Skip to main content

Privacy Policy

ArgonGate Ltd.

Last updated: March 2026

1. Introduction and Scope

This Privacy Policy explains how ArgonGate Ltd. (Company No. 16771850, registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, England and Wales) (“we”, “us”, “our”, “ArgonGate”) collects, uses, stores, shares, and protects personal data when you visit our website at argongate.com or use our carbon reporting SaaS platform (the “Service”).

This policy applies to all users of the Service, including individual account holders and personnel of organisations that subscribe to the Service. Where your organisation has entered into a separate Data Processing Agreement (DPA) with us, the terms of that DPA shall prevail in the event of any conflict with this policy regarding our processing of personal data on behalf of your organisation.

By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please do not use the Service.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), ArgonGate Ltd. is the data controller for personal data we collect directly from you (e.g. account registration data, usage data). Where you or your organisation upload data to the Service for CBAM compliance processing, your organisation is the data controller and ArgonGate acts as a data processor under the terms of a Data Processing Agreement.

Data Protection Contact: privacy@argongate.com

3. Personal Data We Collect

3.1 Data you provide directly

Account and contact data: Name, email address, company name, job title, phone number, and billing address when you register, subscribe, or contact us.

Organisation data: Company registration details, VAT/tax identification numbers, and EORI numbers as required for CBAM reporting.

CBAM compliance data: Activity data, emission factors, supplier information, production data, and import records that you upload or enter into the Service. This data may include personal data of third parties (e.g. supplier contact details) for which you are the data controller.

Communications: Content of messages you send to us via email, contact forms, or in-app support channels.

Payment data: Payment is processed by our third-party payment processor (Stripe). We do not store full credit card numbers. We receive and store only the last four digits, card type, and billing address for record-keeping.

3.2 Data collected automatically

Usage data: Login timestamps, pages visited, features used, report generation activity, session duration, and interaction patterns.

Technical data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.

Server and security logs: Where enabled for our infrastructure, we may record each request’s path, client IP address, and user agent string in our database for security, abuse prevention, and operational diagnostics. This is distinct from third-party advertising or analytics scripts.

Cookie and similar technologies: As described in Section 8 below.

3.3 Data from third parties

We may receive data from your organisation’s administrator who provisions your account, or from publicly available sources for business contact enrichment (e.g. company registries). If we introduce single sign-on (SSO) or other identity integrations in the future, we may also receive data from those providers as described when the feature is offered.

4. Legal Basis for Processing

We process your personal data on the following legal grounds under Article 6(1) of the GDPR:

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

5. How We Use Your Data

Service delivery: To operate, maintain, and provide the features of the Service, including CBAM calculations, report generation, and compliance tracking.

Account management: To create and manage your account, authenticate access, and process subscription payments.

Communication: To send transactional messages (e.g. account confirmations, billing receipts, service alerts), respond to your enquiries, and provide customer support.

Product improvement: To analyse usage patterns, diagnose technical issues, and develop new features. Where possible, we use aggregated or anonymised data for this purpose.

Security: To detect, prevent, and respond to security incidents, fraud, and abuse.

Legal compliance: To comply with applicable laws, regulations, and lawful requests from authorities.

Marketing (with consent): To send promotional communications about our products and services. You may opt out at any time via the unsubscribe link in any marketing email or by contacting us.

We do not sell your personal data. We do not use your uploaded CBAM compliance data for any purpose other than providing the Service to you, except in aggregated and anonymised form as described above.

6. Data Sharing and Sub-Processors

We share personal data only in the following circumstances:

6.1 Sub-processors

We use the following categories of third-party service providers (sub-processors) to operate the Service:

Hosting and delivery infrastructure (Vercel): To host and serve the website and application.

Authentication and database infrastructure (Supabase): To manage user authentication sessions and store Service data. Our Supabase project is hosted in the EU (AWS eu-central-1, Frankfurt, Germany), within the EEA.

Payments infrastructure (Stripe): To process subscription payments and related billing events.

AI-assisted compliance analysis and content generation (Anthropic): To provide AI-assisted compliance analysis and content generation features where enabled.

Content management for our blog and resources (Sanity): To store and deliver editorial content and media (including delivery via Sanity’s content delivery network).

Transactional email delivery (Resend): To send certain service-related emails (e.g. onboarding or account notifications) where we use an email delivery provider.

A complete, up-to-date list of sub-processors is available upon request at privacy@argongate.com. We will notify subscribers of any changes to sub-processors at least 30 days before the change takes effect, providing an opportunity to object.

6.2 Other disclosures

Legal requirements: We may disclose data where required by law, regulation, legal process, or governmental request.

Business transfers: In connection with a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer.

With your consent: We may share data with third parties where you have given explicit consent.

