Privacy Policy

Privacy Policy — EcoAppraise™

Effective date: December 15, 2025
Last updated: December 15, 2025

EcoAppraise™ is operated by Carbon Blue Solutions Limited LLC (“EcoAppraise,” “we,” “us,” “our”). This notice explains what we collect, why we collect it, how we use and share it, and your rights under UK/EU and US laws.

A cookie banner (powered by Usercentrics) appears on first visit to manage your choices.

1) Who we are & how to contact us

Controller:
Carbon Blue Solutions Limited LLC (EcoAppraise™)

Registered office (USA):
1135 Marseille Drive, Suite 1, Miami Beach, FL 33141, USA

UK contact address:
c/o Steve Mayer, 167–169 Great Portland Street, London W1W 5PF, United Kingdom

Email (privacy & security):
info@carbonbluesolutions.net

2) Scope

This policy applies to:

ecoappraise.com and related pages (e.g., Submit, Verify, Secure Upload, Privacy Requests, Cookie Settings);
our communications with you (e.g., email, contact forms); and
EcoAppraise™ reports we generate, and verification pages (where enabled) that we host.

It also covers:

our Consent Management Platform (Usercentrics);
our contact-form email relay (FormSubmit); and
any secure upload features you use to provide ESG / sustainability reports and supporting files.

3) What we collect

3.1 Information you provide directly

Contact details – e.g., name, email address, phone number, company, role.
Claim/project submissions – text, claims, links (URLs), screenshots, and optional supporting files you submit for appraisal or verification.
Uploaded reports & documents (“Client Reports”) – ESG / sustainability reports, presentations, data appendices, and related materials submitted via upload pages or sent to us directly under NDA.
Support correspondence – emails, contact-form messages, feedback, and any attachments you include.
Billing & transaction details – information related to purchases (e.g., service selected, amount, currency, timestamp). Card data is handled by payment processors; we do not store full card numbers.

We do not seek:

government IDs;
precise geolocation; or
special/sensitive categories of personal data (e.g., health data, political opinions, data on children).

Please do not include these in submissions unless strictly necessary and agreed with us in advance.

3.2 Automatically collected data (usage data)

When you visit the site, we and our providers may collect:

IP address and approximate region;
device and browser type;
pages viewed, actions taken, timestamps;
basic error/diagnostic logs;
referral URLs and UTM parameters (if present);
cookie and consent identifiers (where enabled).

Analytics and marketing tools run only if you consent via the cookie banner, except for strictly necessary cookies.

3.3 Contact form via email relay (FormSubmit)

If you submit our Contact form:

the fields you enter (e.g., name, email, message) are transmitted to FormSubmit solely to deliver an email to us; and
we may also store a copy in our site database for reliability and follow-up.

3.4 Sources

We collect data from:

you directly (forms, uploads, emails);
automated logging on our site; and
our processors (e.g., payment providers, consent management, analytics – only if enabled by consent).

4) Why we use data (purposes) & legal bases

4.1 Purposes (all regions)

We use personal data to:

Provide the Service – process claims, run appraisals, generate reports, verification results, and follow-up commentary.
Handle uploaded reports/files – receive ESG / sustainability reports and supporting documents, review them under NDA or equivalent terms, and maintain records of work performed.
Operate and secure the website – troubleshooting, monitoring, preventing fraud/abuse, and protecting the integrity of our systems.
Improve the Service – understand how features are used, refine our rubric and tools, and develop new offerings (using aggregated and/or anonymised data where possible).
Communicate with you – respond to enquiries, send service-related notifications, and (if you opt in) send occasional updates or marketing.
Comply with law – meet legal, regulatory, tax, and accounting obligations; respond to lawful requests from authorities.
Enforce our Terms – prevent misuse of the Service and protect our rights, property, and safety, and those of our users and others.

