Privacy Policy

Effective date: 1 January 2025 · Last updated: 1 January 2025

CarbonOS is GDPR-aligned. Emissions use UK & EU regulatory frameworks with deterministic calculations. Tenant data stays isolated. Questions: hello@complyraone.com. Cookie detail: Cookie policy.

1. Introduction

TechPeak Lab Ltd ("we", "us", "our") is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and applicable UK and European data protection laws.

This Privacy Policy describes how we collect, use, store, and protect personal data when you use our platform, website, and services. By using CarbonOS, you agree to the practices described in this policy.

Controller: TechPeak Lab Ltd, 20 Wenlock Road, London, N1 7GU, United Kingdom (company number 15974827). Email: hello@complyraone.com

2. Data We Collect

We collect the following categories of personal data:

Account Data: Name, work email address, job title, and authentication credentials when you register for an account.

Organizational Data: Company name, VAT number, registered address, and billing information provided during onboarding.

Usage Data: Platform activity logs, feature usage patterns, login timestamps, and IP addresses for security and operational purposes.

Communication Data: Messages and files submitted through our support system, email correspondence, and form submissions.

We do not collect sensitive personal data (special categories under GDPR Article 9) in the normal course of providing our services.

3. How We Use Your Data

We process your personal data for the following purposes:

Service delivery: Providing, operating, and improving the CarbonOS platform and associated services.

Account management: Creating and managing your user account, authenticating sessions, and enforcing access controls.

Billing and licensing: Processing payments, managing license agreements, and sending billing communications.

Security: Detecting and preventing unauthorized access, fraud, and other security incidents.

Legal compliance: Meeting our obligations under applicable laws, including tax and accounting regulations.

We do not sell personal data to third parties. Customer data is not used to train AI or machine learning models. We do not engage in profiling for marketing purposes.

4. Tenant Data Isolation

CarbonOS is a multi-tenant platform. Each customer organization (tenant) operates within a fully isolated workspace. Data belonging to one tenant is never accessible to or shared with another tenant.

Technical isolation is enforced at the database, storage, and application layer through row-level security policies, strict access control enforcement, and operational procedures. Elevated access requires authorization and is logged.

5. Regulatory Frameworks and Calculations

CarbonOS does not use artificial intelligence or machine learning to make compliance decisions, categorize emissions, or produce regulatory outputs.

Emissions are calculated deterministically from published conversion factors with a versioned, auditable engine—not by AI or machine learning.

CarbonOS aligns operational reporting workflows to recognized frameworks, including UK Government DEFRA / GOV.UK GHG conversion factors, GHG Protocol scopes, and CSRD-era ESRS E1-style GHG exports. Scope and category hints that appear when you select a conversion factor reflect published dataset metadata—not probabilistic inference or automated AI judgment.

Customer data is not used to train AI or machine learning models. This applies to all data stored in CarbonOS, including emission entries, evidence documents, task content, report data, and support communications. This policy is contractually enforceable and forms part of our Data Processing Agreement (DPA).

6. Data Storage and Transfers

All customer data is stored within the European Economic Area (EEA) on infrastructure hosted in data centers certified to ISO 27001 and SOC 2 Type II standards.

We do not transfer personal data outside the EEA unless required by applicable law. Where subprocessors outside the EEA are used, we ensure adequate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission.

Our primary infrastructure is hosted on servers located in Germany and the Netherlands.

7. Data Retention

We retain personal data for as long as your account is active or as needed to provide our services. Upon account termination:

- Active workspace data is retained for 30 days in read-only mode
- After 30 days, data is moved to secure archival storage for 90 days
- After 120 days, all data is permanently deleted unless subject to a legal hold

You may request early deletion of your data at any time by contacting hello@complyraone.com. We will complete deletion within 30 days of a verified request.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right of access (Article 15): Request a copy of the personal data we hold about you.

Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.

Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention requirements.

Right to restriction of processing (Article 18): Request restriction of processing in certain circumstances.

Right to data portability (Article 20): Receive your data in a structured, machine-readable format.

Right to object (Article 21): Object to processing based on legitimate interests.

To exercise any of these rights, contact us at hello@complyraone.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom or your local supervisory authority.

9. Security

We implement technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or alteration. These measures include:

- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption in transit for all communications
- Multi-factor authentication for all administrative access
- Regular penetration testing by independent third parties
- SOC 2 Type II annual audit
- ISO 27001 certification
- Role-based access controls throughout the platform
- Automated anomaly detection and alerting

In the event of a personal data breach, we will notify affected customers and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

10. Cookies

CarbonOS uses strictly necessary cookies for session management and authentication. We do not use tracking cookies, advertising cookies, or third-party analytics that process personal data.

See the dedicated Cookie Policy: /cookies

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the platform at least 30 days before changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

This policy was last updated on 1 January 2025.