Privacy Policy
Last updated on 16th June 2026. Version 2.0.
Part A — All users
Introduction
- Welcome to Track Zero Labs Ltd (TrackZero)’s privacy policy. This privacy policy applies to all individuals who interact with TrackZero.
- When we refer to “TrackZero” we mean trackzero.eco, the TrackZero platform and all services provided via TrackZero.
- Track Zero Labs Ltd (“we”, “us” or “our”) respects your privacy and we are committed to protecting personal data and handling Company Data securely.
Who we are and important information
- The controller of TrackZero is Track Zero Labs Ltd of X+Why, Unity Place, 200 Grafton Gate, Milton Keynes MK9 1UP. Track Zero Labs Ltd is registered with the Information Commissioner’s Office (ICO) under registration number ZB674232. Our Privacy Team is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the privacy team at or write to us at the address above.
International transfers
- Some of the third-party service providers we use are based outside the UK and European Economic Area (EEA), including in the United States of America. Whenever we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place.
- For transfers to the USA and other countries outside the UK, we rely on a combination of transfer mechanisms depending on the supplier, including: Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office; the UK International Data Transfer Addendum (UK Addendum) to the EU SCCs; the UK Extension to the EU-US Data Privacy Framework where our suppliers are certified; and adequacy decisions where applicable (for example, transfers to New Zealand). Details of the specific transfer mechanism used by each supplier are set out on the TrackZero Sub-Processor Page at www.trackzero.eco/legal/sub-processors.
- If you would like further information about the safeguards we use for international transfers, please contact us at .
Cookies
- TrackZero uses cookies and similar tracking technologies to distinguish you from other users and to improve your experience. For full details of the cookies we use, the purposes for which we use them, and how to manage your preferences, please see our Cookie Policy.
Your legal rights
- Under UK GDPR, you have the right to access, rectify, or erase your personal data; to restrict or object to its processing; to data portability; and to withdraw consent at any time where consent is the lawful basis. You also have the right to lodge a complaint with the ICO (ico.org.uk). To exercise any of these rights, contact us at . We will respond without undue delay and within one month. Where requests are particularly complex, we may extend this period by up to a further two months as permitted by applicable laws.
Automated decision-making
- TrackZero does not make any decisions about you based solely on automated processing (including profiling) that produce legal or similarly significant effects.
Changes to this privacy policy
- We may update this privacy policy from time to time. We will notify you of any material changes by updating the version number and date at the end of this policy. We encourage you to review this policy periodically.
Part B — Website visitors
This part applies to you if you are visiting trackzero.eco.
The data we collect about you as a website visitor
- When you visit trackzero.eco, we may collect the following categories of personal data:
- Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
- Usage Data: information about how you navigate and interact with our website, including pages visited and time spent.
- Identity & Contact Data: name and email address, if you contact us via a form or sign up to receive marketing communications.
- Marketing Data: your preferences in receiving marketing from us and your communication preferences.
How your data is collected as a website visitor
- We collect this data through:
- Automated technologies: cookies and analytics tools (including Google Analytics) collect Technical Data and Usage Data automatically as you browse. Please see our Cookie Policy for further details.
- Direct interactions: if you complete a contact form, use our live chat, or sign up for marketing communications, we collect the Identity & Contact Data you provide.
How we use your data as a website visitor
| Purpose / Activity | Type of Data | Lawful Basis | Retention Period |
|---|---|---|---|
| Analytics — to understand how visitors use our website and to improve it. | Technical Data; Usage Data | Consent (analytics cookies under PECR). | Up to 14 months from collection. |
| Marketing — to send you promotional communications about TrackZero where you have signed up to receive them. | Identity & Contact Data; Marketing Data | Consent. | Until consent is withdrawn or 2 years from last engagement, whichever is sooner. |
| Responding to enquiries — to respond to messages you send us via our website. | Identity & Contact Data | Legitimate interests (to respond to and manage enquiries). | 3 years from the date of your enquiry. |
- We rely on consent for marketing communications to website visitors. You may withdraw your consent at any time by using the unsubscribe link in any marketing email or by contacting us at .
