Legal
Privacy Policy
Last updated: 7 June 2025
DeCarbonOPS (โweโ, โusโ, โourโ) operates the website and platform at decarbonops.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable EU data protection law.
1. Who is the data controller?
DeCarbonOPS is the data controller for personal data processed through this platform. You can contact us at: ask@decarbonops.com
2. What data we collect
Account data
- Full name and email address (required for account creation)
- Company name, VAT number, industry, country, number of employees, and annual revenue
- Profile photo (optional, uploaded by you)
- Password (stored as a one-way hash โ we never see your plain-text password)
Emissions data
- Energy consumption figures (electricity, gas, fuel) you enter into the platform
- Business travel data (flights, rail, hotel nights, commuting distances)
- Calculated Scope 1, 2 and 3 emissions totals derived from your inputs
Technical data
- IP address, browser type, and device information collected automatically
- Usage logs (pages visited, features used, timestamps)
- Authentication tokens stored in secure HTTP-only cookies
3. Why we collect it and our legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the platform and generating Carbon Passports | Contract performance (Art. 6(1)(b)) |
| Account management and authentication | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (account confirmation, password reset) | Contract performance (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance and record-keeping | Legal obligation (Art. 6(1)(c)) |
| Product improvement and analytics | Legitimate interests (Art. 6(1)(f)) |
4. Who we share data with
We do not sell your personal data. We share data only with the following processors:
- Supabase โ database, authentication, and transactional email delivery (EU region data hosting)
- Vercel โ web hosting and CDN infrastructure
- Cloudflare โ bot protection (Turnstile challenge; no personal data retained)
All processors are bound by Data Processing Agreements and process data only on our instructions.
5. Public Carbon Passports
When you generate a Carbon Passport, you choose to publish it at a public URL (e.g. decarbonops.com/verify/[token]). This public page contains your company name, country, industry, reporting year, and emissions totals. By generating a passport, you consent to this information being publicly accessible via that URL.
You can delete your account at any time to remove public passport pages.
6. Data retention
- Account data: retained while your account is active; permanently and immediately deleted when you delete your account via Settings
- Emissions reports: deleted immediately together with your account upon deletion request
- Server logs: retained for 90 days for security purposes
7. Where your data is stored
All personal data is stored on servers located within the European Union. We do not transfer personal data to countries outside the EEA without appropriate safeguards.
8. Your rights under GDPR
You have the following rights regarding your personal data:
- Access โ request a copy of all personal data we hold about you
- Rectification โ correct inaccurate or incomplete data
- Erasure โ request deletion of your account and all associated data
- Portability โ receive your data in a machine-readable format
- Objection โ object to processing based on legitimate interests
- Restriction โ request that we limit how we process your data
- Withdraw consent โ where processing is based on consent, withdraw it at any time
To exercise any of these rights, email ask@decarbonops.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9. Cookies
We use the following cookies:
- Authentication cookies โ strictly necessary, used to keep you signed in
- Preference cookies โ remember your settings
We do not use advertising cookies or third-party tracking pixels.
10. Security
We implement industry-standard security measures including TLS encryption in transit, encrypted storage at rest, and row-level security policies on all database tables. Passwords are stored using secure one-way hashing. We conduct regular security reviews.
11. Changes to this policy
We may update this policy from time to time. We will notify you by email at least 14 days before any material changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.
12. Contact
For any privacy-related questions, contact us at ask@decarbonops.com.
Also see our Terms of Service. Questions? Email ask@decarbonops.com.