GDPR Compliant
EU data protection standards
EU Servers Only
Your data stays in Portugal
Fully Encrypted
AES-256 encryption at rest
Your Rights
Full control over your data
EcoImpact Nexus ("we," "our," or "us") is committed to protecting your privacy and handling your data responsibly. This Privacy & Data Protection Notice explains how we collect, use, store, and protect your personal information in compliance with the EU General Data Protection Regulation (GDPR) and Portuguese data protection laws.
1. Who We Are
Data Controller: EcoImpact Nexus
Contact: info@ecoimpactnexus.com
Location: Portugal (EU)
We are a carbon tracking and offset platform specifically designed for Portuguese startups. Our mission is to help businesses achieve carbon neutrality while creating verified green jobs in Portugal.
2. What Data We Collect
2.1 Information You Provide
When you use our carbon calculator or sign up for our services, we collect:
- Company Information: Company name, industry sector, number of employees
- Contact Details: Name, email address, phone number (optional)
- Carbon Footprint Data: Electricity usage, heating/gas consumption, business travel, flight hours, shipping distances, office space, cloud/server usage, waste management practices
- Sustainability Practices: Renewable energy percentage, vehicle types, waste management programs
2.2 Automatically Collected Information
- Technical Data: IP address, browser type, device information, operating system
- Usage Data: Pages visited, time spent on site, calculator completion rates
- Cookies: Essential cookies for site functionality (see Section 7)
2.3 Data We Do NOT Collect
We do not collect:
- Credit card or payment information (processed securely by third-party payment providers)
- Social security numbers or tax identification numbers
- Sensitive personal data (health, religion, political views, etc.)
- Data from individuals under 18 years of age
3. How We Use Your Data
3.1 Primary Purposes
| Purpose | Legal Basis (GDPR) |
|---|---|
| Calculate your carbon footprint | Performance of contract / Legitimate interest |
| Send your carbon analysis reports via email | Performance of contract |
| Provide AI-powered insights and recommendations | Performance of contract / Legitimate interest |
| Industry benchmarking (anonymized data) | Legitimate interest |
| Improve our calculator accuracy and features | Legitimate interest |
| Send service updates and platform improvements | Legitimate interest |
| Marketing communications (if you opt-in) | Consent |
3.2 AI-Powered Analysis
When you use our Pro or Enterprise tiers, we use Claude AI (by Anthropic) to provide personalized carbon reduction recommendations. Your company data is sent to Anthropic's API for analysis but is NOT used to train their AI models. See Section 5 for details on data sharing.
4. How We Store Your Data
4.1 Security Measures
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Regular Backups: Daily encrypted backups with 30-day retention
- Security Audits: Annual third-party security assessments
- Employee Training: All team members complete GDPR and data security training
4.2 Data Retention
- Active Accounts: We retain your data for as long as your account is active
- Inactive Accounts: If your account is inactive for 24 months, we will contact you. If no response, data is anonymized after 36 months
- Deleted Accounts: When you delete your account, all personal data is permanently deleted within 30 days
- Legal Obligations: We may retain certain data longer if required by Portuguese or EU law (e.g., financial records for 7 years)
5. Who We Share Your Data With
5.1 Service Providers (Data Processors)
We share limited data with trusted third-party service providers who help us operate our platform:
- Anthropic (Claude AI): Provides AI-powered carbon insights. Data is NOT used for training. EU-US Data Privacy Framework certified.
- Google Sheets API: Stores calculation data (if you opt-in). Covered by Google's GDPR-compliant data processing terms.
- Cloudflare: Provides secure hosting and DDoS protection. EU data centers only.
- Email Service Provider: Sends your carbon reports. GDPR-compliant EU provider.
All service providers are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance.
5.2 We Do NOT Sell Your Data
We never sell, rent, or trade your personal information to third parties for marketing purposes. Your data belongs to you.
5.3 Legal Disclosure
We may disclose your data if required by Portuguese or EU law, court order, or to protect our legal rights.
6. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
Your Data Rights
- Right to Access: Request a copy of all personal data we hold about you
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure ("Right to be Forgotten"): Delete your data permanently
- Right to Restrict Processing: Limit how we use your data
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for marketing emails anytime
- Right to Lodge a Complaint: File a complaint with Portuguese Data Protection Authority (CNPD)
6.1 How to Exercise Your Rights
To exercise any of these rights, email us at: privacy@ecoimpactnexus.com
We will respond within 30 days as required by GDPR. If your request is complex, we may extend this by 60 days and will notify you.
7. Cookies & Tracking
7.1 Essential Cookies
We use only essential cookies required for the calculator to function:
- Session cookies: Remember your calculation progress (deleted when you close browser)
- localStorage: Save your calculation results locally on your device
7.2 Optional Analytics
If you consent, we use Google Analytics (with IP anonymization) to understand how people use our platform. You can opt-out anytime via our cookie banner.
7.3 No Third-Party Advertising Cookies
We do not use advertising cookies or sell your data to advertisers.
8. International Data Transfers
Some of our service providers (e.g., Anthropic for AI services) are based in the United States. When we transfer data outside the EU:
- We use providers certified under the EU-US Data Privacy Framework
- We implement Standard Contractual Clauses (SCCs) approved by the European Commission
- We ensure adequate safeguards are in place to protect your data
9. Data Breach Notification
In the unlikely event of a data breach that affects your personal information:
- We will notify the Portuguese Data Protection Authority (CNPD) within 72 hours
- If the breach poses high risk to your rights, we will notify you directly via email
- We will provide information on the breach, potential consequences, and measures taken
10. Children's Privacy
Our services are designed for businesses and are not intended for individuals under 18. We do not knowingly collect data from children. If you believe we have collected data from a minor, please contact us immediately at privacy@ecoimpactnexus.com.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make significant changes:
- We will update the "Last Updated" date at the top of this page
- We will notify you via email if you have an account
- For material changes, we may require renewed consent
12. Portuguese Data Protection Authority
If you have concerns about how we handle your data, you have the right to lodge a complaint with:
Comissão Nacional de Proteção de Dados (CNPD)
Address: Av. D. Carlos I, 134, 1º, 1200-651 Lisboa, Portugal
Phone: +351 21 392 84 00
Email: geral@cnpd.pt
Website: www.cnpd.pt
Questions About Your Privacy?
Our Data Protection Officer is here to help:
Email: info@ecoimpactnexus.com
We typically respond within 24-48 hours
This Privacy Policy is governed by Portuguese and EU law. By using our services, you acknowledge that you have read and understood this policy.