Privacy Policy

Global Data Protection Notice — GDPR Compliant

Version 3.0 | Effective Date: 5 May 2026 | CarbonCore AI Limited

1. WHO WE ARE

CarbonCore AI Limited ("CarbonCoreAI") is the Data Controller for all personal and organisational data processed through the CarbonCoreAI platform. We are incorporated in Dublin, Ireland and operate under GDPR and the Irish Data Protection Act 2018.

Data Controller Contact: info@carboncoreai.tech | Landscape House, Baldonnell, Dublin, D22 P3K7, Ireland

2. WHAT DATA WE COLLECT

2.1 Data You Provide Directly

  • Organisation data — company name, industry, employee count, revenue, country of registration
  • User account data — name, work email, hashed password, role
  • Operational data — utility bills, energy records, transport data, financial statements uploaded for carbon calculation
  • CSRD project data — materiality assessments, ESRS data points, governance disclosures
  • Grant application data — questionnaire responses, project descriptions, budget information
  • White label partner data — branding configuration, subdomain settings, client organisation data
  • Communications — emails, support requests, feedback

2.2 Automatically Generated Data

  • Login and access logs — timestamps, IP addresses, browser and device type
  • Platform usage data — features used, pages visited, session duration
  • Audit trail data — who created, edited, or approved specific records
  • Technical data — error logs, performance metrics

2.3 Data We Do NOT Collect

We do not collect sensitive personal data (health, biometric, political, religious data), payment card numbers (handled exclusively by Stripe), personal data of individuals under 18, or data unrelated to business sustainability purposes.

4. HOW WE USE YOUR DATA

4.1 Service Delivery

  • Process emissions data to calculate carbon footprints
  • Match organisation profiles against grant and funding opportunities
  • Generate ESG reports, CSRD disclosures, and grant application drafts
  • Operate AI consultant chatbot and narrative generation features
  • Enable team collaboration within Organisation accounts
  • Operate white label deployments for partner organisations

4.2 AI Processing

Where AI features process your data, we apply data minimisation principles. We do not use your Organisation's proprietary data to train our AI models. AI sub-processors (OpenAI, Anthropic) are contractually prohibited from using your data for model training.

4.3 Anonymised Benchmarking

CarbonCoreAI may use aggregated, anonymised, non-personally identifiable data to generate industry benchmarks and market intelligence. Individual Organisations are never identifiable from such outputs. CarbonCoreAI retains full rights to commercialise anonymised benchmark data.

4.4 Absolute Restrictions

We will never sell, rent, or trade your personal data. We will never use your data for advertising profiling. We will never share your Organisation's data with competitors.

5. DATA SHARING AND THIRD PARTIES

5.1 Service Providers

  • AWS eu-west-1 (Ireland) — primary data hosting
  • Stripe — payment processing (does not access platform content)
  • OpenAI API and Anthropic API — AI generation tasks (see Section 5.2)
  • Customer support tooling — only data relevant to the support query

5.2 AI Sub-processors

OpenAI and Anthropic APIs receive only the data necessary to complete each specific AI task. They are contractually prohibited from using this data for model training. We use API configurations that minimise data retention by sub-processors.

5.3 White Label Partners

White label partners are independent data controllers for their end user relationships. CarbonCoreAI acts as data processor under a separately executed DPA. White label partners are contractually required to maintain equivalent data protection standards.

5.4 Legal Disclosure

We may disclose your data where required by law, court order, or regulatory authority. We will notify you of such requests where legally permitted to do so.

5.5 Business Transfers

In a merger, acquisition, or asset sale, your data may transfer to a successor entity under equivalent privacy protections. You will be notified of such transfers.

6. INTERNATIONAL DATA TRANSFERS

Where data is transferred outside the EEA, appropriate safeguards are in place including Standard Contractual Clauses (SCCs), EU adequacy decisions, and contractual safeguards with partners.

Users in Nigeria, Kenya, UAE, Saudi Arabia, and other regions should note that data is processed primarily on EU infrastructure. We respect applicable local data protection laws in all markets we serve.

7. DATA RETENTION

We retain your data only as long as necessary for the purposes outlined in this Policy or as required by law. Active account data is retained for the duration of your subscription plus 30 days. After account termination, data is permanently deleted within 30 days upon request. Financial transaction records are retained for 7 years per Irish tax law. Anonymised usage analytics may be retained indefinitely as they cannot identify individuals.

8. SECURITY

  • Encryption in transit — TLS 1.3 for all data transmission
  • Encryption at rest — AES-256 for all stored data
  • Role-Based Access Control (RBAC) — users access only what their role permits
  • Tenant isolation — Organisation data is strictly isolated at all times
  • Multi-factor authentication — available for all accounts, required for admin roles
  • Regular penetration testing and OWASP Top 10 compliance checks
  • Incident response plan with documented breach response procedures
  • Sub-processor security reviews — all third-party processors assessed against security standards

In a personal data breach posing risk to your rights, we will notify the Irish Data Protection Commission within 72 hours and notify affected Organisations without undue delay per GDPR Article 33.

9. YOUR RIGHTS

The following rights apply to all users regardless of location. EU users have these rights under GDPR:

  • Right of Access — request a copy of personal data held about you
  • Right to Rectification — correct inaccurate personal data
  • Right to Erasure — request deletion of personal data (subject to legal retention obligations)
  • Right to Restriction — request limitation of processing in certain circumstances
  • Right to Data Portability — receive your data in JSON format (available in-platform)
  • Right to Object — object to processing based on legitimate interests
  • Right to Withdraw Consent — where processing is consent-based, withdraw at any time without penalty

To exercise rights: email info@carboncoreai.tech with subject line 'GDPR Data Request'. Response within 30 days. EU users may complain to the Irish Data Protection Commission at www.dataprotection.ie.

10. CHILDREN'S PRIVACY

The Platform is for business use by individuals aged 18 and over. We do not knowingly collect data from minors. If you believe we have inadvertently collected data about a minor, contact us immediately.

11. CHANGES TO THIS POLICY

Material changes will be notified by email and in-platform notice at least 14 days before effect. Continued use after that date constitutes acceptance. Current version always at carboncoreai.tech/privacy.

12. CONTACT

Data Controller

CarbonCore AI Limited

Landscape House, Baldonnell, Dublin, D22 P3K7, Ireland

GDPR Enquiries

Use subject line: 'Data Protection Enquiry'

Irish Data Protection Commission

Effective 5 May 2026 | CarbonCore AI Limited