Carbon Border LLC emblem
Carbon Border LLC
Authorise EORI

Legal

Privacy Policy

Effective 22 April 2026 · GDPR · UK GDPR · CCPA aligned

1. Controller

Carbon Border LLC is the data controller for personal data processed through the compliance platform. Contact: privacy@carbonborder.net.

2. Data We Process

Account data (name, email, company, EORI), authentication metadata, shipment and supplier data submitted by you, generated compliance artefacts, and operational telemetry (IP, device, audit logs). We do not process special-category data.

3. Legal Bases

We rely on (a) contract performance to operate the Service, (b) legal obligation for the five-year CBAM retention period, and (c) legitimate interests for security monitoring and product improvement.

4. Sub-Processors

We use vetted EU-based sub-processors for hosting, transactional email, and AI document generation. A current list is available on request. Standard Contractual Clauses are in place where data leaves the EEA.

5. Retention

Compliance records are retained for five (5) years per Regulation (EU) 2023/956, Article 10. Account data is retained for the lifetime of the account plus thirty (30) days unless extended by statutory obligation.

6. Your Rights

You may request access, rectification, erasure (outside retention obligations), restriction, portability, or object to processing. Contact privacy@carbonborder.net. You have the right to lodge a complaint with your supervisory authority.

7. Security

We operate an ISO 27001-aligned ISMS, encrypt data in transit (TLS 1.3) and at rest (AES-256), enforce least-privilege access, and maintain hash-chained audit trails.

8. Cookies

We use only strictly necessary cookies for authentication and security. No advertising or cross-site tracking cookies are set.

9. Updates

Material changes will be notified via email at least thirty (30) days before taking effect.