CBAMCalc is operated by Ta-meri Systems ("we", "us", "our"). Our platform is available at cbamcalc.company.
For the purposes of the EU General Data Protection Regulation (GDPR), Ta-meri Systems acts as the Data Controller for account and usage data. For customer CBAM business data, we act as a Data Processor on behalf of the customer organisation (the Controller).
Data Protection Officer contact: dpo@cbamcalc.company
Account data: Your name, email address, organisation name, and job title when you register.
Usage data: Actions taken within the platform, feature interactions, page views, session timestamps, and IP addresses. Used to improve the Service and for security monitoring.
CBAM business data: Import records, product details, embedded emissions figures, and scenario data that you upload or create. This is your data — we process it solely to provide the Service.
Payment data: Billing is processed entirely by Paddle (our Merchant of Record). We never receive or store your card number, bank details, or full payment credentials. We receive only a transaction confirmation and subscription status.
We use your data to: (a) provide and maintain the CBAMCalc platform; (b) send transactional emails (account verification, password reset, subscription receipts); (c) respond to support requests; (d) detect and prevent fraud and abuse; (e) comply with legal obligations; (f) generate anonymised, aggregated analytics to improve the Service.
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in the Sub-processors section below or as required by law.
Under GDPR Article 6, we process your personal data on the following legal bases:
Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you subscribed to — account management, billing, and platform functionality.
Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and platform improvement through anonymised analytics.
Legal obligation (Art. 6(1)(c)): Retaining transaction records for tax and accounting purposes.
Consent (Art. 6(1)(a)): Optional communications such as product newsletters. You may withdraw consent at any time.
We retain your personal data for as long as your account is active. Upon account deletion or subscription cancellation, personal data is deleted within 90 days, except where we are required to retain it for legal or regulatory reasons (e.g., transaction records retained for 7 years for tax purposes).
CBAM business data (import records, scenarios, reports) is deleted within 30 days of account deletion. You may export all your data before deleting your account.
Under GDPR Articles 15–22, you have the following rights:
Access (Art. 15): Request a copy of the personal data we hold about you. Rectification (Art. 16): Request correction of inaccurate or incomplete data. Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). Portability (Art. 20): Receive your data in a structured, machine-readable format. Restriction (Art. 18): Request that we limit processing of your data in certain circumstances. Objection (Art. 21): Object to processing based on legitimate interests.
To exercise any of these rights, email privacy@cbamcalc.company. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority.
We use a small number of carefully selected sub-processors to deliver the Service. The full and current list is maintained on our Security & Trust page at cbamcalc.company/trust.
Key sub-processors include: Amazon Web Services (EU hosting), Vercel (web delivery), Anthropic (AI inference — aggregated data only), and Resend (transactional email). We notify customers of material sub-processor changes at least 14 days in advance.
Our primary infrastructure is located in the EU (Frankfurt, Germany). Where we engage US-based sub-processors (such as Anthropic and Resend), we ensure appropriate safeguards are in place under GDPR Article 46, including Standard Contractual Clauses (SCCs) adopted by the European Commission.
No personal data is transferred to third countries without an adequacy decision or equivalent safeguards.
We use only strictly necessary cookies to operate the platform:
Session cookies: Required to maintain your authenticated session. Expire when you close your browser or sign out. CSRF tokens: Security tokens that protect against cross-site request forgery attacks.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use Google Analytics or any equivalent tracking service. No cookie consent banner is required because we use only essential cookies.
For privacy enquiries, data subject requests, or to request a Data Processing Agreement:
Email: privacy@cbamcalc.company DPO: dpo@cbamcalc.company Security & sub-processor list: cbamcalc.company/trust
A standard DPA is available to all paid subscribers on request. Enterprise customers may request a custom DPA.