Privacy Policy

Athlas Verity ("we", "our", "us", or "the Platform") is operated by CarbonFi Labs. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use the Athlas Verity carbon credit verification platform (the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and that your continued use constitutes consent to the data practices described herein. If you do not agree with any part of this Policy, you must discontinue use of the Service immediately.

This Policy was last updated on 1 January 2025 and is effective as of that date.

We collect information in the following categories:

• Account & Identity Data: Full name, email address, and hashed password created during registration. For OAuth sign-in, we receive the email address and display name from the identity provider.
• Project Submission Data: Carbon project details you submit for verification, including project name, location coordinates, land-use type, carbon credit category, quantification inputs, and any supporting documents or satellite imagery you upload.
• Geospatial & Satellite Data: Polygon boundaries, NDVI values, RGB composites, and Collect Earth Online validation data associated with your projects. This data is processed to compute verified carbon reduction estimates.
• Usage & Analytics Data: Page views, feature interactions, session duration, referral URLs, and error logs collected to improve platform performance and user experience.
• Technical & Device Data: IP address, browser type and version, operating system, device identifiers, and time zone — collected automatically via standard web server and analytics tooling.
• Communications Data: Any correspondence you send to our support or legal team, including email content and metadata.

We process your personal data solely for legitimate business purposes, including:

• Service Delivery: To authenticate your account, process verification submissions, generate AI-powered verification reports, and deliver PDF outputs.
• Platform Improvement: To analyse usage patterns, diagnose technical issues, and develop new features that improve verification accuracy and user experience.
• Communication: To send you transactional emails (account confirmation, password reset, verification completion notifications) and important policy updates. We do not send unsolicited marketing emails without your explicit consent.
• Security & Fraud Prevention: To detect, investigate, and prevent malicious activity, unauthorised access, and abuse of the platform.
• Legal Compliance: To comply with applicable laws, regulations, and lawful requests from competent public authorities.
• Methodology Transparency: Aggregated, anonymised project statistics may be used in published methodology research. No personally identifiable data is ever included in public research outputs.

We do not sell, rent, or trade your personal data. We may share your information only in the following limited circumstances:

• Service Providers: Trusted third-party vendors who process data on our behalf under strict data processing agreements (e.g., cloud infrastructure, email delivery, analytics). They may access only the minimum data required to perform their functions.
• AI & Satellite Processing Partners: Satellite imagery and project polygon data may be transmitted to processing services (DeepSeek, Gemini, Collect Earth Online APIs) solely to compute verification outputs. These partners do not retain project data beyond the processing session.
• Legal Requirements: We may disclose your data if required by law, court order, or governmental authority, or to protect the rights, property, or safety of Athlas Verity, our users, or the public.
• Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

We implement industry-standard technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, and destruction. These measures include:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Sensitive data stored in our databases is encrypted at the storage layer.
• Access Controls: Access to personal data is restricted on a need-to-know basis and protected by role-based access control (RBAC) and multi-factor authentication for administrative accounts.
• Audit Logging: All access and modifications to personal data are logged and periodically reviewed by our security team.

Despite our efforts, no method of transmission over the internet or electronic storage is absolutely secure. We cannot guarantee the absolute security of your data and encourage you to use strong, unique passwords and enable account security features where available.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting, and reporting obligations.

Account data is retained for the duration of your active account plus 24 months following account closure, after which it is securely deleted or anonymised. Verification project data may be retained for up to 7 years for audit and regulatory compliance purposes. Technical logs are retained for 90 days.

Subject to applicable law, you have the following rights regarding your personal data:

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request correction of inaccurate or incomplete personal data.
• Right to Erasure: You may request deletion of your personal data, subject to legal retention obligations.
• Right to Restriction: You may request that we restrict processing of your data in certain circumstances.
• Right to Portability: You may request a machine-readable export of your personal data.
• Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes at any time.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting prior processing.

To exercise any of these rights, please contact us at privacy@athlasverity.com. We will respond within 30 days.

We use cookies and similar technologies to maintain your session, remember your preferences, and collect analytics data. Strictly necessary cookies (required for authentication and security) are always active. Analytics and performance cookies may be disabled through your browser settings without affecting core functionality.

We do not use third-party advertising cookies or cross-site tracking technologies.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on this page with a revised "last updated" date and, where required by law, by sending an email notification to your registered address.

We encourage you to review this Policy periodically.

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our Privacy Team: