Docs
IntegrationsGuides

Privacy & Masking

Data privacy controls — isPublic flag, sensitive data handling, and mask patterns.

The Carrot platform is designed to make supply chain logistics transparent and publicly verifiable. However, some data is sensitive for business or privacy reasons. This guide covers the privacy controls available at the document and event metadata levels.

Visibility flags are set when creating a document (see Documents API) and can be adjusted through UPDATE events (see Event Specification).

Visibility controls

  • isPublic: controls whether data is visible on public surfaces such as the Carrot Explorer.
  • isPubliclySearchable: controls whether records can be found through public search.

When a document or event is marked as public (isPublic: true), anyone with the document ID can view it on the Carrot Explorer (explore.carrot.eco). When private (isPublic: false), the data is hidden from public view but remains accessible to auditors for compliance verification.

Sensitive data handling

For metadata attributes that contain sensitive or personal data (e.g. license plates, driver identifiers), you have two options:

  • Full privacy — Set isPublic: false to hide the data entirely from public surfaces.
  • Partial masking — Send the full value, set isPublic: true, and set sensible: true in the metadata. The platform applies masking on public surfaces (e.g. AA*-A**A for a license plate) while preserving the full value for auditors.

Do not pre-mask or redact values in your payload. Send the complete data and let the platform handle the masking.

See Data Formats for the sensible attribute and mask format conventions.

Common private data patterns

The following table lists data fields that partners commonly configure as private, along with the rationale for each:

DataCategoryRationale
Waste Generator nameParticipant dataBusiness confidentiality — protects generator identity from competitors
Transport manifest (MTR)AttachmentDownload restricted for confidentiality; the existence of the document remains publicly visible
Final destination certificate (CDF)AttachmentDownload restricted for confidentiality; the existence of the document remains publicly visible
Vehicle license plateEvent metadataPersonal data — use sensible: true with isPublic: true for partial masking
Driver identifierEvent metadataPersonal data — use sensible: true with isPublic: true for partial masking

If you are unsure whether a field should be private or use partial masking, consult the Carrot team for guidance specific to your use case.

Practical masking strategy

  1. Keep sensitive values private by default.
  2. Expose only the minimum fields required by your business and public workflows.
  3. Use sensible: true for fields that need to be publicly visible in masked form.
  4. Audit public payloads regularly to ensure no unintended data exposure.

Related references:

Permissions

ACTOR events as permission grants — how to manage document access.

Error Handling

Error handling patterns — retry decisions, immutability, CANCEL and recreate, deduplication, and rate limits.

On this page

Visibility controls
Sensitive data handling
Common private data patterns
Practical masking strategy