ClimateGuardClimateGuard← Back
Legal

Privacy Policy

Last updated: 10 May 2026

1.Who we are

ClimateGuard ("ClimateGuard", "we", "us") operates the climate-risk reporting platform at climate-guard.io (the "Platform"). ClimateGuard is currently operated as an unincorporated business based in the Philippines. Upon incorporation, this notice will be updated to reflect the formal legal entity, its registered office, and any local data-protection registration.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and your rights as a data subject.

2.Data we collect

Account & identity

Email address, name, role, organisation, password (hashed by our auth provider — we never see your plaintext password).

Asset & report data

Addresses, coordinates, sector classifications, asset attributes, and any other information you enter to generate a climate-risk report. These data are owned by you; we hold them on your behalf solely to deliver the Platform.

Usage data

Pages viewed, features used, anonymised performance metrics. Collected via Vercel Analytics — IP addresses are anonymised before storage and are not linkable to your account.

Cookies & session

Strictly-necessary cookies for authentication and session management (set by Supabase Auth). No advertising or third-party tracking cookies.

What we do NOT collect

We do not collect financial / payment card data (handled separately by a PCI-compliant processor when paid plans launch), government IDs, health data, biometric data, or any data about you outside of the Platform.

3.Why we collect it (legal basis)

  • Performance of contract — to deliver the report-generation service you have requested.
  • Legitimate interest — to operate the Platform, secure it against abuse, and improve product quality. Balanced against your reasonable expectations.
  • Legal obligation — to comply with applicable accounting, tax, anti-money-laundering, and lawful-request requirements.
  • Consent — only where required by law (e.g. marketing communications, which are opt-in).

4.Who we share it with (sub-processors)

We share data only with the vendors required to operate the Platform. Each vendor is bound by its own data-processing terms.

  • ·
    Supabase
    Authentication and primary database (Postgres) hosting
    Hosted: United States / regional
  • ·
    Vercel
    Web hosting and edge-network delivery; Vercel Analytics
    Hosted: United States (CDN: global)
  • ·
    OpenAI
    LLM inference used to draft narrative sections of reports. Inputs and outputs are NOT used by OpenAI to train models, per OpenAI's Enterprise API terms.
    Hosted: United States
  • ·
    Mapping & geo APIs
    Geocoding and elevation lookup (Nominatim/OpenStreetMap, Open-Elevation, Carto basemap)
    Hosted: Various

We will notify you in advance of any material changes to this list. We do not sell your data, and we do not share it with marketing or analytics third parties beyond the privacy-preserving usage metrics described above.

5.International data transfers

Our infrastructure is global. Data may be processed in the United States or other countries where our sub-processors operate. Where required, transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards. For EU/UK-based customers requiring EU-region hosting, contact us; an EU-resident Supabase project is available for enterprise plans.

6.Retention

We retain account data for the life of your account plus 30 days after closure (for backup and dispute-resolution reasons). Reports remain accessible until you delete them. Audit-log data is retained for 12 months. Anonymised usage metrics are retained for up to 24 months.

7.Your rights

You may, at any time, contact us at admin@climate-guard.io to:

  • Access the personal data we hold about you;
  • Correct inaccurate or incomplete data;
  • Delete your account and associated personal data;
  • Export your data in a machine-readable format (JSON);
  • Object to or restrict certain processing;
  • Withdraw consent where processing is based on consent.

We will respond within 30 days. Where local law (GDPR, CCPA, PDPA, etc.) grants additional rights, those rights apply in addition to the above.

8.Security

We apply industry-standard protections: TLS 1.3 in transit, AES-256 at rest, row-level security on the database, append-only audit logging, 30-minute idle session timeout, rate-limited APIs, and strict secret management. Our security posture is documented at our public SECURITY.md. SOC 2 Type I is in progress (target Q3 2026).

9.Changes to this policy

We will post material changes on this page and update the "Last updated" date. For substantive changes that materially expand our use of your data, we will also notify you by email at the address on your account.

10.Contact

Questions, requests, or complaints? Email admin@climate-guard.io. We aim to acknowledge within 2 business days.

This policy is provided as a plain-English summary of our practices. It is not legal advice. Where local data-protection law (e.g. EU GDPR, UK Data Protection Act, California CCPA, Philippines DPA, Singapore PDPA) confers stronger rights, those rights take precedence.