Last reviewed: 27 March 2026

Privacy Policy

Last updated: 27 March 2026

This Privacy Policy explains how A4 Commerce FZE trading as CarbonPass.co (“CarbonPass.co”, “we”, “us”) collects, uses, stores, and protects your personal data when you use our Service. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller is A4 Commerce FZE, a company registered in the United Arab Emirates.

Data protection contact: hello@carbonpass.co

2. What Data We Collect

We collect the following categories of personal data:

| Category | Data | Lawful Basis |
|---|---|---|
| Account data | Name, email address, company name | Contract performance |
| Company data | Legal name, industry, address, employee count, Companies House number | Contract performance |
| Emission data | Utility bills, fuel receipts, energy consumption data, emission calculations | Contract performance |
| Payment data | Stripe customer ID, subscription status, plan type (we do not store card numbers) | Contract performance |
| Usage data | Pages visited, features used, session duration | Legitimate interest |
| Technical data | IP address, browser type, device information | Legitimate interest |

3. How We Use Your Data

  • Providing and operating the Service, including generating emission reports and CRP documents
  • Processing payments and managing your subscription
  • Sending transactional emails (account confirmation, password resets, payment receipts, dunning notices)
  • Publishing your Carbon Passport (only when you explicitly choose to publish)
  • Improving the Service through aggregated, anonymised analytics
  • Complying with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising or profiling purposes.

4. AI Processing

The Service uses Anthropic's Claude AI to process uploaded documents and generate reports. When you upload a bill or interact with the AI session:

  • Document content is sent to Anthropic's API for processing
  • Anthropic processes data in accordance with their data processing agreement with us
  • Anthropic does not use your data to train their models (per our enterprise agreement)
  • Extracted data is stored in our database; the original API request is not retained by Anthropic beyond their standard processing period

5. Data Sharing

We share personal data with the following categories of recipients:

  • Stripe — payment processing (PCI DSS compliant)
  • Clerk — authentication and identity management
  • Anthropic — AI document processing
  • Resend — transactional email delivery
  • Vercel — hosting and infrastructure
  • Supabase — database hosting (PostgreSQL)

All sub-processors are bound by data processing agreements. We conduct due diligence on each provider's data protection practices.

6. International Transfers

Some of our sub-processors (Anthropic, Vercel, Clerk) process data in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, or by the sub-processor's participation in an approved transfer mechanism.

7. Data Retention

  • Active accounts: Data is retained for the duration of your account.
  • Closed accounts: Personal data is deleted within 30 days of account closure, except where retention is required by law (e.g. financial records retained for 6 years).
  • Published Carbon Passports: Unpublished on account closure. Cached versions may persist in search engine indexes beyond our control.
  • Anonymised data: Aggregated, anonymised usage statistics may be retained indefinitely for service improvement.

8. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access — request a copy of your personal data
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data (“right to be forgotten”)
  • Right to restrict processing — request limitation of how we use your data
  • Right to data portability — request your data in a machine-readable format
  • Right to object — object to processing based on legitimate interest

To exercise any of these rights, use the self-service tools in your Account Settings or email hello@carbonpass.co. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication via Clerk
  • Regular security reviews of infrastructure and dependencies
  • Database hosted on Supabase with automated backups and point-in-time recovery

10. Children

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

11. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email. The “Last updated” date at the top of this page indicates when the policy was last revised.

13. Contact

For any privacy-related enquiries, contact us at hello@carbonpass.co.

© 2026 CarbonPass.co · Made in the UK