Privacy Policy
How EcoDiligence collects, uses, and protects your data. We follow GDPR principles for all users.
Last updated:
1. What we collect
EcoDiligence collects the minimum data needed to operate the service:
- Account information: name, email address, and organization details you provide when signing up.
- ESG profile data: the answers you enter into the wizard (company information, energy consumption, waste, supply chain, certifications).
- Uploaded documents: electricity bills or other documents you upload to the AI bill parser. These are sent to our AI provider for one-time extraction and are not stored on our servers afterward.
- Technical logs: standard server logs (IP, user agent, timestamps) retained for 30 days for security and abuse prevention.
2. How we use your data
We use your data to:
- Operate the EcoDiligence platform and generate your ESG Passport.
- Send transactional emails (sign-in links, profile updates, account notifications) via Resend.
- Improve service reliability through aggregated, anonymized usage analysis.
- Comply with legal obligations and respond to lawful requests.
We do not sell your data, do not show ads, and do not share data with third parties for marketing purposes.
3. Third-party processors
EcoDiligence uses a small number of trusted subprocessors to deliver the service:
- Clerk — authentication and account management.
- Supabase — database and file storage (EU region).
- Anthropic — AI bill parsing (Claude Vision API). Uploaded bills are sent for one-time extraction only.
- Resend — transactional email delivery.
- Vercel — application hosting and edge networking.
4. Cookies
EcoDiligence currently uses only essential cookies required for authentication (Clerk) and session management (Vercel). We do not set analytics or marketing cookies. See our Cookie Policy for details.
5. Your rights (GDPR)
Under the EU General Data Protection Regulation, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and all associated data.
- Export your data in a portable format.
- Object to specific processing.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email privacy@ecodiligence.com. We respond within 30 days.
6. Data retention
We retain your account and ESG profile data for as long as your account is active. When you delete your account, all profile data is removed within 30 days. Server logs are retained for 30 days. Backups containing your data are rotated out within 90 days.
7. International transfers
Our primary infrastructure is hosted in the European Union (Supabase EU region). Some subprocessors (Anthropic, Resend, Vercel) operate globally; data transferred to them is protected by Standard Contractual Clauses (SCCs).
8. Children
EcoDiligence is a business tool and is not intended for individuals under the age of 18. We do not knowingly collect data from minors.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email to account holders. The “Last updated” date at the top of this page reflects the most recent revision.
10. Contact
Questions about this Privacy Policy or our handling of your data: privacy@ecodiligence.com.