Privacy Policy
Last Updated: 26 April 2026 · Version 2.1
1. Introduction and Scope
Carbon Trace ("Carbon Trace", "Company", "we", "our", or "us"), operated as a sole proprietorship, provides a digital platform for measuring, analyzing, and managing greenhouse gas (GHG) emissions ("Platform").
This Privacy Policy ("Policy") explains how we collect, use, store, share, and protect your personal information and operational data when you access or use our Platform, visit our website (www.carbontraceglobal.com), or communicate with us. This Policy applies to all users worldwide, including individuals and organizations.
By accessing or using Carbon Trace, you acknowledge that you have read, understood, and consent to the collection, use, processing, and transfer of your information as described in this Policy. If you do not agree to this Policy, you must immediately cease using the Platform and delete your account.
This Policy should be read together with our Terms of Use, which govern your use of the Platform.
2. Data Controller
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws, the data controller responsible for your personal data is:
Carbon Trace, operating as a sole proprietorship
Email: hello@carbontraceglobal.com
Website: www.carbontraceglobal.com
If you have any questions about how we process your personal data, or wish to exercise your data protection rights, please contact us at the email address above.
3. Information We Collect
We collect and process the following categories of information:
3.1 Account Information (provided by you)
When you create an account, we collect: full name, email address, profile picture (if provided via Google or Microsoft sign-in), organizational name and affiliation (if provided), role/job title (if provided), and authentication credentials (managed via our authentication provider, Supabase).
3.2 Emissions and Operational Data (provided by you)
Data you enter into the Platform for emissions tracking, including: energy consumption figures, fuel usage records, water consumption data, waste generation data, transportation and fleet data, flight and travel records, and any other environmental metrics you input.
3.3 Derived and Calculated Data (generated by the Platform)
Data generated through processing your inputs, including: calculated GHG emissions (Scope 1, 2, and 3); analytics, dashboards, trends, and reports; benchmarking and comparison data; and data quality assessments.
3.4 Technical and Usage Data (collected automatically)
When you access the Platform, we may automatically collect: IP address, device type, operating system, and browser type; pages visited, features used, and interaction patterns; timestamps, session duration, and referral sources; error logs and performance data; and cookies and similar tracking technologies (see Section 10).
3.5 Communication Data
If you contact us or use any in-app communication features, we may collect: email correspondence, support inquiries and feedback, and any information you voluntarily provide in communications.
3.6 Third-Party Authentication Data
If you sign in using Google, Microsoft, or another third-party provider, we receive: your name, email address, profile picture, and a unique identifier from the provider. We do not receive or store your third-party account password.
3.7 Consequences of Not Providing Personal Data
Providing certain personal data is necessary for us to operate the Platform and comply with applicable laws. If you choose not to provide required personal data, this:
- May prevent us from processing your application and/or delivering our products and services.
- May hinder our ability to respond to your inquiries regarding our products and services.
- May restrict or block access to certain features on our website, links, or digital platforms.
- May prevent us from providing you with updates on promotions, product or service offerings, or new launches.
- May result in your exclusion from invitations to promotional events organized by us.
- May impair our ability to maintain effective communication with you.
- May constitute non-compliance with applicable laws or regulations requiring the collection of such personal data.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following grounds:
4.1 Performance of a Contract (Article 6(1)(b) GDPR)
Processing your account information and operational data is necessary to provide the Platform services you have requested, including account creation, emissions calculations, dashboard access, and report generation.
4.2 Legitimate Interests (Article 6(1)(f) GDPR)
We process certain data based on our legitimate business interests, including: improving and developing the Platform, ensuring security and preventing fraud, generating aggregated analytics and benchmarks, providing customer support, and conducting internal research and analysis. We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights and freedoms.
4.3 Consent (Article 6(1)(a) GDPR)
Where required by law, we obtain your consent before processing personal data, including for: sending marketing communications, using certain cookies and tracking technologies, and processing special categories of data (if applicable). You may withdraw your consent at any time by contacting us or adjusting your account settings. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
4.4 Legal Obligation (Article 6(1)(c) GDPR)
We may process data where necessary to comply with legal obligations, such as tax, accounting, or regulatory requirements.
5. How We Use Your Information
We use collected information for the following purposes:
5.1 Service Delivery: Providing, maintaining, and operating the Platform; performing emissions calculations and generating reports; enabling authentication and account management; processing user requests and support inquiries.
5.2 Platform Improvement: Analyzing usage patterns to improve features and performance; developing new features and functionality; conducting internal research and development; fixing bugs, errors, and security vulnerabilities.
5.3 Security and Integrity: Detecting, preventing, and responding to fraud, abuse, or security incidents; monitoring for unauthorized access or suspicious activity; enforcing our Terms of Use.
