top of page

PRIVACY POLICY
 

CarbonFlow AI Ltd

Effective Date: February 2026
 

This Privacy Policy explains how CarbonFlow AI Ltd (“CarbonFlow”, “we”, “us”, “our”) collects, uses, stores and protects personal data in connection with the CarbonFlow AI platform (“Platform”).

This Policy applies to:

  • Business customers

  • Platform users

  • Website visitors

  • Prospective clients

 

CarbonFlow AI is a data controller under the UK GDPR and, where applicable, the EU GDPR.

1. Who We Are

 

CarbonFlow AI Ltd
Registered in England & Wales
Registered Address: Office 9381 
321-323 High Road, 
Chadwell Heath, 
Essex 
RM6 6AX. UK
Email: Privacy@carbonflowai.com

 

If you have questions about this Policy, contact us using the above details.

 

2. The Data We Collect

 

Because CarbonFlow is a B2B platform, we primarily collect business-related information.

 

2.1 Account & Contact Information

  • Name

  • Business email address

  • Job title

  • Company name

  • Company address

  • Phone number (if provided)

 

2.2 Platform Data

  • Uploaded invoices

  • Utility bills

  • Supplier details

  • Contractor names (business context only)

  • Commercial transaction data

  • Sustainability reports

 

CarbonFlow does not intentionally collect special category data (e.g. health data, biometric data).

 

2.3 Technical Data

  • IP address

  • Browser type

  • Device information

  • Log files

  • Usage analytics

 

2.4 Payment Information

 

Payments are processed via Stripe.
CarbonFlow does not store full card details.

 

3. Lawful Basis for Processing

 

We process personal data under the following lawful bases:

 

Contract

To provide access to the Platform and deliver Services.

 

Legitimate Interests

  • Platform improvement

  • Security monitoring

  • Benchmarking using anonymised data

  • Business communications

 

Legal Obligation

 

Where required by law or regulatory authorities.

 

Consent

Where required for marketing communications.

 

4. How We Use Personal Data

 

We use data to:

  • Provide access to the Platform

  • Process uploaded data for emissions calculations

  • Generate benchmarking outputs

  • Improve AI models

  • Communicate with customers

  • Process payments

  • Maintain security and prevent fraud

 

We do not sell personal data.

 

5. AI Processing

 

The Platform uses automated systems and AI to:

  • Analyse uploaded commercial data

  • Generate emissions calculations

  • Produce sustainability reports

  • Provide benchmarking insights

 

Automated processing does not make legally binding decisions on behalf of customers.

 

Customers remain responsible for verifying outputs.

 

6. Data Sharing

We may share data with:

Service Providers

  • Amazon Web Services (AWS)

  • Stripe (payment processing)

  • Hosting and infrastructure partners

  • Security providers

 

Professional Advisers

  • Legal advisers

  • Accountants

  • Auditors

 

Regulatory Authorities

Where legally required.

 

All processors are subject to contractual confidentiality and data protection obligations.

 

7. International Transfers

 

CarbonFlow operates in the GCC and may host data in:

  • United Kingdom

  • European Union

  • United Arab Emirates (where contracted)

  • AWS data centres throughout the GCC to secure data residency requirements

 

Where data is transferred outside the UK or EU, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)

  • Contractual data protection commitments

  • Secure cloud infrastructure

 

8. Data Security

 

We implement commercially reasonable technical and organisational measures, including:

  • Encryption in transit

  • Role-based access controls

  • Secure cloud hosting (AWS)

  • Access logging

  • Regular system monitoring

 

No system can guarantee absolute security.

 

9. Data Retention

 

We retain:

  • Active customer data during subscription

  • Data for 12 months after account termination

  • Anonymised and aggregated data indefinitely

 

After 12 months post-termination, identifiable customer data may be permanently deleted.

 

10. Your Rights (UK & EU GDPR)

 

Where applicable, individuals may have the right to:

  • Access their data

  • Rectify inaccurate data

  • Request erasure

  • Restrict processing

  • Object to processing

  • Data portability

  • Withdraw consent

 

Requests can be made by contacting us.

 

We may require identity verification before fulfilling requests.

 

11. Marketing Communications

 

We may send business-related updates to corporate contacts.

 

You may opt out at any time via:

  • Email unsubscribe link

  • Direct written request

 

12. Cookies & Tracking

 

Our website and Platform may use cookies for:

  • Authentication

  • Analytics

  • Security

 

A separate Cookie Policy applies.

 

13. Children

 

The Platform is not intended for individuals under 18.

 

14. Changes to This Policy

 

We may update this Privacy Policy from time to time.

 

Material changes will be notified via:

  • Website notice

  • Platform notification

  • Email (where appropriate)

 

15. Complaints

 

If you believe your data protection rights have been breached, you may contact:

 

UK Information Commissioner’s Office (ICO)
https://ico.org.uk

If you are in the EU, you may contact your local supervisory authority.

bottom of page