Privacy Policy
Draft: November 2025
1. Introduction
This Privacy Policy explains how The Carbon Foundation (“Carbon Foundation”, “we”, “us”, “our”) collects, uses, discloses and protects personal data when you interact with us, use our websites, platforms and services, or otherwise engage with our organisation.
We are a science-first, compliance-led carbon infrastructure provider. In the course of operating carbon registries, MRV-enabled platforms, project assessment services and carbon-linked financial solutions, we necessarily process personal data relating to project owners, First Nations and Indigenous partners, sovereign counterparties, brokers, investors, service providers and website users.
We are committed to protecting your privacy and handling personal data lawfully, fairly and transparently in line with applicable data protection laws, including (where relevant):
- The EU General Data Protection Regulation (GDPR)
- The UK GDPR and Data Protection Act 2018
- Applicable data protection, privacy and security laws in the jurisdictions in which we operate
Please read this Policy carefully to understand how and why we process your data and the rights you have.
2. Who we are and contact details
The data controller for the purposes of this Privacy Policy is:
The Carbon Foundation
(operated by Themis Carbon CY Limited, and/or other group entities as applicable)
Registered office: Prodromou 121, Hadjikyriakeion Building, 1st floor, Strovolos, 2064, Nicosia, Cyprus
Company number: HE410562
If you have any questions, concerns or requests about this Policy or how we handle your personal data, you can contact us at:
- Email: privacy@carbonfoundation.com
- Postal: Data Protection, The Carbon Foundation, Prodromou 121, Hadjikyriakeion Building, 1st floor, Strovolos, 2064, Nicosia, Cyprus
Where local law requires, we may appoint a representative or Data Protection Officer (DPO). Their details will be made available upon request or via our website.
3. Scope of this Policy
This Privacy Policy applies to:
- Visitors to our websites and digital platforms
- Users of our registries, MRV platforms and related tools
- Project owners, developers, and project participants
- First Nations and Indigenous partners and community representatives
- Government and sovereign counterparties
- Brokers, financial institutions, investors and professional advisers
- Suppliers, contractors and consultants
- Job applicants and prospective staff
It covers personal data we collect:
- Online (via websites, portals, emails, virtual meetings)
- Offline (through meetings, events, workshops, and physical documents)
This Policy does not apply to anonymised or aggregated data that cannot reasonably identify an individual.
4. What personal data we collect
The categories of personal data we may collect include:
4.1 Identification and contact data
- Name, title, position, organisation
- Postal address, email address, telephone numbers
- Nationality and country of residence
- Government-issued identifiers where legally required (e.g. for KYC/AML)
4.2 Professional and project-related data
- Role, qualifications, professional background
- Information about the organisation you represent
- Project proposals, ownership and participation details
- Records of meetings, correspondence and engagement with us
- Information relevant to project scoping, due diligence and MRV processes where it relates to identifiable individuals
4.3 Technical and usage data
- IP address, browser type and version, device identifiers
- Log data (access times, pages viewed, referring URLs)
- Usage data related to our platforms, registries and tools
- Cookie and tracking data (see Section 8)
4.4 Compliance and verification data
- KYC/AML information (where we are required to perform checks)
- Documentation relating to sanctions screenings or regulatory requirements
- Records of consents, authorisations and declarations
4.5 Recruitment data
- CVs, cover letters and application forms
- Employment history, education, skills and qualifications
- Interview notes, references and assessment results
- Right-to-work documentation where legally required
4.6 Special category data
We generally do not seek to collect special categories of personal data (e.g. health, ethnicity, religion) unless:
- You choose to share it voluntarily (e.g. in a CV), or
- It is necessary for a specific purpose (such as diversity monitoring) and permitted by law.
Where we do process such data, we will ensure an appropriate legal basis and additional safeguards.
5. How we collect personal data
We collect personal data in the following ways:
- Directly from you – when you contact us, submit forms, apply for a role, attend our events, use our platforms or enter into agreements with us.
- Through your use of our digital services – via cookies, logs and similar technologies that capture technical and usage data.
- From your organisation or intermediaries – where you are included as a contact, representative or project participant.
- From public sources – such as company registers, regulatory filings, professional networking sites, and public websites.
- From third parties – including service providers (e.g. KYC/AML providers), professional advisers, MRV companies, or partners who introduce you to us.
We take steps to ensure personal data we hold is accurate and up to date, and may periodically ask you to confirm or update your details.
6. Why we use personal data and legal bases
We process personal data for the following purposes and under the following legal bases (under EU/UK GDPR):
- Providing and operating our services
  - To operate registries, MRV-integrated platforms, project assessment services and carbon-related financial solutions.
  - Legal basis: Performance of a contract; legitimate interests.
- Project and partner relationship management
  - To assess, onboard and manage projects, partners, First Nations and Indigenous communities, sovereign counterparties, brokers and investors.
  - Legal basis: Performance of a contract; legitimate interests.
- Compliance, risk and governance
  - To conduct KYC/AML checks, sanctions screening and other regulatory checks where required.
  - To comply with audit, reporting and legal obligations.
  - Legal basis: Legal obligation; legitimate interests; public interest where applicable.
- Science, MRV and methodology application
  - To link project and MRV data to specific methodologies and frameworks, including where personal details are needed for validation, authorship or traceability.
  - Legal basis: Performance of a contract; legitimate interests.
- Communications and engagement
  - To respond to enquiries, send administrative information and communicate about our services, events and updates.
  - Legal basis: Performance of a contract; legitimate interests; consent where required (e.g. certain marketing).
