Legal

Privacy Policy

TERRALEKHA ("we", "our", "us") is a carbon accounting platform that helps Indian MSME exporters generate CBAM-compliant emissions PassPorts. This Privacy Policy explains what personal data we collect, why we collect it, how we store and protect it, and your rights over it.

1. Who we are

TERRALEKHA is a product operated in India. Our primary contact for privacy matters is: [email protected]

2. What data we collect

We collect the following categories of personal data:

• Contact information — name, email address, WhatsApp number, company name, provided when you request an invite or contact us.
• Business information — export sector, accounting software, annual export volume, provided during onboarding.
• Accounting data — emission-relevant entries extracted from your accounting software (electricity, fuel, freight, raw material purchases) during PassPort generation. This data does not include personal financial records, salaries, or individual transactions unrelated to emissions.
• Usage data — pages visited, time spent, browser type, IP address. Collected via essential cookies only.

3. Why we collect it

• To generate your CBAM-compliant PassPort and associated emissions calculations.
• To contact you regarding your invite request and onboarding.
• To provide support and respond to queries.
• To send service notifications — PassPort generation, verifier co-signature, expiry reminders.
• To improve our platform based on usage patterns.

4. Legal basis for processing (GDPR)

If you are located in the EU or your data is processed in connection with EU CBAM obligations, we process your data on the following legal bases:

• Contract performance — processing necessary to generate your PassPort and deliver the service you have requested.
• Legitimate interests — usage analytics to improve the platform, fraud prevention.
• Consent — where you have explicitly agreed, such as marketing communications.

5. Where your data is stored

All customer data — emission records, PassPorts, organisation profiles — is stored in Supabase, hosted in the Mumbai region (AWS ap-south-1), with physical servers located in India. Transit data may pass through Cloudflare's global edge network for performance and security. No customer data is stored on our team's personal devices.

6. How long we keep your data

• PassPort and emission records — 7 years, in line with CBAM regulatory requirements.
• Contact and onboarding data — for the duration of the service relationship, plus 2 years.
• Usage data — 90 days.

7. Who we share your data with

We do not sell your data. We share data only with:

• Accredited verifiers — the verifier co-signing your PassPort receives the emission data necessary for verification, under a formal data processing agreement.
• Infrastructure providers — Supabase (database), Cloudflare (edge and CDN), Railway (compute). All are bound by data processing agreements.
• EU CBAM Registry — verification status may be shared with the CBAM Registry as required by EU Regulation 2023/956.

8. Your rights

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your data, subject to legal retention requirements.
• Object to processing based on legitimate interests.
• Data portability — receive your data in a machine-readable format.
• Withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Cookies

We use essential cookies only — those required to make the website function. We do not use advertising or tracking cookies. Essential cookies include session identifiers and your cookie consent preference. By continuing to use the website you accept this use.

10. Changes to this policy

We will update this policy as our practices evolve. Material changes will be notified by email to registered users. The effective date at the top of this page reflects the most recent revision.