GDPR Compliance Statement for CarbonX

Carbon Trade AG (“CarbonX,” “we,” “our,” or “us”) is committed to protecting the privacy and security of all personal data in full compliance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.

Written By CarbonX Registry

Last updated 4 months ago

This statement explains how CarbonX collects, uses, stores, and protects personal data processed through the CarbonX Platform. It also describes the principles and practices we follow to ensure transparency, lawfulness, and fairness in all personal data processing activities.

CarbonX applies GDPR-compliant safeguards across its operations, including:

  • Processing personal data only for specific, legitimate purposes;

  • Ensuring accuracy, integrity, and confidentiality of all personal data;

  • Implementing technical and organisational security measures consistent with ISO 27001 and SOC 2 standards;

  • Respecting data subjects’ rights to access, rectification, erasure, restriction, and data portability;

  • Maintaining records of processing activities and performing Data Protection Impact Assessments (DPIAs) where required.

For more information on our data processing activities, lawful bases, and user rights, please refer to our Privacy Policy.

1. Data Controller

Carbon Trade AG, located at Rossbergstrasse 16, Steinen 6422, Switzerland, is the data controller responsible for processing your personal data in connection with Carbondeck.

For GDPR-specific inquiries, contact our Data Protection Team at legal@carbonx.credit

2. Data Categories Collected

In connection with the operation and use of the CarbonX Sustainability and Carbon Accounting Platform, CarbonX processes the following categories of personal data as defined under Article 4(1) of the General Data Protection Regulation (GDPR).

Category

Examples of Data Processed

Legal Basis (under GDPR)

Billing & Payment Data

Company Name*, Billing Address*, Tax ID*, TR TIN*, Payment Email*, Cardholder Name*

Contractual necessity, Legal obligation

Contact & Address Data

Company Name*, Country*, Phone Number*, Main Email*, Facility Address*

Contractual necessity, Legitimate interests

Organizational Data

Franchise Name, Supplier Name, Operational Scope

Legitimate interests (for service delivery and platform management)

Emission & Reporting Data

Emission Factors (EF CO₂e), Activity Data, GHG Mapping Descriptions

Contractual necessity, Legal obligation

Optional Data

Company Website, Establishment Year, Facility Area (m²)

Consent (where applicable)

Note: Fields marked with an asterisk (*) are mandatory for the provision of services under the User Agreement.

CarbonX collects and processes only the minimum personal data necessary for providing and improving its services, maintaining accurate billing records, and ensuring compliance with applicable sustainability reporting regulations.

3. Purposes of Processing

CarbonX processes personal data strictly in accordance with the principles of lawfulness, fairness, and transparency, as set out in Article 5 of the GDPR.
The personal data collected through the CarbonX Platform is processed for the following purposes:

Purpose

Description

Legal Basis (GDPR)

Contractual Obligations

To deliver and manage carbon accounting services, including user account administration, billing, emissions tracking, and sustainability reporting.

Performance of a contract (Article 6(1)(b))

Legal Compliance

To meet legal and regulatory obligations, including tax reporting (Tax ID, TR TIN) and environmental compliance with greenhouse gas (GHG) reporting requirements.

Legal obligation (Article 6(1)(c))

Legitimate Interests

To maintain and improve platform functionality, ensure system security, prevent fraud, enhance customer support, and analyze usage trends to improve service quality.

Legitimate interest (Article 6(1)(f))

Consent

For optional data such as company website, facility details, or to send marketing communications, newsletters, or service updates.

Consent (Article 6(1)(a))

CarbonX does not process personal data for automated decision-making or profiling without explicit consent.

4. Data Security

CarbonX implements a comprehensive set of technical and organisational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures are designed in accordance with industry best practices and recognized security frameworks such as ISO 27001, NIST 800-53, and SOC 2.

Our key security controls include:

  • Encryption:
    All payment and financial data are encrypted using PCI-DSS–compliant payment processors. Sensitive data transmitted between users and our systems is protected through TLS 1.2+ encryption and data-at-rest encryption protocols.

  • Access Controls:
    Access to sensitive data (such as Tax IDs, TR TINs, and billing details) is restricted based on role and necessity, enforced through multi-factor authentication (MFA) and Zero Trust Model principles.

  • Regular Security Audits:
    CarbonX conducts periodic internal and external security reviews, vulnerability assessments, and penetration tests to identify and remediate potential weaknesses.

  • Incident Response:
    While no system can guarantee absolute security, CarbonX maintains a dedicated incident response program to promptly detect, respond to, and mitigate any data security incidents in accordance with our Data Breach Notification Policy.

These measures ensure that personal data processed within CarbonX’s systems remains secure, confidential, and available in compliance with Articles 32–34 of the GDPR.

5. Data Retention

CarbonX retains personal data only for as long as it is necessary to fulfil the purposes for which it was collected, comply with legal and regulatory obligations, resolve disputes, and enforce agreements.
Retention periods are determined in accordance with Article 5(1)(e) of the GDPR (storage limitation principle) and other applicable data protection and financial regulations.

