PRIVACY POLICY

This Privacy Policy explains how VerifiedClimate™ Limited (“VerifiedClimate™”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects information in connection with the use of our services, systems, and digital infrastructure, including but not limited to the website accessible at https://www.verifiedclimate.com and all related subdomains, services, tools, features, software, integrations, and associated platforms (collectively, the “Services”).
By accessing or using the Services, the user (“User”, “you”, “your”) acknowledges and agrees to the practices described in this Privacy Policy. If you do not agree with the terms of this Policy, do not use the Services.

1. Purpose and Scope

This Policy applies to all personal and non-personal data collected by VerifiedClimate™ through the Services. VerifiedClimate™ operates compliance-grade evidentiary infrastructure, powered by the RegistryRail™ system, for timestamping and preserving climate-related declarations. This infrastructure is neutral, automated, and does not act as a regulator, validator, or certifier. This Privacy Policy describes data handling practices only and does not expand or modify the procedural scope or non-verification boundaries described in the Terms of Service

2. Controller Information

VerifiedClimate™ Limited. Company Registration Number: 788557. Registered Office: Corporate Financial Solutions, Middle Third Terrace, Block 6, Killester, Dublin. D05 WC86. Ireland. VerifiedClimate™ is the data controller for the purposes of GDPR.

3. Categories of Data Collected

The data categories set out below are processed strictly for the operation of VerifiedClimate™’s evidentiary infrastructure and the issuance of RegistryRail™ Records on the Evidentiary Rail.

 Information Provided by Users:
• Organisation name
• Contact email address(es)
• Submitted climate declarations and supporting materials
• Region, sector, and summary information
• All submitted files are handled through a secure, automated upload and storage pipeline backed by enterprise-grade infrastructure.
Files are stored using cloud-based systems operated by ISO/IEC 27001-certified and SOC-audited infrastructure providers, with redundancy and disaster-recovery controls appropriate to institutional use.
‍
‍Encryption in transit and at rest
All files are encrypted using AES‑256 encryption at rest, and TLS/HTTPS during transfer, aligning with modern security standards for sensitive content transmission and storage.

‍No human handling
Files are processed and stored without routine human access. VerifiedClimate™ staff do not routinely view or manually handle submitted materials, and access by infrastructure providers is restricted to exceptional, security-controlled circumstances (e.g., system maintenance or legal obligations).

‍Submitter‑exclusive control
Only the original submitter determines whether supporting documents are visible or kept private. Records (neutral, procedural evidentiary artefacts) and materials are never made public unless the submitter explicitly enables visibility. VerifiedClimate™ does not authenticate recipients of Record URLs and assumes no responsibility for onward distribution once a URL is shared.

‍Global compliance alignment
The underlying storage infrastructure complies with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), and the Data Protection Act 2018 (Ireland). VerifiedClimate™ is operated in a manner designed to support evidence-handling expectations associated with major sustainability disclosure regimes, where applicable. It does not itself determine, assess, or certify compliance with any disclosure framework.
VerifiedClimate™ operates the climate-sector instance of an evidentiary infrastructure architecture, with RegistryRail™ functioning as the Evidentiary Rail through which tamper-evident Records are timestamped, sealed, and preserved.

‍Resilience & reliability
All stored files benefit from redundant replication and automated failover, preserving availability and integrity even in the event of isolated infrastructure failures.
‍
‍Automatically Collected Data:
• IP address and device metadata
• Browser type and settings
• Operating system
•  Date/time of access
• Referring URL and on-site behavior logs
Metadata associated with submission timestamps
‍
Supplementary Fields:
• "Declared by" field (e.g., name, role, or department)
• Purpose selection dropdown metadata
• Visibility settings (e.g., document access control)

4. Legal Basis for Processing

VerifiedClimate™ processes personal data under one or more of the following lawful bases:
• Contractual Necessity: To perform the Services as requested by the User;
• Legitimate Interests: Including system integrity, legal compliance, and platform improvement;
• Consent: When the User opts to make supporting documents or metadata publicly visible;
• Legal Obligation: Where required by applicable law or regulatory directive.

5. Use of Data

VerifiedClimate™ uses collected data for the following purposes:
• To provide, operate, and maintain the Services;
• To create, timestamp, and archive RegistryRail™ Records;
• To display non-personal activity summaries on public-facing infrastructure (e.g., feed or ticker);
• To maintain audit trails, detect fraud, and ensure system integrity;
• To respond to legal requests or comply with statutory obligations;
• To improve and adapt platform performance and functionality, as well as to maintain evidentiary custody within the Evidentiary Rail, ensuring that submitted materials are preserved with tamper-evident integrity.

