Privacy Policy

Last updated 18 January 2024.

Introduction

If you are a visually impaired customer, a customer who has another disability or a customer who seeks support in other languages, you may access support to understand this Privacy Policy by emailing us at businessenquiries@carbonjacked.com.

The privacy of all information provided to the Rapid Policy Feedback Tool is an absolute priority to all parties involved and therefore all reasonable steps have been taken to protect this information. This privacy policy explains how and why we collect, use and protect your information.

It is important that you read this privacy policy so that you are fully aware of how and why we are using data. By using the tool, you indicate your acceptance of this Policy. If you do not agree to this Policy, you should not use this tool.

Contents of this policy

1. Our privacy principles

2. How to read this policy

3. The type of personal information we collect

4. Use of user information and why

5. Communication

6. Children's privacy

7. Sharing user information

8. Data transfers

9. Retention of information

10. Security

11. Data protection rights

12. How to complain

13. Changes to our Privacy Policy

14. Our contact details

1. Our privacy principles

We understand and value the importance of privacy. Privacy is a key priority to all users of the platform, including ourselves, and as such we have prioritised it in order to provide confidence to users. As part of our efforts, we have set the following principles for our privacy policy:

1. Need - we only collect the “personal information” that we need in order to provide you with our services.

2. Retention - we do not retain personal information for longer than is necessary.

3. User control - by allowing users to contact us easily, we offer users ways to control their personal information and express their preferences.

2. How to read this policy

Where this privacy policy refers to terms like “us”, “we”, “our” or “Carbon Jacked” this means Carbon Jacked Ltd.

Where this privacy policy refers to terms like “user(s)”, “individual(s)”, “employee(s)” or “you” this means the user of the platform.

Where this privacy policy refers to “Tool”, “the Tool”, “platform”, “website” or similar it means The Rapid Policy Feedback Tool.

3. The type of personal information we collect

For the purposes of this Privacy Policy, “personal information” or “personal data” means any information that relates to an identified or identifiable individual. We do not collect any “sensitive” personal information/data on individuals as defined by the UK Information Commissioner's Office.

We may collect the following categories of personal information that users choose to provide to us when the Rapid Policy Feedback Tool is used or otherwise interacted with, or when users receive our services.

Information from others

For users that receive access to the Rapid Policy Feedback Tool through a colleague, their employer or other such organisation, their email address is submitted to us by that colleague or organisation to facilitate their use of the tool.

Basic contact information

For users to have an account and access to the Rapid Policy Feedback Tool, we currently collect and process the following information:

• Full name
• Email address and alternative email address
• Role of lead user i.e. Chief Sustainability Officer
• Number of employees

Communication and platform-based information provided by the user

When users send or respond to emails, messages, or other communications from us, we may collect user email addresses, names, and any other personal information the user chooses to include in the body content of their communications. In addition, when they interact with certain features of our Tool, we may collect the content of those interactions. For example, answers to feedback questions, such as free-form text entry.

Payment information

In circumstances where users do sign up for a paid product or service from us, they may be required to provide their payment card or bank account information. Please note that we do not directly process or store payment card information, but do rely on a highly reputable third-party payment processors to do so on our behalf. Please note that third party terms may apply to these payment services. Personal information collected for these purposes includes card number, type, expiration date, and billing address, and certain anonymised, limited and/or truncated versions of this information may be provided to us.

Other information

There are other times where users may choose to provide information to us, such as contacting us via email.

Information we automatically collect

We look to minimise this, however as a web-based tool the Rapid Policy Feedback Tool may collect standard tracking information from users automatically as they use them. This information may include:

• Browser and device data, such as IP address, device identifier, device type, operating system and Internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons, and the language version of the Websites and Apps you are visiting; and

• Usage data, such as geolocation data, browsing history, time spent on the Platform, pages visited, links clicked, language preferences, performance of features, patterns of use, and the pages that led or referred you to our Platform including individual Websites and Apps.For example, we use Google Analytics on our Websites to help us analyse your use of our Websites and diagnose technical issues.

