Data Protection Policy

Last updated: January 16, 2026

1. Purpose & Scope

This Data Protection Policy (“Policy”) describes how ZeroPact, Inc. (“ZeroPact”, “we”, “us”, “our”) collects, processes, stores, transfers, secures, and discloses personal data and customer data across all of our platforms, websites, mobile experiences, APIs, and SaaS tools (collectively, the “Services”). It applies to all data handled by ZeroPact’s AI-powered Life Cycle Analysis (LCA) engine, related dashboards, integrations (e.g., ERP, PLM, supplier portals), edge functions, and any internal tools used by our team to deliver the Services.

This Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), the Brazilian LGPD, and other applicable data protection laws.

2. Data Controller & Contact

ZeroPact, Inc. acts as the data controller for personal data collected through our public website and marketing channels, and as a data processor for customer data submitted into our SaaS platform on behalf of our business customers (each a “Customer”).

For privacy questions, data subject requests, or to reach our Data Protection Officer (DPO), contact: dpo@zeropact.co or tech@zeropact.co.

3. Categories of Data We Process

Across our platforms and SaaS tools, we process the following categories of data:

  • Account data: name, business email, job title, company, phone, password hashes, role/permissions.
  • Identity & authentication data: login credentials, MFA tokens, OAuth identifiers, session tokens, IP address, device fingerprints.
  • Customer business data: product specifications, bills of materials, supplier information, manufacturing process data, transport and energy data uploaded into the LCA engine.
  • Usage & telemetry data: pages visited, features used, API calls, performance metrics, error logs, browser, OS.
  • Communications data: support tickets, chat transcripts, emails, demo requests, meeting notes.
  • Billing data: billing contact, VAT/Tax ID, invoices, payment status (payment card data is handled by PCI-DSS compliant processors and never stored by ZeroPact).
  • Marketing data: newsletter consents, event attendance, content downloads, UTM parameters.
  • Cookies & similar technologies: see our Cookie Policy.

We do not intentionally collect special categories of data (e.g., health, biometric, political opinions). Customers must not upload such data into the Services.

4. Legal Bases for Processing

We rely on the following legal bases under GDPR Art. 6:

  • Contract: to provide the Services and fulfill our agreements with Customers.
  • Legitimate interests: to secure, improve, and analyze the Services, prevent fraud, and conduct B2B marketing where permitted.
  • Consent: for non-essential cookies, marketing emails to individuals, and optional features.
  • Legal obligation: to comply with tax, accounting, regulatory, and law enforcement requirements.

5. How We Use Data

  • Operate, maintain, and improve the LCA engine, dashboards, integrations, and APIs.
  • Authenticate users, manage entitlements, and enforce access controls.
  • Train and tune our proprietary AI models on aggregated and anonymized data only — Customer-identifiable data is never used to train models for other Customers without explicit written consent.
  • Provide customer support, onboarding, and professional services.
  • Send service notices, security alerts, and (with consent) marketing communications.
  • Detect, investigate, and prevent security incidents, fraud, and abuse.
  • Comply with legal, regulatory, and contractual obligations.

6. AI & Automated Processing

Our SaaS tools use AI/ML to estimate environmental impacts, fill data gaps, and generate recommendations. These outputs are decision-support tools and do not produce legal or similarly significant effects on individuals. Human review is available for all AI-generated outputs. We log model versions and inputs to ensure traceability and auditability of results.

7. Data Sharing & Sub-processors

We share data only with vetted sub-processors that provide infrastructure, analytics, communications, payments, and AI capabilities required to deliver the Services. All sub-processors are bound by written contracts, including GDPR Art. 28 obligations and, where applicable, EU Standard Contractual Clauses (SCCs).

Current categories of sub-processors include cloud hosting, managed databases, authentication, email delivery, customer support, analytics, error monitoring, payment processing, and AI inference providers. A current list is available upon request to dpo@zeropact.co.

We do not sell personal data and we do not share personal data for cross-context behavioral advertising as defined under the CPRA.

8. International Data Transfers

Data may be processed in the European Union, the United Kingdom, and the United States. Where personal data leaves the EEA/UK, we rely on the EU SCCs (2021/914), the UK International Data Transfer Addendum, and the EU–US Data Privacy Framework where applicable, complemented by appropriate technical and organizational measures (encryption in transit and at rest, pseudonymization, access controls).

9. Data Retention

  • Customer data in the SaaS platform: retained for the duration of the subscription and deleted or returned within 30 days of termination, unless a longer retention is required by law.
  • Account data: retained while the account is active and up to 24 months after closure for legitimate business reasons.
  • Billing & tax records: retained for up to 10 years where required by law.
  • Security logs & audit trails: retained for up to 24 months.
  • Marketing data: retained until consent is withdrawn or after 24 months of inactivity.

10. Security Measures

We implement industry-standard technical and organizational measures, including:

  • TLS 1.2+ encryption for all data in transit and AES-256 encryption at rest.
  • Role-based access control (RBAC), least-privilege principles, and SSO/MFA for internal access.
  • Network segmentation, Web Application Firewalls, and DDoS protection.
  • Centralized logging, anomaly detection, and 24/7 monitoring.
  • Secure software development lifecycle, code reviews, dependency scanning, and periodic penetration testing.
  • Vendor risk management and annual security reviews of sub-processors.
  • Backup and disaster recovery with defined RPO/RTO objectives.
  • Employee security awareness training and confidentiality agreements.

11. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where required, and notify affected Customers and data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

12. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request deletion (“right to be forgotten”).
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, without affecting prior lawful processing.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, contact dpo@zeropact.co. Where you are an end user of a Customer’s deployment, please contact that Customer first; we will assist them as a processor.

13. Children’s Data

The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our Services, legal requirements, or industry practices. Material changes will be communicated via the Services or by email. The date at the top of this page indicates the latest revision.

15. Contact Us

ZeroPact, Inc. — Data Protection Office
Email: dpo@zeropact.co
General support: tech@zeropact.co