgotten"): To request deletion of your data, subject to legal and contractual retention obligations.
• Right to restriction: To request that we limit processing in certain circumstances.
• Right to data portability: To receive your data in a structured, machine-readable format (where applicable).
• Right to object: To object to processing based on legitimate interests, including for direct marketing.
• Right to withdraw consent: Where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@proba.earth.

We will respond within one month. Where a request is complex, we may extend this period by a further two months, in which case we will notify you.

EU/EEA residents have the right to lodge a complaint with the supervisory authority in your member state (in the Netherlands: Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl). The Brazilian equivalent is addressed in Section 8.

If you are subject to privacy laws in your jurisdiction that grant rights not listed above, please contact us and we will endeavour to accommodate them.

13. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or applicable law. We will indicate the date of the most recent update at the top of the policy. For significant changes, we will provide notice through our website or by direct communication where appropriate.

14. Contact Us

For any questions, concerns, or requests relating to this policy or our data practices, please contact:

Proba World B.V., Laan van Kronenburg 14, 1183 AS Amstelveen (NL) Email: privacy@proba.earth