• Cookies and web-beacons - we may use cookies and other tracking technologies such as pixels, web beacons, embedded scripts, and tags (“Cookies”). We also collect information about users' online activities on websites and connected devices over time and across third-party websites, devices, apps, and other online features and services.

Please review our “Cookies and tracking technologies” section below for more information about our use of these technologies.

Aggregated, anonymous, and de-identified data

We may create aggregated, anonymous, or de-identified data from personal information by removing data components that make the data personally identifiable to users, or potentially personally identifiable to users, or through obfuscation or other means. Once information is aggregated, anonymised, or de-identified such information is no longer personal information, and use of the data is not subject to this Privacy Policy.

Cookies and tracking technologies

A cookie is a small file of letters and numbers that we store via a user's browser. Our website uses cookies to distinguish individuals from other users of our website. This helps us to provide users with a better experience when they browse our website and also allows us to improve our site. For example, we use cookies to offer sign-in functionality, to remember user preferences and to understand how our web pages are used.

We may use both temporary and persistent cookies. Users can delete cookies in their browser anytime and they can also block cookies from being placed; however, this could affect the quality of the service.

We may also rely on service providers and other partners to provide features of our Tool using data about how individuals use our Tool, which may include personal information. Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

4. Use of user information and why

We may use personal information in the following ways:

• To provide our service, including the provision of ongoing business engagement.

• To communicate with users regarding the Rapid Policy Feedback Tool service.

• To notify users about updates or changes to the Rapid Policy Feedback Tool service.

• To provide customer service, answer user questions or requests for information, or handle complaints.

• Where applicable, to facilitate payment transactions, manage orders, and account for applicable sales taxes.

• To deliver on any agreements that we may have with a user, organisation or employer.

• To maintain and improve the quality of the Rapid Policy Feedback Tool, including to perform research and development.

• To provide users with information about new services and other opportunities that we believe may be of interest to them.

• To protect ourselves, users and others; preventing fraud and other unlawful or unauthorised activity; and creating and maintaining a trusted, secure, and reliable online environment.

• To comply with our legal obligations or conduct any legal cases where the information is relevant.

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:

1. Either individual consent. Users are able to remove their consent at any time. They can do this by contacting businessenquiries@carbonjacked.com.
2. Or, we have a contractual agreement to provide users with access to the Carbon Jacked employee platform.

5. Communication

We may use individual information to contact users, including to ensure smooth operations of the service or provide relevant updates about long-term business engagement. We may also contact users about administrative and access issues for the Tool where needed.

Users have the option to unsubscribe from these communications at any time.

6. Children's privacy

Please note our Tool is intended for individuals at least 18 years old or older, as such we do not knowingly collect data relating to children.

7. Sharing user information

If necessary, we may share personal data with the third parties categorised below for the purposes set out in this privacy policy or where legally acceptable.

We may share information with the following categories of third parties:

• Suppliers and service providers (such as outsourced services partners, technology service providers, manufacturers and post and courier services).

• Payment services providers, e.g. via Stripe - payment processors may take personal data directly from users as part of processing a purchase, and they will be data controllers in their own right for that processing.

• Auditors and professional advisers like bankers, lawyers, accountants and insurers.

• Government, regulators and law enforcement.

We may also share data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use personal data in the same way as set out in this privacy policy.

8. Data transfers

In some cases, if we are operating internationally, the personal information we collect may be processed outside of the country in which users reside. Not all countries have the same protections for information. However, we look to ensure that user information processed by us and our suppliers outside of a user's country is protected in the same way as it would be if it was processed within their country.

For example, whenever we transfer information outside of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer information to countries that have been deemed to provide an adequate level of protection for personal information; or

• Where we use certain service providers, we may use specific contracts approved for use in the UK or the EEA, as applicable, which give personal information adequate protection.

9. Retention of information

We will only retain information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain information for a longer period in the event of a complaint.

To determine the appropriate retention periods for information, we will take into account factors including:

• The amount, nature and sensitivity of the information.

