Privacy Policy
Last updated: April 11, 2026
The 30-second version
Your data lives in Frankfurt, never gets sold, never feeds an advertising tracker, and you can take it back at any time. The numbered sections below are the same thing said the way lawyers like it said.
1. Who we are
CarbonTrace is operated by Simplinity, based in The Netherlands. We provide carbon footprint calculation and reporting services for IT assets. For privacy-related inquiries, contact us at privacy@carbontrace.cloud.
2. What data we collect
We collect data you provide directly: account information (name, email, password), organisation details, and IT asset data submitted for carbon footprint calculations. We also collect technical data automatically: IP address, browser type, and usage analytics to improve our service. We do not collect sensitive personal data, biometric data, or data about minors.
3. How we use your data
We use your data to: provide and improve our carbon footprint calculation service, generate certificates and reports, manage your account and billing, send transactional emails (account confirmations, invoices), and comply with legal obligations. We do not sell your data to third parties. We do not use your data for advertising.
4. Legal basis (GDPR)
We process your data under the following legal bases: contract performance (providing the service you signed up for), legitimate interest (improving our service, preventing fraud), legal obligation (tax and accounting requirements), and consent (marketing communications, which you can withdraw at any time).
5. Data residency & transfers
Your data is stored in the European Union (Frankfurt, eu-west-1) on Supabase infrastructure. We do not transfer personal data outside the EU/EEA unless required by a sub-processor with adequate safeguards (Standard Contractual Clauses). Payment processing is handled by Mollie B.V., a Dutch payment service provider, fully within the EU.
6. Data retention
Account data is retained while your account is active and for 30 days after deletion. Calculation data and certificates are retained for the duration of your subscription. Audit logs are retained for 7 years to comply with Dutch accounting regulations. You can request earlier deletion of non-mandatory data at any time.
7. Your rights
Under GDPR, you have the right to: access your personal data, rectify inaccurate data, erase your data (‘right to be forgotten’), restrict processing, data portability (export in machine-readable format), object to processing, and withdraw consent. To exercise any of these rights, contact privacy@carbontrace.cloud. We will respond within 30 days.
8. Cookies
We use essential cookies for authentication and session management. We use analytics cookies (privacy-friendly, no cross-site tracking) to understand how people use our service. We do not use advertising cookies or trackers. You can disable non-essential cookies in your browser settings.
8a. Anonymous sector benchmarks
CarbonTrace offers a sector benchmark feature that shows how your carbon footprint compares against other organisations in the same sector. These comparisons are computed from aggregated, anonymised data: every bucket contains at least 5 contributing organisations before any statistic is shown (k-anonymity, k≥5). We never display individual organisation names or data. Your organisation's data contributes to these aggregates by default, on the basis of our legitimate interest in improving the service and helping organisations benchmark responsibly; you can opt out at any time in Settings → Privacy & Data, in which case your contributions are removed on the next nightly refresh. The aggregates themselves — percentiles, sample sizes, and medians — are available to all opted-in organisations via /reports/benchmark.
9. Sub-processors
We use the following sub-processors: Supabase (database & authentication, EU), Vercel (hosting, edge network), Mollie (payments, NL), and Resend (transactional email). All sub-processors are bound by data processing agreements. Our full DPA is available at carbontrace.cloud/dpa.
10. Security
We protect your data with: encryption in transit (TLS 1.3) and at rest (AES-256), row-level security on all database tables, hash-chained audit logging, regular security reviews, and strict access controls. If we discover a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours.
11. Changes to this policy
We may update this privacy policy from time to time. We will notify you of material changes via email or an in-app announcement. The latest version is always available at this URL.
12. Contact & complaints
For privacy questions or to exercise your rights: privacy@carbontrace.cloud. If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
Questions about your data? Contact us