4.2 EU/UK legal bases (where applicable)

When UK/EU data-protection law applies, we rely on:

Contract (Art. 6(1)(b) UK/EU GDPR) – to provide appraisals, verification and related services that you request.
Legitimate interests (Art. 6(1)(f)) – for security, fraud/abuse prevention, product improvement, internal analytics, and record-keeping, where these interests are not overridden by your rights.
Consent (Art. 6(1)(a)) – for non-essential cookies/analytics and for marketing communications where required.
Legal obligation (Art. 6(1)(c)) – where we must process or retain data to comply with applicable law.

5) Automated decision-making & profiling (EU/UK Art. 22)

EcoAppraise™ risk rating uses automated methods to evaluate claims against a rubric and may generate a risk rating (LOW / MEDIUM / HIGH) and supporting narrative.

Some services may include human oversight (for example, when explicitly selected), but not all deliverables include human sign-off.

You may request clarification, express your viewpoint, and contest an outcome by emailing info@carbonbluesolutions.net.

The risk rating and narrative may influence how others view a claim’s credibility, but we do not use outcomes to grant or deny you access to our service or to make decisions about you as an individual.

6) Uploaded reports, confidentiality & verification

6.1 Client Reports and confidentiality

“Client Reports” are ESG / sustainability reports and related documents you upload or otherwise provide to us (including via secure upload pages, email, or file-sharing links). Client Reports may contain business-sensitive information.

By default:

We treat Client Reports and the reports we generate for you as confidential between you and EcoAppraise™.
We use Client Reports only to perform the agreed services, maintain records of work performed, and comply with legal/contractual requirements, consistent with any NDA in place.

6.2 Storage behaviour and deletion

Client Reports and other uploaded files may:

be temporarily stored on hosting infrastructure operated by Wix.com Ltd. and its sub-processors (as our site/CMS provider);
be downloaded to our own secure storage (e.g., encrypted drives, controlled-access folders) for the duration of the engagement; and
be deleted from the web-hosting environment once download is confirmed or once the engagement is completed and we have archived local copies.

We retain local copies of Client Reports and related work papers only for as long as reasonably necessary to:

provide and document the services;
maintain quality-control and internal records; and
comply with legal, tax, and regulatory obligations or defend legal claims.

You may request earlier deletion of our copies after an engagement has ended; we will comply unless we are required by law or legitimate interests (e.g., legal defence) to retain certain records for longer.

6.3 Verification privacy (how Verify works)

If a report holder shares a unique reference or verification code, anyone with that code may verify limited details of the report (for example: reference, final risk rating (LOW / MEDIUM / HIGH), issue date, and methodology version) via our verification page (e.g., /verify-a-report).

Offline/manual reports and memos generated outside the automated on-site system may not have an online verification page and therefore may not be “reviewable” via Verify. In those cases, verification (if offered) is handled by the report holder sharing the deliverable directly.

Full reports and underlying Client Reports remain private unless the holder chooses to share them. Where a verification page is enabled, visibility is generally available for a limited period (e.g., 90 days) from issue, after which entries may be archived or removed.

6.4 Responsibility for uploads

You are responsible for:

ensuring you have appropriate rights and permissions to share Client Reports and any personal data contained within them;
avoiding inclusion of unnecessary personal or sensitive data; and
not uploading unlawful content or files containing malware or other technical threats.

7) Cookies & similar technologies (Usercentrics banner)

We use cookies and similar technologies to run the site and, with your consent, to understand usage and improve the Service.

Strictly necessary cookies – required for basic site functions (security, load-balancing, session management, forms, and core Wix platform features; PayPal’s technically necessary cookies during checkout).
Functional cookies (optional) – remember choices such as interface preferences.
Analytics cookies (optional) – help us understand how the site is used (e.g., Google Analytics 4 with IP anonymisation, if enabled).
Advertising/marketing cookies (optional) – measure campaigns or build audiences only if you enable them.

7.1 Consent management (Usercentrics)

We use Usercentrics as our Consent Management Platform (CMP):

It displays the cookie banner, records your choices, and shows the live list of vendors and cookies.
Your consent record (time, choice, pseudonymous identifier, device/browser info) is stored by Usercentrics on our behalf.

7.2 Managing your choices

On first visit, the banner lets you accept, reject, or customise optional cookies. You can change or withdraw consent at any time via the “Cookie settings” link in our footer.