Data Category

Retention Period

Purpose / Basis

Account Data

Retained until account deletion or for up to 2 years following last user activity, whichever occurs first.

To manage user accounts and comply with contractual obligations.

Payment Data

Retained for 7 years, or as required by applicable financial and accounting regulations.

Compliance with financial and audit obligations.

Tax Identification Data (TR TIN, Tax ID)

Retained in accordance with Swiss tax and accounting laws.

Compliance with national tax regulations.

Emission and Reporting Data

Retained for 5 years after contract termination, anonymized where possible.

Legal and environmental reporting obligations.

Marketing and Optional Data

Retained until consent is withdrawn or for 2 years following the last recorded interaction, whichever occurs first.

Based on user consent for marketing and communication activities.

Upon expiration of the applicable retention period, CarbonX will securely delete or anonymize personal data, ensuring it can no longer be linked to an identifiable individual.

6. International Data Transfers

CarbonX operates on a global scale, which may involve the transfer and processing of personal data outside the European Union (EU) or European Economic Area (EEA).
All such transfers are conducted in full compliance with the General Data Protection Regulation (GDPR) to ensure an equivalent level of protection for your personal data, regardless of where it is processed.

CarbonX applies the following safeguards to maintain GDPR compliance:

  • Standard Contractual Clauses (SCCs):
    For transfers to third countries (such as the United States) where no adequacy decision exists, CarbonX relies on the European Commission’s Standard Contractual Clauses to ensure lawful and secure data transfers to external service providers and sub-processors.

  • Binding Corporate Rules (BCRs):
    For intra-group data transfers between CarbonX entities and affiliates located outside the EU/EEA, CarbonX implements Binding Corporate Rules, ensuring consistent data protection standards and accountability within the CarbonX group.

  • Adequacy Decisions:
    Where applicable, CarbonX may transfer personal data to countries recognized by the European Commission as providing an adequate level of data protection under Article 45 GDPR.

For more details on our data transfer safeguards and applicable mechanisms, please refer to our Privacy Policy.

7. Your GDPR Rights

If you are a resident of the European Union (EU) or European Economic Area (EEA), you are entitled to the following rights under the General Data Protection Regulation (GDPR) with respect to your personal data processed by CarbonX:

Right

Description

Access

You have the right to request confirmation of whether CarbonX processes your personal data and to obtain a copy of such data. (Article 15 GDPR)

Rectification

You may request correction or completion of inaccurate or incomplete personal data. (Article 16 GDPR)

Erasure (“Right to be Forgotten”)

You may request deletion of your personal data where it is no longer necessary, where consent is withdrawn, or where processing is unlawful, subject to legal retention obligations. (Article 17 GDPR)

Restriction of Processing

You may request the temporary suspension of data processing under certain conditions (e.g., pending verification of accuracy or in cases of objection). (Article 18 GDPR)

Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. (Article 20 GDPR)

Objection

You may object to processing based on legitimate interests or for direct marketing purposes. (Article 21 GDPR)

Withdraw Consent

Where processing is based on your consent (e.g., for marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. (Article 7(3) GDPR)

To exercise any of these rights, please log in to your CarbonX account settings or contact our Data Protection Team at: legal@carbonx.credit

CarbonX will respond to all verified data subject requests within 30 days, as required by Article 12(3) GDPR. In complex cases, this period may be extended by an additional 60 days, in which case we will inform you of the reasons for the delay.

8. Cookies and Tracking

CarbonX uses cookies and similar technologies to enhance user experience, analyze platform performance, and support marketing activities.

  • Functional cookies are essential for platform operation and cannot be disabled.

  • Analytics and marketing cookies are considered non-essential and are used only with your explicit consent.

9. Children’s Data

The CarbonX Platform is not intended for use by individuals under the age of 16.
CarbonX does not knowingly collect or process personal data from minors.
If you believe that a child has submitted personal data to CarbonX, please contact us immediately at legal@carbonx.credit so we can promptly delete such information.

10. Changes to This Statement

CarbonX may update this GDPR Compliance Statement periodically to reflect changes in our practices, technologies, or legal obligations.
When updates are significant, we will notify users via email or in-platform notifications.
Your continued use of CarbonX services following such notice constitutes acceptance of the updated terms.

11. Complaints

If you are dissatisfied with how CarbonX handles your personal data or your data protection request, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

For a list of EU supervisory authorities and their contact information, please visit the European Data Protection Board (EDPB) website.

12. Contact Us

For all inquiries regarding this GDPR Compliance Statement or your personal data rights, please contact:

Carbon Trade AG
Rossbergstrasse 16
6422 Steinen, Switzerland
legal@carbonx.credit

CarbonX’s Data Protection Team will review and respond to verified GDPR-related requests within 30 days, in accordance with applicable data protection laws.