Last Update: Apr 20, 2023
Data collected, access and storage
The App collects only the minimum data that is required to provide you with the service of automatically calculating carbon emissions. Kooling is the ‘Data Processor’.
When registering to the service, you will be asked to sign in with a pseudonym. No other data such as email address is collected by Kooling Technologies Limited unless this information is voluntarily provided by you.
Once logged in, in order for us to provide you with more accurate information about your carbon footprint, we may ask you to enter the make/model of your personal vehicle. Kooling focuses on calculating accurate carbon emissions data from mobility and transport – i.e. every time that you move around.
In order to automatically calculate carbon emissions from mobility and transport, access to the sensor data collected by your mobile device, including geolocation, is required. This allows Kooling to gather the necessary data about your journey to calculate your climate impact (such as distance travelled and mode of transport that you used on a given journey). The latter can be automatically detected. This data will be used to compute your carbon footprint. Once carbon footprint is calculated, all input data (geolocation, timestamps) gets automatically and permanently deleted (unless you volunteer to be Tester/Pioneer, by explicitely providing your consent to Kooling retaining geolocation information data in order to perform tests, improve the Service and receive advantaged rewards provided by Kooling Partners and accessible via the Kooling App). The output information is carbon emissions, mileage, mode of transport, month & year, Country, Kooling points.
Kooling does not collect any Personally Identifiable Information of protected classifications including age, gender, gender expression and identity, race, religion, sexual orientation or physical and mental abilities or disabilities. You may provide this information voluntarily, such as if you include such information in your voluntary communication to Kooling Technologies Limited.
We do not access your information, however occasionally we may have to do so in order to comply with lawful requests from regulatory authorities and/or with your permission to help you troubleshoot, or in order to handle an error or software bug. If at any point we need to access your account to help you with an open ticket, we will ask for your consent before proceeding.
We have the obligation to protect the privacy and safety of both our customers and the people reporting issues to us. If we do discover that you are using our products for a restricted purpose, we will report the incident to the appropriate authorities.
Only a very limited number of specific people within Kooling Technologies Limited have Administrator privileges required to gain access to your data. Administrator access to the production systems is granted based on job roles and responsibilities.
Access to users’ geolocation data is never permitted to corporate super-users. Users’ geolocation data is stored in a database which corporate super-users have no access to. Access to users’ output data is permitted to corporate super-users and limited to a small number of authorised individuals within the Data Controller, Data Processor and/or selected Kooling Partners which may need such access in order to provide a specific service to Users. A two-factor authentication is enforced in order to protect access to user data.
Our datacenters are located in the EU with AWS and OVH Cloud.
Cybersecurity and Risk Mitigation
Risk assessments of production applications and services are regularly performed. We use the results from risk assessment activities to prioritise our response to identified risks. Any third-party vendors whose services stores, processes, or transmits our customer data undergoes a thorough security review.
We perform risk-based continuous control monitoring throughout the year by performing control testing using a formal methodology. The testing results are documented and reviewed by management, including remediation plans for identified observations.
Additionally we conduct vulnerability monitoring of the production environment to identify threats and assess their potential impact to system security on a regular basis. Results are evaluated and remediated according to risk rating.
We execute a 3rd party application penetration test every year. Monitoring tools are used to continuously monitor security events, latency, network performance, physical and virtual server performance. Incident response procedures are in place that outlines the response procedures to security events and include lessons learned to evaluate the effectiveness of the procedures.
A configuration management tool is in place to ensure security hardening and baseline configuration standards have been established on production servers.
Network traffic to and from untrusted networks passes through a policy enforcement point; firewall rules are established in accordance with identified security requirements and business justifications.
An issue tracking system is in place to centrally maintain, manage, and monitor application and infrastructure changes from development through implementation.
Your rights to your data
Under data protection law, you may have a number of rights concerning the data we hold about you. If you wish to exercise any of these rights, please contact our Data Protection Officer using the contact details set out below. For additional information on your rights please contact your data protection authority and see below.
The right to be informed: You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this policy.
The right of access: You have the right to obtain access to your information (if we’re processing it). This will enable you, for example, to check that we’re using your information in accordance with data protection law. If you wish to access the information we hold about you in this way, please get in touch (see Contact Details).
The right to rectification: You are entitled to have your information corrected if it is inaccurate or incomplete. You can request that we rectify any errors in information that we hold by contacting us (see Contact Details).
The right to erasure: This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of certain of the information that we hold about you by contacting us (see Contact Details).
The right to restrict processing: You have rights to ‘block’ or ‘suppress’ further use of your information. When processing is restricted, we can still store your information, but will not use it further.
The right to data portability: You have the right to obtain your personal information in an accessible and transferable format so that you can re-use it for your own purposes across different service providers. This is not a general right however and there are exceptions. To learn more please get in touch (see Contact Details).
The right to lodge a complaint: You have the right to lodge a complaint about the way we handle or process your information with the national data protection authority.
The right to withdraw consent: If you have given your consent to anything we do with your information (i.e. we rely on consent as a legal basis for processing your information), you have the right to withdraw that consent at any time. You can do this by contacting us (see Contact Details). Withdrawing consent will not however make unlawful our use of your information while consent had been apparent.
The right to object to processing: You have the right to object to certain types of processing, including processing for direct marketing and profiling.
If you have questions about exercising these rights or need assistance, please contact us at email@example.com
What happens when you delete your account:
If you use any of our products, you have a right to be forgotten and to have all your collected data deleted by our company. You can write to us to delete your account at any time. Once received, we process the request within 28 working days and send you a confirmation message on completion. At your request, all data associated with your account will be permanently deleted from active systems and logs.
For requests to delete personal information or to know what personal information has been collected, we will first verify your identity using your email address.
Kooling Technologies Limited
32 Blackfriars Road
London SE1 8PB