Privacy Policy

This policy applies to all users of the CarbonConnect platform, including SME customers accessing the platform directly, individuals at organisations subscribed to CarbonConnect under a Professional or Enterprise plan, accountancy firms and other partners accessing the platform through our Partner Programme, and visitors to our website at carbonconnect.io

We collect and process the following data types:

• Account and company information: When you register for CarbonConnect, we collect information necessary to create and manage your account. This includes your name, job title, business email address, company name, company registration number, sector, employee count, and approximate annual revenue. For partner accounts, we also collect details about your firm and client referral activity.
• Carbon and emissions data: To deliver our core matching and eligibility services, we collect the emissions data you input into our carbon calculator. This includes Scope 1, 2, and 3 emissions estimates based on your energy and fuel consumption, operational activities, and supply chain inputs. This data is processed in accordance with the GHG Protocol standard via the Climatiq API.
• Funding and application data: We collect information about the funding programmes you search for, the eligibility checks you run, and the grant applications you draft or submit through the Platform. This includes application content generated by our AI Application Assistant.
• Usage and technical data: We collect data about how you interact with the Platform, including pages visited, features used, session duration, and actions taken. We also collect technical data such as your IP address, browser type, device type, and operating system for security monitoring and platform performance purposes.
• Payment information: For paid subscription plans, payment processing is handled by our third-party payment provider. We do not store your full payment card details on our systems. We retain records of subscription tier, billing cycle, and transaction history for account management and legal compliance purposes.
• Communications data: If you contact our support team, respond to surveys, or correspond with us by email, we retain records of those communications to resolve queries and improve our services.

We use the data we collect for the following purposes, each grounded in a lawful basis under the UK GDPR and EU GDPR:

To provide and operate the Platform, including running eligibility matching, generating AI-assisted application content, tracking funding opportunities, and managing your account. The lawful basis for this processing is the performance of a contract with you.

To improve and develop the Platform, including analysing usage patterns, identifying areas for product improvement, and training and refining our matching algorithms. The lawful basis for this processing is our legitimate interest in maintaining and improving a commercial service. We do not use individually identifiable personal data for model training without your explicit consent.

To communicate with you about your account, upcoming funding deadlines, platform updates, and relevant programme alerts. The lawful basis for transactional communications is the performance of a contract. For marketing communications, the lawful basis is your consent, which you can withdraw at any time.

To comply with legal obligations, including maintaining records required under applicable tax, financial, and data protection law. The lawful basis for this processing is legal obligation.

To detect and prevent fraud, security incidents, and misuse of the Platform. The lawful basis for this processing is our legitimate interest in protecting the Platform and its users.

We do not sell your personal data or your organisation's carbon data to third parties. We share data only in the following circumstances:

With technology sub-processors who help us deliver the Platform. These include Anthropic (AI application generation), Climatiq (emissions factor calculations and carbon data processing), Amazon Web Services (cloud infrastructure and data hosting in the eu-north-1 region), and Hedera (blockchain anchoring for VCRI certificates). All sub-processors are bound by data processing agreements and are required to handle your data only as instructed by us.

With accountancy firms or partners who have referred you to the Platform, where you have consented to your activity data being shared with that partner for commission tracking and client management purposes.

With public funding bodies or programme administrators, but only to the extent that you explicitly authorise this as part of submitting a grant application through the Platform.

With regulatory authorities or law enforcement bodies where we are legally required to do so.

In the event of a business transfer, merger, or acquisition, your data may be transferred to a successor entity, subject to equivalent privacy protections.

All CarbonConnect data is stored on AWS infrastructure in the eu-north-1 region (Stockholm, Sweden), within the European Economic Area. This ensures your data remains subject to EU data protection standards at all times.

We implement a range of technical and organisational security measures to protect your data, including role-based access controls (RBAC) and multi-tenant isolation to ensure no user or organisation can access another's data, automated security scanning across all code and infrastructure as part of our CI/CD pipeline, SHA-256 hashing for VCRI blockchain certificates to create tamper-proof records, and continuous monitoring via AWS CloudWatch and PagerDuty for anomalous activity.

No method of data transmission or storage is completely secure. While we take reasonable and appropriate measures to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with our obligations under applicable data protection law.

We retain your data for as long as your account is active or as needed to provide the Platform to you. On account closure, we will delete or anonymise your personal data within 90 days, except where we are required to retain it for longer to comply with legal, tax, or regulatory obligations. Aggregated and anonymised usage data, which cannot be used to identify you or your organisation, may be retained indefinitely for platform analytics and improvement purposes.

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. You have the right to access the personal data we hold about you. You have the right to rectify inaccurate or incomplete data. You have the right to erasure of your data where there is no legitimate reason for us to continue processing it. You have the right to restrict processing in certain circumstances. You have the right to data portability, meaning you can request your data in a structured, commonly used, and machine-readable format. You have the right to object to processing based on our legitimate interests. Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@carbonconnect.io. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, this is the supervisory authority in the member state where you are based.

We use cookies and similar tracking technologies to operate the Platform and analyse usage. Please refer to our separate Cookie Policy for full details of the cookies we use and how to manage your preferences.

CarbonConnect is a business-to-business platform and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact privacy@carbonconnect.io and we will take steps to delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify registered users of material changes by email and by displaying a notice on the Platform. The date at the top of this policy reflects when it was last updated. Continued use of the Platform following notification of changes constitutes acceptance of the updated policy.

Replace this with the exact policy language.

For any questions about this Privacy Policy or how we handle your data, contact:

Connected Intelligence Ltd Data Protection;

Email: privacy@carbonconnect.io

Platform: www.carbonconnect.io