Privacy Policy

Who we are

This is the privacy policy of C Free Ltd (company number 12106786) with registered office at 90 Shenley Road, Camberwell, London, SE5 8NQ (“C Free”, “we”, “us”).

This policy explains how we collect, use, share and protect personal data when you use:

  • our website (c-free.co.uk);
  • our client portal (portal.c-free.co.uk); and
  • our employee survey pages (typically accessed via a link provided by an employer).

Key concepts: controller and processor

Data protection law distinguishes between a data controller (the party that decides why and how personal data is used) and a data processor (the party that processes personal data on behalf of a controller).

Portal user accounts and website enquiries

C Free is typically the data controller for personal data relating to people who create or use Portal accounts (for example, name, email address, login and security logs) and for people who contact us via the website.

Client data and employee survey responses

Where we process personal data provided by a client (including employee survey responses), the client is typically the data controller and C Free acts as a data processor under our client contract.

If you complete an employee survey, your employer is responsible for explaining why the survey is being run and how the results will be used.

What personal data we collect

Website visitors and enquiries

  • Contact details and message content when you email us or submit a form (for example, name, email address and message).
  • Basic technical data (for example, device or browser information and approximate location derived from IP address) where required for security and analytics.

Portal users (authorised users of client organisations)

  • Account data: name, email address, role and organisation (company) association.
  • Authentication and security data: password hash (where applicable), multi-factor authentication status, login timestamps, failed login attempts and account lockout information.
  • Operational metadata: last login time and audit or security logs required to operate and secure the Portal.

Employee survey respondents

If you complete an employee survey, we may process limited personal data such as your postcode and commuting-related answers. This data is processed on behalf of your employer for carbon footprint calculation and reporting.

Client-provided data processed as part of the Services

Clients may upload business and operational data (for example, spend and activity data) so that we can calculate organisational emissions. Depending on what the client provides, this data may sometimes include personal data (for example, employee travel entries or supplier contact details).

How we use personal data and our legal bases

Where C Free is the controller

  • Providing and administering the Portal, including account creation, access control, support and communications;
  • Security, including authentication, fraud prevention, abuse prevention and maintaining system integrity;
  • Responding to enquiries and managing our relationship with business contacts; and
  • Improving our services using optional analytics.

Our legal bases are typically contract (to provide Portal access and support) and legitimate interests (to secure and improve our services and respond to business enquiries). Where analytics are optional, we rely on consent collected via Portal settings.

Where C Free is the processor

Where we process personal data on behalf of a client (including employee survey data), we do so only on the client’s documented instructions and in accordance with our client contract (including the data processing schedule).

Analytics

Portal analytics (Matomo)

We use a self-hosted instance of Matomo to understand aggregated usage of the Portal (for example, pages visited and feature adoption) so we can improve the service.

  • Portal analytics are optional and user-specific information capture is disabled.
  • Analytics can be enabled or disabled at any time in Portal settings.
  • We do not use Portal analytics for marketing or advertising.

Website analytics and cookies

Our website may use cookies and similar technologies. Where required, we provide a cookie notice or banner on the website and you can manage your choices there. The Portal uses strictly necessary cookies for authentication and security.

Who we share personal data with

We do not sell personal data. We share personal data only where necessary to run our services, comply with legal obligations, or provide services under contract.

Sub-processors and service providers

  • Hosting and infrastructure: Krystal (UK);
  • Backups and storage: Wasabi (UK);
  • Dashboards and reporting: Google (Looker Studio), where used for client reporting;
  • Error monitoring: Sentry (used to diagnose and fix technical issues and may process limited technical data).

We may also use third-party APIs (for example mapping services) for calculations. We aim to configure these so that they do not receive personal data, but depending on usage they may receive technical information such as IP address.

International transfers

We primarily host and process data in the UK. Some third-party providers (for example Google or Sentry) may process data outside the UK. Where international transfers occur, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or other lawful transfer mechanisms as applicable.

How long we keep personal data

  • Portal accounts: for as long as the user’s organisation has an active relationship with us, plus a reasonable period to handle account closure, disputes and security records;
  • Support communications: for as long as needed to resolve queries and maintain business records;
  • Client and survey data processed as a processor: as set out in the client contract and according to the client’s instructions, subject to legal retention requirements;
  • Backups: retained for a limited period in encrypted form for disaster recovery.

Security

We take security seriously and use appropriate technical and organisational measures designed to protect personal data, including access controls, least-privilege access, monitoring and (where enabled) multi-factor authentication.

Your rights

  • Portal users and website contacts: you can contact us to exercise your rights (for example access, correction, deletion, objection, restriction or portability).
  • Employee survey respondents: your employer is the data controller, so requests should normally be made to your employer. We will support your employer as required under our contract.

How to contact us

If you have questions about this policy or want to exercise your rights where we are the controller, please contact: info@c-free.co.uk

Changes to this policy

We may update this policy from time to time. If we make material changes, we will update the “Last updated” date above and publish the revised policy on our website.

Meet with one of our experts