• The potential risk of harm from unauthorised use or disclosure of user information.

• The purposes for which we process user information and whether we can achieve those purposes through other means.

• Our contractual obligations and rights in relation to the information involved.

• Legal obligation(s) under applicable law to retain information for a certain period of time.

• Applicable regulatory, tax, accounting or other requirements;

• Our legitimate interests for retaining the information (see ‘Use of user information and why' above).

• Whether there is an actual or potential dispute.

• Guidelines issued by relevant data protection authorities.

In some circumstances users can ask us to delete their information (see “Data protection rights” section below). At the end of a retention period, we will securely delete or anonymise their information.

10. Security

We adopt robust technologies and policies to protect user information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have implemented procedures to deal with any personal data breach and will notify users and any applicable regulator of a breach where we are legally required to do so.

Unfortunately, the transmission of information via the internet is not completely secure. Although we make extensive efforts to protect user information, we cannot guarantee the security of their information transmitted; any transmission is at their own risk. Once we have received their information, we will use procedures and security features to try to prevent unauthorised access.

In order to increase security, we operate a best practice passwordless login system. In circumstances where users have chosen a password, users are responsible for keeping this password confidential. Users must keep any password created, or other secure login method, secret, and prevent unauthorised access. We advise passwords are not shared.

11. Data protection rights

In certain circumstances, under local data protection law, users may have rights in relation to the information we hold about them. We will handle a request to exercise these rights in line with the applicable law.

If users are in the UK or the EU, they have the following rights:

• The right to be informed. They have the right to be provided with clear, transparent and easily understandable information about how we use their information and their rights. This is why we're providing them with the information in this policy.

• The right of access. This is also known as a “data subject access request”. Users have the right to receive a copy of their information if we hold any information about them and to check that we are processing it lawfully.

• The right to rectification. Users are entitled to have any incomplete or inaccurate information we hold about them corrected, though we may need to verify the accuracy of the new information they provide to us.

• The right to erasure. This is also known as “the right to be forgotten”. Users have the right to request the deletion or removal of certain information that we hold about them where there is no good reason for us continuing to process it. The right is not absolute and only applies in certain circumstances.

• The right to restrict processing. Users have rights to block or suppress further use of their information in certain circumstances. When processing is restricted, we may still have a lawful reason to hold their information, but we will not use it further.

• The right to data portability. They have the right to receive their information in a structured, commonly used and machine-readable format. This right is not absolute and only applies in certain circumstances.

• The right to withdraw consent. Where we rely on consent to use user information, they have the right to withdraw that consent at any time. Withdrawing consent will not, however, make unlawful our use of their information before they withdraw their consent. If they withdraw their consent, we may not be able to provide certain services to them.

• The right to object to processing. Users have the right to object to certain types of processing of their information, including processing for direct marketing purposes.

If users wish to exercise their privacy rights, they can contact businessenquiries@carbonjacked.com.

12. How to complain

If users have any concerns about our use of their information, they can make a complaint to us at businessenquiries@carbonjacked.com.

Users can also complain to the ICO if they are unhappy with how we have used their data.

The ICO's address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF United Kingdom

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

13. Changes to our privacy policy

We may change this Privacy Policy from time to time to reflect new services or changes in our data practices or relevant laws. The date at the bottom of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Rapid Policy Feedback Tool website. We may take reasonable measures to notify users via email and/or a prominent notice on our Platform prior to certain changes becoming effective, and will update the effective date at the top of this Privacy Policy. Users are advised to review this Privacy Policy periodically for any changes.

We update this privacy policy from time to time, so users should remember to check back in every so often, in case anything has changed and, where appropriate, we will notify users of the changes, for example by email or another method.

This privacy policy was last updated in January 2024.

14. Our contact details

Name: Rapid Policy Feedback Tool (Operated by Carbon Jacked Ltd)

Address: 2 The Mill, Waterside Village, Loughborough, East Midlands LE11 1FU

Phone Number: +447858051168

E-mail: businessenquiries@carbonjacked.com.