LinkedIn Page Insights — Joint Controller Relationship
- TrackZero operates a LinkedIn Company Page. Where LinkedIn members in the European Economic Area or United Kingdom visit, follow or engage with our page, TrackZero and LinkedIn Ireland Unlimited Company act as joint controllers in respect of the Page Insights analytics data generated. LinkedIn takes primary responsibility for providing transparency information to members and responding to data subject requests in relation to Page Insights. The lead supervisory authority for this processing is the Irish Data Protection Commission. For more information, please see LinkedIn’s Privacy Policy and the LinkedIn Pages Joint Controller Addendum at www.linkedin.com/legal/l/page-joint-controller-addendum.
Third-party service providers (website)
- We use carefully selected third-party service providers to support the operation, security and improvement of our website. These providers may process personal data on our behalf for purposes including website analytics, advertising and conversion tracking, website security, content delivery, communications and live chat services.
- A current list of the third-party service providers we use, together with information about their locations and any applicable international transfer safeguards, is available at: www.trackzero.eco/legal/sub-processors
Part C — Platform users
This part applies to you if you are a registered user of the TrackZero platform, including corporate client users, employer-administered users, and supplier users.
The data we collect
- We collect the following categories of data in connection with your use of the platform:
- Company Data is business-related information that is not personal data, including operational data (energy consumption, emissions, business activities), performance data (ESG metrics, carbon reduction progress), and financial data (revenue, expenditure, and related details provided for reporting purposes). Aggregated and anonymised data derived from Company Data is not personal data and may be used for research and benchmarking.
- Personal data about individuals who use the platform includes Identity & Contact Data (name, username, email address, location, telephone number), Account Data (job role, organisation, employer name, and profile image where optionally provided), Technical Data (IP address, browser and device information), Usage Data (how you use the platform), Transactional Data (payment details), and Marketing Data (communication preferences).
- We also collect personal data about individuals who are added to a company account, such as name, email address and job title.
- If you fail to provide personal data we are required to collect, we may be unable to deliver the relevant service and will notify you if so.
- We may derive aggregated, anonymised data from your personal data for research and product improvement.
- For personal data processed on behalf of Corporate Clients through the TrackZero platform, TrackZero generally acts as a data processor and the relevant Corporate Client acts as the data controller. This Privacy Policy explains how TrackZero processes personal data where it acts as a controller. Where TrackZero acts as a processor, the relevant Corporate Client’s privacy notice will govern the processing of that personal data.
How we collect it
- We collect data through:
- Direct interactions: when you open an account, subscribe, or correspond with us.
- Indirect interactions: through your use of platform features.
- Automated technologies: cookies and similar tools collect Technical Data as you use the platform. See our Cookie Policy for details.
- Third parties: we may receive Identity & Contact Data when you are invited to the platform by your employer or a Corporate Client, and Technical Data from analytics providers such as Google.
- Where you upload bills or invoices for carbon calculations, these may be processed by OpenAI as a sub-processor. Users are advised to remove personal data from such documents before upload where it is not required for calculation purposes. AI features are optional; manual alternatives are available.
Third party personal data
- Where users upload documents or attachments that incidentally contain personal data relating to third parties, TrackZero acts as a data processor in respect of that data and does not actively request, use, or analyse it. Users are responsible for ensuring they have a lawful basis for any such uploads.
How we use it
| Purpose / Activity | Type of data | Lawful basis | Retention Period |
|---|---|---|---|
| Onboarding | Identity & Contact Data | Legitimate interests | Deleted after 12 months if onboarding not completed |
| Account setup and management | Identity & Contact Data; Account Data | Performance of a contract; legal obligation | Duration of contract plus 6 years |
| Services | Identity & Contact Data; Account Data | Performance of a contract; legitimate interests | Duration of contract plus 90 days |
| AI-assisted processing | Company Data; Usage Data | Performance of a contract | Processed transiently; not stored by OpenAI beyond the request |
| Customer support | Identity & Contact Data; Usage Data; Account Data | Legitimate interests | 6 years from closure |
| Marketing | Identity & Contact Data; Marketing Data | Legitimate interests (existing customers) | Until opt-out or 2 years from last engagement |
| Payments | Transactional Data | Performance of a contract | Duration of contract plus 6 years |
| Profile image | Account Data | Explicit consent; removable at any time | Until removed |
- For marketing communications to prospects, we rely on consent. You may withdraw consent at any time via the unsubscribe link in any marketing email or by contacting .
