Privacy Policy
Last updated: 19 March 2026
1. Who we are
SECR-ESG Ltd ("we", "us", "our") operates SECR-ESG, a software-as-a-service platform for UK Streamlined Energy and Carbon Reporting (SECR). We are the data controller for personal data processed through our website at secr-esg.com and our application.
Contact us about privacy matters: secr@secr-esg.com
2. What data we collect
Account data
Email address, full name, and password (stored as a secure hash by Supabase Auth). Collected when you create an account.
Company data
Company name, registered name, industry, country, and employee count. Provided by you for SECR reporting purposes.
Emissions data
Energy consumption figures, activity data, and calculated emissions results you enter into the platform. This is operational data, not personal data, but it is associated with your account.
Usage data
Log data including IP address, browser type, pages visited, and timestamps. Collected automatically when you use our service.
Cookies
We use strictly necessary cookies for authentication (Supabase session token). We do not use tracking or advertising cookies. See Section 7 for details.
3. Why we process your data
| Purpose | Legal basis |
|---|---|
| Providing the SECR-ESG service | Contract — necessary to perform our agreement with you |
| Account authentication and security | Contract and Legitimate interests |
| Sending service emails (password reset, invitations) | Contract |
| Improving the platform | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Responding to support requests | Contract and Legitimate interests |
4. Who we share data with
We do not sell your personal data. We share data only with the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, and file storage | USA (adequacy via EU-US Data Privacy Framework) |
| Vercel Inc. | Application hosting and edge network | USA (adequacy via EU-US Data Privacy Framework) |
| Anthropic PBC | AI narrative generation (report text only, no personal data sent) | USA |
5. How long we keep your data
Account data: Retained for the duration of your account plus 30 days after deletion to allow recovery.
Emissions and reporting data: Retained for the duration of your account. You may export and delete at any time via Settings → Exports and Settings → Account.
Log data: Retained for 90 days.
Backups: Retained for up to 30 days after account deletion.
6. Your rights under UK GDPR
As a UK data subject you have the following rights:
- Right of access: Request a copy of all personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure: Request deletion of your account and all associated data. Use Settings → Account → Delete Account, or email us.
- Right to restrict processing: Ask us to pause processing your data in certain circumstances.
- Right to data portability: Receive your data in a machine-readable format. Use Settings → Exports.
- Right to object: Object to processing based on legitimate interests.
- Right to lodge a complaint: Contact the ICO at ico.org.uk if you believe we have breached UK GDPR.
To exercise any right, email secr@secr-esg.com. We will respond within 30 days.
7. Cookies
We use the following cookies:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| sb-access-token | Supabase authentication session | Strictly necessary | 1 hour |
| sb-refresh-token | Supabase session refresh | Strictly necessary | 60 days |
| cookie-consent | Records your cookie consent choice | Strictly necessary | 1 year |
We do not use analytics, advertising, or third-party tracking cookies.
8. Security
We implement appropriate technical and organisational measures to protect your data, including encrypted connections (TLS), row-level security in our database, and hashed password storage. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
9. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email. The current version is always available at secr-esg.com/privacy.
10. Contact
SECR-ESG Ltd
Email: secr@secr-esg.com
ICO registration: pending