Introduction
REPLACE WITH YOUR LEGAL COMPANY NAME ("TerraLedger", "we", "us", or "our") operates terraledger.io and the TerraLedger carbon accounting platform. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our services.
By accessing or using TerraLedger, you agree to the collection and use of information as described in this policy. We are committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
Information We Collect
Account Data
When you register for TerraLedger, we collect your name, business email address, company name, job title, and password (stored as a bcrypt hash). For enterprise accounts, we may also collect VAT or tax identification numbers.
Usage Data
We automatically collect information about how you interact with our platform, including pages visited, features used, session duration, IP address, browser type, operating system, and referring URLs. This data is used to improve the service and diagnose technical issues.
Emissions Data You Input
TerraLedger processes the emissions data you upload or connect via integrations — including energy consumption records, travel data, supplier invoices, and other Scope 1, 2, and 3 activity data. This data belongs to you. We act as a data processor for this information.
Billing Data
Payment card information is processed directly by your payment processor and is never stored on TerraLedger servers. We retain billing addresses, invoice history, and subscription status for accounting and legal compliance purposes.
How We Use Your Information
- Service delivery: Providing, operating, and maintaining your TerraLedger account and generating emissions reports.
- Analytics: Understanding how our platform is used to prioritise product improvements.
- Compliance: Meeting our legal obligations, including financial record-keeping and responding to lawful requests.
- Communications: Sending account notifications, product updates, and (with your consent) marketing emails. You can opt out at any time.
- Security: Detecting and preventing fraud, abuse, and security incidents.
Data Sharing
We do not sell, rent, or trade your personal data to third parties. We share data only with the following categories of sub-processors, each bound by data processing agreements:
- [Cloud Infrastructure Provider] — cloud hosting and storage (EU regions).
- [Payment Processor] — payment processing and subscription billing.
- [Customer Support Platform] — customer support and in-app messaging.
- [Analytics Provider] — privacy-first, cookieless product analytics.
We may also disclose data if required by law, court order, or government authority, or to protect the rights, property, or safety of TerraLedger, our customers, or others.
Data Retention
Account data is retained for the duration of your subscription plus 7 years for financial audit and regulatory compliance purposes.
Emissions data is retained for the duration of your contract plus 2 years, unless you request earlier deletion or a longer retention period for regulatory purposes.
When you delete data within the platform or close your account, data is marked for deletion and permanently purged from all systems within 30 days, except where retention is required by law.
Your Rights
Under the General Data Protection Regulation (GDPR) and UK GDPR, you have the following rights regarding your personal data:
- Art. 15 — Right of access: Request a copy of the personal data we hold about you and information about how we process it.
- Art. 16 — Right to rectification: Ask us to correct inaccurate or incomplete personal data without undue delay.
- Art. 17 — Right to erasure ("right to be forgotten"): Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis for processing.
- Art. 18 — Right to restriction of processing: Ask us to restrict processing of your data in certain circumstances (e.g. while accuracy is contested, or where processing is unlawful but you oppose erasure).
- Art. 20 — Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
- Art. 21 — Right to object: Object to processing based on legitimate interests or for direct marketing purposes at any time.
- Art. 21(2) — Right to object to direct marketing: Object to processing of your personal data for direct marketing at any time; processing shall cease immediately upon objection.
- Art. 22 — Right not to be subject to solely automated decision-making: Not be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects concerning you, except where the decision is necessary for a contract, authorised by law, or based on your explicit consent.
- Art. 7(3) — Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.
- Art. 77 — Right to lodge a complaint: Lodge a complaint with your national supervisory authority (UK: the Information Commissioner's Office at ico.org.uk; EU: your local data protection authority).
To exercise your GDPR rights, email us at legal@terraledger.io. We will respond within 30 days (or as required by applicable law).
California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the purposes for collection, the categories of sources, and the categories of third parties with whom we share your information.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information we hold about you.
- Right to Opt-Out of Sale or Sharing: Opt out of the sale or sharing of your personal information for cross-context behavioural advertising. See our Do Not Sell or Share My Personal Information page.
- Right to Limit Use of Sensitive Personal Information: Limit our use and disclosure of sensitive personal information to that which is necessary to perform the services you request. See our Limit Use of Sensitive Personal Information page.
- Right to Opt-Out of Automated Decision-Making and Profiling: Opt out of automated decision-making, including profiling, that produces legal or similarly significant effects concerning you. This right applies to profiling for decisions related to employment, credit, education, housing, insurance, and access to basic necessities.
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights. We will not deny you goods or services, charge you different prices, or provide a different level of service because you exercised your rights.
To exercise your California privacy rights, email us at legal@terraledger.io or use the link above. We will respond within 45 days as required by CCPA/CPRA.
Global Privacy Control & Do Not Track
Global Privacy Control (GPC): We honour the GPC browser signal (Sec-GPC: 1). If your browser sends a GPC signal, we treat it as a valid opt-out from the sale or sharing of your personal information for cross-context behavioural advertising, as required by California, Colorado, Connecticut, and other applicable US state privacy laws. Non-essential cookies are automatically rejected for visitors with GPC enabled and the banner will not display.
Do Not Track (DNT): Your browser may send a Do Not Track signal. Due to the lack of an agreed industry-wide standard for interpreting the DNT header, we do not currently respond to DNT signals. We recommend using GPC (supported by Firefox, Brave, and other browsers) as a more legally effective opt-out mechanism.
International Transfers
REPLACE WITH YOUR LEGAL COMPANY NAME (REPLACE WITH PLACE OF REGISTRATION) processes your data in the European Union. When data is transferred outside the European Economic Area (EEA), we rely on:
- The EU-US Data Privacy Framework for transfers to certified US entities
- Standard Contractual Clauses (SCCs) approved by the European Commission
Security
TerraLedger operates a continuous security-monitoring programme with controls mapped to the SOC 2 and ISO 27001 frameworks. Security controls include role-based access control, multi-factor authentication for administrative access, and encryption of data in transit and at rest. See our Security Practices page for full details.
Cookies
We use essential cookies only by default — these are required for authentication and session management and cannot be disabled without breaking core functionality.
With your consent, we also set optional analytics cookies (Plausible Analytics) to understand product usage. You can manage your cookie preferences at any time from your account settings or by clicking the cookie preferences link in the site footer.
Contact
For privacy-related enquiries, contact our legal team at legal@terraledger.io.
For GDPR-specific requests, contact our Data Protection Officer at dpo@terraledger.io or see our full GDPR & Data Protection page.
REPLACE WITH YOUR LEGAL COMPANY NAME — REPLACE WITH PLACE OF REGISTRATION.