DPDP Act 2023 Compliant

Privacy Policy

IndiCarbon AI ("we", "us", "our") is committed to protecting the privacy of our users. This policy explains how we collect, use, store, and protect your data.

Last updated: June 17, 2026 · Effective: June 17, 2026

1. Information We Collect

Account Information

When you register, we collect your name, email address, organisation name, and role. If you sign up via SSO, we receive your identity token from the provider.

Emissions & Compliance Data

Data you submit through the platform — GHG emission reports, document uploads, BRSR disclosures, and carbon credit transactions — is stored in your organisation's isolated tenant within our database.

Usage & Telemetry

We collect anonymised usage metrics (pages visited, feature adoption, API call counts) to improve the product. We do not record individual keystrokes or capture screen recordings.

AI Interaction Data

Conversations with our AI agents (Auditor, Strategist) and MCP tool invocations are logged for quality assurance and human-in-the-loop (HITL) review. These logs are scoped to your organisation and are not shared with other tenants.

2. How We Use Your Data

Platform Operations

Your data is used to provide carbon accounting, compliance reporting (BRSR, CCTS), marketplace trading, and AI-powered analysis services as described in our product documentation.

AI Model Improvement

We do not use your proprietary emissions data or documents to train foundation models. AI agents run on privately hosted LLMs (Ollama) within our infrastructure. Document analysis results are used only to serve your requests.

Regulatory Compliance

We may process your data to generate reports required by SEBI, CPCB, BEE, or other Indian regulatory bodies — but only when you explicitly initiate such reports through the platform.

3. Data Storage & Security

Infrastructure

All data is stored in Supabase (PostgreSQL) with row-level security (RLS) enforcing tenant isolation. Documents are stored in Supabase Storage with presigned URLs for access control.

Encryption

Data is encrypted at rest (AES-256) and in transit (TLS 1.3). JWT tokens are signed with RS256 and expire after 1 hour. Refresh tokens expire after 7 days.

Access Control

Role-based access control (RBAC) with six levels — SUPER_ADMIN, ORG_ADMIN, AUDITOR, ANALYST, TRADER, and VIEWER — ensures users only access data appropriate to their role.

4. Data Sharing & Third Parties

No Sale of Data

We do not sell, rent, or trade your personal or organisational data to third parties.

Service Providers

We use Supabase for database and authentication, Redis for caching, and Langfuse for AI observability. These providers process data under strict data processing agreements.

Marketplace Counterparties

When you execute a trade on the carbon marketplace, your organisation name and trade details are shared with the counterparty as part of the settlement process. No personal data is shared.

5. Your Rights (DPDP Act 2023)

Access & Correction

You can view and update your profile, organisation details, and submitted data at any time through the Settings page or via the API.

Data Portability

You can export your emissions data, BRSR reports, and trade history in CSV or JSON format from the dashboard.

Erasure

You may request complete deletion of your account and associated data by contacting privacy@indicarbon.ai. We will process erasure requests within 30 days, subject to regulatory retention requirements.

Grievance Redressal

Our Data Protection Officer can be reached at dpo@indicarbon.ai. We acknowledge grievances within 48 hours and resolve them within 30 days as required under the DPDP Act.

6. Cookies & Local Storage

Essential Only

We use localStorage to persist your JWT session token and Redux state. We do not use third-party tracking cookies, advertising pixels, or cross-site trackers.

7. Data Retention

Active Accounts

Your data is retained for as long as your account is active. Emissions data and compliance reports are retained for the duration required by applicable Indian regulations (typically 8 years for financial records).

Deleted Accounts

Upon account deletion, personal data is purged within 30 days. Anonymised aggregate data (sector benchmarks, platform statistics) may be retained indefinitely.

8. Changes to This Policy

We will notify you of material changes via email and an in-app banner at least 15 days before they take effect. Continued use of the platform after the effective date constitutes acceptance.

Questions about your data?

Contact our Data Protection Officer at dpo@indicarbon.ai