7.3 Payments

If you use PayPal, PayPal may set technically necessary cookies for transactions and fraud prevention.

7.4 Current status

Essential cookies: always active.
Analytics: off by default; load only if you consent.
Marketing pixels: not deployed on public pages unless you consent to enable them.

8) Sharing your data

We do not sell or rent personal data.

We share data with carefully selected service providers acting as processors under contract, strictly for our purposes, including:

Wix.com Ltd. – website hosting, CMS, infrastructure, site security.
Usercentrics – consent management platform (CMP); stores your cookie/consent choices.
FormSubmit – contact-form email relay; delivers your message to our inbox.
Payment processors (e.g., PayPal) – process payments; we do not receive full card numbers.
Analytics/marketing tools – only if you consent via the cookie banner (e.g., GA4, other tools listed in the CMP).

We may also share data:

with authorities or third parties where required by law or to protect rights, safety, or the integrity of our systems; and
with a successor entity in the event of a merger, acquisition, or other corporate transaction (subject to equivalent protections).

We remain the controller of your personal data; our processors act only on our instructions.

9) International transfers

Some providers process data in countries outside your own (for example, transfers from the UK/EU to the United States and other jurisdictions where Wix and other vendors operate).

Where such transfers occur, we rely on appropriate safeguards such as:

the EU Standard Contractual Clauses (SCCs); and/or
the UK IDTA or UK-approved SCCs; and
supplementary safeguards and transfer impact assessments where appropriate.

Copies of key safeguards can be provided on request where legally permissible.

10) Retention

We keep data only for as long as reasonably necessary for the purposes described in this policy or as required by law, then delete or anonymise it.

Indicative retention periods:

Contact form submissions (site database): up to 24 months.
Claims, appraisals, Client Reports, and related work papers: up to 24 months after completion of the relevant engagement, unless earlier deletion is requested and permitted, or longer retention is required by law or for legal defence.
Verify references & minimal verification data (where verification is enabled): typically visible for up to 90 days from issue, then archived or deleted
Logs and basic analytics data: up to 6 months (longer if required for security or legal reasons).
Consent records (Usercentrics): up to 24 months from consent or until withdrawn, whichever is earlier.
Payment records: in line with accounting/tax law and payment provider retention; we keep only what is necessary for our own legal and accounting obligations.

11) Your rights

11.1 EU/UK (GDPR / UK GDPR)

Where applicable, you have the right to:

Access – obtain a copy of your personal data we hold.
Rectify – correct inaccurate or incomplete data.
Erase – request deletion of your data in certain circumstances.
Restrict – request restriction of processing in certain cases.
Object – object to processing based on legitimate interests, including profiling.
Portability – receive data you provided to us in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
Withdraw consent – where we rely on consent (e.g., for cookies or marketing), you can withdraw it at any time.
Human review of automated decisions – request human review and contest decisions where automated decision-making has legal or similarly significant effects on you.

11.2 US state privacy rights (e.g., CA/CPRA, CO, CT, VA, UT)

Where applicable, you may have rights to:

Know/access – request disclosure of categories and specific pieces of personal information collected.
Correct – request correction of inaccurate information.
Delete – request deletion of certain personal information.
Portability – request a copy of your information in a portable format.
Opt out of sale/sharing – we do not sell personal information; you may opt out of cross-context behavioural advertising by declining Marketing cookies in the cookie banner.
Non-discrimination – we will not discriminate against you for exercising your privacy rights.

For states that require an appeals process (e.g., VA/CO/CT), if we deny your request, you may appeal; we will respond with our reasons and any further options.

11.3 How to exercise your rights

You can exercise your rights by:

emailing info@carbonbluesolutions.net; or
using any dedicated privacy request form or page we provide (e.g., /privacy-requests).

We will respond within:

30 days where EU/UK law applies; or
45 days for US state laws (extendable once where permitted, with notice).

We may need to verify your identity before acting on your request. You also have the right to lodge a complaint with your local Data Protection Authority or, in the UK, the Information Commissioner’s Office (ICO).

