Privacy Policy

This Privacy Policy describes how Terminal Carbon Pty Ltd handles personal information of website visitors, registered users, vendors, buyers and prospective customers. It is designed to comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) and, where applicable, the EU and UK General Data Protection Regulation (GDPR).

For GDPR purposes, Terminal Carbon Pty Ltd is the data controller of the personal information described below.

We collect the following categories of information:

• Account data — name, work email, company, role, password hash, and authentication identifiers (e.g. Google sign-in subject ID).
• Transactional & business data — project listings, vendor profiles, deal enquiries, documents you upload, and messages exchanged on the Platform.
• Usage data — pages visited, features used, IP address, browser, device, referrer, and approximate location derived from IP.
• Cookies and similar technologies — see our Cookie Policy.
• Communications — emails, support tickets, scheduled-call notes.

We use personal information to:

• Provide, secure and improve the Platform.
• Authenticate users and prevent fraud, abuse and unauthorised access.
• Score projects, surface relevant listings, and operate brokered transactions.
• Send service emails, transaction confirmations, and (with consent) marketing updates.
• Comply with legal, regulatory and tax obligations.

Legal bases (GDPR/UK GDPR): contract performance, legitimate interests (operating and improving the Platform, security, fraud prevention), legal obligation, and consent (for non-essential cookies and marketing emails).

We share personal information with:

• Service providers processing data on our behalf — hosting (Cloudflare), database and authentication (Supabase), email delivery, analytics, and AI inference providers (OpenAI, Google) — under written data-processing terms.
• Counterparties to a transaction — when you express interest in a vendor or listing, we share enough information to enable them to respond.
• Authorities — where required by law, court order, or to protect our rights and safety.
• Successors — in a merger, acquisition or asset sale, subject to equivalent privacy protections.

We do not sell personal information.

Our infrastructure providers operate globally. Personal information may be processed in Australia, the United States, the European Union and other regions where our service providers are located. Where transfers occur from the EU/UK to a country without an adequacy decision, we rely on standard contractual clauses or equivalent safeguards.

We retain personal information only as long as necessary for the purposes described above or to comply with legal, accounting or reporting obligations. Account data is deleted within 90 days of account closure, except where we must retain it (e.g. transaction records for tax purposes — typically 7 years under Australian law).

We use encryption in transit (TLS), encryption at rest, role-based access control, row-level security on our database, and regular access reviews. No system is perfectly secure — if we become aware of a data breach likely to result in serious harm, we will notify affected users and the relevant authority in accordance with the Notifiable Data Breaches scheme.

Subject to applicable law, you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Request deletion of your information (where we are not required to retain it).
• Object to or restrict certain processing.
• Port your information to another provider.
• Withdraw consent at any time, without affecting prior lawful processing.
• Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au) or your local data-protection authority.

To exercise any of these rights, email privacy@terminalcarbon.com. We respond within 30 days.

The Platform is intended for business users and is not directed to anyone under 18. We do not knowingly collect personal information from minors.

We may update this Privacy Policy from time to time. Material changes will be notified on the Platform and, for registered users, by email at least 14 days before they take effect.

Privacy enquiries: privacy@terminalcarbon.com. Postal address: Terminal Carbon Pty Ltd, Sydney, NSW, Australia (full registered address provided on request).