Privacy Policy

    Last Updated: May 22, 2026

    1. Data Controller

    The data controller for personal data processed through the ClimatePoint Eco Report Builder (the 'Platform') is:

    ClimatePoint AS Organisation number: 929 099 389 Registered address: Universitetsgata 12, 0164 Oslo, Norway Email: [email protected] Data Protection Officer: [email protected]

    This Privacy Policy is governed by the EU General Data Protection Regulation (GDPR) as incorporated into Norwegian law through the Norwegian Personal Data Act (Personopplysningsloven) and the EEA Agreement.

    2. Information We Collect

    We collect personal information necessary to provide and secure access to the Platform, including:

    • User Profile Data: Name, professional email address, and job role.
    • Usage Data: Log data, IP addresses, and interaction history within the Platform for security and audit purposes.
    • Authentication Data: Login credentials managed through our authentication provider.

    3. Client Business Data

    The Platform processes confidential business data provided by clients, such as Bill of Materials (BOM), production volumes, and supply chain logistics. This data is used exclusively for generating environmental impact assessments and is protected by strict access controls and Row-Level Security (RLS) in our database.

    Client business data is processed on behalf of the client organisation (the data controller for their own data) under a separate Data Processing Agreement (DPA).

    4. Legal Basis for Processing (GDPR Article 6)

    We process personal data on the following lawful bases:

    • Contract Performance (Art. 6(1)(b)): Processing user profile and authentication data is necessary to provide access to the Platform and deliver our services under your organisation's agreement with ClimatePoint.
    • Legitimate Interest (Art. 6(1)(f)): We process usage data and log data for Platform security, fraud prevention, and service improvement. Our legitimate interest is balanced against your rights and does not override your fundamental freedoms.
    • Legal Obligation (Art. 6(1)(c)): We may process data to comply with applicable Norwegian law, including accounting and tax obligations.
    • Consent (Art. 6(1)(a)): Where required, such as for optional analytics or marketing communications. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

    5. Data Security

    We implement industry-standard technical and organisational security measures to protect your data, in accordance with GDPR Article 32. These include:

    • Encryption of data in transit (TLS) and at rest.
    • Access controls based on organisational membership and role-based permissions.
    • Row-Level Security (RLS) enforced at the database layer.
    • Regular security audits and vulnerability assessments.
    • Breach detection and incident response procedures.

    6. How We Use Information

    We use the collected data to:

    • Provide and maintain the Platform services.
    • Authenticate users and prevent unauthorised access.
    • Generate and display environmental impact reports for clients.
    • Improve Platform performance and user experience through anonymised usage analysis.
    • Comply with legal and regulatory obligations.

    7. Data Sharing & Third Parties

    We do not sell your personal or business data for monetary consideration. We may share information with trusted service providers (sub-processors) only to the extent necessary to operate the Platform:

    • Cloud hosting and database services (Supabase / AWS)
    • Authentication services (Supabase Auth)
    • AI-assisted analysis services (OpenAI, for manufacturing process suggestions only — no personal data is sent)
    • Web analytics (Google Analytics) — only loaded after you grant analytics consent. Data is anonymized (IP truncation, no advertising signals).
    • Website visitor identification (Apollo.io) — only loaded after you grant marketing consent. Apollo collects your IP address, page views, and a first-party visitor identifier to help us identify business visitors for sales outreach. See Apollo's privacy notice at https://www.apollo.io/privacy-policy.
    • Identity resolution (LiveIntent) — loaded as a sub-processor of Apollo when marketing consent is granted. LiveIntent performs cross-site identifier resolution (hashed email/device ID matching) used by Apollo to enrich visitor profiles. See LiveIntent's privacy notice at https://www.liveintent.com/services-privacy-policy/.

    Under the California Consumer Privacy Act (CCPA/CPRA) and similar US state laws, the use of Apollo and LiveIntent for visitor identification and cross-context behavioral advertising may qualify as 'sharing' of personal information, even though no money changes hands. US residents can opt out at any time — see Section 11 below.

    All sub-processors are bound by Data Processing Agreements ensuring GDPR-equivalent protections. A list of current sub-processors is available upon request.

    8. International Data Transfers

    Your data may be processed in countries outside the EEA. Where this occurs, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:

    • EU Standard Contractual Clauses (SCCs) with supplementary measures where required.
    • Transfer Impact Assessments (TIAs) for each transfer destination.
    • Reliance on European Commission adequacy decisions where available.

    You may request details of the specific safeguards applied to your data by contacting our Data Protection Officer.

    9. Your Rights Under GDPR

    Under the GDPR and Personopplysningsloven, you have the following rights regarding your personal data:

    • Right of Access (Art. 15): Obtain confirmation of whether your data is being processed and request a copy.
    • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
    • Right to Erasure (Art. 17): Request deletion of your personal data ('right to be forgotten').
    • Right to Restrict Processing (Art. 18): Request that we limit how we use your data.
    • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
    • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
    • Right Against Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that significantly affect you.

