Privacy Policy
Last updated: April 2026
This Privacy Policy explains how Green-Trace AI Ltd (“Green Trace AI”, “we”, “us”, “our”) collects, uses, stores, and protects personal data when you use our website at greentraceai.co.uk and our SaaS platform (together, “the Service”). It applies to all users of the Service and visitors to our website.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions about this policy or how we handle your data, please contact us at hello@greentraceai.co.uk.
1. Who we are
Green-Trace AI Ltd is the data controller for personal data processed through the Service. UK company registration is in progress; our registered details will be added to this page once incorporation is complete. Our registered office will be in the United Kingdom.
2. What personal data we collect
We collect the following categories of personal data:
- Account data — your email address, collected when you register or sign in via magic link. We do not collect or store passwords.
- Business operational data — energy bills, fuel records, invoices, and similar documents you upload to the Service. These may contain personal data such as account holder names, addresses, or contact details appearing on the documents.
- Profile and onboarding data — your company name, sector, and reporting framework, collected during onboarding.
- Usage data — pages visited, features used, and actions taken within the Service, collected to improve the product and for security monitoring.
- Payment data — billing name, address, and payment method details. Card data is handled directly by Stripe and is never seen or stored by us.
- Communications — the content of emails or messages you send us.
3. How we collect personal data
- Directly from you when you register, sign in, upload documents, or contact us.
- Automatically through your use of the Service (session cookies, server logs).
- From Stripe when you complete a payment.
4. Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Article 6(1)(b)) — processing your account data, uploaded documents, and billing information is necessary to provide the Service you have signed up for.
- Legitimate interests (Article 6(1)(f)) — we process usage data to improve the Service, detect fraud, and ensure security. Our legitimate interests do not override your rights.
- Legal obligation (Article 6(1)(c)) — we may retain certain records to comply with UK tax and accounting law.
- Consent (Article 6(1)(a)) — where we set non-essential cookies, we do so only with your consent, which you can withdraw at any time via the cookie banner or your browser settings.
5. How we use your personal data
- To create and manage your account and authenticate your sign-in via magic link.
- To extract structured emissions data from documents you upload and generate SECR and UK SRS compliance reports.
- To process subscription payments via Stripe.
- To send transactional emails (sign-in links, account notifications) via Resend.
- To respond to support and sales enquiries.
- To improve the Service and monitor for security incidents.
- To comply with legal obligations.
6. Sub-processors and data sharing
We share personal data with the following sub-processors to operate the Service. We do not sell personal data to third parties.
- Supabase — database, authentication, and file storage. Region: eu-west-1 (Ireland, EEA).
- Anthropic — the Claude API, used to extract structured data from uploaded documents. Anthropic does not train models on data submitted via the API.
- Stripe — payment processing. Stripe’s privacy policy governs card data.
- Vercel — application hosting and edge delivery.
- Resend — transactional email delivery.
We will notify you before adding a new sub-processor that processes your personal data.
7. International transfers
Our primary database and file storage are located in the EEA (eu-west-1, Ireland). Some sub-processors, including Anthropic and Vercel, operate infrastructure outside the UK and EEA. Where personal data is transferred outside the UK, we rely on appropriate safeguards including the UK International Data Transfer Addendum (IDTA) to Standard Contractual Clauses and adequacy decisions where applicable.
8. Data retention
- Account and usage data — retained for the duration of your subscription and for up to 12 months after account closure, unless you request earlier deletion.
- Uploaded documents and emissions data — retained for the duration of your subscription and deleted within 30 days of account closure on request.
- Payment records — retained for 7 years to comply with UK accounting and tax obligations.
- Support communications — retained for up to 3 years for audit and quality purposes.
9. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access (Article 15) — request a copy of the personal data we hold about you.
- Rectification (Article 16) — ask us to correct inaccurate data.
- Erasure (Article 17) — ask us to delete your data, subject to legal retention obligations.
- Restriction (Article 18) — ask us to limit how we use your data.
- Portability (Article 20) — receive your data in a structured, machine-readable format.
- Object (Article 21) — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email hello@greentraceai.co.uk. We will respond within one calendar month as required by UK GDPR Article 12.
10. Cookies
We use strictly necessary cookies to manage your authentication session and protect against cross-site request forgery. With your consent, we may set functional and analytics cookies. Full details are in our Cookie Policy. You can manage your cookie preferences at any time via the banner on our website.
11. Security
We apply appropriate technical and organisational security measures including TLS encryption in transit, AES-256 encryption at rest, HTTP-only session cookies, and access controls. Full details are on our Security page. In the event of a personal data breach, we will notify affected users and, where required, the ICO within 72 hours.
12. Children
The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after a change constitutes acceptance of the updated policy.
14. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concerns before you contact the ICO — please email hello@greentraceai.co.uk first.