Privacy Policy
Last updated: February 2, 2026 · Compliant with India's DPDP Act 2023 & the GDPR
1. Who We Are
CarbonCred ("we", "our", "us") is a climate-fintech platform operating in India. We are the data fiduciary (the "controller" in GDPR terms) for the personal information you share with us.
2. What We Collect
- Account info: Name, email, phone (optional), role, region, profile picture.
- Eco-action data: Photos, GPS coordinates, timestamps, action descriptions.
- Financial info: UPI ID or bank details (only when you request cash-out). Payment details go directly to Razorpay — we don't store card numbers.
- Device data: Browser, IP address, session logs (for security & fraud detection).
- Usage data: Pages visited, features used (to improve the Platform).
3. Why We Collect It
- To run your account, wallet, and eco-action verification.
- To process Buy Creditz and Cash-Out transactions.
- To detect fraud, prevent duplicate submissions, and enforce Terms.
- To send notifications (transactional; marketing only with opt-in).
- To generate anonymized impact analytics for governments and corporates.
4. Who We Share With
- NGO Verifiers: Your photo, GPS, and submitted details (never your bank info).
- Razorpay: Payment processing.
- Cloud providers: MongoDB Atlas (data hosting), Google (AI verification of eco-action submissions via Gemini).
- Government/corporate dashboards: Only aggregate, anonymized statistics — never your personal profile.
- Legal: When required by law or court order.
We do not sell your personal data to advertisers.
5. Your Rights (DPDP Act 2023 & GDPR)
- Access: Request a copy of all your data.
- Correction: Update inaccurate information.
- Erasure: Delete your account and all associated data (some records like financial transactions may be retained per Indian tax law for 8 years).
- Portability: Export your data in JSON format.
- Withdraw consent: Turn off marketing notifications anytime in Profile.
- Grievance: Contact our Data Protection Officer at dpo@carboncred.io.
6. Data Security
- Passwords hashed with bcrypt (never stored in plain text).
- All API traffic over HTTPS (TLS 1.3).
- Short-lived JWT access tokens, with refresh-token rotation on each renewal.
- Photos encrypted at rest in MongoDB Atlas.
- Rate limiting on authentication endpoints to slow down brute-force and credential-stuffing attempts.
- Audit logs for every admin action.
7. Cookies
We set a single HttpOnly cookie, session_token, to keep you signed in after Google Sign-In. We use no third-party tracking cookies.
8. Data Retention
- Active accounts: retained while you use the Platform.
- Deleted accounts: personal data purged within 30 days.
- Financial transaction records: 8 years (Indian tax law).
- Audit logs: 2 years.
9. Children
CarbonCred is not for users under 18. If you believe a minor has created an account, email us and we'll delete it.
10. Changes to This Policy
We'll notify you via in-app banner and email if we make material changes.
11. Contact
Data Protection Officer: dpo@carboncred.io