    To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond within 30 days as required by law.

    10. Data Retention

    We retain personal data only as long as necessary for the purposes described in this policy:

    • User profile data: Retained for the duration of the user's active account. Deleted within 90 days of account closure.
    • Usage and log data: Retained for up to 12 months for security and audit purposes.
    • Client business data: Retained for the duration of the client engagement. Upon termination, data is securely deleted or returned within 90 days, unless longer retention is required by Norwegian accounting or tax law (Bokforingsloven).
    • Audit trail data: Retained for 5 years in accordance with Norwegian regulatory requirements.

    11. US State Privacy Rights (CCPA/CPRA & Others)

    If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, or other US states with applicable privacy laws, you have the following rights:

    • Right to Know — request what personal information we collect, use, and share.
    • Right to Delete — request deletion of your personal information.
    • Right to Correct — request correction of inaccurate personal information.
    • Right to Opt Out of Sale/Share — opt out of the 'sharing' of personal information for cross-context behavioral advertising (Apollo + LiveIntent visitor identification).
    • Right to Limit Use of Sensitive Personal Information.
    • Right to Non-Discrimination — we will not deny services or charge different prices for exercising these rights.

    How to opt out:

    1. Click 'Do Not Sell or Share My Personal Information' in the site footer, or reopen the Cookie Preferences banner and disable Marketing cookies.
    2. Enable Global Privacy Control (GPC) in your browser — we automatically detect and honor this signal, disabling all marketing/sharing trackers.
    3. Email [email protected] with the subject 'US Privacy Rights Request' to exercise any other right. We respond within 45 days as required by law.

    Authorized agents: you may designate an authorized agent to make a request on your behalf. We will verify the agent's authorization before processing.

    We do not knowingly sell or share the personal information of minors under 16.

    12. Cookies & Tracking Technologies

    We use cookies and similar technologies to operate the Platform, measure usage, and identify business visitors. You can review and change your choices at any time via the 'Cookie Preferences' link in the site footer. Withdrawal of consent is as easy as giving it (GDPR Art. 7(3)).

    Strictly Necessary (always on — no consent required, ePrivacy Art. 5(3) exemption)

    • Supabase auth session cookie (sb-access-token) — provider: Supabase — purpose: keep you signed in — retention: 1 hour (rotated).
    • Supabase auth refresh token (sb-refresh-token) — provider: Supabase — purpose: refresh your session without re-login — retention: 30 days.
    • Consent record (consent:cookies, localStorage) — provider: ClimatePoint (first-party) — purpose: remember your cookie choices and prove consent under GDPR Art. 7(1) — retention: until you reset or version bumps.
    • UI preferences (localStorage) — provider: ClimatePoint (first-party) — purpose: remember UI settings (theme, expanded panels) — retention: until you clear browser storage.

    Analytics (requires consent — GDPR Art. 6(1)(a), ePrivacy Art. 5(3))

    • _ga — provider: Google Analytics (Google Ireland Ltd. / Google LLC) — purpose: distinguish unique users (anonymized, IP truncation enabled, advertising signals disabled) — retention: 2 years.
    • ga<container-id> — provider: Google Analytics — purpose: session state — retention: 2 years.
    • Transfer: data may be processed in the United States under EU Standard Contractual Clauses (Module 2) with supplementary measures.

    Marketing (requires consent — GDPR Art. 6(1)(a), ePrivacy Art. 5(3); auto-denied when Global Privacy Control is on)

    • Apollo visitor identifier (first-party cookie) — provider: Apollo.io (Apollo.io Inc.) — purpose: identify returning business visitors for B2B sales outreach — retention: up to 1 year.
    • LiveIntent identity cookies (li_, li) — provider: LiveIntent Inc. (Apollo sub-processor) — purpose: cross-site identifier resolution to enrich visitor profiles — retention: up to 1 year.
    • Transfer: data is processed in the United States under EU Standard Contractual Clauses (Module 2) and a Transfer Impact Assessment. Apollo and LiveIntent operate under written Data Processing Agreements with ClimatePoint.

    Global Privacy Control (GPC): when your browser sends a GPC signal, we automatically disable all Marketing trackers regardless of your stored choice (CCPA 2026 and emerging EU guidance). The marketing toggle in our banner is also disabled while GPC is on.

    Do Not Track (DNT): we currently treat DNT as informational. GPC is the binding signal we honor.

    Third-party cookie policies: Google Analytics — policies.google.com/privacy. Apollo — apollo.io/privacy-policy. LiveIntent — liveintent.com/services-privacy-policy.

    Version: 2026-05-22