Privacy Policy

1. Privacy at a Glance

This table is your complete quick-reference summary. Every row is expanded in full detail below. The guiding principle behind every decision in this table is the same: collect less, keep less, sell never.

2. About This Policy — Who We Are and What This Covers

GreenCalculus.com (“GreenCalculus,” “we,” “our,” or “us”) is a premier B2B platform providing 1,000+ high-precision environmental and carbon calculators to sustainability officers, corporate compliance teams, and government engineers worldwide.

Controller identity: This website is operated by GreenCalculus.com. For all data protection enquiries, our appointed Data Protection Officer is contactable at dpo@greencalculus.com. For general privacy questions that do not constitute a formal data subject request, contact privacy@greencalculus.com.

This Privacy Policy explains what data we collect, why we collect it, how long we retain it, and the rights you hold over it. It applies to all services accessible via GreenCalculus.com and any associated APIs, widgets, or integrations.

This Policy was drafted in accordance with applicable data protection law including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, Canada’s PIPEDA, Singapore’s PDPA, and Thailand’s PDPA. Where laws differ in the standard they impose, we apply the higher standard globally.

3. Calculator Input Data — Our Binding Pledge

Our calculators process commercially sensitive operational data: energy consumption figures, fuel volumes, fleet distances, refrigerant quantities, Scope 1, 2, and 3 emissions inventories, land-use metrics, supply chain figures, and more. This data is proprietary to the organisations that generate it. We treat it accordingly.

This is technically enforced, not merely a policy statement:

• Stateless computation: Our calculation engine processes inputs and returns results without writing any input values to persistent storage at any point in the request lifecycle.
• No server-side input logging: Web server and application logs record only request metadata — timestamp, endpoint called, HTTP response code. Input parameters and values are never written to logs.
• Session isolation: Where multi-step calculators use temporary server-side state, sessions are cryptographically isolated and purged immediately upon session termination or browser close.
• GHG Protocol alignment: Our data handling practices align with the confidentiality requirements of the GHG Protocol Corporate Standard and the 2026 GHG Protocol Land Sector and Removals Standard. Organisations using GreenCalculus outputs in formal sustainability disclosures can confirm their underlying inputs are not accessible to any external party.
• IEA data integrity: Regional grid emission factors in our energy calculators are sourced from the IEA Global Energy Review 2026 and updated annually. These are reference constants, not user inputs, and are publicly available.

4. What Data We Collect and Why

4.1 Identity Data

We collect the following identity information only when you voluntarily provide it:

• Name and professional title — to personalise your account experience.
• Business email address — for account creation, authentication, newsletter delivery, and support communications.
• Organisation name — to contextualise your usage and provide organisation-level features where applicable.

Legal basis (GDPR Art. 6): Contract performance for account functionality. Consent for newsletter communications. You may withdraw newsletter consent at any time via the unsubscribe link in any email or by contacting dpo@greencalculus.com.

4.2 Technical Data

We automatically collect the minimum technical information required to operate a secure, performant service:

• IP address (truncated): The last octet of your IP address is removed before any logging occurs. We retain only the /24 subnet prefix for geolocation-level security and rate-limiting. We never log full IP addresses.
• User-agent string: Browser and operating system information, used solely for rendering compatibility decisions.
• HTTP request logs: Endpoint called, HTTP response code, and response time only. No query parameters or request body content are ever logged.
• De-identified error data: Stack traces for debugging, stripped of any user-identifiable information before storage.

Legal basis (GDPR Art. 6(1)(f)): Legitimate interests — maintaining the security and performance of the platform. Retention: 90 days rolling, then automated permanent deletion. Legitimate Interests Assessments (LIAs) are available from our DPO on request.

4.3 Analytics Data

We use cookieless, privacy-first analytics to understand how our tools are used in aggregate. Our analytics are provided by Umami — a privacy-first, cookieless, open-source analytics service — chosen specifically because it:

• Does not use cookies or any persistent cross-session identifiers.
• Does not collect personal data or construct user profiles.
• Does not track users across websites or sessions.
• Provided by Umami Cloud, an open-source service operated from the EU (Germany) data region that receives only aggregate, non-personal page metrics — never shared with advertising networks and never used to build user profiles.
• Produces only aggregate statistics (e.g., “The Scope 3 Category 1 Calculator received 2,400 sessions this week”).

Legal basis (GDPR Art. 6(1)(f)): Legitimate interests — improving product quality through aggregate usage insight. No consent banner is required for this analytics implementation because no personal data is processed.

5. Our Data Minimisation Pledge

Our Zero-Bloat engineering philosophy extends directly into our data practices. We believe organisations should never have to choose between accessing powerful environmental tools and protecting proprietary operational data.

What We Deliberately Do Not Use

• No third-party advertising pixels — not Google Ads, Meta Pixel, LinkedIn Insight Tag, or any equivalent.
• No cross-site behavioural tracking or fingerprinting of any kind.
• No session-replay or heatmap tools that record keystrokes, mouse movements, or form inputs.
• No data broker integrations, lead enrichment services, or CRM data pipelines.
• No AI training data pipelines that incorporate user-submitted content or calculator inputs.

Every tracking script that does not exist on this page is one fewer vector for data leakage, one fewer third-party dependency that could be compromised, and measurably lower page weight — which reduces both load time and the carbon footprint of each page view served.

6. Cookie Policy

A cookie is a small data file stored in your browser. GreenCalculus.com uses the minimum number of cookies required to operate the service. We do not use advertising cookies, tracking cookies, or third-party cookies of any kind.

