Last Updated: March 31, 2026
1. Purpose and Scope
This policy establishes Carbonfact's framework for using artificial intelligence (AI) and machine learning (ML) when processing customer data.
Definitions
- Platform Customer Data: customer-provided data, customer-generated data, and derived outputs produced from processing that data within Carbonfact's production infrastructure (the Carbonfact Platform, its databases, data pipelines, and associated storage). This includes uploaded files, product data, measurements, footprint results, and any data generated or derived from these within the platform.
- Operational Customer Data: customer-related information that appears in Carbonfact's internal collaboration and communication tools (e.g., Slack, Notion, email, project management tools) as part of normal business operations. This includes account metadata, project notes, support conversations, and analysis summaries.
- AI processing: any use of AI/ML systems to analyze, transform, classify, summarize, generate, or otherwise infer from customer data.
- Personal data / PII: personal data as defined by GDPR. Carbonfact designs systems to exclude personal data from AI processing.
This policy applies to all AI-powered features, internal tools, and data processing activities that involve customer data.
2. Policy Statement
AI usage with customer data is standard practice at Carbonfact and is governed by strict technical, organizational, and contractual safeguards.
Carbonfact may agree to customized AI usage arrangements on a case-by-case basis (including account-level exceptions), subject to technical enforceability and approval by Executive leadership and the CTO.
3. Technical Guardrails
The guardrails in this section apply in full to Platform Customer Data. For Operational Customer Data, see Section 5 (AI in Internal Collaboration Tools), which defines the applicable controls for collaboration and communication tools.
3.1 Providers configuration
All AI providers are configured with:
- Minimized data retention (Zero Data Retention when applicable, or minimal 30-day operational retention as permitted by the provider).
- Customer data is not used to train or fine-tune AI models.
Those are guaranteed by the contractual agreements and terms applicable to each provider.
3.2 Approved Providers Only