Privacy Policy — ScopeZero

1. Data Controller

ScopeZero is operated by ScopeZero Ltd. For any privacy-related enquiries, please contact us at privacy@scopezero.com.

2. Data We Collect

Account information: email address, name, and organisation name provided during registration.
Carbon & energy data: utility bills, facility details, emission records, and travel/accommodation data you enter or upload.
Usage data: timestamps of actions performed within the platform (stored in our audit log for security purposes).

We do not use third-party tracking cookies or analytics scripts. Session cookies are used solely for authentication.

3. How We Use Your Data

Calculate and report carbon emissions (Scope 1, 2 & 3).
Process uploaded utility bills using AI-based extraction.
Provide recommendations to reduce your carbon footprint.
Send transactional emails (invitations, notifications).
Maintain security and detect abuse (audit logging, rate limiting).

4. Legal Basis for Processing

Contract performance: processing your carbon data is necessary to provide the service you signed up for.
Legitimate interest: security logging and abuse prevention.
Consent: where required (e.g., optional data-sharing features).

5. Third-Party Processors

We share data only with the service providers necessary to operate the platform:

Provider	Purpose	Location
Supabase	Database, authentication, file storage	AWS eu-central-1 (Frankfurt)
Google Cloud	Bill data extraction (Cloud Run)	us-central1 (Iowa)
OpenAI	AI-powered bill data extraction	US
Resend	Transactional emails	US

OpenAI processes bill content solely for data extraction. Per our API agreement, OpenAI does not use this data to train its models.

6. Data Retention

Active accounts: data is retained for the duration of your account.
Deleted accounts: all personal data and associated records are purged within 30 days of account deletion.
Audit logs: retained for 2 years for security and compliance purposes.

7. Your Rights

Under GDPR and applicable data protection law, you have the right to:

Access your data — view all data associated with your account within the platform.
Rectification — update your account and facility information at any time.
Erasure — delete your account via Account Settings. This removes all your data.
Portability — export your emissions data in standard formats via the export feature.
Restriction / Objection — contact us to restrict or object to specific processing.

To exercise any of these rights, email privacy@scopezero.com. We will respond within 30 days.

8. Cookies & Tracking

We use only essential session cookies for authentication. We do not use any third-party analytics, advertising, or tracking cookies. No cookie consent banner is required.

9. Security Measures

We implement industry-standard security measures including encryption in transit (TLS), row-level database security, rate limiting, audit logging, and Content Security Policy headers. See our Terms of Service for more details.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. The “last updated” date at the top reflects the latest revision.

11. Contact

For privacy enquiries, data requests, or complaints, contact us at privacy@scopezero.com.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.