You can manage functional cookie preferences at any time via the Cookie Preference Centre in the site footer. Essential cookies cannot be disabled — they are required for the platform to function. You may also manage cookies directly at the browser level; refer to your browser’s help documentation for instructions.

7. Global Compliance — Your Privacy Rights by Jurisdiction

We honour privacy rights for all users regardless of location. The following table summarises your rights under the major frameworks we comply with. All requests are responded to at no charge.

7.1 GDPR — European Union and United Kingdom

For users in the EU and UK, GreenCalculus.com acts as the Data Controller under Regulation (EU) 2016/679 and its UK equivalent (UK GDPR).

Lawful Bases for Processing

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the service you have requested — account management and calculator computation.
• Legitimate interests (Art. 6(1)(f)): Technical logging for security and platform performance; aggregate anonymised analytics. LIAs available on request from our DPO.
• Consent (Art. 6(1)(a)): Newsletter subscriptions and functional cookies. Consent is freely given, specific, informed, and unambiguous, and may be withdrawn at any time without detriment to your access to the platform.

Your GDPR Rights — Exercisable Free of Charge Within 30 Days

Data Transfers Outside the EEA

Where personal data is transferred outside the European Economic Area, we ensure adequate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914/EU, and Transfer Impact Assessments (TIAs) where required by applicable guidance.

Supervisory Authority

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. We strongly encourage you to contact our DPO at dpo@greencalculus.com first — we commit to responding within 2 business days and resolving most concerns without the need for regulatory escalation.

7.2 CCPA and CPRA — California Consumers

GreenCalculus.com complies with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.

California Consumer Rights

• Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you in the past 12 months, and the purposes for which it was collected.
• Right to Delete: Request deletion of personal information we have collected, subject to certain legal exceptions.
• Right to Correct: Request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale/Sharing: We do not sell or share data, but we acknowledge and honour all opt-out requests submitted.
• Right to Limit Sensitive Personal Information: We do not process sensitive personal information for any purpose beyond providing the requested service.
• Right to Non-Discrimination: We will never discriminate against you — in service quality, pricing, or access — for exercising any privacy right.

To exercise your California rights, email privacy@greencalculus.com. We will respond within 45 days. In complex cases, we may extend by a further 45 days with written notice.

8. Data Security and Hosting

We apply industry-standard technical and organisational security measures at every layer of the platform.

8.1 Hosting Infrastructure

• Cloud hosting: Production infrastructure is hosted on SOC 2 Type II certified data centres — EU-West region for EU/UK users, Singapore region for Asia-Pacific users. Our hosting infrastructure is also aligned with ISO/IEC 27001 information security management standards.
• Data residency: EU/UK user data does not leave EU-West data centres under normal operating conditions. Asia-Pacific user data is processed in Singapore-region data centres.

8.2 Encryption

• Data in transit: All connections to GreenCalculus.com are encrypted using TLS 1.3 (minimum TLS 1.2). HTTP Strict Transport Security (HSTS) is enforced with a max-age of one year and the domain is included in the HSTS preload list.
• Data at rest: All data stored in our databases is encrypted at rest using AES-256, including all database backups.
• Credentials and secrets: API keys, database credentials, and secrets are managed via industry-standard secrets management systems. They are never stored in source code, configuration files, or logs.

8.3 Access Controls

• Least privilege: Staff access to production systems is role-based and restricted to the minimum required to perform the relevant function.
• Multi-factor authentication: Required for all staff access to production systems and administrative interfaces without exception.
• Audit logging: All administrative access to systems that store personal data is logged and reviewed on a quarterly basis.

8.4 Incident Response

In the event of a data breach likely to result in a risk to the rights and freedoms of individuals, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights, in accordance with GDPR Article 34.
• Maintain a documented internal record of all breaches, including those not requiring external notification, in accordance with GDPR Article 33(5).

9. Data Retention — How Long We Keep What We Hold

We retain data only for as long as strictly necessary for the purpose it was collected, or as required by applicable law. At the end of every retention period, data is deleted using secure erasure methods that render recovery infeasible.

You may request earlier deletion of any personal data we hold at any time — see Section 7 for your rights and the contact details to use.

10. Third-Party Processors — Who Touches Your Data

We use a small number of carefully vetted sub-processors. Each is bound by a Data Processing Agreement (DPA) that meets GDPR Article 28 requirements. We do not permit any sub-processor to use your data for their own commercial purposes.

Enterprise customers may request our standard Data Processing Agreement by contacting dpo@greencalculus.com. We will notify account holders of any material changes to our sub-processor list at least 30 days in advance.

11. Children’s Privacy

GreenCalculus.com is a professional B2B platform designed for use by corporate teams, sustainability officers, and government engineers. Our services are not directed at persons under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has submitted personal data to this platform, please contact dpo@greencalculus.com immediately and we will delete it without delay.

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in law, technology, or our data practices. We will notify you of any material changes by:

• Publishing the revised policy at greencalculus.com/privacy with an updated Effective Date and version number.
• Sending an email notification to all registered account holders at least 14 days before any material change takes effect.
• Displaying a prominent notice on the platform for 30 days following any material change.

The current version is always the authoritative version. Earlier versions are available on request from dpo@greencalculus.com.

13. Contact Our Data Protection Officer

GreenCalculus.com has appointed a Data Protection Officer (DPO) as required under GDPR Article 37. Our DPO is your primary contact for all formal privacy matters. We commit to acknowledging all data subject requests within 2 business days and resolving them within the statutory timeframe.