Privacy Policy
Effective Date: 10 Jul 2025 | Last Updated: 25 Sept 2025
CarbClex operates a two-sided carbon marketplace and enterprise climate software, including measurement, reporting, and verification (MRV) integrations, carbon accounting tools, and buyer-seller workflows (the "Services").
This Privacy Policy explains how we collect, use, disclose, and protect Personal Data in connection with the Services and our business operations.
If you do not agree with this Policy, please do not use the Services. Where legally required, we will obtain your consent separately (e.g., cookies, marketing).
1) Scope & Roles
Who this Policy covers. Marketplace users (buyers, sellers/project developers, brokers), enterprise clients and their authorized users, vendors, site visitors, job applicants, and B2B prospects.
- We act as a Controller for: marketplace accounts, KYC/AML screening, fraud prevention, platform security, our own marketing, and when we decide "why and how" Personal Data is processed.
- We act as a Processor for: enterprise clients' carbon accounting data, MRV inputs, and any data we process under a Data Processing Addendum (DPA) according to the client's documented instructions.
Affiliates. Our affiliates may process data on our behalf under this Policy and applicable DPAs.
2) Data We Collect
A. Identity & Contact
Full name, email, phone, organization, role, postal/billing addresses, government ID numbers (where permitted/required), KYC artifacts (e.g., PAN, GSTIN, passports, utility bills), and selfie/face match results (if used for verification).
B. Business & Financial
Company details, ownership/beneficial owner information, certificates, project authorization letters, tax IDs, bank/UPI details (tokenized where possible), invoices, payout logs.
C. Platform & Transaction
Account credentials, role/permissions, audit logs, listings, bids, orders, contracts, signatures, registry identifiers, retirement certificates, wallet addresses (if applicable), dispute records.
D. Carbon & MRV (may be Personal Data if linked to individuals)
Emissions activity data (Scope 1-3), device/IoT telemetry, fuel/energy data, supplier declarations, geospatial references, satellite/remote sensing outputs and derived metrics, methodologies, verification reports, imagery metadata (not the raw imagery unless provided), and project documentation.
E. Technical & Usage
Device/OS/browser, IP address, timestamps, pages viewed, referral URLs, session IDs, clickstream, error logs, cookie identifiers, and analytics events.
F. B2B Prospecting & Recruitment
Public/provided business contact info, conference scans, lead enrichment from reputable providers; for hiring: CVs, references, interview notes.
Sensitive Data. We avoid collecting special category data unless required (e.g., sanctions checks) and will seek additional safeguards/consent where legally necessary.
Sources: You; your employer; counterparties; verifiers/registries; KYC/AML and fraud-prevention providers; PSPs; MRV partners; public records; events; cookies/SDKs.
3) Purposes & Legal Bases (Business-Mapped View)
Purpose (Business Outcome) | Typical Data | Examples of Legal Basis*
---|---|---
Marketplace operation & deal execution (enable listings, bids, settlements, retirements) | Identity, business/financial, transaction | Contract; Legitimate Interests |
KYC/AML & sanctions screening; fraud/risk scoring | Identity documents, watchlist results, device/IP | Legal Obligation; Legitimate Interests |
Enterprise carbon accounting (SaaS) | MRV/activity data, user account data | Contract; Legitimate Interests; Consent where required |
Security & abuse prevention (audit logs, rate limits) | Technical/usage, account, IP | Legitimate Interests; Legal Obligation |
Analytics & product improvement | Usage/event data, feedback | Legitimate Interests; Consent (where required for cookies/SDKs) |
Regulatory reporting & audits (registries, tax) | Transaction, identity, project data | Legal Obligation |
Customer support & success | Account, communications | Contract; Legitimate Interests |
B2B marketing & sales | Business contact info | Legitimate Interests; Consent (where required) |
Payments & payouts | Billing, bank/UPI tokens, invoices | Contract; Legal Obligation |
* We reference GDPR-style bases; local laws (e.g., India DPDP Act, CCPA/CPRA) are addressed in the Regional Addenda below.
Automated Decisions/Profiling: We may use automated checks (e.g., sanctions matches, risk scores) to flag activity for human review. We do not make solely automated decisions that produce legal or similarly significant effects without a path for human intervention where required by law.
4) Cookies, Pixels & SDKs
We use strictly necessary cookies (auth, security), functional cookies (preferences), analytics (product usage), and advertising (B2B remarketing where permitted). You can manage preferences via our Cookie Settings (CMP) and/or your browser. See our separate Cookie Policy for details.
5) Disclosures (Who We Share With)
We do not sell Personal Data. We disclose only as needed:
- Service Providers / Sub-processors: cloud hosting/CDN, database and storage, analytics, email/SMS, customer support tools, KYC/AML, payment processors, e-signature, document management, security monitoring. Bound by confidentiality and DPAs.
- Verification & Registry Partners: accredited verifiers (VVBs), standards/registries to validate projects, issue/retire credits.
- Counterparties: as necessary to settle marketplace transactions and provide proof of ownership/retirement.
- Professional Advisors: auditors, accountants, lawyers, insurers.
- Regulators & Law Enforcement: where required by law or to defend our rights/users' safety.
- Corporate Transactions: merger, financing, acquisition, or bankruptcy; any data transfer is subject to this Policy and notice.
We maintain a current Sub-processor Overview at: [https://carbclex.com/legal/subprocessors] (update this path) and will notify material changes as required.
6) International Transfers
We operate globally. Where data moves across borders, we rely on recognized transfer mechanisms (e.g., SCCs under GDPR, country-specific adequacy, contractual safeguards). For India's DPDP Act, cross-border transfers comply with government notifications and contractual protections. We implement defense-in-depth security and access controls regardless of location.
