Privacy Policy

Effective date: 9 May 2026. This policy describes how CTS-VDC Services, operating within the CTS Group context (“we”, “us”), handles personal information in connection with the CTS Carbon Platform (“Platform”). It is provided for transparency and internal governance; it does not constitute legal advice.

The Platform supports sustainability data workflows, including carbon accounting, ESG-related reporting preparation, audit-oriented outputs, evidence and file handling associated with authorised users, analytics, and integration touchpoints with enterprise systems. This policy is written for a professional, enterprise audience.

1. Scope

This policy applies to personal information processed when you visit public areas of the Platform, request access, create or use an account, upload or link data (including evidence and attachments where enabled), use analytics or integration features, or otherwise interact with the Platform as permitted by your organisation and your account role.

2. Roles and responsibility

Depending on your organisation’s deployment and agreements, your employer or contracting entity may be the primary controller for certain datasets, while we act as a processor or service operator for the Platform as configured. Where we determine purposes and means for specific processing (for example, access-request handling), we act as a controller for that limited processing. Contractual arrangements with customers govern details where they exist.

3. Categories of information we may process

We may process the following types of information, as applicable:

  • Account and profile data: identifiers such as name, work email, organisation or company affiliation, role or title, and credentials used for authentication.
  • Usage and security data: technical logs, device and browser type, approximate location derived from network information where available, session identifiers, and similar metadata needed to operate and secure the service.
  • Operational and sustainability content: data you or your organisation submits through workflows supported by the Platform—for example, activity data for emissions calculations, procurement or travel records where used, supporting documentation or evidence files, and outputs generated for reporting or internal review.
  • Communications: messages you send to us (for example, via a designated contact channel) regarding access, support, or contractual matters.

4. Purposes of processing

We process personal information to provide and maintain the Platform; authenticate users and enforce role-based access; support sustainability, ESG, and audit-readiness workflows authorised by your organisation; operate analytics and integrations where enabled; detect and respond to misuse or security incidents; comply with law where applicable; and communicate about operational or contractual matters.

5. Sharing and sub-processors

We do not sell personal information. We may share information with service providers that host infrastructure, provide security monitoring, or deliver narrowly scoped functions on our instructions, subject to confidentiality and security expectations. We may also disclose information if required by law or to protect rights, safety, or the integrity of the Platform.

6. Retention

We retain information for as long as necessary to fulfil the purposes in this policy, meet contractual or legal obligations, and resolve disputes. Retention periods may depend on your organisation’s configuration, regulatory context, and the nature of uploaded content (for example, evidence tied to reporting periods).

7. Security

We implement administrative, technical, and organisational measures appropriate to the nature of the Platform and the sensitivity of data handled. No method of transmission or storage is completely secure; we encourage customers to apply least-privilege access, strong authentication practices, and internal data-handling policies aligned with their regulatory context.

8. Your choices and rights

Depending on applicable law, you may have rights to access, rectify, delete, restrict, or object to certain processing, or to lodge a complaint with a supervisory authority. To exercise rights, contact us using the details below. We may need to verify your identity and consider overlapping obligations to your organisation.

9. International transfers

Where data is accessed from or stored in jurisdictions other than your own, appropriate safeguards (such as contractual clauses adopted by your organisation) may apply. Details are often set out in customer agreements.

10. Changes

We may update this policy from time to time. The effective date at the top will be revised when material changes are made. Continued use of the Platform after updates may constitute notice where permitted by law and contract.

11. Contact

For privacy-related requests concerning the CTS Carbon Platform, contact sustainability@cts-nordics.com. CTS-VDC Services operates within the broader CTS Group ecosystem described on public corporate channels.