This Data Protection Policy (“Policy”) describes how ZeroPact, Inc. (“ZeroPact”, “we”, “us”, “our”) collects, processes, stores, transfers, secures, and discloses personal data and customer data across all of our platforms, websites, mobile experiences, APIs, and SaaS tools (collectively, the “Services”). It applies to all data handled by ZeroPact’s AI-powered Life Cycle Analysis (LCA) engine, related dashboards, integrations (e.g., ERP, PLM, supplier portals), edge functions, and any internal tools used by our team to deliver the Services.
This Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), the Brazilian LGPD, and other applicable data protection laws.
ZeroPact, Inc. acts as the data controller for personal data collected through our public website and marketing channels, and as a data processor for customer data submitted into our SaaS platform on behalf of our business customers (each a “Customer”).
For privacy questions, data subject requests, or to reach our Data Protection Officer (DPO), contact: dpo@zeropact.co or tech@zeropact.co.
Across our platforms and SaaS tools, we process the following categories of data:
We do not intentionally collect special categories of data (e.g., health, biometric, political opinions). Customers must not upload such data into the Services.
We rely on the following legal bases under GDPR Art. 6:
Our SaaS tools use AI/ML to estimate environmental impacts, fill data gaps, and generate recommendations. These outputs are decision-support tools and do not produce legal or similarly significant effects on individuals. Human review is available for all AI-generated outputs. We log model versions and inputs to ensure traceability and auditability of results.
We share data only with vetted sub-processors that provide infrastructure, analytics, communications, payments, and AI capabilities required to deliver the Services. All sub-processors are bound by written contracts, including GDPR Art. 28 obligations and, where applicable, EU Standard Contractual Clauses (SCCs).
Current categories of sub-processors include cloud hosting, managed databases, authentication, email delivery, customer support, analytics, error monitoring, payment processing, and AI inference providers. A current list is available upon request to dpo@zeropact.co.
We do not sell personal data and we do not share personal data for cross-context behavioral advertising as defined under the CPRA.
Data may be processed in the European Union, the United Kingdom, and the United States. Where personal data leaves the EEA/UK, we rely on the EU SCCs (2021/914), the UK International Data Transfer Addendum, and the EU–US Data Privacy Framework where applicable, complemented by appropriate technical and organizational measures (encryption in transit and at rest, pseudonymization, access controls).
We implement industry-standard technical and organizational measures, including:
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where required, and notify affected Customers and data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Subject to applicable law, you have the right to:
To exercise these rights, contact dpo@zeropact.co. Where you are an end user of a Customer’s deployment, please contact that Customer first; we will assist them as a processor.
The Services are intended for business use and are not directed to children under 16. We do not knowingly collect personal data from children.
We may update this Policy from time to time to reflect changes in our Services, legal requirements, or industry practices. Material changes will be communicated via the Services or by email. The date at the top of this page indicates the latest revision.
ZeroPact, Inc. — Data Protection Office
Email: dpo@zeropact.co
General support: tech@zeropact.co