Our Role
Under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), TerraLedger acts in two distinct capacities depending on the type of data being processed:
- Data Processor — for emissions data, operational records, and other business data that you (the customer) upload or connect to the TerraLedger platform. You remain the Data Controller for this data.
- Data Controller — for personal data we collect directly about your employees and account users (names, email addresses, usage logs, billing records).
Where TerraLedger acts as a processor, we process data only on your documented instructions and will not process it for any other purpose without your explicit consent.
Legal Basis for Processing
We rely on the following legal bases to process personal data:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the TerraLedger service under your subscription agreement.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, product analytics, and improving service quality — balanced against your fundamental rights.
- Legal obligation (Art. 6(1)(c)): Retaining financial records and responding to lawful requests from authorities.
- Consent (Art. 6(1)(a)): Optional analytics cookies and marketing communications. You may withdraw consent at any time.
Your Rights Under GDPR
As a data subject, you have the following rights under GDPR:
- Right of access (Art. 15): Obtain a copy of personal data we hold about you and information about how it is processed.
- Right to rectification (Art. 16): Have inaccurate or incomplete personal data corrected.
- Right to erasure (Art. 17): Request deletion of your personal data where there is no overriding legal ground for its retention.
- Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making (Art. 22): Not be subject to solely automated decisions that produce significant legal effects.
How to Exercise Your Rights
To exercise any of the rights listed above, please contact our Data Protection Officer by email at dpo@terraledger.io.
We will acknowledge your request within 5 business days and provide a substantive response within 30 days. In complex cases, we may extend this period by a further 60 days, in which case we will notify you of the extension and the reason.
We may ask you to verify your identity before fulfilling a request. This is to protect your data from unauthorised disclosure.
Data Transfers Outside the EU
TerraLedger processes and stores customer emissions data within the EU by default. No data is transferred outside the EEA without an appropriate safeguard in place.
For transfers involving US-based sub-processors, we rely on:
- The EU-US Data Privacy Framework where the recipient is certified
- Standard Contractual Clauses (SCCs) (Commission Implementing Decision 2021/914) supplemented by a Transfer Impact Assessment where required
Sub-processors
TerraLedger uses the following sub-processors, each bound by a Data Processing Agreement and appropriate transfer mechanisms:
- [Cloud Infrastructure Provider] — Cloud hosting and storage. [Specify EU region and disaster-recovery region. State DPF certification or SCC reliance for US transfers.]
- [Payment Processor] — Payment processing and subscription billing. Data limited to billing and financial records only.
- [Customer Support Platform] — Customer support and in-app messaging. Limited to support conversations and account metadata.
We maintain a full and up-to-date sub-processor list at https://terraledger.io/sub-processors. We will notify you at least 30 days before adding a new sub-processor that processes personal data under your account.
Data Protection Officer
TerraLedger has appointed a Data Protection Officer (DPO) who can be contacted at:
- Email: dpo@terraledger.io
- EU Representative: REPLACE WITH YOUR EU ENTITY (e.g. TerraLedger EU Ltd, Ireland)
Our EU entity (REPLACE WITH YOUR EU ENTITY (e.g. TerraLedger EU Ltd, Ireland)) is the data controller for processing activities related to EU/EEA customers and serves as the primary point of contact for EU supervisory authorities.
Retention Periods
- Emissions data: Retained for the duration of your active contract, plus 2 years after termination to support audit and compliance obligations.
- Account and user data: Retained for the duration of the subscription, plus 7 years for financial records as required by applicable accounting law.
- Support communications: Retained for 3 years from the date of the interaction.
- Security and access logs: Retained for 12 months, then automatically deleted.
When a retention period expires, data is permanently and securely deleted from all production systems and backups within 30 days. We do not archive data beyond these periods.
Complaints
If you believe TerraLedger has not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. Supervisory authorities include:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- Germany: Your relevant Landesbeauftragter für Datenschutz
We encourage you to contact us first at dpo@terraledger.io so we can resolve your concern directly.
CSRD & Data Obligations
The EU Corporate Sustainability Reporting Directive (CSRD) requires many organisations to report on their environmental, social, and governance (ESG) performance — including detailed Scope 1, 2, and 3 GHG emissions. TerraLedger is designed to help you meet these obligations.
Where TerraLedger processes personal data as part of your CSRD reporting workflow (e.g., employee commute surveys, travel data linked to individuals), you remain the data controller for that processing. TerraLedger acts as your processor and provides the technical and organisational measures required by Art. 28 GDPR.
For enterprise customers requiring a signed Data Processing Agreement (DPA) to satisfy their own compliance obligations, please contact legal@terraledger.io. A standard DPA is available for download from your account settings.