Privacy Policy

1. Information We Collect

Emissa is a B2B SaaS platform. We collect information to provide emissions reporting services to businesses. We do not collect personal data from consumers.

Account Information

When you create an Emissa account, we collect: company name, your full name, work email address, and phone number (optional). You may also provide a company logo for the buyer verification portal.

Emissions Data

You upload QuickBooks transaction exports (CSV files) to generate emissions reports. These files contain vendor names, transaction amounts, dates, and category data. We also collect the resulting Scope 1, 2, and 3 emissions calculations and report outputs you generate through the platform.

Buyer Portal Data

When you invite a procurement buyer to a verification portal, you provide their email address. When they access the portal, we collect their email address and any actions they take during their session. This data is linked to your account as the supplier.

Payment Information

We use Stripe for subscription billing. We do not store credit card numbers — Stripe handles payment method storage on our behalf. We store your Stripe customer ID and subscription status.

Usage Data

We collect basic usage analytics: pages visited, features used, and session duration. This data is used to improve the product and is not linked to individual user identities without your consent.

2. How We Use Your Information

We use your information only to provide and improve the Emissa service. Specifically, we use it to:

Parse QuickBooks exports and calculate Scope 1, 2, and 3 emissions using EPA emission factors
Generate compliance reports in the formats you request (Walmart Project Gigaton, Costco Sustainability Audit, Target SSA, Apple Supplier SAQ, EcoVadis, CDP, SBTi, and others)
Facilitate buyer verification portal access for suppliers and their procurement counterparts
Process subscription payments and send billing-related communications
Send product updates, security notices, and service-related emails
Detect and prevent fraud, abuse, or unauthorized access

We do not use your emissions data, transaction data, or buyer portal data for any purpose other than the service you signed up for. We do not sell, rent, or license your data to third parties for marketing purposes.

3. Data Sharing

We share your data only in these limited circumstances:

Service providers: We share data with Render (hosting), Neon PostgreSQL (database), and Stripe (payments). These providers process data only on our behalf, under our instructions, and under data processing agreements.
Buyer portal: Emissions data and supplier verification information is shared with the procurement buyer you invite, at your direction, via a secure portal link.
Legal obligations: We may disclose data if required by law, court order, or government request, or if we believe disclosure is necessary to prevent fraud, protect our rights, or protect the safety of others.
Business transfers: If Emissa is acquired or merged, user data would transfer to the acquiring entity under the same privacy commitments.

We do not share your data with advertising networks, data brokers, or analytics services that monetize user data.

4. Data Retention

We retain your data for as long as your account is active. When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required to comply with legal obligations (such as tax or financial record-keeping requirements).

Emissions calculations and report outputs that have been shared with buyers via the verification portal may be retained as part of the buyer's records — we cannot delete data that resides with third parties.

If you stop using the service and your account is inactive for 24 months, we may delete your data after providing 30 days' notice to your registered email address.

5. Security

We implement the following security measures:

TLS 1.2+ encryption for all data in transit
AES-256 encryption at rest via Neon PostgreSQL
Infrastructure hosted on SOC 2-compliant providers (Render, Neon)
Role-based access control with scoped permissions
Session expiry for buyer portal access (7 days)
Regular dependency updates and vulnerability monitoring

For full details, see our Security & Trust page. For breach notification procedures, see our Data Processing Agreement (available on request).

6. Your Rights (GDPR & CCPA)

GDPR (EU/EEA users): If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:

Right to access — request a copy of your personal data
Right to rectification — request correction of inaccurate data
Right to erasure — request deletion of your personal data ("right to be forgotten")
Right to restrict processing — request limits on how we use your data
Right to data portability — request your data in a machine-readable format
Right to object — opt out of certain processing activities
Right to lodge a complaint — file a complaint with your local data protection authority

CCPA (California residents): If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information.

To exercise any of these rights, contact us at hello@emissa.tech. We will respond within 30 days.

7. Cookies

We use cookies and similar tracking technologies to operate our service:

Authentication cookies: Required for login sessions (30-day expiry). These are essential for the service to function.
Buyer portal cookies: Required for buyer verification portal sessions (7-day expiry).
Analytics cookies: We use Google Analytics and Meta Pixel to understand how visitors use our landing pages. These cookies are not used to track authenticated app users.
Marketing pixels: Our Meta Pixel tracks landing page visits and conversion events (signup, purchase). This is used for advertising analytics and is not used to build individual profiles for sale.

You can disable cookies in your browser settings, but this may affect your ability to use the application. Essential authentication cookies cannot be disabled while you are logged in.

8. Children's Privacy

Emissa is a business-to-business service. We do not knowingly collect personal information from children under the age of 16. Our service is not directed to individuals under 16, and we do not offer consumer-facing services. If you believe a child has provided us with personal data, contact us at hello@emissa.tech and we will delete it immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes — such as adding new data collection practices, changing subprocessors, or altering data retention practices — we will notify you by email at least 30 days before the changes take effect. Material changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.

10. Contact

Data Privacy Inquiries
Email: hello@emissa.tech
Response time: Within 30 days, typically sooner.

DPO (Data Protection Officer)
Emissa does not currently have a designated DPO. For all privacy-related matters, please contact hello@emissa.tech directly. For GDPR supervisory authority complaints, you may contact your local data protection authority in your EU/EEA member state.