Privacy Policy

Last updated: 19 May 2026

This Privacy Policy explains how Paspira ("we", "us", "our") collects, uses, stores and protects your personal data when you use paspira.com and the Paspira CarbonLedger platform. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Key points at a glance
We collect only what we need to provide the service — your email, organisation details and emission data you enter.
We never sell your data to third parties.
Your emission data belongs to you. You can export or delete it at any time.
We use Supabase to store your data securely in the EU.
You have full rights under UK GDPR to access, correct or delete your data.

1. Who we are

Paspira is a carbon intelligence platform operating under the trading name Paspira CarbonLedger, based in England and Wales. We are currently in the process of incorporating as a limited company.

For the purposes of UK GDPR, Paspira is the data controller for personal data collected through paspira.com and the CarbonLedger platform.

Contact: support@paspira.com

2. What data we collect

2.1 Account data

When you create an account we collect your full name, email address, and the name of your organisation. This is required to create and manage your account.

2.2 Organisation and emission data

To provide the carbon accounting service you enter data including your organisation name, industry sector, number of employees, and monthly emission activity data such as energy consumption, fuel use, travel and waste. This data is used solely to calculate your greenhouse gas inventory and generate your reports.

2.3 Usage data

We collect information about how you use the platform including pages visited, features used and actions taken. This helps us improve the product. This data is not linked to your identity outside the platform.

2.4 Technical data

We collect your IP address, browser type, device type and operating system when you access the platform. This is used for security, fraud prevention and service delivery.

2.5 Payment data

We do not store payment card details. When payment processing is enabled, payments are handled by Stripe Inc. — a regulated payment processor. We receive only a transaction confirmation and your billing address. Stripe's privacy policy governs their handling of your payment data.

2.6 Cookies

We use essential cookies to keep you logged in and to maintain session security. We do not currently use advertising or tracking cookies. If we introduce analytics cookies in future we will update this policy and obtain your consent.

3. How we use your data

We use your personal data for the following purposes:

Account management
To create and manage your account, verify your identity and provide access to the platform.
Service delivery
To calculate your greenhouse gas emissions, generate compliance reports and provide the carbon accounting features you have subscribed to.
Communications
To send you service-related emails including account confirmations, password resets, report downloads and usage summaries. We do not send marketing emails without your explicit consent.
Product improvement
To understand how the platform is used and improve features, performance and user experience.
Legal compliance
To comply with our legal obligations under UK law including tax, fraud prevention and data protection requirements.
Security
To detect, prevent and investigate fraud, security breaches and unauthorised access.

4. Legal basis for processing

Under UK GDPR we must have a lawful basis for processing your personal data. We rely on the following:

Contract performance
Processing your account and emission data to deliver the subscription service you have signed up for.
Legitimate interests
Improving the platform, preventing fraud and maintaining security — where this does not override your privacy rights.
Legal obligation
Complying with applicable UK law including tax and financial regulations.
Consent
For any marketing communications or non-essential cookies, where we will ask for your explicit consent.

5. Who we share your data with

We do not sell your personal data. We share data only with the following categories of third parties where necessary to deliver the service:

Supabase Inc.
Our database and authentication provider. Your data is stored on Supabase servers hosted in the EU. Supabase acts as our data processor under a data processing agreement.
Stripe Inc.
Our payment processor (when enabled). Stripe processes payment transactions on our behalf and is subject to their own privacy policy and PCI DSS compliance.
Vercel Inc.
Our hosting provider. Vercel serves the platform and may process request logs and technical data as part of infrastructure operation.
Legal authorities
Where required by law, court order or to protect the rights, property or safety of Paspira, our users or others.

All third-party processors are required to process your data only for the purposes we specify and in accordance with applicable data protection law.

6. Where your data is stored

Your data is stored on Supabase servers located in the European Union. Supabase is compliant with the EU-US Data Privacy Framework and implements appropriate safeguards for international data transfers.

Where data is processed outside the UK or EU, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V requirements, including standard contractual clauses where applicable.

7. How long we keep your data

Account data
Retained for the duration of your subscription plus 12 months after account closure, then deleted.
Emission and inventory data
Retained for the duration of your subscription. You can export your data at any time. On account deletion we delete all emission data within 30 days.
Usage and technical logs
Retained for 90 days for security and debugging purposes, then automatically deleted.
Payment records
Retained for 7 years in accordance with UK financial record-keeping requirements.
Support communications
Retained for 24 months then deleted, unless required for an ongoing legal matter.

8. Your rights under UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, contact us at support@paspira.com.

Right of access
You can request a copy of all personal data we hold about you (a Subject Access Request). We will respond within 30 days.
Right to rectification
You can ask us to correct inaccurate personal data we hold about you.
Right to erasure
You can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it. Account deletion requests are processed within 30 days.
Right to restriction
You can ask us to restrict how we use your data while a complaint or correction request is being resolved.
Right to portability
You can request your emission data in a machine-readable format (CSV). This is available directly from the dashboard.
Right to object
You can object to us processing your data on the basis of legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent
Where processing is based on consent you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data correctly.

9. Security

We take the security of your data seriously. We implement the following measures:

All data is encrypted in transit using HTTPS/TLS.
Passwords are hashed using industry-standard algorithms — we cannot see your password.
Database access is restricted by role-based permissions (Row Level Security on Supabase).
Authentication tokens are short-lived and rotated on each session.
We conduct regular reviews of access controls and security configurations.

No method of transmission or storage is 100% secure. If you have concerns about a security issue please contact support@paspira.com immediately.

10. Children

The Paspira CarbonLedger platform is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with personal data please contact support@paspira.com and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes we will notify you by email or by displaying a notice on the platform before the change takes effect. The date at the top of this page shows when the policy was last updated.

Continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.

12. Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Paspira (trading name)
England and Wales
Email: support@paspira.com
Website: paspira.com

We aim to respond to all privacy-related enquiries within 5 business days.

© 2026 Paspira · paspira.com