How we share it
- Company Data may be shared with:
- Collaborators you authorise for collection, measurement, verification, or reporting of emissions.
- Research partners, for aggregated and anonymised benchmarking data only.
- Sub-processors, as set out on the TrackZero Sub-Processor Page at www.trackzero.eco/legal/sub-processors
Third-party service providers (platform)
- We use carefully selected third-party service providers to support delivery of the TrackZero platform and related services. These providers may process personal data on our behalf for purposes including hosting and infrastructure, communications, customer support, payment processing, security monitoring and AI-assisted functionality.
- A current list of the third-party service providers we use, together with information about their locations and any applicable international transfer safeguards, is available at: www.trackzero.eco/legal/sub-processors
Retention
| Category of Data | Retention Period |
|---|---|
| Account and Identity Data | Duration of contract plus 6 years |
| Technical and Usage Data | Up to 14 months |
| Marketing Data | Until opt-out. Your email address is then retained on a suppression list solely to prevent future marketing contact. You may request erasure from the suppression list at any time, with the understanding that this removes the safeguard preventing re-contact. |
| Support Records | Up to 6 years from ticket closure where required for contractual, legal or dispute resolution purposes. |
| Transactional / Payment Data | 7 years |
| Supplier invitation data | Duration of contract plus 6 years |
- Deleted data may remain in secure encrypted backups for a limited period before being automatically overwritten.
Employer-administered accounts
- In some cases, your employer or a Corporate Client may invite you to TrackZero as an authorised user without you signing up directly.
- Where a Corporate Client subscribes to TrackZero, they may invite employees or other authorised individuals to join the platform. You will receive an invitation from us or from the Corporate Client, and will set up your own account on acceptance. We receive your name, email address and any other account information provided during the invitation process from the Corporate Client or organisation that invited you to the platform.
- We will collect Identity & Contact Data (such as your name and email address) and Account Data that you provide when setting up your account.
- We process this data on the basis of legitimate interests in administering platform access. The Corporate Client is responsible for ensuring their users are made aware of this policy before being added to TrackZero.
Supplier users
- TrackZero allows Corporate Clients to invite suppliers to submit data via the platform. If you have been invited as a supplier user, this section applies to you.
- We receive your name, email address and any other account information provided during the invitation process from the Corporate Client or organisation that invited you to the platform.
- We collect Identity & Contact Data (such as your name and email address) and Account Data in connection with your use of TrackZero. This data, along with the information you submit via the platform, will be shared with the Corporate Client who invited you. Their identity will be made known to you at the point of onboarding.
- We process this data on the basis of the Corporate Client’s legitimate interests in collecting supply chain sustainability data.
Part D — Supplier and vendor contact data
- Where TrackZero engages suppliers, contractors or other third parties in connection with its business operations, we may hold contact details (such as name, email address, phone number and job title) of individuals at those organisations.
- This data is processed on the basis of Art. 6(1)(b) — Contract (where necessary to manage a contractual relationship) and Art. 6(1)(f) — Legitimate interests (managing our business relationships). Such data is retained for the duration of the relationship plus 6 years in line with the Limitation Act 1980.
Part E — Candidate and recruitment data
- Where individuals apply for roles at TrackZero, we process personal data including name, email address, CV and employment history for the purpose of assessing applications and conducting interviews. This processing is based on Art. 6(1)(b) (pre-contractual steps).
- Unsuccessful candidate data is retained for 12 months following the conclusion of the recruitment process, after which it is deleted. Right to work verification records for successful candidates are retained for the duration of employment plus 2 years as required by the Immigration, Asylum and Nationality Act 2006.
- If you voluntarily disclose health or disability information in connection with a request for reasonable adjustments, this will be handled under Art. 9(2)(b) and retained only as long as necessary.
Contact us
Address
Track Zero Labs Ltd, X+Why, Unity Place, 200 Grafton Gate, Milton Keynes MK9 1UP
Email
Version history
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 12/02/2025 | Initial version |
| 2.0 | 16/06/2026 | Revised policy |