Privacy Policy

1. Who We Are

Coffset OÜ ("we", "us", "our") operates the platform at coffset.org. We provide AI-powered carbon footprint calculation and carbon credit offsetting services.

2. Data We Collect

• Account data: Email address, full name, and hashed password when you create an account.
• Carbon calculations: Lifestyle, travel, and activity data you provide during calculator conversations, stored linked to your account.
• Payment data: Processed by Stripe. We store purchase amount, currency, and Stripe session ID only.
• Usage data: IP address, browser type, pages visited, and timestamps via server logs and analytics.
• Communications: Emails you send us and newsletter subscription status (MailerLite).

3. How We Use Your Data

• To operate and maintain your account and deliver core features.
• To process carbon offset purchases and issue retirement certificates.
• To send transactional emails (order confirmations, account creation).
• To send newsletters if you have explicitly subscribed.
• To improve the platform through aggregated, anonymized analytics.
• To comply with applicable laws and regulations.

4. Legal Bases for Processing (GDPR)

Under the GDPR, we process your personal data based on:

• Contract performance (Art. 6(1)(b)): Account creation, carbon calculations, and offset purchases.
• Legitimate interests (Art. 6(1)(f)): Website analytics and service improvement.
• Consent (Art. 6(1)(a)): Newsletter subscriptions and non-essential cookies.
• Legal obligation (Art. 6(1)(c)): Tax record-keeping for purchases.

5. Third-Party Services

• Supabase — Database and authentication (EU region).
• Stripe — Payment processing. Privacy Policy
• CNaught — Carbon credit retirement.
• Groq — AI inference for calculator (US, SCCs in place).
• Resend — Transactional email delivery.
• MailerLite — Newsletter management.
• Google Analytics — Analytics (with consent). Privacy Policy
• Vercel — Hosting and infrastructure.

6. International Data Transfers

Your data may be transferred outside the EEA. We ensure appropriate safeguards:

• Supabase: EU region (Frankfurt).
• Stripe: EU-US Data Privacy Framework certified.
• Groq: US processing under Standard Contractual Clauses.
• Vercel: EU regions available; global CDN for performance.

7. Data Retention

• Account data: Until you delete your account, then removed within 30 days.
• Carbon calculations: Retained while your account is active.
• Purchase records: 7 years for tax compliance.
• Analytics data: Aggregated/anonymized data may be retained indefinitely.

8. Your Rights

You have the right to:

• Access — Request a copy of your personal data.
• Rectification — Request correction of inaccurate data.
• Erasure — Request deletion ("right to be forgotten").
• Restrict processing — Limit how we use your data.
• Data portability — Receive your data in a machine-readable format.
• Object — Object to processing based on legitimate interests.
• Withdraw consent — Withdraw any previously given consent.

To exercise these rights, email [email protected]. We respond within 30 days.

9. Cookies

We use:

• Essential cookies: Authentication and session management.
• Analytics cookies: Google Analytics (with consent).

See our Cookie Policy for details.

10. Automated Decision-Making

Our carbon calculator uses AI to estimate emissions. This automated processing:

• Does not produce legally significant decisions about you.
• Is based on your explicit consent when using the calculator.
• Can be reviewed or contested by contacting us.

11. Security

We use industry-standard security measures including HTTPS encryption, bcrypt password hashing, HTTP-only session cookies, and Row Level Security on our database. We will notify you promptly in the event of a data breach.

12. Right to Lodge a Complaint

If you believe we have not handled your data properly, you can lodge a complaint with:

13. Changes to This Policy

We may update this policy from time to time. For significant changes, we will notify users by email.

14. Contact

For privacy-related questions: [email protected]