Contents of this policy
- Our privacy principles
- How to read this policy
- The type of personal information we collect
- Use of user information and why
- Public Employee Sustainability Rankings data
- Children’s privacy
- Sharing user information
- Data transfers
- Retention of information
- Data protection rights
- How to complain
- Our contact details
1. Our privacy principles
We understand and value the importance of privacy. We have therefore set the following principles for our policy:
- We only collect the personal information that we need in order to provide you with our services/products.
- We do not retain personal information for longer than is necessary.
- By allowing users to contact us easily, we offer users ways to control their personal information and express their preferences.
2. How to read this policy
3. The type of personal information we collect
We may collect the following categories of personal information that users choose to provide to us when the Carbon Jacked Employee Sustainability Platform is used or otherwise interacted with or users receive our products and services.
Information from others
For users that receive access to Carbon Jacked through their employer or other such organisation, their basic contact information is submitted to us by that organisation to facilitate their enrolment in our services.
Basic Contact information
For users to have an account and access to the Carbon Jacked Employee Sustainability Platform, we currently collect and process the following information:
- Full name
- Work email address
- Where applicable Country, Office, Team/Function
Communication and platform-based information provided by the user
When users send or respond to emails, messages, or other communications from Carbon Jacked, we may collect user email addresses, names, and any other personal information the user chooses to include in the body content of their communications. In addition, when they interact with certain features of our Platform, we may collect the content of those interactions. For example, if users actively choose to calculate their carbon footprint using the carbon footprint calculator on the Platform, they can submit information about their lifestyle, such as their travel and the type of diet they follow.
In circumstances where users do sign up for a paid product or service from us, they may be required to provide their payment card or bank account information. Please note that Carbon Jacked does not directly process payment card information, but does rely on third-party payment processors to do so on our behalf. Please note that third party terms may apply to these payment services. Personal information collected for these purposes includes card number, type, expiration date, and billing address, and certain anonymized, limited and/or truncated versions of this information may be provided to Carbon Jacked.
There are other times users may choose to provide information to us, including in the following scenarios:
- Signing up to receive our newsletter
- Creating an account on our website
- Subscribing to our services
- Using our carbon footprint calculator
- Using our Employee Sustainability Rankings
- Asking for direct marketing to be sent
- Engaging with us on social media
- Entering a competition, promotion or survey
- Contacting us (e.g. customer services)
- Leaving comments or reviews on our services
Information we automatically collect
Our Platform and Website may collect standard tracking information from users automatically as they use them. This information may include:
- Browser and device data, such as IP address, device identifier, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons, and the language version of the Websites and Apps you are visiting; and
- Usage data, such as geolocation data, browsing history, time spent on the Platform, pages visited, links clicked, language preferences, performance of features, patterns of use, and the pages that led or referred you to our Platform including individual Websites and Apps.For example, we use Google Analytics on our Websites to help us analyse your use of our Websites and diagnose technical issues.
Please review our “Cookies and tracking technologies” section below for more information about our use of these technologies.
Aggregated, anonymous, and de-identified data
Cookies and tracking technologies
We may use both temporary and persistent cookies. Users can delete cookies in their browser anytime and they can also block cookies from being placed; however, this could affect the quality of the service.
4. Use of user information and why
We may use personal information in the following ways:
- To provide our products and services, including the delivery of content and facilitation of interactive features.
- To communicate with users regarding the Carbon Jacked Platform, products and services.
- To notify users about updates or changes to the Carbon Jacked Platform, products and or services.
- To provide customer service, answer user questions or requests for information, or handle complaints.
- Where applicable, to facilitate payment transactions, manage orders, and account for applicable sales taxes.
- To deliver on any agreements that we may have with a user, organisation or employer.
- To maintain and improve the quality of the Carbon Jacked Platform, products and services, including to perform research and development, understand our user trends, and understand the effectiveness of our marketing and advertising.
- To provide users with information about new products and services, promotions, and other opportunities that we believe may be of interest to them.
- To protect ourselves, users and others; preventing fraud and other unlawful or unauthorised activity; and creating and maintaining a trusted, secure, and reliable online environment.
- To comply with our legal obligations or conduct any legal cases where the information is relevant.
- Please note that we may also use personal information to cross-reference or convert various types of accounts that users may be associated with on our Platform, for example personal and employee accounts.
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
- Either individual consent. Users are able to remove their consent at any time. They can do this by contacting email@example.com.
- Or, we have a contractual agreement to provide users with access to the Carbon Jacked employee platform.
We may use individual information to contact users, including to fulfil our contractual obligations, such as to provide educational content about sustainability. We may also contact users about administrative and access issues for the platform where needed.
