Effective Date: February 27, 2026

Last Updated: February 27, 2026

1. Purpose and Scope

This policy establishes Carbonfact's framework for using artificial intelligence (AI) and machine learning (ML) when processing customer data.

Definitions

• Customer data: customer-provided data, customer-generated data, and derived outputs produced from processing that data in Carbonfact systems.
• AI processing: any use of AI/ML systems to analyze, transform, classify, summarize, generate, or otherwise infer from customer data.
• Personal data / PII: personal data as defined by GDPR. Carbonfact designs systems to exclude personal data from AI processing.

This policy applies to all AI-powered features, internal tools, and data processing activities that involve customer data.

2. Policy Statement

AI usage with customer data is standard practice at Carbonfact and is governed by strict technical, organizational, and contractual safeguards.

Carbonfact may agree to customized AI usage arrangements on a case-by-case basis (including account-level exceptions), subject to technical enforceability and approval by Executive leadership and the CTO.

3. Technical Guardrails

The following guardrails are enforced for ALL AI usage involving customer data:

3.1 Providers configuration

All AI providers are configured with:

• Minimized data retention (Zero Data Retention when applicable, or minimal 30-day operational retention as permitted by the provider).
• Customer data is not used to train or fine-tune AI models.

Those are guaranteed by the contractual agreements and terms applicable to each provider.

3.2 Approved Providers Only