Privacy

Privacy Policy

Last updated: April 15, 2026

1. What RINdesk is

RINdesk is a web application and companion Chrome extension that helps operators of renewable fuel accounts on the EPA EMTS system automate trade acceptance, inventory tracking, and compliance reporting. We operate the service. We do not work for or represent the EPA.

2. Data we collect

From you directly:

  • Email address and password (hashed) for your RINdesk account
  • Organization name you supply during signup
  • EMTS session cookies relayed by the RINdesk Connector browser extension

From EMTS on your behalf:

  • Your EMTS organization name and org ID
  • Your RIN holdings, trades, and transaction history
  • Counterparty organization names on trades you accept or initiate

We never collect your EPA CDX or login.gov credentials. They remain in your browser.

3. How the browser extension works

After you authenticate with login.gov and log into emts.epa.gov, the RINdesk Connector reads the session cookies for the emts.epa.gov domain and securely transmits them to RINdesk over HTTPS using an API token you generated and pasted into the extension. The extension requests no other data from your browser or any other site.

4. How we store and protect data

  • EMTS session cookies are encrypted at rest with AES-256-GCM using per-deployment keys
  • API tokens are stored as SHA-256 hashes, never in plaintext
  • Data is isolated per customer organization via Postgres row-level security
  • All traffic is served over HTTPS with TLS 1.2+
  • Hosting on Vercel (US regions) and Supabase (US regions)

5. Who we share data with

We do not sell your data. We share it only with:

  • EPA EMTS — for the actions you direct RINdesk to perform (accept trades, retire, etc.)
  • Vercel & Supabase — infrastructure providers, bound by their own privacy terms
  • Resend — if you opt into email alerts
  • Law enforcement — only under a valid subpoena or court order

6. Your rights

You can revoke API tokens, clear stored EMTS sessions, and delete your account at any time from Settings. On account deletion we remove all organizational data within 30 days, subject to any legal retention obligations.

7. Children

RINdesk is not intended for users under 18.

8. Changes to this policy

We will update the “last updated” date and notify active users by email if material changes are made.

9. Contact

Questions: support@rindesk.com