7. International Data Transfers

ArgonGate is incorporated in England and Wales. Some of our sub-processors may process data outside the UK and the European Economic Area (EEA). Where we transfer personal data to countries that have not been deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner’s Office (ICO).

Adequacy decisions where available (e.g. the UK Extension to the EU-US Data Privacy Framework).

Supplementary measures where required following a transfer impact assessment.

You may request a copy of the relevant transfer safeguards by contacting privacy@argongate.com.

8. Cookies and Similar Technologies

We use cookies and similar browser technologies (such as local storage) as follows:

8.1 Strictly necessary cookies

Required for the Service to function (e.g. authentication tokens, session identifiers, CSRF protection, and admin authentication cookies for the /admin area). These cannot be disabled and do not require consent.

8.2 Functional preferences (cookies and local storage)

We use a first-party language cookie and local storage to remember your language, marketing-site segment selection, and cookie-banner choices. Depending on your jurisdiction, some of these technologies may require consent where they are not strictly necessary.

8.3 Analytics and marketing

We do not currently load third-party analytics or advertising trackers on the public website. The cookie banner stores your analytics and marketing preferences in local storage so that, if we introduce such technologies later, we can align implementation with your choices. Until then, those toggles do not activate third-party tracking scripts.

8.4 Managing preferences

You can manage your cookie preferences at any time via the cookie banner on our website or through your browser settings (including blocking or clearing cookies and site data). Disabling strictly necessary cookies may affect sign-in and core functionality.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including the following general timeframes:

Account and subscription data: For the life of your account and for a reasonable period afterwards to resolve disputes, enforce our terms, and meet legal, tax, and accounting requirements (where longer retention is required by law, such as up to seven years for certain records, we apply that period).

Server traffic and security logs (where collected): For a limited period for security, troubleshooting, and capacity planning, after which they are deleted or aggregated where appropriate.

Newsletter and marketing contacts: Until you unsubscribe, withdraw consent, or request deletion, subject to minimal retention needed to prove consent or suppression lists.

Upon termination of your account, we will delete or anonymise your personal data within these timeframes, unless longer retention is required by law. You may request earlier deletion subject to our legal obligations.

10. Data Export and Portability

You may export your CBAM compliance data from the Service at any time using the built-in export functionality. Upon account termination, we will provide a data export in a commonly used, machine-readable format (e.g. CSV, JSON) upon request, free of charge, within 30 days.

11. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights:

Right of access (Art. 15): Request a copy of the personal data we hold about you.

Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.

Right to erasure (Art. 17): Request deletion of your data, subject to our legal retention obligations.

Right to restrict processing (Art. 18): Request that we limit how we use your data in certain circumstances.

Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.

Right to object (Art. 21): Object to processing based on legitimate interest, including profiling. Object to direct marketing at any time.

Right to withdraw consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

Right not to be subject to automated decision-making (Art. 22): We do not make decisions based solely on automated processing that produce legal effects concerning you.

To exercise any of these rights, contact us at privacy@argongate.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may ask you to verify your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. For UK residents, this is the Information Commissioner’s Office (ICO) at ico.org.uk. For EU residents, you may contact your local data protection authority.

12. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit using TLS, and protection of data at rest through our infrastructure providers in line with industry-standard practices.

Role-based access controls and least-privilege access to production and administrative systems; strong authentication for administrative access where supported.

Security reviews and vulnerability handling as part of our development and operations processes.

Incident response procedures with breach notification within 72 hours to the relevant supervisory authority (and to you without undue delay where there is a high risk to your rights and freedoms), in accordance with Articles 33 and 34 of the GDPR.

No system is completely secure. If you become aware of any security vulnerability or suspected breach, please contact us immediately at info@argongate.com.

13. Children’s Privacy

The Service is designed for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

14. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.

15. Data Processing Agreement (DPA)

Where your organisation subscribes to the Service and uploads personal data for processing (e.g. supplier contact details within CBAM compliance data), ArgonGate acts as a data processor under Article 28 of the GDPR. A separate Data Processing Agreement (DPA) governs this relationship, covering: the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, obligations regarding sub-processors, data breach notification, audit rights, and data return/deletion upon termination.

To request a copy of our DPA, contact privacy@argongate.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will:

Post the revised version on this page with an updated “Last updated” date.

Notify you of material changes by email and/or a prominent notice in the Service at least 30 days before the changes take effect.

Obtain your renewed consent where required by law.

Continued use of the Service after the effective date of changes constitutes acceptance of the revised policy. If you do not agree with material changes, you may terminate your account in accordance with the Terms of Service.

17. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint, please contact us:

ArgonGate Ltd.

Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Company Number: 16771850

Email: privacy@argongate.com

General enquiries: burkan@argongate.com

Phone: +90 554 349 72 87

UK Supervisory Authority: Information Commissioner’s Office (ICO) — ico.org.uk