Privacy Policy
Effective date: 1 April 2025 | Last updated: 29 May 2026
Regional addendums covering specific data protection rights are included below.
1. Who we are and our role
Greenio is operated by Clasio UK Ltd, registered in England and Wales (company number 14759860).
For UK GDPR and EU GDPR purposes, Greenio is the Data Controller. For India's DPDPA 2023, Greenio is the Data Fiduciary. Where you use the Supplier Emissions feature, Greenio acts as a Data Processor on your behalf in respect of personal data in supplier submissions.
2. Data we collect
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, work email, organisation name, country, role | Authentication and account management |
| Emissions data | Electricity, fuel, refrigerants, Scope 3 activities, production output | Core service: carbon accounting and reporting |
| Organisation profile | Sector, employee count, reporting period, revenue, frameworks selected | Report generation (BRSR, SECR, CSRD, CCTS, PAT) |
| Supplier data | Supplier contact name, email, company details, submitted emissions data | Scope 3 Category 1 data collection |
| Team and audit data | Team member emails, CA/auditor details, review actions and timestamps | Multi-user access and audit trail |
| Usage data | Pages visited, features used, timestamps | Product improvement and support |
| Technical data | IP address, browser type, device type, error logs | Security and fraud prevention |
We do not collect payment card details directly. We do not sell your data. We do not use your data to train AI models without explicit consent.
3. How we use your data
- Providing, maintaining, and improving the Greenio platform
- Generating carbon accounting reports and regulatory filings (BRSR, SECR, CSRD, CCTS MRV Reports) on your behalf
- Processing supplier emissions requests and managing Scope 3 data collection
- Sending service communications, billing receipts, and supplier request emails
- Sending automated reminders for outstanding supplier data requests
- Anonymised benchmarking - no individual data shared
- Complying with legal obligations and preventing fraud
4. Legal basis for processing
- Contract performance: delivering the service you subscribed to
- Consent: optional communications; withdraw at any time
- Legitimate interests: platform security, fraud prevention, anonymised analytics
- Legal obligation: where required by applicable law
5. Data storage and security
Your data is stored on Supabase (PostgreSQL) servers in the European Union (eu-west region). Application hosting is via Vercel. Supplier-uploaded files are stored in a private Supabase Storage bucket accessible only via time-limited signed URLs.
We use TLS encryption in transit, AES-256 at rest, row-level security for data isolation, and role-based access controls. In the event of a breach likely to risk your rights, we will notify you and the relevant authority within 72 hours (UK/EU GDPR) or as required by applicable law.
6. International data transfers
- UK ↔ EU: Covered by mutual adequacy decisions between the UK and EU
- UK/EU → India: Transfers made under Standard Contractual Clauses or equivalent safeguards
- Supabase and Vercel: Both have executed Data Processing Agreements covering international transfers
7. Data sharing
We share data only with: Supabase (database and storage), Vercel (hosting), payment processors (billing only), professional advisors (confidentiality bound), regulatory authorities (where required by law - BEE, MoEFCC, SEBI, ICO, national DPAs), and suppliers (your organisation name and contact when you send a request).
All sub-processors are bound by data processing agreements.
8. Supplier data handling
Supplier contacts receive your organisation name and a tokenised link. Supplier submissions are stored securely and accessible only to your organisation. Supplier contacts may contact hello@greenio.co to query data usage. UK/EU supplier contacts retain full GDPR rights in respect of personal data in their submissions.
9. Data retention
We retain account and emissions data for as long as your account is active, plus 7 years after closure (statutory record-keeping requirements). Upon closure, data is available for export for 30 days before deletion.
10. Your rights (universal)
- Access: request a copy of your personal data
- Correction: request correction of inaccurate data
- Erasure: request deletion, subject to legal retention
- Data portability: CSV export available directly in the platform
- Withdraw consent: at any time without affecting prior processing
Email hello@greenio.co to exercise any right. We respond within 30 days.
11. Cookies
We use only essential session cookies required for authentication. We do not use advertising cookies, cross-site tracking, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.
12. Changes to this policy
Material changes will be notified by email or in-platform notice at least 14 days before taking effect. Continued use constitutes acceptance.
13. Contact
Greenio
Email: hello@greenio.co
Where there is a conflict between a regional addendum and the universal policy, the addendum takes precedence for users in that region.
UK Users - UK GDPR
Data Controller
Clasio UK Ltd (company number 14759860) is the UK GDPR Data Controller, registered with the Information Commissioner's Office (ICO).
Additional rights under UK GDPR
- Right to object to processing based on legitimate interests
- Right to restrict processing in certain circumstances
- Right not to be subject to solely automated decision-making producing significant effects
Supervisory authority
Information Commissioner's Office (ICO)
Website: ico.org.uk
Data transfers
Data is stored on EU-based Supabase servers. The UK has recognised the EU as providing adequate protection under UK GDPR, so no additional safeguards are required.
EU Users - EU GDPR
Applies to users in Germany, France, Italy, Netherlands, Sweden, Portugal, Estonia, Lithuania, Ireland, Austria, Belgium, Spain, Poland, Denmark, and Latvia.
Transfers from EU to UK
The European Commission has adopted an adequacy decision for the UK. Transfers from the EU to Greenio are lawful under Article 45 GDPR without additional safeguards.
Additional rights under EU GDPR
- Right to object to processing based on legitimate interests or for direct marketing
- Right to restrict processing in certain circumstances
- Right not to be subject to solely automated decision-making
- Right to lodge a complaint with your national DPA
Data Processing Agreement
EU organisations subject to GDPR may request a DPA (Article 28 GDPR) by emailing hello@greenio.co. The DPA covers processing instructions, security measures, sub-processor details, and data subject rights.
National supervisory authorities
Full list available at edpb.europa.eu
India Users - DPDPA 2023
Data Fiduciary
Greenio is the Data Fiduciary under DPDPA 2023 in respect of personal data of Indian users.
Additional rights under DPDPA 2023
- Right to information about personal data being processed
- Right to correction and erasure of inaccurate or unnecessary data
- Right to grievance redressal - response within the DPDPA prescribed period
- Right to nominate another individual to exercise rights on your behalf
Cross-border transfers
Data is stored on EU-based servers. Transfers are made in accordance with Section 16 DPDPA 2023 and applicable Central Government rules, with appropriate safeguards maintained.
Grievance Officer
Greenio Grievance Contact
Email: hello@greenio.co
Acknowledgement within 48 hours. Resolution within 30 days.
Data Protection Board
If your grievance is unresolved, you may approach the Data Protection Board of India once constituted under DPDPA 2023.