Privacy Policy
This policy explains what personal information Green Reporting collects, how we use it, and the choices you have. We are based in Ontario, Canada, and handle personal information in accordance with PIPEDA (Canada's federal privacy law) and, where applicable, other privacy laws such as the UK/EU GDPR and Australian Privacy Act for users in those regions.
1. Information we collect
Account information. Email address and password (passwords are handled by our authentication provider and never visible to us), plan type, and team membership.
Report inputs. The company, financial, emissions, risk and narrative information you enter into the wizard. This may include names and roles you choose to enter (for example, an internal data reviewer's name).
Payment information. Payments are processed by Stripe. We receive confirmation of payment and plan details, not your card number.
Usage information. Reports generated, timestamps, and technical logs needed to operate and secure the Service. Your in-progress wizard draft is also stored locally in your own browser (localStorage) so you can resume where you left off.
Website visitors. If you use our marketing website (greenreportinggroup.com) without an account, we collect only what you actively submit: your email address and selected standard and role if you request a sample report, or your multiple-choice answers and optional feedback/email if you complete our Scope 3 roadmap survey. We do not use tracking, advertising or analytics cookies on the marketing website — see the notice shown on the site for details.
2. How we use information
We use your information to: provide the Service and generate your reports; authenticate you and manage your plan and team; process payments; provide support; maintain security and prevent abuse; and meet legal obligations. We record your acceptance of our Terms (version, time and account) as evidence of agreement. Where you've submitted information through our marketing website, we use it to send the resource you requested and to inform our product roadmap. We do not sell personal information, and we do not use your report inputs, or website form submissions, to train AI models.
3. AI-assisted report generation
To produce framework-aligned disclosure narrative, relevant report inputs are sent to a third-party AI inference provider (currently Groq) at the moment your report is generated. This processing is used only to generate your report content. Avoid entering personal information into narrative fields beyond what you want to appear in your report.
4. Service providers
| Provider | Purpose |
|---|---|
| Supabase | Authentication, database and storage for accounts, plans, reports, and marketing-website form submissions |
| Stripe | Payment processing |
| Groq | AI generation of report narrative from your inputs |
These providers may process data outside Canada (for example, in the United States). We share only what each provider needs to perform its function.
5. Retention
We keep account information and generated reports while your account is active so you can re-download your reports. Terms-acceptance records are retained as evidence of agreement. Marketing-website form submissions are retained to fulfil the request made (e.g. sending a sample report) and to inform product decisions. If you close your account, we delete or de-identify personal information within a reasonable period, except where we must retain it for legal, accounting or security reasons.
6. Your rights and choices
You may request access to, correction of, or deletion of your personal information, and you may withdraw consent (which may limit the Service we can provide). Contact us at the address below and we will respond within the time required by applicable law. You can clear your locally stored wizard draft at any time using "New report (clear draft)" in the app.
7. Additional information for UK users
If you are located in the UK, this section supplements the information above.
Legal basis for processing. We process your personal information under the UK GDPR on the following legal bases: performance of a contract, to provide the Service you've signed up for; legitimate interests, to secure the Service, respond to enquiries, and improve our product, balanced against your rights; consent, where you submit optional information such as our roadmap survey; and legal obligation, for tax, accounting and regulatory record-keeping.
International transfers. Your personal information may be transferred to and processed in Canada and the United States by our service providers (Supabase, Stripe, Groq — see Section 4). Where we transfer personal information outside the UK, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism recognised under UK data protection law.
Complaints. If you have concerns about how we handle your personal information, please contact us using the details in Section 12. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
8. Additional information for Australian users
If you are located in Australia, this section supplements the information above and is provided in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
Overseas disclosure. We disclose personal information to overseas recipients, namely our service providers located in Canada and the United States (Supabase, Stripe, Groq — see Section 4). We take reasonable steps to ensure these recipients handle your information consistently with the APPs, including through contractual commitments with each provider.
Complaints. If you are not satisfied with how we have handled a complaint about your personal information, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9. Security
We use industry-standard safeguards including encrypted connections (HTTPS), managed authentication, and access controls limiting data access to what is needed to operate the Service. No system is perfectly secure; please use a strong, unique password.
10. Children
The Service is for business use by adults and is not directed to children under 18. We do not knowingly collect personal information from children.
11. Changes to this policy
If we make material changes, we will update the effective date above and notify you in the application.
12. Contact
2658023 Ontario Inc, trading as Green Reporting — Privacy contact: mail@greenreportinggroup.com. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada, the UK Information Commissioner's Office, or the Office of the Australian Information Commissioner, as applicable to you.
UK representative: To be appointed. This section will be updated once a UK GDPR Article 27 representative is confirmed.