5.4 Communications: Sending transactional emails (account verification, password resets, magic link sign-in); notifying you of material changes to our Terms or Privacy Policy; responding to your inquiries and support requests; sending optional marketing or product update communications (with your consent, where required).
5.5 Aggregated Analytics and Research: Creating anonymized, aggregated datasets for benchmarking, research, and industry analysis. Such aggregated data does not identify any individual or organization and may be used without restriction.
5.6 Legal Compliance: Complying with applicable laws, regulations, and legal processes; responding to lawful requests from governmental authorities; establishing, exercising, or defending legal claims.
6. Data Sharing and Disclosure
6.1 We Do Not Sell Your Personal Data
Carbon Trace does not sell, rent, or trade your personal information to third parties for their marketing purposes. For California residents: we do not "sell" or "share" personal information as defined under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA).
6.2 Service Providers (Processors)
We engage trusted third-party service providers to support the operation of the Platform. These providers process data only on our behalf and under our instructions. The following are our major processors; additional processors may be engaged as the Platform develops and this list will be updated accordingly:
• Supabase — Authentication, database hosting, and real-time services (data processed in AWS regions)
• Vercel — Application hosting and edge delivery
• Google Cloud Platform — Infrastructure and AI services
• Cloudflare — DNS, CDN, security, and content delivery
• Resend/Postmark — Transactional email delivery
All processors are bound by data processing agreements requiring them to implement appropriate technical and organizational security measures and to process data only for specified purposes.
6.3 Legal and Compliance Disclosures
We may disclose your information where required or permitted by law, including: to comply with a legal obligation, court order, or governmental request; to enforce our Terms of Use; to protect the rights, property, or safety of Carbon Trace, our users, or the public; and in connection with the detection, prevention, or investigation of fraud, security breaches, or illegal activity.
6.4 Business Transfers
In the event of a merger, acquisition, restructuring, asset sale, or similar transaction, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Platform before your information is transferred and becomes subject to a different privacy policy.
6.5 With Your Consent
We may share your information with third parties where you have provided explicit consent.
7. International Data Transfers
Given the global nature of our services, your personal data may be transferred to, stored in, and processed in countries other than your country of residence, including Australia, the United States, and other jurisdictions where our service providers operate.
These jurisdictions may have data protection laws that differ from, and may be less protective than, the laws of your country.
7.1 Safeguards for EEA/UK Transfers
For transfers of personal data from the EEA or UK to countries not recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including: Standard Contractual Clauses (SCCs) approved by the European Commission; UK International Data Transfer Agreements or Addendums; and sub-processor data processing agreements incorporating equivalent protections.
7.2 Safeguards for Other Jurisdictions
For users in Singapore, Australia, and other jurisdictions with cross-border transfer requirements, we take reasonable steps to ensure that transferred data receives a standard of protection comparable to that required under applicable local law.
By using the Platform, you explicitly consent to the international transfer of your data as described in this section, to the extent that consent is a valid legal basis for such transfer in your jurisdiction.
8. Data Security
Carbon Trace implements technical and organizational security measures designed to protect personal and operational data against unauthorized access, alteration, disclosure, or destruction. These measures include:
Technical Safeguards
• Encryption of data in transit using TLS/HTTPS
• Encryption of data at rest in managed cloud infrastructure
• Row Level Security (RLS) policies ensuring users can only access their own data
• Authenticated API routes with session validation
• Secure authentication via Supabase Auth (bcrypt password hashing, OAuth 2.0)
• Automatic session management and token refresh
• Append-only audit logging for compliance-critical operations
Organizational Safeguards
• Principle of least privilege for all system access
• Regular review of security configurations and access controls
• Incident response procedures for potential data breaches
• Sub-processor due diligence and contractual security requirements
Important Disclaimers
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. You are responsible for: maintaining the confidentiality of your account credentials; securing the devices you use to access the Platform; and promptly reporting any suspected unauthorized access.
9. Data Retention
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, reporting, or compliance obligations.
Retention Periods
• Active account data: retained for the duration of your account and a reasonable period thereafter (typically 90 days after account deletion request)
• Emissions and operational data: retained for the duration of your account and deleted upon account termination, subject to legal retention requirements
• Audit logs: retained for a minimum of 7 years to support ISO 14064-3 verification readiness and regulatory compliance
• Technical and usage logs: retained for up to 24 months for security, performance, and analytics purposes
• Communication records: retained for up to 36 months
• Aggregated and anonymized data: may be retained indefinitely as it does not constitute personal data
After the applicable retention period, personal data is securely deleted or irreversibly anonymized.
You may request earlier deletion of your personal data by contacting us (see Section 12). However, we may retain certain data where required by law or for legitimate business purposes.
10. Cookies and Tracking Technologies
Carbon Trace uses a minimal set of cookies and similar technologies, primarily for essential Platform functionality:
Essential Cookies: Authentication session cookies required for secure access to the Platform. These cannot be disabled without losing the ability to sign in.
