GNV is a multi-tenant platform. Multiple organisations, their staff, their suppliers, and their customers all operate within the same system. This creates a responsibility: we must be clear about what data belongs to whom, what we do with it, and why.
How Data Separation Works in Practice
Every piece of data in the platform belongs to a category. These categories determine who can see it, how it can be used, and what happens to it over time:
Your operational data (menus, pricing, order volumes, procurement decisions, staff information) — this is yours. It is isolated to your tenant. Other organisations on the platform cannot see it. GNV does not share it externally. It is deleted when you leave.
Reference data (what a product is, what ingredients it contains, what allergens are declared, who the supplier is) — this is factual information about the world. When you add a product to the system, the factual information about that product becomes part of the platform's shared reference layer. This is how we maintain accurate allergen and nutrition data across the network.
Verification data (certificates, attestations, evidence that a claim is true) — this is preserved to maintain trust continuity. If a supplier's organic certification expires, that fact needs to persist in the system regardless of whether any individual customer leaves.
Network intelligence (patterns, canonical records, resolved identities) — this is what emerges when the platform processes data across multiple participants. For example: resolving that "Kerry Gold Butter 250g" and "Kerrygold Butter (250g)" are the same product.
Why We Maintain Reference Data
A common question: "Why does GNV retain data after I leave?"
The answer is food safety. Consider this scenario: Organisation A adds a product to the system with allergen declarations. Organisation B uses the same product and relies on those allergen declarations. Organisation A leaves the platform.
If we deleted all reference data when A left, Organisation B would lose allergen information that people depend on for their safety. That is not acceptable.
This is why factual reference data (what a product contains, what allergens are present) is maintained as shared infrastructure. Your operational data (what you ordered, how much you paid, your internal decisions) is always yours and is removed when you leave.
What Tenant Isolation Means
In practice, tenant isolation on the GNV platform means:
— Every database query is scoped to your tenant_id — you cannot accidentally or intentionally access another organisation's data
— API requests are validated against your authenticated tenant context at every layer
— Role-based access controls restrict what users within your organisation can see and do
— Site-level isolation further restricts access within multi-site organisations
— Audit logs record who accessed what and when
This is not a policy — it is an architectural constraint enforced at the database, API, and authentication layers.
What We Do Not Do
— We do not sell your data to third parties
— We do not share your operational data with other tenants
— We do not use your operational data to benefit your competitors
— We do not allow other organisations to see your menus, pricing, volumes, or procurement decisions
— We do not use AI on safety-critical data (see AI & Verification Principles)
What We Do
— Maintain accurate, canonical reference data (products, ingredients, allergens, suppliers) that all participants benefit from
— Resolve inconsistencies in product and supplier data across the network (e.g. normalising product names, matching duplicate entries)
— Preserve verification evidence so that trust claims remain auditable over time
— Generate anonymised, aggregated insights that improve the platform for everyone (e.g. identifying commonly mislabelled allergens)
— Maintain the integrity of the shared reference layer even as individual participants join or leave
Anonymisation in Practice
When we generate network-level insights, we apply anonymisation so that no individual organisation's operational patterns are identifiable, no individual user is identifiable, and insights are derived from aggregate patterns, not individual records.
For example: we might identify that a particular supplier's allergen declarations are inconsistent across the network. We would not reveal which customers reported the inconsistency or what their order volumes are.
Governance as We Grow
We are an early-stage company. Our governance practices today include architectural enforcement of tenant isolation, clear data category definitions in our Platform Terms, audit logging of administrative and data-access operations, transparent public documentation, and dedicated privacy and security contact channels.
As we grow, we intend to add independent third-party audits of our data separation controls, formal data governance framework documentation, customer advisory input on governance evolution, and published transparency reports on network intelligence usage.
Contact
For questions about data governance, how your data is handled, or our separation controls: privacy@globalnutritionvalue.com