Privacy Policy

Last updated: February 2, 2026 · Compliant with India DPDP Act 2023 & GDPR

1. Who We Are

CarbonCred ("we", "our", "us") is a climate-fintech platform operating in India. We're the data fiduciary for information you share with us.

2. What We Collect

  • Account info: Name, email, phone (optional), role, region, profile picture.
  • Eco-action data: Photos, GPS coordinates, timestamps, action descriptions.
  • Financial info: UPI ID or bank details (only when you request cash-out). Payment details go directly to Razorpay — we don't store card numbers.
  • Device data: Browser, IP address, session logs (for security & fraud detection).
  • Usage data: Pages visited, features used (to improve the Platform).

3. Why We Collect It

  • To run your account, wallet, and eco-action verification.
  • To process Buy Creditz and Cash-Out transactions.
  • To detect fraud, prevent duplicate submissions, and enforce Terms.
  • To send notifications (transactional; marketing only with opt-in).
  • To generate anonymized impact analytics for governments and corporates.

4. Who We Share With

  • NGO Verifiers: Your photo, GPS, and submitted details (never your bank info).
  • Razorpay: Payment processing.
  • Cloud providers: MongoDB Atlas (data hosting), Google (AI verification via Gemini).
  • Government/corporate dashboards: Only aggregate, anonymized statistics — never your personal profile.
  • Legal: When required by law or court order.

We do not sell your personal data to advertisers.

5. Your Rights (DPDP Act 2023 & GDPR)

  • Access: Request a copy of all your data.
  • Correction: Update inaccurate information.
  • Erasure: Delete your account and all associated data (some records like financial transactions may be retained per Indian tax law for 8 years).
  • Portability: Export your data in JSON format.
  • Withdraw consent: Turn off marketing notifications anytime in Profile.
  • Grievance: Contact our Data Protection Officer at dpo@carboncred.io.

6. Data Security

  • Passwords hashed with bcrypt (never stored in plain text).
  • All API traffic over HTTPS (TLS 1.3).
  • JWT tokens with short expiry + refresh token rotation.
  • Photos encrypted at rest in MongoDB Atlas.
  • Rate limiting on auth endpoints to block brute-force attacks.
  • Audit logs for every admin action.

7. Cookies

We use a single httpOnly cookie named session_token for Google Sign-In. We set no third-party tracking cookies.

8. Data Retention

  • Active accounts: retained while you use the Platform.
  • Deleted accounts: personal data purged within 30 days.
  • Financial transaction records: 8 years (Indian tax law).
  • Audit logs: 2 years.

9. Children

CarbonCred is not for users under 18. If you believe a minor has created an account, email us and we'll delete it.

10. Changes to This Policy

We'll notify you via in-app banner and email if we make material changes.

11. Contact

Data Protection Officer: dpo@carboncred.io