Privacy policy
Last updated: March 29, 2026
This policy describes how carbon-llm (as “controller” or, where applicable, “processor” toward your own end customers) processes personal data in connection with the Service (website, user account, API, support).
1. Data collected
- Account: login identifier, email address, company name where applicable.
- API usage: technical identifiers (hashed API keys), event identifiers, usage metadata (LLM model, token volumes, carbon estimates), timestamps.
- Billing: data required for payment processing (e.g. customer identifier with Stripe).
- Support / contact: content of messages you send us.
2. Purposes and legal bases (GDPR)
- Performance of contract: providing the Service, account, billing (Art. 6(1)(b) GDPR).
- Legitimate interests: security, product improvement, aggregated statistics (Art. 6(1)(f) GDPR).
- Legal obligations: accounting retention or authority requests where applicable (Art. 6(1)(c) GDPR).
- Consent: where required (e.g. certain marketing communications), withdrawable at any time.
3. Recipients and subprocessors
Data may be processed by hosting, database (e.g. Supabase), transactional email (e.g. Resend), payment (e.g. Stripe), and CDN / edge infrastructure (e.g. Cloudflare), under confidentiality and security obligations. An updated list may be provided in the annex to the DPA for B2B customers.
4. Transfers outside the EU
Where transfers occur to countries without an adequacy decision, they are governed by EU Commission standard contractual clauses or an equivalent mechanism, unless another legal basis applies.
5. Retention
Account and billing data are kept for the term of the relationship and then according to legal obligations (e.g. accounting). Usage logs may be kept for a limited period compatible with security and product analysis, then anonymized or deleted.
6. Your rights
Under the GDPR you have rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with a supervisory authority (e.g. in your country of residence). To exercise your rights, use the Contact page.
7. Security
We apply appropriate technical and organizational measures (encryption in transit, access control, hashing of secrets). No system is perfect; please protect your keys and accounts.
Notice: this is a template. Complete the controller identity, DPO (if any), exact retention periods, and data flows with your privacy counsel.