Privacy Policy

Last updated: 2 March 2026

1. Data Controller

CarbonCounter Ltd (Company No. 17061500) is the data controller for your personal data. Registered office: 3rd Floor, 86-90 Paul Street, London, England, EC2A 4NE.

Data Protection Contact: contact@countercarbon.co.uk

2. Data We Collect

Account Data

  • Email address (required for registration)
  • First name, last name (optional)
  • Company name and company email domain (optional; required for manufacturer accounts)
  • Hashed password (we never store plaintext passwords)
  • Account tier and subscription status

Product & Usage Data

  • Products you view, search, and add to collections
  • Carbon calculations you perform
  • Products and material data you contribute to the database
  • Community votes you cast on contributed data

Technical Data

  • IP address, browser type, device information, operating system
  • Pages visited, time spent, referral source
  • Cookies and similar tracking technologies (see Section 7)

Payment Data

If you subscribe to a paid tier, payment is processed by our third-party payment processor (Stripe). We do not store your full card number, CVV, or bank account details. We receive only a transaction reference, billing email, and subscription status.

3. How We Use Your Data

  • Service delivery: Account management, authentication, carbon calculations, report generation, collection management.
  • Subscription management: Processing payments, managing billing cycles, issuing receipts.
  • Platform improvement: Aggregate usage analytics to improve features and user experience.
  • Communications: Essential service updates and security alerts. Marketing emails only with your explicit consent.
  • Legal compliance: Compliance with UK GDPR, the Data Protection Act 2018, and other applicable laws.
  • Fraud prevention: Detecting and preventing abuse, spam, or fraudulent use of the platform.

4. Legal Basis for Processing (UK GDPR)

We process your personal data on the following lawful bases:

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service you registered for, including account management, calculations, and report generation.
  • Legitimate interests (Art. 6(1)(f)): Platform improvement, security monitoring, fraud prevention, and aggregate analytics. We conduct balancing tests to ensure our interests do not override your rights.
  • Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Where processing is required to comply with applicable law (e.g., tax records).

5. Data Sharing

We do not sell your personal data to third parties. We may share data with:

  • Service providers: Hosting (Vercel Inc.), database (Supabase Pte. Ltd.), payment processing (Stripe Inc.), email delivery (when applicable). These providers process data on our behalf and are bound by data processing agreements.
  • Legal requirements: If required by law, court order, or to protect our legal rights.
  • Business transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.

Product data you contribute to the database is visible to other users but is not linked to your personal identity unless you choose to display your company name.

6. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of an account deletion request, except where retention is required by law.
  • Product contributions: Retained indefinitely as part of the public database. If you delete your account, contributions are anonymised (your name and personal identifiers are removed).
  • Payment records: Retained for 7 years to comply with UK tax obligations (HMRC requirements).
  • Usage logs: Retained for 12 months, then aggregated and anonymised.
  • Marketing consent records: Retained for the duration of consent plus 12 months after withdrawal.

7. Cookies

We use the following categories of cookies:

  • Strictly necessary: Session and authentication cookies. Required for the Service to function. Cannot be disabled.
  • Analytics: Anonymous usage tracking to understand how visitors use the platform. Only placed with your consent.

You can manage cookie preferences via the cookie banner shown on first visit, or through your browser settings. See our Cookie Policy for details.

8. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV).
  • Right to object (Art. 21): Object to processing based on legitimate interest, including direct marketing.
  • Right to withdraw consent: Withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, email contact@countercarbon.co.uk. We will respond within one calendar month of receiving your request, as required by UK GDPR. We may request verification of your identity before processing your request.

9. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encrypted connections (TLS/HTTPS) for all data in transit
  • Passwords hashed using bcrypt with a cost factor of 12
  • Role-based access controls and authentication via secure JWT tokens
  • Regular security reviews of application code
  • Database hosted on managed infrastructure with encryption at rest

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify affected users and the ICO within 72 hours in the event of a personal data breach, as required by UK GDPR.

10. International Data Transfers

Your data may be processed by service providers located outside the United Kingdom. Where data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs)
  • EU Standard Contractual Clauses (SCCs) with UK addendum
  • Adequacy decisions by the UK Secretary of State

11. Children's Data

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect. The "Last updated" date at the top of this page will be revised accordingly.

13. Contact & Complaints

For questions, data requests, or complaints about this Privacy Policy, contact us at: contact@countercarbon.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