7) Security (Business-Grade Controls)
We employ organizational and technical measures appropriate to the risk, including:
- Role-based access control (RBAC), MFA for privileged access, least-privilege, secure SDLC.
- Encryption in transit (TLS) and at rest for core data stores.
- Network segmentation, WAF, DDoS protection, and continuous monitoring.
- Vendor risk management and sub-processor DPAs.
- Audit logging and tamper-resistant trails for key transactions (e.g., issuance/retirements).
- Employee training, background checks where permissible, confidentiality agreements.
- Incident response and breach notification procedures aligned with applicable laws.
No system is 100% secure. If we discover a breach impacting your data, we will notify you and regulators as required.
8) Retention (Business-Aligned Schedules)
We retain Personal Data only as long as needed for the purposes above or as required by law/regulators, then delete or irreversibly anonymize.
Data Category | Typical Retention
---|---
Account profiles, audit logs | Life of account + 3-7 years (regulatory / dispute windows) |
KYC/AML records & screening results | 5-10 years post last transaction (jurisdiction-dependent) |
Contracts, invoices, payouts | 7-10 years (tax/accounting) |
MRV/project documentation | Project life + 7-10 years (standards/regulatory) |
Support tickets, emails | 2-5 years |
Analytics events | 6-24 months (aggregated thereafter) |
Marketing (B2B) CRM | Until opt-out or inactivity (e.g., 24 months), then minimization |
Where retention mandates differ, we follow the longest applicable legal requirement.
9) Your Rights
Your rights depend on your location and role (data subject vs. enterprise client admin). Generally, you may request: access, correction, deletion, restriction, objection (to certain processing/marketing), and portability. You can also withdraw consent where we rely on consent.
- Marketplace/Direct Users: submit requests via [email protected] or the in-product privacy portal [link].
- Enterprise Users: please contact your employer (the Controller) first; we will support them as Processor.
- Marketing Opt-Out: use unsubscribe links or email us.
We will verify identity before fulfilling requests and respond within legal timeframes.
10) Children
Our Services are for business and professional use and are not directed to children under 18. We do not knowingly collect children's data.
11) Government & Lawful Requests
We may disclose data if legally required (court order, warrant, regulator demand). Unless prohibited, we will notify affected customers before disclosure and limit scope to what is legally compelled.
12) Changes to This Policy
We may update this Policy to reflect operational, legal, or regulatory changes. We will post updates here and, for material changes, provide additional notice (e.g., email or in-product). Continued use after the effective date constitutes acceptance.
13) Contact & Governance
Data Protection Contact / DPO:
CarbClex Privacy Office
Bengaluru, Karnataka, 560001, India
Email: [email protected]
For EU/UK: If required, we will appoint an EU/UK Representative and publish details here.
For India: Our Data Protection Officer (if mandated under DPDP rules) will be listed here.
Regional Addenda (Business-Ready Summaries)
A) European Economic Area (EEA) & UK (GDPR/UK GDPR)
- Controller: CarbClex [entity name and address].
- Legal Bases: contract, legitimate interests (e.g., security, product improvement, B2B marketing), legal obligation, consent (cookies/marketing where required).
- Rights: access, rectification, erasure, restriction, portability, objection (including to profiling/marketing), and the right not to be subject to certain solely automated decisions.
- Transfers: safeguarded via SCCs, adequacy where available, and supplemental measures.
B) California (CCPA/CPRA)
We do not "sell" Personal Information as defined by CCPA/CPRA; we may "share" for cross-context behavioral advertising only with consent (managed via Cookie Settings).
- Rights: know/access, delete, correct, opt-out of sharing/targeted ads, limit use of sensitive PI (if applicable), non-discrimination.
- Categories Collected: identifiers, commercial info, internet activity, geolocation (coarse), professional info, inferences for fraud/security.
C) India (Digital Personal Data Protection Act, 2023)
- Data Fiduciary: CarbClex [entity].
- Consent & Legitimate Use: We rely on consent where required and legitimate uses permitted under DPDP (e.g., compliance, employment, voluntary data by the user).
- Cross-Border: Transfers comply with government notifications and contractual safeguards.
- Grievance Redressal: [email protected] (we will publish our Grievance Officer details and process on the website).
- Rights: access to information, correction/deletion, grievance redressal, and consent withdrawal subject to lawful processing grounds.
These summaries do not limit your rights under applicable law; where there is a conflict, local law prevails.
Processor Terms Snapshot (for Enterprise Clients)
When acting as Processor, we will:
- process Personal Data only on your documented instructions;
- maintain confidentiality and require the same from personnel;
- implement appropriate technical and organizational measures;
- assist with data subject requests and DPIAs;
- inform you of sub-processors and obtain appropriate flow-down commitments;
- notify you without undue delay of data incidents;
- delete or return data at termination, subject to legal retention;
- make available information for audits subject to confidentiality and reasonable limits.
For full details, see our Data Processing Addendum (DPA): [https://carbclex.com/legal/dpa] (replace with actual URL).
Practical Controls You Can Configure (Business Value)
- Privacy & Security Settings: MFA, IP allowlists, SSO/SAML, session timeouts.
- Data Minimization: field-level controls for user roles; project-level redaction for public artifacts.
- Transparency: downloadable audit trails for bids, issuances, and retirements.
- Data Portability: export emissions datasets and certificates in standard formats (CSV/JSON/PDF).
- Cookie Choices: fine-grained toggles for analytics/ads SDKs.
Definitions (Plain-English)
- Personal Data/Personal Information: any information that identifies or relates to an identifiable person.
- Processing: any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
- Controller/Fiduciary | Processor: the party determining "why/how" vs. the party processing on instructions.
- MRV: measurement, reporting, and verification data supporting carbon claims.