12) Cookie Policy — EcoAppraise™

12.1 Who we are

EcoAppraise™ is a service of Carbon Blue Solutions Limited LLC (“we,” “us,” “our”). This Cookie Policy explains how we use cookies and similar technologies on ecoappraise.com.

12.2 What are cookies?

Cookies are small files placed on your device. Some are essential for the site to function; others are optional (e.g., analytics or marketing) and run only with your consent via our Usercentrics banner.

12.3 Categories we use

Strictly necessary (always on): security, load-balancing, session management, forms, core Wix platform features, and PayPal’s technically necessary cookies during checkout.
Functional (optional): remember choices such as language or UI preferences.
Analytics (optional): understand site usage to improve the Service (e.g., Google Analytics 4 with IP anonymisation, if enabled).
Advertising/Marketing (optional): measure campaigns or build audiences only if you enable them.

12.4 Your choices and “Do Not Sell or Share”

On first visit, the banner lets you accept, reject, or customise optional cookies. You can change or withdraw consent anytime via “Cookie settings” in the footer. The live banner lists current cookies and vendors reflecting your choices.

We do not sell personal information. If you are in a US state with “Do Not Sell or Share” rules, declining Marketing cookies in the banner will opt you out of cross-context behavioural advertising where applicable. If we later deploy ad pixels, we will provide a “Do Not Sell or Share” link that opens the banner to the Marketing tab.

12.5 International transfers & retention (cookies)

Where providers process cookie-related data outside the UK/EU, we rely on safeguards such as SCCs/IDTA (as described in Section 9). Cookie data persists for its stated lifetime (see the banner) or until you delete it. Analytics data is generally retained for up to 14 months unless configured otherwise.

13) US “Notice at Collection”

This section provides a notice at or before the point of collection for applicable US state privacy laws.

Categories collected:
Identifiers (e.g., name, email, IP address), internet/activity data (e.g., device, pages, timestamps, cookies), user-submitted content (claims, links, files, Client Reports), and transaction data via payment providers (when used).

Sensitive personal information:
Not intentionally collected. Please do not submit sensitive categories unless strictly necessary and agreed with us.

Purposes:
Provide and verify appraisals and reports; operate and secure the Service; prevent fraud/abuse; debug and improve the Service; perform analytics/marketing where you consent; and communicate with you.

Disclosures:
Service providers as described in Section 8.

Sale/Sharing:
We do not sell personal information. We do not “share” personal information for cross-context behavioural advertising unless you enable Marketing cookies. Opt out via Cookie settings in the footer.

Retention:
As set out in Section 10.

14) Security

We use reasonable technical and organisational measures to protect personal data, including encryption in transit (HTTPS/TLS), access controls, and monitoring. However, no system is 100% secure.

If you believe there has been unauthorised access to your data or a security issue, please contact us promptly at info@carbonbluesolutions.net.

15) Children

Our Service is not directed to children under 13 (US) or 16 (EU/UK). We do not knowingly collect personal data from children in these age groups. If you believe a child has provided data to us, please contact us so we can delete it.

16) Third-party links

Our site may contain links to third-party websites or services. Those sites are governed by their own privacy and cookie policies. We are not responsible for the privacy practices of third parties, and we encourage you to review their policies before providing them with personal data.

17) Changes to this policy

We may update this Privacy Policy as our Service or applicable laws evolve. Material changes will be highlighted on the site or notified where reasonably practicable.

The Effective date at the top shows when this policy last changed. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

18) Contact (all regions)

For questions, concerns, or to exercise your privacy rights, you can contact us at:

Email: info@carbonbluesolutions.net

Postal (UK contact):
c/o Steve Mayer
167–169 Great Portland Street
London W1W 5PF
United Kingdom

Processors we use (summary)
We rely on service providers under data-processing agreements. Core processors include:

Wix.com Ltd. (hosting/CMS and infrastructure)
Usercentrics (consent management)
FormSubmit (contact-form email relay)
PayPal (payments)
Analytics/marketing tools you enable via the cookie banner