Privacy & Masking
Data privacy controls — isPublic flag, sensitive data handling, and mask patterns.
The Carrot platform is designed to make supply chain logistics transparent and publicly verifiable. However, some data is sensitive for business or privacy reasons. This guide covers the privacy controls available at the document and event metadata levels.
Visibility flags are set when creating a document (see Documents API) and can be adjusted through UPDATE events (see Event Specification).
Visibility controls
- isPublic: controls whether data is visible on public surfaces such as the Carrot Explorer.
- isPubliclySearchable: controls whether records can be found through public search.
The isPublic flag can appear at three levels:
- Event level — controls visibility of the entire event.
- Attribute level — overrides event-level visibility for a specific attribute.
- metadata.attributes level — controls visibility of individual metadata entries.
Lower levels can override higher ones — e.g. an attribute can be marked private inside a public event. Override precedence is applied by the Carrot platform.
When a document or event is marked as public (isPublic: true), anyone with the document ID can
view it on the Carrot Explorer (explore.carrot.eco). When private (isPublic: false), the
data is hidden from public view but remains accessible to auditors for compliance verification.
Per-role visibility policy
The following defaults apply across all methodologies:
- Processor and recycler data must be public.
- Generator and hauler data — company information, addresses, PII, vehicle plates — must be private.
- Open-text fields must never contain sensitive data, regardless of event visibility.
For methodology-specific recommendations, follow the isPublic flags in the canonical examples:
Sensitive data handling
For metadata attributes that contain sensitive or personal data (e.g. license plates, driver identifiers), you have two options:
- Full privacy — Set isPublic: false to hide the data entirely from public surfaces.
- Partial masking — Send the full value, set isPublic: true, and set sensible: true (the API field name for sensitive-data masking) in the metadata. The platform applies masking on public surfaces (e.g. AA*-A**A for a license plate) while preserving the full value for auditors.
Do not pre-mask or redact values in your payload. Send the complete data and let the platform handle the masking.
See Data Formats for the sensible attribute and mask format conventions.
Common private data patterns
The following table lists data fields that partners commonly configure as private, along with the rationale for each:
| Data | Category | Rationale |
|---|---|---|
| Waste Generator name | Participant data | Business confidentiality — protects generator identity from competitors |
| Transport manifest (MTR) | Attachment | Download restricted for confidentiality; the existence of the document remains publicly visible |
| Final destination certificate (CDF) | Attachment | Download restricted for confidentiality; the existence of the document remains publicly visible |
| Vehicle license plate | Event metadata | Personal data — use sensible: true with isPublic: true for partial masking |
| Driver identifier | Event metadata | Personal data — use sensible: true with isPublic: true for partial masking |
If you are unsure whether a field should be private or use partial masking, consult the Carrot team for guidance specific to your use case.
Practical masking strategy
- Keep sensitive values private by default.
- Expose only the minimum fields required by your business and public workflows.
- Use sensible: true for fields that need to be publicly visible in masked form.
- Audit public payloads regularly to ensure no unintended data exposure.
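One way to run the payload audit from the last step before submitting events, as an added example that is not Carrot's own code: it resolves the effective visibility of each metadata.attributes entry and flags personal data that would be published unmasked, plus values the sender pre-masked. The payload layout (name/value entries, an entry inheriting the event's isPublic when it omits the flag) and the name pattern are assumptions; the platform applies the real override precedence.

```python
import re

# Assumption: attribute names that carry personal data, based on the page's
# examples (license plates, driver identifiers). Adjust to your own schema.
SENSITIVE_NAME = re.compile(r"plate|driver", re.IGNORECASE)

PRE_MASKED = "value looks pre-masked; send the full value"
UNMASKED_PUBLIC = "public personal data without sensible: true"


def effective_public(event, attr):
    """Entry-level isPublic overrides the event-level flag when present."""
    if "isPublic" in attr:
        return bool(attr["isPublic"])
    return bool(event.get("isPublic", False))  # missing flag treated as private


def audit_event(event):
    """Return (attribute name, finding) pairs for one event payload."""
    findings = []
    for attr in event.get("metadata", {}).get("attributes", []):
        name, value = attr.get("name", ""), str(attr.get("value", ""))
        if "*" in value:
            # Masking is the platform's job; a '*' suggests client-side redaction.
            findings.append((name, PRE_MASKED))
        if (effective_public(event, attr) and SENSITIVE_NAME.search(name)
                and attr.get("sensible") is not True):
            findings.append((name, UNMASKED_PUBLIC))
    return findings


# Constructed sample event; the field layout is an assumption, not Carrot's schema.
SAMPLE_EVENT = {
    "name": "example-event",
    "isPublic": True,
    "metadata": {"attributes": [
        {"name": "Vehicle License Plate", "value": "ABC-1234"},  # inherits public
        {"name": "Driver Identifier", "value": "DRV-0042",
         "isPublic": True, "sensible": True},                    # masked: fine
        {"name": "Vehicle Type", "value": "Truck"},              # not sensitive
        {"name": "Trailer License Plate", "value": "AB*-1**4",
         "isPublic": False},                                     # pre-masked
    ]},
}

if __name__ == "__main__":
    for name, finding in audit_event(SAMPLE_EVENT):
        print(f"{name}: {finding}")
```
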