Skip to main content
Legal

Privacy Policy

Last updated: April 2, 2026

1. Who we are

AlchemOS Positive ("we", "our" or "us") operates the ESG and carbon management platform available at alchemos.io and app.alchemos.io. We are the data controller for personal data collected through these services.

2. What data we collect

We collect data you provide directly, data generated by your use of our platform and limited technical data:

  • Account data: company name, full name, work email address, job title, password (stored as bcrypt hash — never in plaintext).
  • Subscription data: selected plan, billing information (processed by our payment processor — we do not store payment card data).
  • Platform usage data: emission entries, reports created, calculator configurations, project data you enter.
  • Technical data: IP address (for rate limiting and security only), browser type, pages visited (via analytics cookies — only if you consent).
  • Communications data: messages you send via our contact form or support channels.

3. Legal basis for processing

  • Contract performance: processing your registration and providing platform services.
  • Legitimate interests: security monitoring, preventing fraud, improving services.
  • Consent: analytics cookies (you control via our cookie banner).
  • Legal obligation: where required by applicable law.

4. How we use your data

  • Provide, maintain and improve the platform.
  • Send transactional emails (account verification, password reset, subscription notices).
  • Respond to support requests.
  • Comply with legal obligations.

We do not sell your personal data to third parties.

5. Cookies and tracking

We use Google Analytics 4 via Google Tag Manager only after you grant consent. See our Cookie Policy for full details. You can change your preference at any time via the cookie banner at the bottom of any page.

6. Data retention

We retain account data for the duration of your subscription plus 90 days after termination. Anonymised analytics data may be retained longer for product improvement. You may request deletion at any time.

7. Your rights (GDPR)

If you are located in the European Economic Area, you have the right to: access your data, correct inaccurate data, request deletion, restrict processing, data portability, and object to processing. Contact us at privacy@alchemos.io to exercise any right.

8. Cross-border transfers

Our infrastructure is hosted in the European Union. If data is transferred outside the EEA, we use EU Standard Contractual Clauses to ensure lawful transfer.

9. Security

We use industry-standard measures including TLS encryption in transit, bcrypt password hashing, role-based access controls and regular security testing. We maintain audit logs for all sensitive actions.

10. Contact

For privacy enquiries: privacy@alchemos.io

To report a security vulnerability: see security.txt