Local Storage: The Platform uses browser local storage to support offline-first functionality and session continuity. This data remains on your device and is cleared on sign-out.
Analytics: We may use privacy-respecting analytics tools to understand usage patterns and improve the Platform. Where required by law, we obtain your consent before setting non-essential analytics cookies.
We do not use third-party advertising cookies or tracking pixels. We do not engage in cross-site tracking or behavioral advertising.
You can manage cookies through your browser settings. Disabling essential cookies may impair Platform functionality.
11. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We will respond to valid requests within the timeframes required by applicable law (typically 30 days, extendable as permitted).
11.1 Rights Under GDPR (EEA and UK Users)
• Right of Access (Article 15): Request a copy of your personal data
• Right to Rectification (Article 16): Request correction of inaccurate data
• Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
• Right to Restriction (Article 18): Request restriction of processing in certain circumstances
• Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA)
11.2 Rights Under CCPA/CPRA (California Residents)
• Right to Know: Request disclosure of the categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information, subject to exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (note: we do not sell or share personal information)
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your rights
• Right to Limit Use of Sensitive Personal Information: Where applicable
11.3 Rights Under PDPA (Singapore Residents)
• Right of Access: Request access to your personal data and information about how it has been used
• Right to Correction: Request correction of errors or omissions in your personal data
• Right to Withdraw Consent: Withdraw consent for collection, use, or disclosure (subject to legal and contractual restrictions)
• Right to Data Portability: Request transmission of your data to another organization (where applicable under the PDPA amendments)
11.4 Rights Under Australian Privacy Principles (APPs)
• Right of Access (APP 12): Request access to your personal information held by us
• Right to Correction (APP 13): Request correction of inaccurate, out-of-date, or incomplete personal information
• Right to Complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles
• Right to Anonymity (APP 2): Where practicable, you may deal with us without identifying yourself
11.5 Exercising Your Rights
To exercise any of these rights, contact us at hello@carbontraceglobal.com with your request. We may need to verify your identity before processing your request. We will not charge a fee for exercising your rights unless requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act on the request.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33) or within the timeframe required by other applicable laws
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
• Comply with breach notification requirements under the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act 1988
• Comply with PDPA breach notification requirements in Singapore
• Document the breach, its effects, and remedial actions taken
Our incident response procedures are designed to detect, contain, and remediate security incidents promptly while fulfilling all applicable legal notification obligations.
13. Children's Privacy
The Platform is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect, solicit, or process personal data from children under 16.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at hello@carbontraceglobal.com. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will take steps to promptly delete such information from our systems.
For users in the United States, we comply with the Children's Online Privacy Protection Act (COPPA) with a minimum age threshold of 13. For users in the EEA, we comply with Article 8 of the GDPR regarding conditions applicable to a child's consent in relation to information society services.
14. Do Not Track Signals
Some web browsers may transmit "Do Not Track" (DNT) signals. As there is currently no universally accepted standard for how to respond to DNT signals, Carbon Trace does not respond to DNT browser signals at this time.
However, our minimal use of tracking technologies (as described in Section 10) means that your privacy is respected regardless of DNT settings.
15. Automated Decision-Making
Carbon Trace does not use fully automated decision-making processes (including profiling) that produce legal effects or similarly significantly affect users, as contemplated by Article 22 of the GDPR.
The Platform performs automated emissions calculations based on user inputs and standardized emission factors, but these calculations are computational tools provided for the user's informational purposes and do not constitute automated decisions with legal or similarly significant effects.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations.
Material Changes: For material changes (such as changes to the types of data collected, new sharing practices, or significant changes to your rights), we will: update the "Last Updated" date at the top of this Policy; post a prominent notice on the Platform; and where required by applicable law, notify you by email and/or seek your renewed consent.
Non-Material Changes: Minor clarifications or formatting changes may be made without additional notice.
Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Policy, you must stop using the Platform and delete your account.
17. Contact Us
For any privacy-related questions, concerns, data subject requests, or complaints, please contact:
Carbon Trace — Data Protection Inquiries
Email: hello@carbontraceglobal.com
Website: www.carbontraceglobal.com
We aim to respond to all legitimate requests within 30 days. In complex cases, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for the delay.
Supervisory Authority Complaints
If you are not satisfied with our response, you have the right to lodge a complaint with:
• EEA/UK: Your local Data Protection Authority (list available at edpb.europa.eu)
• Australia: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
• Singapore: Personal Data Protection Commission (PDPC) at pdpc.gov.sg
• United States (California): California Attorney General at oag.ca.gov
Your Acknowledgment
By creating an account on Carbon Trace, you acknowledge that you have read and understood this Privacy Policy, and you consent to the collection, use, processing, and international transfer of your personal data as described herein. Your consent is recorded with a timestamp and policy version in your account metadata for compliance and audit purposes.