Privacy Policy

1. Introduction

Carbonable SAS ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our CBAM Compliance Platform.

We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. Our registered office is in Paris, France, and we operate throughout the European Union.

2. Information We Collect

Personal Information

• Name and contact details (email, phone number)
• Organization name and business information
• Account credentials and authentication data
• Payment and billing information
• Communication preferences

Business Data

• Import and export data related to CBAM compliance
• Carbon emissions calculations and reports
• Supply chain and vendor information
• Compliance documentation and certificates
• Audit trails and activity logs

Technical Information

• IP addresses and device information
• Browser type and version
• Usage patterns and analytics data
• Cookies and similar tracking technologies

3. Legal Basis for Processing

We process your data based on:

• Contract: To provide our services and fulfill our agreement with you
• Legal Obligation: To comply with CBAM regulations and reporting requirements
• Legitimate Interest: To improve our services and prevent fraud
• Consent: For marketing communications and optional features

4. How We Use Your Information

We use your information to:

• Provide and maintain our CBAM compliance services
• Calculate carbon emissions and generate reports
• Process transactions and manage your account
• Communicate service updates and important notices
• Ensure platform security and prevent fraud
• Improve our services through analytics
• Comply with legal and regulatory requirements
• Send marketing communications (with consent)

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your information with:

• Service Providers: Third parties who help us operate our platform
• Regulatory Authorities: When required for CBAM compliance reporting
• Legal Requirements: To comply with laws or legal processes
• Business Transfers: In case of merger, acquisition, or asset sale
• Your Consent: When you explicitly authorize sharing

6. Data Security

We implement industry-standard security measures including:

• Encryption of data in transit and at rest (AES-256)
• Regular security audits and penetration testing
• Access controls and authentication protocols
• ISO 27001 certified information security management
• SOC 2 Type II compliance for security and availability
• Regular backups and disaster recovery procedures

7. Your Rights Under GDPR

You have the right to:

• Access: Request copies of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit processing of your data
• Portability: Receive your data in a portable format
• Object: Object to certain processing activities
• Withdraw Consent: Withdraw previously given consent
• Complaint: Lodge a complaint with supervisory authorities

To exercise these rights, contact us at privacy@carbonable.io

8. Data Retention

We retain your data for as long as necessary to:

• Provide our services and maintain your account
• Comply with legal obligations (minimum 10 years for CBAM records)
• Resolve disputes and enforce agreements
• Support legitimate business interests

After the retention period, we securely delete or anonymize your data.

9. International Data Transfers

Your data is primarily stored within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards through:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions for countries with equivalent protection
• Your explicit consent for specific transfers

10. Cookies and Tracking

We use cookies and similar technologies for:

• Essential Cookies: Required for platform functionality
• Analytics Cookies: To understand usage patterns
• Preference Cookies: To remember your settings
• Marketing Cookies: For targeted advertising (with consent)

You can manage cookie preferences through your browser settings or our cookie banner.

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

12. Updates to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or platform notification. Your continued use of our services constitutes acceptance of the updated policy.

13. Contact Information

For privacy-related inquiries or to exercise your rights:

Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)