Privacy Policy

Effective date: 1 April 2025 | Last updated: 29 May 2026

Regional addendums covering specific data protection rights are included below.

Universal Privacy Policy - Applicable to All Users

1. Who we are and our role

Greenio is operated by Clasio UK Ltd, registered in England and Wales (company number 14759860).

For UK GDPR and EU GDPR purposes, Greenio is the Data Controller. For India's DPDPA 2023, Greenio is the Data Fiduciary. Where you use the Supplier Emissions feature, Greenio acts as a Data Processor on your behalf in respect of personal data in supplier submissions.

2. Data we collect

Category | Examples | Purpose
Account data | Name, work email, organisation name, country, role | Authentication and account management
Emissions data | Electricity, fuel, refrigerants, Scope 3 activities, production output | Core service: carbon accounting and reporting
Organisation profile | Sector, employee count, reporting period, revenue, frameworks selected | Report generation (BRSR, SECR, CSRD, CCTS, PAT)
Supplier data | Supplier contact name, email, company details, submitted emissions data | Scope 3 Category 1 data collection
Team and audit data | Team member emails, CA/auditor details, review actions and timestamps | Multi-user access and audit trail
Usage data | Pages visited, features used, timestamps | Product improvement and support
Technical data | IP address, browser type, device type, error logs | Security and fraud prevention

We do not collect payment card details directly. We do not sell your data. We do not use your data to train AI models without explicit consent.

3. How we use your data

  • Providing, maintaining, and improving the Greenio platform
  • Generating carbon accounting reports and regulatory filings (BRSR, SECR, CSRD, CCTS MRV Reports) on your behalf
  • Processing supplier emissions requests and managing Scope 3 data collection
  • Sending service communications, billing receipts, and supplier request emails
  • Sending automated reminders for outstanding supplier data requests
  • Anonymised benchmarking - no individual data shared
  • Complying with legal obligations and preventing fraud

4. Legal basis for processing

  • Contract performance: delivering the service you subscribed to
  • Consent: optional communications; withdraw at any time
  • Legitimate interests: platform security, fraud prevention, anonymised analytics
  • Legal obligation: where required by applicable law

5. Data storage and security

Your data is stored on Supabase (PostgreSQL) servers in the European Union (eu-west region). Application hosting is via Vercel. Supplier-uploaded files are stored in a private Supabase Storage bucket accessible only via time-limited signed URLs.

We use TLS encryption in transit, AES-256 at rest, row-level security for data isolation, and role-based access controls. In the event of a breach likely to risk your rights, we will notify you and the relevant authority within 72 hours (UK/EU GDPR) or as required by applicable law.

6. International data transfers

  • UK ↔ EU: Covered by mutual adequacy decisions between the UK and EU
  • UK/EU → India: Transfers made under Standard Contractual Clauses or equivalent safeguards
  • Supabase and Vercel: Both have executed Data Processing Agreements covering international transfers

7. Data sharing

We share data only with: Supabase (database and storage), Vercel (hosting), payment processors (billing only), professional advisors (confidentiality bound), regulatory authorities (where required by law - BEE, MoEFCC, SEBI, ICO, national DPAs), and suppliers (your organisation name and contact when you send a request).

All sub-processors are bound by data processing agreements.

8. Supplier data handling

Supplier contacts receive your organisation name and a tokenised link. Supplier submissions are stored securely and accessible only to your organisation. Supplier contacts may contact hello@greenio.co to query data usage. UK/EU supplier contacts retain full GDPR rights in respect of personal data in their submissions.

9. Data retention

We retain account and emissions data for as long as your account is active, plus 7 years after closure (statutory record-keeping requirements). Upon closure, data is available for export for 30 days before deletion.

10. Your rights (universal)

  • Access: request a copy of your personal data
  • Correction: request correction of inaccurate data
  • Erasure: request deletion, subject to legal retention
  • Data portability: CSV export available directly in the platform
  • Withdraw consent: at any time without affecting prior processing

Email hello@greenio.co to exercise any right. We respond within 30 days.

11. Cookies

We use only essential session cookies required for authentication. We do not use advertising cookies, cross-site tracking, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

12. Changes to this policy

Material changes will be notified by email or in-platform notice at least 14 days before taking effect. Continued use constitutes acceptance.

13. Contact

Greenio

Email: hello@greenio.co

Regional Privacy Addendums

Where there is a conflict between a regional addendum and the universal policy, the addendum takes precedence for users in that region.

Addendum A

UK Users - UK GDPR

Data Controller

Clasio UK Ltd (company number 14759860) is the UK GDPR Data Controller, registered with the Information Commissioner's Office (ICO).

Additional rights under UK GDPR

  • Right to object to processing based on legitimate interests
  • Right to restrict processing in certain circumstances
  • Right not to be subject to solely automated decision-making producing significant effects

Supervisory authority

Information Commissioner's Office (ICO)

Website: ico.org.uk

Data transfers

Data is stored on EU-based Supabase servers. The UK has recognised the EU as providing adequate protection under UK GDPR, so no additional safeguards are required.

Addendum B

EU Users - EU GDPR

Applies to users in Germany, France, Italy, Netherlands, Sweden, Portugal, Estonia, Lithuania, Ireland, Austria, Belgium, Spain, Poland, Denmark, and Latvia.

Transfers from EU to UK

The European Commission has adopted an adequacy decision for the UK. Transfers from the EU to Greenio are lawful under Article 45 GDPR without additional safeguards.

Additional rights under EU GDPR

  • Right to object to processing based on legitimate interests or for direct marketing
  • Right to restrict processing in certain circumstances
  • Right not to be subject to solely automated decision-making
  • Right to lodge a complaint with your national DPA

Data Processing Agreement

EU organisations subject to GDPR may request a DPA (Article 28 GDPR) by emailing hello@greenio.co. The DPA covers processing instructions, security measures, sub-processor details, and data subject rights.

National supervisory authorities

Full list available at edpb.europa.eu

Addendum C

India Users - DPDPA 2023

Data Fiduciary

Greenio is the Data Fiduciary under DPDPA 2023 in respect of personal data of Indian users.

Additional rights under DPDPA 2023

  • Right to information about personal data being processed
  • Right to correction and erasure of inaccurate or unnecessary data
  • Right to grievance redressal - response within the DPDPA prescribed period
  • Right to nominate another individual to exercise rights on your behalf

Cross-border transfers

Data is stored on EU-based servers. Transfers are made in accordance with Section 16 DPDPA 2023 and applicable Central Government rules, with appropriate safeguards maintained.

Grievance Officer

Greenio Grievance Contact

Email: hello@greenio.co

Acknowledgement within 48 hours. Resolution within 30 days.

Data Protection Board

If your grievance is unresolved, you may approach the Data Protection Board of India once constituted under DPDPA 2023.