- Marketing and business development
  - To send newsletters, invitations or information about our solutions that may be relevant to you in a professional capacity.
  - Legal basis: Legitimate interests for B2B contacts; consent where required by law (you can opt out at any time).
- Recruitment and HR
  - To process job applications, assess suitability, manage interviews and, where relevant, make offers and onboard new staff or contractors.
  - Legal basis: Pre-contractual steps; legitimate interests; legal obligation.
- Security, fraud prevention and platform integrity
  - To protect our systems, investigate suspicious activity and maintain the integrity of our infrastructure.
  - Legal basis: Legitimate interests; legal obligation.
Where we rely on legitimate interests, we balance those interests against your rights and expectations, and only proceed where we believe your privacy is not overridden.
Where we rely on consent, you have the right to withdraw it at any time.
7. How we share personal data
We may share personal data, only where necessary and appropriate, with:
- Group companies within The Carbon Foundation group for internal administration, governance and service provision.
- Service providers and professional advisers who support our operations (e.g. IT hosting, MRV providers, KYC/AML providers, legal and financial advisers, auditors), under appropriate confidentiality and data processing agreements.
- Project partners and counterparties, including sovereign entities, First Nations and Indigenous partners, investors, brokers and project owners, where required for project implementation, due diligence, verification or contractual performance.
- Verification and certification bodies, where external review or audit is required for projects, methodologies or registries.
- Regulators, authorities and law enforcement, where we are legally required to do so, or where disclosure is necessary to establish, exercise or defend legal claims.
- Prospective buyers or investors in the event of a corporate transaction, merger, restructuring or sale, subject to appropriate safeguards.
We do not sell your personal data.
8. International data transfers
Given our global operations, your personal data may be transferred to, and processed in, countries outside your home jurisdiction, including countries that may not provide the same level of data protection as the EU/UK.
Where we transfer personal data from the EEA or UK to countries without an adequacy decision, we will put in place appropriate safeguards, such as:
- Standard Contractual Clauses approved by the European Commission or UK authorities; and/or
- Other lawful mechanisms recognised under applicable data protection laws.
You may contact us for more information on the safeguards used for specific transfers.
9. Cookies and similar technologies
We use cookies and similar technologies on our websites and platforms to:
- Ensure basic functionality and security
- Understand usage patterns and improve performance
- Tailor content and, where applicable, measure outreach or marketing effectiveness
Where required by law, we will request your consent before placing non-essential cookies and give you the ability to manage your preferences.
For more detailed information, please refer to our Cookie Policy or contact us using the details in Section 2.
10. Data retention
We keep personal data only for as long as necessary to fulfil the purposes described in this Policy, including to:
- Provide our services and maintain relationships
- Comply with legal, regulatory, accounting and reporting obligations
- Resolve disputes and enforce agreements
Retention periods vary depending on the type of data and context, but typically:
- Contract and project records: kept for the duration of the project/relationship and a defined period thereafter (e.g. 6–10 years) to meet legal and audit requirements.
- KYC/AML records: retained as required by applicable financial or anti-money laundering laws.
- Recruitment data: retained for the recruitment process and, where appropriate, a limited period afterwards (e.g. 6–24 months), unless you become an employee, in which case HR retention rules apply.
- Marketing records: retained while you remain subscribed or we believe our communications are relevant, and deleted or anonymised when no longer needed or at your request.
When personal data is no longer needed, we will securely delete or anonymise it.
11. Security measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, disclosure or destruction. These may include:
- Access controls and authentication
- Encryption of data in transit and/or at rest, where appropriate
- Network and infrastructure security controls
- Secure development and change management processes
- Regular back-ups and business continuity planning
- Staff training and confidentiality obligations
While we strive to protect your data, no system is completely secure. If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and relevant authorities as required by law.
12. Your data protection rights
Depending on where you are located and subject to applicable law, you may have the following rights in relation to your personal data:
- Right of access – to obtain confirmation whether we process your data and, if so, receive a copy.
- Right to rectification – to correct inaccurate or incomplete personal data.
- Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain circumstances.
- Right to restriction of processing – to request that we limit the processing of your data in certain circumstances.
- Right to data portability – to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
- Right to object –
  - to processing based on our legitimate interests, on grounds relating to your particular situation;
  - to direct marketing at any time (including profiling for marketing).
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, unless specific conditions are met.
- Right to withdraw consent – where we rely on consent, you can withdraw it at any time (this will not affect prior lawful processing).
To exercise any of these rights, please contact us using the details in Section 2. We may need to verify your identity before responding.
You also have the right to lodge a complaint with your local data protection authority. For example:
- In the EEA: your national supervisory authority
- In the UK: the Information Commissioner’s Office (ICO)
We encourage you to contact us first so we can try to resolve your concerns.
13. Children’s data
Our services and platforms are not directed at children, and we do not knowingly collect personal data from anyone under the age of 16 (or lower age where permitted by local law) without appropriate consent or authorisation.
If you believe we have collected personal data about a child without appropriate permissions, please contact us and we will take steps to delete such data.
14. Automated decision-making and profiling
We may use analytics, scoring and other automated tools to support internal risk assessments, project evaluations or fraud prevention. However, we do not currently make decisions solely based on automated processing that produce legal or similarly significant effects on individuals.
If this changes, we will update this Policy and, where required, provide additional information and safeguards.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, services or legal requirements. When we do, we will revise the “Last updated” date at the top and, where appropriate, notify you through our website or by direct communication.
We encourage you to review this Policy periodically to stay informed about how we handle personal data.