Privacy.

We handle three categories of personal information.

• Identification and contact data for the people who hold accounts on our platform — names, work email addresses, organisation, role, and authentication metadata.
• Operational data that customers upload or generate while using the platform — environmental performance data, supplier contact details, calculation outputs, narrative content, and audit-trail records.
• Technical data automatically generated when you visit the Services — IP address, browser type, device characteristics, request timestamps, error logs.

We do not sell personal information. We do not run advertising networks on the Services and do not share personal information with third-party advertisers. Our platform does not target or knowingly process personal information of children under sixteen.

From visitors to enviroai.io. Server logs containing your IP address, request URL and timestamp, user-agent string, and referrer. These logs are retained for security and abuse prevention.

From people who book a walkthrough or contact us. The contact details you submit through Calendly or by email, plus any context you share about your reporting needs.

From authenticated users on the platform. Your name, work email, organisation, role, password hash, and your in-product activity (pages visited, actions taken, files uploaded, server-action timing). We log every change to platform records as part of an immutable audit trail required by sustainability assurance frameworks.

From the customer organisations our users belong to. The environmental performance data, supplier contact details, framework selections, and disclosure narratives that your team chooses to upload, calculate, or generate inside the platform. This data may include personal information about your employees (for employee-emissions calculations) and your suppliers (for Scope 3 supplier engagement). The customer is responsible for the lawful basis to share that information with us.

We do not access customer data for any purpose other than running the Service for you, fixing bugs you report, responding to lawful access requests, and producing aggregate non-identifying telemetry.

• Operate the Services — authenticate you, render dashboards, calculate emissions, generate reports, send transactional email such as one-time passcodes and supplier requests.
• Improve the Services — investigate errors, evaluate performance, and design new features, using aggregate or de-identified telemetry where practical.
• Communicate with you — respond to support requests, notify you of platform changes, and (where you have consented) share product news.
• Comply with applicable law — including tax, accounting, and lawful access requests that meet the legal threshold under the DPA.

We do not use customer data to train artificial-intelligence models. Where the platform calls third-party AI services to assist with extraction or narrative drafting, those calls are made under contracts that prohibit the provider from training on submitted content.

For website visitors and prospective customers, our legal basis is consent (where required) and our legitimate interest in operating and securing the website.

For users on the platform, our legal basis is the performance of the contract between EnviroAI and the customer organisation that authorised your account. Some processing — for example, security logging — relies on our legitimate interest in protecting the Services.

Where we process personal information of EU or UK data subjects on behalf of a customer, we do so under a data-processing agreement with that customer that incorporates GDPR Article 28 obligations and, where transfers leave the EEA or UK, the Standard Contractual Clauses.

We do not sell personal information. We share it only with vendors who help us operate the Services, under contracts that bind them to confidentiality and to data-protection obligations no weaker than ours.

We update this list as our infrastructure evolves. Material changes that introduce new categories of sub-processors are communicated to customers under their data-processing agreement.

We may also disclose personal information when required by law, in response to valid legal process, or to protect the rights, property, or safety of EnviroAI, our customers, or the public.

• Customer-uploaded data is retained for the term of the customer's subscription plus a five-year rolling history window required by Philippine SEC reporting frameworks. Customers can export their data at any time under §07 and can request earlier deletion.
• Account records are retained until the user closes the account, then de-identified for analytics.
• Server logs are retained for ninety days, then aggregated.
• Marketing-site contact records are retained for two years from last interaction, unless you opt out earlier.
• Audit-trail records are retained for the customer's contractual term plus seven years to support sustainability assurance, then deleted.

Under the Philippines Data Privacy Act, the GDPR, and the UK GDPR, you have rights to:

• Access the personal information we hold about you.
• Correct information that is inaccurate or incomplete.
• Port your information in a structured, machine-readable format.
• Erase your information (the "right to be forgotten"), subject to applicable retention obligations.
• Restrict or object to certain processing.
• Withdraw consent at any time where processing is based on consent.

If you hold a platform account, you can exercise the data-portability and erasure rights directly from Settings → Data Privacy inside the platform. The portability export covers all tenant-scoped data tables in JSON format. Deletion requests are reviewed and confirmed by EnviroAI within thirty days.

If you do not hold a platform account, write to support@enviroai.io with your request and proof of identity.

You also have the right to lodge a complaint with the Philippines National Privacy Commission (privacy.gov.ph) or, in the EU/UK, with your local supervisory authority.

We protect personal information with administrative, technical, and physical safeguards that align with industry practice. Transport between you and the Services is encrypted with TLS 1.3. Database connections inside our infrastructure run over private networks. Authentication tokens are short-lived and bound to session context. Production access is restricted to a small number of named engineers, all logged and audited.

No security control is absolute. If you believe your account has been compromised, contact us at support@enviroai.io so we can investigate and respond.

Our hosting infrastructure is in Germany. Some sub-processors are located in the United States. Where personal information of EU or UK data subjects is transferred outside the EEA or UK, we rely on the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum, supplemented by additional safeguards where required after the Schrems II decision.

The marketing site uses a small number of strictly necessary cookies for routing and analytics. We do not run third-party advertising trackers or session-replay tools. Inside the platform, we use first-party cookies to maintain your authenticated session.

You can configure your browser to refuse cookies; some platform features may not work without session cookies.

The Services are intended for use by enterprise customers and their authorised employees. We do not knowingly collect personal information from anyone under sixteen. If you believe a child has provided personal information to us, contact us and we will delete it.

We may update this notice from time to time. When changes are material, we will notify customers through the platform and update the "Effective" date above. Continued use of the Services after the new effective date constitutes acceptance of the updated notice.

Novaris Technologies Ltd
Manila, Philippines

• Privacy and security enquiries — support@enviroai.io
• General contact — hello@enviroai.io