Privacy Policy
Last updated: 7 February 2025
1. Introduction
Emisso Pty Ltd (ABN 79 390 265 966) ("Emisso," "we," "us," or "our") operates the Emisso carbon accounting platform available at emisso.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service.
We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR), the Australian Privacy Act 1988, and other applicable data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy should be read alongside our Terms of Service and Cookie Policy. If you do not agree with the practices described herein, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
- Entity: Emisso Pty Ltd
- Address: Sydney, Australia
- Email: privacy@emisso.app
3. Data We Collect
3.1 Account Information
When you create an account, we collect:
- Email address
- Password (stored in hashed form by our authentication provider)
- Organisation name and details
- Role within your organisation
3.2 Carbon Accounting Data
As part of the core Service functionality, we process and store:
- Emission records: Scope 1, Scope 2, and Scope 3 greenhouse gas emission data you enter or import
- Facility data: Names, locations, and operational details of your facilities
- Reports: Generated carbon footprint reports and associated metadata
- CSV imports: Data files you upload for bulk emission entry (Starter plan and above)
- Supplier questionnaires: Questionnaire responses and supply chain data (Pro plan and above)
- Audit trail records: Logs of changes to emission data for accountability purposes (Pro plan and above)
3.3 Billing and Payment Data
When you subscribe to a paid plan, we collect:
- Billing name and address
- Payment method details (processed and stored by Stripe; we do not store your full credit card number)
- Subscription plan and billing history
3.4 Usage and Technical Data
We automatically collect certain technical information:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Date and time of access
- Referring URL
3.5 API Usage Data (Pro Plan)
If you use the Emisso REST API, we additionally collect:
- API key identifiers (keys are stored as SHA-256 hashes)
- API request logs (endpoint, timestamp, response status)
- Rate limit usage data
3.6 Team and Invitation Data
When you invite team members to your organisation, we collect the email addresses of invitees and record acceptance status and roles assigned.
4. How We Use Your Data
We use your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Performance of a contract |
| Processing subscription payments | Performance of a contract |
| Sending transactional emails (account confirmations, password resets, team invitations) | Performance of a contract |
| Generating carbon footprint reports | Performance of a contract |
| Maintaining audit trail logs | Performance of a contract / Legitimate interest |
| Improving the Service and fixing bugs | Legitimate interest |
| Sending product updates and service notices | Legitimate interest |
| Preventing fraud and abuse | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not sell your personal data. We do not use your carbon accounting data for advertising or profiling purposes.
5. Third-Party Data Processors
We share your data with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (Supabase Inc.) | Authentication, database hosting, and row-level security | Account data, emission data, facility data, all application data |
| Stripe (Stripe, Inc.) | Payment processing and subscription management | Name, email, billing address, payment method tokens |
| Resend (Resend, Inc.) | Transactional email delivery | Email address, name, email content |
| Vercel (Vercel Inc.) | Application hosting and delivery | IP address, request metadata |
Each processor is bound by data processing agreements that require them to process your data only for the purposes described above and in accordance with applicable data protection laws.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our third-party processors operate. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Processor certifications under recognised frameworks (e.g., SOC 2)
- Any adequacy decisions made by the relevant data protection authority
7. Cookies and Tracking
We use cookies and similar technologies on our Service. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
In summary:
- Essential cookies: Required for authentication sessions and security. These cannot be disabled.
- Third-party cookies: Stripe may set cookies for fraud prevention during checkout.
We do not use advertising, tracking, or analytics cookies.
8. Data Retention
We retain your data for the following periods:
- Account data: For the duration of your account plus 30 days after deletion to allow for account recovery.
- Carbon accounting data: For the duration of your account. Upon account deletion, all emission data, facility records, and reports are permanently deleted within 30 days.
- Billing data: As required by applicable tax and accounting laws (typically 7 years for financial records).
- API keys: Key hashes are retained until revoked or account deletion. API request logs are retained for 90 days.
- Audit trail logs: Retained for the duration of your account.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) for all data transmitted to and from the Service
- Encryption at rest for database storage
- Row-level security (RLS) ensuring each organisation can only access its own data
- Password hashing using industry-standard algorithms via our authentication provider
- SHA-256 hashing for API keys (raw keys are never stored)
- Role-based access control within organisations (owner, admin, member roles)
- Regular security assessments and dependency updates
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.
10. Your Rights
10.1 Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing: Request that we limit how we use your data.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format (e.g., CSV or JSON via our API).
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint: File a complaint with your local data protection authority.
10.2 Rights Under the Australian Privacy Act
If you are an Australian resident, you have the right to access and correct your personal information under the Privacy Act 1988. You may also complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles.
10.3 Exercising Your Rights
To exercise any of your rights, please contact us at privacy@emisso.app. We will respond to your request within 30 days (or within the timeframe required by applicable law).
You can also export your emission data at any time through the Service by generating reports (available to all plan tiers) or via the REST API (Pro plan).
11. API Data Handling
Pro plan subscribers may access their data through the Emisso REST API. The following provisions apply:
- API access is authenticated via Bearer tokens with a unique prefix (emso_live_). Tokens are hashed before storage and cannot be recovered.
- API requests are subject to rate limiting (60 requests per minute per organisation).
- Data returned via the API is scoped to the authenticated organisation. No cross-organisation data access is possible.
- API request metadata (endpoint, timestamp, status code) is logged for security and debugging purposes.
- You are responsible for securing your API keys and any data retrieved through the API.
12. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete that data promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or through an in-app notification at least 14 days before the changes take effect
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@emisso.app
- General support: support@emisso.app
- Mail: Emisso Pty Ltd, Sydney, Australia
- ABN: 79 390 265 966