Privacy Policy
Last updated: February 23, 2026
1. Data Controller
The CarbonTrex platform is operated by Opsida Teknoloji Yazılım Bilgisayar ve Danışmanlık Ltd. Şti. (“Opsida Teknoloji”). As the data controller under the Turkish Personal Data Protection Law No. 6698 (KVKK) and in compliance with the EU General Data Protection Regulation (GDPR), we process your personal data as described below.
This policy applies to the account, contact, transaction-security, support, billing and web-usage data that Opsida processes in its capacity as data controller. With respect to the activity, emission, report and evidence data that a corporate customer uploads to its tenant workspace, the relevant corporate customer is the data controller; Opsida processes such data solely as a data processor, on the customer's instructions and within the scope of the service agreement and the DPA.
2. Data We Collect
We collect the following categories of data through our platform:
2.1 Personal Data
- Name, surname and contact information (email, phone)
- Company name, title and industry information
- Platform usage data and session information
2.2 Corporate Environmental Data
- Energy consumption data (electricity, natural gas, LPG, diesel, etc.)
- Fuel consumption quantities and invoice information
- Refrigerant gas usage and leakage data
- Process-related emission data
- Transportation and logistics data (Scope 3)
- Supply chain data and supplier information
- Water consumption data
- Waste management data
2.3 Calculation and Reporting Data
- Greenhouse gas emission calculation results (Scope 1, 2, 3)
- Uncertainty analysis results
- Generated reports and report archive
- Evidence documents and supporting documentation
3. Purposes of Data Processing
The collected data is processed for the following purposes:
- Greenhouse gas emission calculation in compliance with ISO 14064-1 and GHG Protocol standards
- Generation of Scope 1, 2 and 3 emission reports
- Uncertainty analysis and sensitivity calculation
- Generation of verification-ready reports
- Improvement of platform performance
- Fulfillment of legal obligations
4. Data Security
The confidentiality and integrity of your environmental data is our highest priority:
- Data is protected with encrypted transmission over TLS
- Per-tenant data isolation is enforced with row-level security (RLS)
- Role-based authorization ensures only authorized personnel can access your data
- Access logs are kept and regular backups are performed
- Locked reports are protected with a SHA-256 integrity digest and an RFC-3161 time stamp
- Production data is hosted in the Supabase/AWS eu-central-1 (Frankfurt) region
5. Data Sharing
Your data is not shared with third parties except in the following cases:
- Submission of reports to verification bodies with your explicit consent
- Disclosure to authorized public authorities when legally required
- Technical service providers with confidentiality agreements for platform infrastructure (hosting, backup, etc.)
Your environmental data is never shared with or sold to third parties for marketing purposes.
6. Data Retention Periods
- Personal data: Throughout the service period and for the legally required duration thereafter
- Emission calculation data: Reporting period + 10 years (for verification and audit requirements)
- Reports and archive: Retained for legally required retention periods
- Evidence documents: Relevant reporting period + 7 years
7. Cookies
Our platform uses the following cookies:
- Essential cookies: For session management and platform functionality
- Preference cookies: To store your language preference and interface settings
Other than essential session cookies and functional records such as language preference, the platform uses no analytics cookies. Usage is measured in aggregate form via Vercel Analytics, which does not use cookies.
8. Your Rights
Under KVKK Art. 11, you have the following rights:
- Right to know whether your personal data is being processed
- Right to request information if it has been processed
- Right to learn the purpose of processing and whether it is used appropriately
- Right to know third parties to whom data has been transferred, at home or abroad
- Right to request correction of incomplete or inaccurate data
- Right to request deletion or destruction of data
- Right to request that corrections, deletions or destructions be notified to third parties to whom the data was transferred
- Right to object to outcomes arising solely from automated data analysis
- Right to claim compensation for damages due to unlawful processing
To the extent the GDPR applies, you may additionally exercise the rights of access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent, and lodging a complaint with the competent supervisory authority. The GDPR applies only where applicable.
To exercise your rights, please contact us at info@carbontrex.com.
9. Changes
This privacy policy may be updated in line with legal regulations or platform changes. Significant changes will be communicated via email.
10. Contact
For questions about our privacy policy, please reach us at info@carbontrex.com.