Users have the option to unsubscribe from these communications at any time.
6. Public Employee Sustainability Rankings data
For our public ‘Employee Sustainability Rankings’ we do not collect or store any personal identifying information. This includes not collecting or storing user analytics such as IP addresses.
7. Children’s privacy
Please note our Platform is intended for individuals at least 18 years old or older, as such we do not knowingly collect data relating to children.
8. Sharing user information
We may share personal data with the following categories of third parties:
- Suppliers and service providers (such as outsourced services partners, technology service providers, manufacturers and post and courier services).
- Payment services providers, e.g. via Stripe - payment processors may take personal data directly from users as part of processing a purchase, and they will be data controllers in their own right for that processing.
- Auditors and professional advisers like bankers, lawyers, accountants and insurers.
- Government, regulators and law enforcement.
We may also share data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
9. Data transfers
In some cases, where we are operating internationally, the personal information we collect may be processed outside of the country in which users reside. Not all countries have the same protections for information. However, we look to ensure that user information processed by us and our suppliers outside of a user’s country is protected in the same way as it would be if it was processed within their country.
For example, whenever we transfer information outside of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer information to countries that have been deemed to provide an adequate level of protection for personal information; or
- Where we use certain service providers, we may use specific contracts approved for use in the UK or the EEA, as applicable, which give personal information adequate protection.
10. Retention of information
We will only retain information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain information for a longer period in the event of a complaint.
To determine the appropriate retention periods for information, we will take into account factors including:
- The amount, nature and sensitivity of the information.
- The potential risk of harm from unauthorised use or disclosure of user information.
- The purposes for which we process user information and whether we can achieve those purposes through other means.
- Our contractual obligations and rights in relation to the information involved.
- Legal obligation(s) under applicable law to retain information for a certain period of time.
- Applicable regulatory, tax, accounting or other requirements;
- Our legitimate interests for retaining the information (see ‘Use of user information and why’ above).
- Whether there is an actual or potential dispute.
- Guidelines issued by relevant data protection authorities.
In some circumstances users can ask us to delete their information (see “Data protection rights” section below). At the end of a retention period, we will securely delete or anonymise their information.
We adopt robust technologies and policies to protect user information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have implemented procedures to deal with any personal data breach and will notify users and any applicable regulator of a breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we take steps to protect user information, we cannot guarantee the security of their information transmitted; any transmission is at their own risk. Once we have received their information, we will use procedures and security features to try to prevent unauthorised access.
Where users have chosen a password which allows access users are responsible for keeping this password confidential. Users must keep any password created, or other secure login method, secret, and prevent unauthorised access. We advise passwords are not shared.
12. Data protection rights
In certain circumstances, under local data protection law, users may have rights in relation to the information we hold about them. We will handle a request to exercise these rights in line with the applicable law.
If users are in the UK or the EU, they have the following rights:
- The right to be informed. They have the right to be provided with clear, transparent and easily understandable information about how we use their information and their rights. This is why we’re providing them with the information in this policy.
- The right of access. This is also known as a “data subject access request”. Users have the right to receive a copy of their information if we hold any information about them and to check that we are processing it lawfully.
- The right to rectification. Users are entitled to have any incomplete or inaccurate information we hold about them corrected, though we may need to verify the accuracy of the new information they provide to us.
- The right to erasure. This is also known as “the right to be forgotten”. Users have the right to request the deletion or removal of certain information that we hold about them where there is no good reason for us continuing to process it. The right is not absolute and only applies in certain circumstances.
- The right to restrict processing. Users have rights to block or suppress further use of their information in certain circumstances. When processing is restricted, we may still have a lawful reason to hold their information, but we will not use it further.
- The right to data portability. They have the right to receive their information in a structured, commonly used and machine-readable format. This right is not absolute and only applies in certain circumstances.
- The right to withdraw consent. Where we rely on consent to use user information, they have the right to withdraw that consent at any time. Withdrawing consent will not, however, make unlawful our use of their information before they withdraw their consent. If they withdraw their consent, we may not be able to provide certain services to them.
- The right to object to processing. Users have the right to object to certain types of processing of their information, including processing for direct marketing purposes.
If users wish to exercise their privacy rights, they can contact firstname.lastname@example.org.
13. How to complain
If users have any concerns about our use of their information, they can make a complaint to us at email@example.com.
Users can also complain to the ICO if they are unhappy with how we have used their data.
The ICO’s address:
Information Commissioner’s Office,
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
15. Our contact details
Carbon Jacked Ltd
2 The Mill, Waterside Village, Loughborough, East Midlands LE11 1FU