CARBON[6] | The Excellence Collective

1. Information We Collect

1.1 Account Information

When you create a Carbon6 account, we collect:

Name and email address
Company name and role
Billing information (processed by Stripe, not stored by us)
Phone number (optional)

1.2 Technical Data

To provide and improve our service, we automatically collect:

IP address and browser type
Device information and operating system
Usage data (pages viewed, features used)
Performance metrics and error logs

1.3 Security Scan Data

When you use our security scanning features:

Repository metadata (commit hashes, file names)
Vulnerability findings and remediation status
Security policy compliance records
Note: We never store your source code or credentials

2. How We Use Your Information

We use collected information for:

Service Delivery

Provide security scanning, monitoring, and compliance features

Account Management

Authenticate users, manage subscriptions, send service notifications

Product Improvement

Analyze usage patterns, fix bugs, develop new features

Security & Fraud Prevention

Detect abuse, prevent unauthorized access, maintain system integrity

3. Data Protection & Security

3.1 Encryption

At Rest: AES-256-GCM encryption for all stored data
In Transit: TLS 1.3 for all network communications
Secrets: HashiCorp Vault with automatic rotation (30 days)

3.2 Access Controls

Role-based access control (RBAC)
Multi-factor authentication (MFA) enforced
Least privilege principle
Regular access reviews (quarterly)

3.3 Monitoring

24/7 security monitoring (SIEM)
Intrusion detection systems (IDS)
Automated vulnerability scanning
Incident response procedures (P0-P3)

4. Your Rights (GDPR & CCPA)

Right to Access

Request a copy of your data via GET /api/gdpr/export

Right to Deletion

Request permanent deletion via DELETE /api/gdpr/delete

Right to Portability

Export data in JSON format for migration to other services

Right to Correction

Update inaccurate information via your account settings

Right to Object

Opt-out of marketing communications (does not affect service emails)

Exercising Your Rights

Email privacy@carbon6.agency or use our GDPR APIs. We respond within 30 days as required by law.

5. Data Retention

Data Type	Retention Period	Reason
Account Data	Duration of account + 30 days	Service provision
Audit Logs	2 years	SOC 2 compliance
Billing Records	7 years	Tax requirements
Usage Analytics	1 year	Product improvement

6. Third-Party Services

We use the following trusted third-party services:

Stripe

Payment Processing

PCI-DSS Level 1 certified. We never store card details.

Vercel

Hosting & CDN

SOC 2 Type II certified. Edge network for global performance.

Supabase

Database & Auth

SOC 2 Type II certified. PostgreSQL with RLS security.

7. Cookies & Tracking

We use minimal cookies for essential functionality:

Essential: Authentication session (required)
Functional: User preferences (optional)
Analytics: Anonymous usage statistics (optional, opt-out available)
We do NOT use: Advertising or tracking cookies

Manage cookie preferences via our Cookie Settings page.

8. Contact & DPO

For privacy inquiries or to exercise your rights:

Data Protection Officer

Email: privacy@carbon6.agency

Mail: Carbon6 Security, VLTRN Family Office, [Address]

Response Time: Within 30 days (per GDPR requirements)

9. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. When we make material changes:

We'll notify you via email (30 days advance notice)
Update the "Last Updated" date at the top
Post a notice in your dashboard
Maintain previous versions in our Policy History

Privacy Policy

Privacy at a Glance

Data Encryption

No Data Selling

Your Rights