Privacy Policy
Last updated: 2nd April 2026
This Privacy Policy explains how CarbonCert (“we”, “us”, “our”) collects and uses personal data. CarbonCert is operated by eCarbon Ltd, a company registered in England and Wales (Company No. 17127091).
Website: https://www.carboncert.com
Data Controller: eCarbon Ltd
Address: 4th Floor, Silverstream House, Fitzroy Street, London W1T 6EB, United Kingdom
Email: [email protected]
Data We Collect
Information you provide
- Account details (name, email, password).
- Business details (company name, address, sector).
- Subscription selections and service settings.
- Support enquiries or messages.
Payment information
We use Stripe to process payments. We do not store or have access to full card details. Stripe processes payment data in accordance with their own privacy policy.
Automatically collected data
- IP address and device information.
- Log data (pages visited, access times, browser type).
- Authentication and session events used to secure accounts.
Cookies
Cookies are small text files stored on your device when you visit our website. UK law (the Privacy and Electronic Communications Regulations 2003) requires us to tell you what cookies we use and why.
Essential cookies
These are required for the website to function. They cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| carboncert_session | Maintains your logged-in session | 2 hours |
| XSRF-TOKEN | Prevents cross-site request forgery attacks | 2 hours |
| remember_web_* | Keeps you logged in between visits (if selected) | 5 years |
Payment cookies
Set by Stripe when you interact with a payment form. These are necessary to process payments securely.
| Cookie | Purpose | Set by |
|---|---|---|
| __stripe_mid | Fraud prevention and payment processing | Stripe |
| __stripe_sid | Fraud prevention for the current session | Stripe |
Performance and infrastructure cookies
Set by Cloudflare to deliver the website securely and efficiently.
| Cookie | Purpose | Set by |
|---|---|---|
| __cf_bm | Bot detection and security | Cloudflare |
| cf_clearance | Records that you passed a security challenge | Cloudflare |
Analytics and advertising cookies
These cookies are only set with your consent. They help us understand how visitors use our website and measure the effectiveness of our advertising.
| Cookie | Purpose | Duration | Set by |
|---|---|---|---|
| _ga | Distinguishes unique visitors | 2 years | Google Analytics |
| _ga_* | Maintains session state | 2 years | Google Analytics |
| _gcl_au | Tracks ad conversions | 90 days | Google Ads |
| _gac_* | Stores campaign information | 90 days | Google Ads |
Managing cookies
Essential, payment, and infrastructure cookies cannot be disabled without breaking the website. Analytics cookies are only set with your consent. You can also control cookies through your browser settings — all major browsers allow you to block or delete cookies. Note that blocking essential cookies will prevent you from logging in or making purchases.
For more information about cookies, visit aboutcookies.org.
How We Use Your Data
- To create and manage user accounts.
- To deliver CarbonCert services, reporting and subscriptions.
- To process payments via Stripe.
- To send service emails (account notices, billing, operational updates).
- To maintain security, prevent fraud and ensure system integrity.
- To comply with legal obligations.
Legal Basis for Processing
We process personal data under the following UK GDPR bases:
- Contract: providing our services and maintaining accounts.
- Legitimate interests: cybersecurity, fraud prevention, service improvement.
- Legal obligation: financial record-keeping and compliance.
- Consent: where explicitly required (e.g., marketing emails).
Sharing Your Data
We share personal data only when necessary:
- Stripe: payment processing.
- Service providers: hosting, analytics, email delivery.
- Legal/regulatory bodies: where required by law.
We do not sell personal data.
International Transfers
Service providers may store data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as UK GDPR-approved transfer mechanisms.
Data Retention
We keep data only as long as required for:
- operating accounts and subscriptions;
- legal, tax and accounting obligations;
- security and fraud prevention.
You may request deletion at any time (subject to legal retention requirements).
Account Security
We use encryption, access controls and monitoring to protect personal data. Users are responsible for maintaining the confidentiality of their login credentials.
Your Rights
Under UK GDPR you may request:
- access to your data;
- correction of inaccuracies;
- deletion of your data;
- restriction of processing;
- data portability;
- to withdraw consent (where applicable).
Requests can be sent to the contact email provided above.
Marketing
We only send marketing emails when you have opted in. You can opt out at any time via the link in the email or by contacting us.
Children
Our services are not intended for individuals under 18. We do not knowingly collect data from minors.
Third-Party Links
Our website may link to third-party websites. We are not responsible for their privacy practices.
Changes to This Policy
We may update this policy when necessary. Updated versions will appear on this page with a revised date.