6. Data Storage and Retention

• All data is securely stored using advanced encryption and access control protocols.
• Data is hosted in secure environments compliant with European and Irish data protection standards.
• Records are retained only as long as necessary for operational, legal, or archival purposes.
• RegistryRail™ Records are designed to be durable and non-editable once issued; however, retention and visibility are governed by applicable legal requirements and user-controlled settings.

7. Data Sharing and Transfers

VerifiedClimate™ does not sell, lease, or share personal data with third parties for marketing purposes.
Data may be shared under strict limitations;
• With infrastructure partners and subprocessors (e.g., hosting providers, email processors) under GDPR-compliant data processing agreements;
• With competent legal authorities when required by law or court order;
• Internally within VerifiedClimate™ for compliance and system integrity purposes;
• Publicly only when the User explicitly selects visibility settings allowing for document sharing.
VerifiedClimate™ does not sell or monetise personal data and does not permit use of submitted materials for advertising, profiling, or behavioural targeting.

8. International Transfers

If personal data is transferred outside the European Economic Area (EEA), such transfers are safeguarded using appropriate legal mechanisms, including:
• Standard Contractual Clauses (SCCs);
• Adequacy decisions issued by the European Commission;
• Binding corporate rules (if applicable).
Where RegistryRail™ functions as the Evidentiary Rail for cross-border submissions, all associated transfers adhere to the safeguards described above. All subprocessors involved in the provision of the Services operate under GDPR-compliant data processing agreements.

9. Data Security

No Use of Artificial Intelligence in Processing
VerifiedClimate™ does not deploy artificial intelligence (AI) or machine-learning (ML) systems for content interpretation, evaluation, or decision-making in the processing, storage, analysis, or evaluation of user-submitted content.  For the avoidance of doubt, VerifiedClimate™ does not use machine-learning or automated decision-making that produces legal or similarly significant effects under GDPR Article 22. Processing logic is deterministic and auditable.
‍
All submissions are handled using deterministic backend logic, with no profiling, predictive modeling, or automated inference applied at any stage.
This deliberate exclusion of AI supports GDPR transparency and accountability principles, including avoiding automated decision-making that produces legal or significant effects, and related provisions of the Data Protection Act 2018 (Ireland).

In particular, no automated decision-making or content interpretation occurs that could affect the rights, obligations, or standing of the submitter or any third party. By avoiding AI-driven processes entirely, the VerifiedClimate™ and RegistryRail™ infrastructure preserves the clarity, auditability, and human-legible traceability of all records issued through the platform.

VerifiedClimate™ implements robust technical and organisational measures to protect the evidentiary integrity and security of all data processed through the Evidentiary Rail, including protection against unauthorised access, alteration, disclosure, or destruction, including but not limited to:
• End-to-end encryption;
• Role-based access controls;
• Immutable timestamping and tamper-evident hashing;
• Regular integrity checks and security audits.

10. User Rights Under GDPR

Users have the right to:
• Access their personal data;
• Request correction of inaccurate or incomplete data;
• Request erasure of personal data, subject to legal exceptions;
• Object to processing based on legitimate interests;
• Request data portability;
• Withdraw consent for processing at any time (where applicable);
• Lodge a complaint with the Irish Data Protection Commission.
To exercise any rights, contact: privacy@verifiedclimate.com

11. Automated Decision-Making and Profiling

VerifiedClimate™ does not perform profiling or automated decision-making that produces legal or similarly significant effects. Automated workflows relate exclusively to the structured issuance of immutable records and do not affect legal status or third-party relationships. All automated processes relate solely to deterministic evidentiary issuance on the Evidentiary Rail and do not constitute decision-making, evaluation, or interpretation of content.

12. Cookies and Tracking Technologies

VerifiedClimate™ uses minimal cookie technology strictly necessary for:
• Security and authentication;
• Submission continuity;
• Analytics (aggregate, non-identifiable);
All optional cookies are disabled by default. Users may manage cookie settings in their browser.

13. Children’s Privacy

The Services are not intended for individuals under the age of 18. VerifiedClimate™ does not knowingly collect personal data from children. If you believe that a child has submitted data, contact: privacy@verifiedclimate.com

14. Amendments to this Privacy Policy

VerifiedClimate™ may amend this Policy at any time to reflect updates in law, platform functionality, or operational practices. Updated versions will be posted to the website with a clearly indicated effective date. Continued use of the Services after any update constitutes acceptance of the revised Policy. Updates may also reflect enhancements to VerifiedClimate™’s evidentiary infrastructure or the operational scope of the Evidentiary Rail.

15. Contact

For privacy inquiries, data access requests, or exercise of rights, contact:
Privacy Officer
VerifiedClimate™
Email: privacy@verifiedclimate.com