Privacy Policy
Last updated: 19 April 2026
CO2 Compliance Services (UK) Ltd ("we", "us", "our") is committed to protecting the privacy of individuals who visit our website and use the Citicus ONE platform. This Privacy Policy explains how we collect, use, store and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is:
CO2 Compliance Services (UK) Ltd
1-2 Manor Farm, Farm Lane, South Littleton, Worcestershire, WR11 8UA, United Kingdom
Email: privacy@co2compliance.co.uk
2. Personal Data We Collect
We may collect and process the following categories of personal data:
2.1 Information You Provide
- Account information: name, email address, job title, organisation name, phone number.
- Contact form submissions: name, email address, company, subject and message content.
- Payment information: billing name, billing address, payment card details (processed securely by our payment processor, Stripe — we do not store full card numbers).
- Communications: records of correspondence when you contact us by email, phone or through the website.
2.2 Information Collected Automatically
- Usage data: pages visited, features used, access times and durations within the Service.
- Technical data: IP address, browser type and version, operating system, device type.
- Cookies: we use essential cookies to operate the website and Service. See Section 8 for details.
3. How We Use Your Data
We use your personal data for the following purposes, each on the legal basis shown in brackets:
- To provide the Service (contractual necessity): creating and managing your account, providing access to Citicus ONE, processing payments and providing support.
- To communicate with you (contractual necessity / legitimate interest): responding to enquiries, sending service-related notifications, providing technical support.
- To improve our Service (legitimate interest): analysing usage patterns to improve functionality, performance and user experience.
- To comply with legal obligations (legal obligation): maintaining records for tax, accounting and regulatory purposes.
- To protect our interests (legitimate interest): preventing fraud, enforcing our terms, and ensuring the security of our Service.
4. Data Sharing
We do not sell your personal data. We may share personal data with:
- Service providers: trusted third parties who assist us in operating the Service, including cloud hosting providers, payment processors (Stripe) and email service providers. These providers process data on our behalf under data processing agreements.
- Legal requirements: where required by law, regulation, legal process or governmental request.
- Business transfers: in connection with a merger, acquisition or sale of assets, subject to the acquiring party agreeing to protect your data in accordance with this policy.
5. International Data Transfers
Your data is primarily stored and processed within the United Kingdom and the European Economic Area. Where data is transferred to countries outside the UK/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).
6. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Account data: retained for the duration of the subscription plus 12 months, unless you request earlier deletion.
- Subscriber data in the platform: available for export for 30 days after subscription termination, then securely deleted.
- Contact form submissions: retained for up to 24 months.
- Financial records: retained for 7 years as required by UK tax legislation.
7. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your data in certain circumstances.
- Right to restrict processing: request restriction of processing in certain circumstances.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@co2compliance.co.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
Our website uses the following types of cookies:
- Essential cookies: required for the website and Service to function correctly (e.g., session management, authentication). These cannot be disabled.
- Analytics cookies: help us understand how visitors interact with our website so we can improve it. These are only set with your consent.
You can manage cookie preferences through your browser settings.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest.
- Role-based access control and multi-factor authentication.
- Regular security assessments and penetration testing.
- Secure development practices and code review.
- Incident response procedures and breach notification processes.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@co2compliance.co.uk
- Post: CO2 Compliance Services (UK) Ltd, 1-2 Manor Farm, Farm Lane, South Littleton, Worcestershire, WR11 8UA, United Kingdom