Legal

Privacy Policy

[PLACEHOLDER: effective date, e.g. "Effective 1 January 2026"]

This policy explains how [PLACEHOLDER: full company legal name] ("Ozomark", "we", "us", "our") processes your personal data when you use the Ozomark mobile app and employer-facing web dashboard. We are registered with the Information Commissioner's Office under registration number [PLACEHOLDER: ICO registration number].

Placeholders are present
Items marked [PLACEHOLDER: …] must be completed with your company's actual details and reviewed by a lawyer before this policy is published.

1. Who we are

[PLACEHOLDER: full company legal name] is a company registered in England and Wales (company number [PLACEHOLDER: company number]) with registered office at [PLACEHOLDER: registered office address].

We are the data controller for personal data processed through the Ozomark platform. Where an employer organisation ("Employer") uses Ozomark to obtain emissions reporting for its workforce, the Employer is an independent controller for any data it receives (k-anonymised aggregates — see Section 5); this policy covers our processing in our role as controller, not the Employer's downstream use.

Our data-protection contact is: [PLACEHOLDER: DPO name / Senior Responsible Individual, email address, postal address].

2. The on-device privacy edge

Ozomark's core privacy guarantee is architectural. Understanding it is the fastest way to understand the rest of this policy.

Stays on the device

  • Raw GPS coordinates
  • Home address or home reference
  • Precise timestamps of movement
  • Per-trip route or polyline
  • Distance from home

Synced to the server

  • Transport mode (e.g. walking, rail)
  • Estimated distance (km, no origin/destination)
  • Journey purpose label (commute / business)
  • Coarse calendar date (day bucket)
  • GHG scope label (Scope 3)

The Ozomark mobile app runs a transport-mode classifier directly on your device. It analyses the raw GPS trace to determine what mode of transport you used (walking, cycling, car, rail, bus, etc.) and to estimate the distance travelled. Once that classification is complete, only the coordinate-free summary — mode, estimated distance, journey purpose label, and a coarse date — is transmitted to our servers. The GPS coordinates are never uploaded.

Our server schema is designed to make it structurally impossible to store a coordinate, a precise timestamp, a home reference, or a per-trip route. These fields do not exist in the database. This means there is no administrative tier — including Ozomark's own staff — that can access where you went.

3. What we process and why

3.1 Account and identity data

What: work email address, organisation name, the admin role assigned to you by your employer.
Why: to create and authenticate your account, to provision access to the dashboard, and to scope what data each admin role may see.

3.2 Trip summaries (on behalf of employees)

What: transport mode, estimated distance, journey purpose label, GHG scope label, and a coarse calendar date — as described in Section 2. These are processed on the employee's device; only the coordinate-free summary reaches our servers.
Why: to compute per-employee CO₂-equivalent emissions using UK Government (DEFRA/DESNZ) conversion factors, and to generate the k-anonymised aggregates that employers use for Scope 3 carbon reporting.

Employers must obtain their employees' consent or establish a valid lawful basis before deploying Ozomark. See Section 4.

3.3 CO₂ calculations

What: computed CO₂-equivalent values derived by applying versioned DEFRA/DESNZ emission factors to the coordinate-free distance summaries.
Why: to produce audit-ready Scope 3 emissions figures for Carbon Reduction Plans and NHS supplier reporting. Emissions are computed entirely server-side; we do not accept CO₂ figures from the client.

3.4 Technical and operational data

What: server logs, error reports, authentication event logs.
Why: security, fraud prevention, platform reliability, and our legal obligations.

4. Lawful bases

Under UK GDPR Article 6, we rely on the following lawful bases:

Legitimate interests (Article 6(1)(f))

We process trip summaries and CO₂ calculations on the basis of our legitimate interests and those of the employing organisation in producing accurate, DEFRA-methodology carbon reporting for Scope 3 compliance and NHS Net Zero Supplier Roadmap obligations. We have carried out a Legitimate Interests Assessment (LIA): because raw location is processed exclusively on-device and never transmitted, the privacy impact on employees is substantially reduced compared with conventional fleet or mileage-tracking systems. The data minimisation and k-anonymisation controls described in this policy ensure the processing is not overridden by employees' interests, rights, and freedoms.

Contract (Article 6(1)(b))

Processing of employer-account data is necessary to perform our contract with the employer, and processing of employee-account data (email, role) is necessary to create and operate the user's account on Ozomark where that account is a condition of access.

Consent (Article 6(1)(a))

Where we process data for genuinely optional features (e.g. [PLACEHOLDER: list any consent-based features]) we ask for your consent separately and in plain language. You may withdraw consent at any time without affecting other processing — see Section 7 (Your rights).

Legal obligation (Article 6(1)(c))

Certain processing (e.g. security logs, fraud prevention, tax records) is necessary to comply with legal obligations.

[PLACEHOLDER: confirm with your legal adviser that these bases are correctly stated for your specific deployment model and that the LIA has been documented.]

5. What your employer can and cannot see

k-anonymisation is enforced at the database layer
Employers can only query aggregate views that suppress any cohort below the k-anonymity threshold. This is not a policy control — it is a structural database constraint.

What the employer CAN see

  • Aggregate transport-mode split across a group of employees (e.g. "35 % of commutes are by rail this month") — only when that group contains at least k = 5 participants (k = 10 for smaller organisations).
  • Organisation-level or office-level aggregate CO₂-equivalent totals for Scope 3 travel reporting, subject to the same k threshold.
  • Aggregate participation rates (how many employees have synced trips) — again, never who specifically.
  • The roster of employees they have provisioned (work email, role, status, office assignment) — identity/HR data the employer already holds, not movement data.

What the employer CANNOT see

  • Any individual's trips, routes, locations, or movement patterns — ever.
  • The home address or any home reference for any employee.
  • Per-person CO₂ totals or distance totals — even for a specific named individual.
  • Aggregate data for any cohort below the k-anonymity threshold — those cells are suppressed entirely, not approximated or partially shown.
  • Any data from trips an employee has not approved for employer visibility (employees may withhold or revoke approval for any trip).

These controls are enforced at the database layer: the employer-facing views are gated by row-level security (RLS), and the k threshold is applied inside the view definition, so suppression is carried out by the database engine rather than by dashboard code. No application-layer client, including Ozomark's own engineering staff using the dashboard, can bypass them. The one database credential that does bypass RLS, the service-role key used for server-side processing, is never present in browser-reachable code (see Section 8).
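To show concretely how the Section 2 "no such column exists" guarantee and the Section 5 k-threshold can be made structural, here is an added example in Postgres/Supabase (the platform named in Sections 8 and 9). It is illustrative DDL written for this page, not Ozomark's own schema; every table, column, policy and view name in it is an assumption, as are the mode vocabulary and the k values. `auth.users` and `auth.uid()` are Supabase's built-in auth schema.

```sql
-- Added example (not Ozomark's schema): a minimal Postgres/Supabase layout in
-- which the Section 2 and Section 5 guarantees are structural, not procedural.
-- All names and the k values are assumptions made for this illustration.

create table orgs (
  id    uuid primary key,
  name  text not null,
  k_min integer not null default 5 check (k_min >= 5)   -- e.g. 10 for small orgs
);

create table org_admins (
  user_id   uuid not null references auth.users (id) on delete cascade,
  org_id    uuid not null references orgs (id) on delete cascade,
  office_id uuid,                       -- null = organisation-wide admin
  primary key (user_id, org_id)
);

-- 1. Structural minimisation: no column can hold a coordinate, a precise
--    timestamp, a home reference or a route. The date is a DATE (day bucket),
--    distance is a bare number of km, and CHECK constraints reject anything
--    outside the documented vocabulary.
create table trip_summaries (
  id               bigint generated always as identity primary key,
  user_id          uuid not null references auth.users (id) on delete cascade,
  org_id           uuid not null references orgs (id),
  office_id        uuid,
  trip_date        date not null,
  mode             text not null check (mode in ('walk','cycle','car','rail','bus','other')),
  purpose          text not null check (purpose in ('commute','business')),
  distance_km      numeric(8,2) not null check (distance_km >= 0 and distance_km < 5000),
  ghg_scope        text not null default 'scope3' check (ghg_scope = 'scope3'),
  employer_visible boolean not null default false   -- per-trip approval, revocable
);

-- 2. Deny by default. With RLS enabled and only these policies, an employer
--    admin who queries the table directly gets zero rows: no policy matches a
--    user_id other than the caller's own.
alter table trip_summaries enable row level security;
create policy own_trips_read  on trip_summaries for select using (user_id = auth.uid());
create policy own_trips_write on trip_summaries for insert with check (user_id = auth.uid());
create policy own_trips_edit  on trip_summaries for update
  using (user_id = auth.uid()) with check (user_id = auth.uid());

-- 3. The only employer-facing read path. A Postgres view created without
--    security_invoker runs with its owner's privileges (here the table owner,
--    which RLS does not restrict unless FORCE ROW LEVEL SECURITY is set), so
--    the view can aggregate over every row while the caller receives only the
--    aggregate. The view:
--      (a) scopes to organisations/offices the caller administers,
--      (b) uses employer-approved trips only,
--      (c) counts distinct participants, not trips, against k, and
--      (d) drops any cell below k; nothing is rounded, masked or approximated.
create view employer_mode_split as
select
  t.org_id,
  t.office_id,
  date_trunc('month', t.trip_date)::date as month,
  t.mode,
  count(distinct t.user_id)              as participants,
  count(*)                               as trips,
  round(sum(t.distance_km), 1)           as distance_km
from trip_summaries t
join orgs o on o.id = t.org_id
where t.employer_visible
  and exists (
    select 1 from org_admins a
    where a.user_id = auth.uid()
      and a.org_id  = t.org_id
      and (a.office_id is null or a.office_id = t.office_id)
  )
group by t.org_id, t.office_id, date_trunc('month', t.trip_date)::date, t.mode, o.k_min
having count(distinct t.user_id) >= o.k_min;

-- Dashboard users read the view only; the base table stays RLS-gated.
grant select on employer_mode_split to authenticated;

-- Anything holding the service-role key bypasses RLS and can read
-- trip_summaries row by row (still with no location in it), which is why that
-- key must live in server-side code only.
```

Two points a reviewer would check in a real deployment of this pattern. First, there is deliberately no view that groups by `user_id`: the `participants` column is the only per-person-derived figure, and it is a count, which is what makes the "no per-person totals, even for a named individual" statement in Section 5 true by construction. Second, if an aggregate participation count for the same cohort is published next to this split, a reader can sometimes infer a suppressed cell by subtraction, so participation figures and mode cells should be derived from the same suppressed result set or covered by a secondary suppression rule.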

6. Retention

We retain your data for no longer than is necessary for the purposes described in this policy.

Trip summaries and CO₂ calculations

[PLACEHOLDER: retention period, e.g. "7 years from the date of recording, to support multi-year Carbon Reduction Plan reporting and audit obligations."]

Account and identity data

[PLACEHOLDER: retention period, e.g. "For the duration of the employment relationship plus [X] years, or until the account is deleted — whichever is sooner."]

Security and authentication logs

[PLACEHOLDER: retention period, e.g. "90 days rolling."]

k-anonymised aggregate reports

[PLACEHOLDER: retention period, e.g. "As long as the employer's subscription is active, plus [X] years for audit purposes."]

When you exercise your right to erasure (Section 7), we delete your identifiable data promptly, subject to any statutory retention obligations we are required to comply with. Because the k-anonymised aggregate data does not identify you, its retention does not constitute retention of your personal data.

7. Your data-subject rights

Under UK GDPR you have the following rights. You can exercise them by contacting us using the details in Section 13.

Right of access (Article 15)

Request a copy of the personal data we hold about you.

Right to rectification (Article 16)

Ask us to correct inaccurate or incomplete data.

Right to erasure (Article 17)

Request deletion of your personal data. The Ozomark app provides a self-service "Delete my account" function that erases your identifiable data. You can also submit a request to us directly.

Right to restrict processing (Article 18)

Ask us to restrict how we use your data while a dispute is resolved.

Right to portability (Article 20)

Receive the data you have provided to us in a structured, machine-readable format.

Right to object (Article 21)

Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on consent, you may withdraw it at any time without detriment.

We will respond to your request within one calendar month. If we need more time (up to two further months), we will explain why. We will not charge a fee for reasonable requests.

8. Security

We apply appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of all data in transit (TLS 1.2+) and at rest.
  • Row-level security (RLS) enforced at the database layer, so each admin can only read data for their own organisation and office scope.
  • Authentication via Supabase magic-link (no passwords stored). Tokens are short-lived and scoped.
  • Infrastructure hosted within the UK (AWS eu-west-2, London) — see Section 9.
  • Strict deny-by-default access controls: every database table has RLS enabled; no table is readable without an explicit policy.
  • The service-role database key never appears in browser-reachable code.

Despite these measures, no system is entirely secure. If you become aware of a suspected security vulnerability or breach, please contact us immediately at [PLACEHOLDER: security contact email].

9. Sub-processors

We share personal data with the following categories of sub-processor only where necessary for the services described in this policy. All sub-processors are bound by data-processing agreements (DPAs) and provide appropriate safeguards under UK GDPR Article 28.

Sub-processor | Purpose | Location
Supabase, Inc. | Database, authentication, and API hosting | UK (AWS eu-west-2, London)
[PLACEHOLDER: email / transactional-email provider, e.g. Resend] | Transactional email (magic-link authentication, invite notifications) | [PLACEHOLDER: country]
Cloudflare, Inc. | Website hosting (dashboard + marketing site), DNS, and CDN | Global edge (served from the UK); US-incorporated
Umami Software, Inc. (Umami Cloud) | Cookieless, privacy-friendly website analytics on the public pages only; no cookies, and no personal data is stored (IP addresses are hashed and discarded) | United States

[PLACEHOLDER: add any additional sub-processors; confirm this list with your legal adviser. If any sub-processor is outside the UK/EEA, describe the transfer safeguard (e.g. UK International Data Transfer Agreement).]

We do not sell personal data. We do not share it with third parties for their own marketing purposes.

10. Cookies

The Ozomark web dashboard uses strictly necessary cookies only:

Cookie | Purpose | Duration
sb-…-auth-token | Supabase authentication session | Session / [PLACEHOLDER: max age]
nuxt-color-mode | Remembers your light/dark mode preference (no personal data) | Persistent (1 year)

We do not use advertising or tracking cookies. To understand visitor numbers on our public website we use Umami, a privacy-friendly analytics tool that sets no cookies and stores no personal data (IP addresses are hashed and discarded). Because it stores no information on your device and retains no personal data, it does not require a cookie-consent banner under PECR / UK GDPR, and it never runs on the authenticated dashboard. If you use the Ozomark mobile app, the app uses on-device storage (SQLite) for the trip database, not browser cookies.

11. Children

Ozomark is a business-to-business platform intended for use by employees aged 16 or over. We do not knowingly process the personal data of children under 13 (the UK GDPR minimum age for consent to information society services). If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.

12. Changes to this policy

We may update this policy from time to time. When we make a material change we will update the "effective date" at the top of this page and, where required by law, notify you directly (e.g. by email or in-app notification) before the change takes effect.

Continued use of Ozomark after the effective date of a material change constitutes acceptance of the updated policy, where permitted by applicable law. You always have the right to object or withdraw consent as described in Section 7.

13. Contact & complaints

To exercise your rights or if you have any questions about this policy, contact us at:

[PLACEHOLDER: company legal name]

[PLACEHOLDER: postal address]

Email: [PLACEHOLDER: data-protection contact email]

You also have the right to lodge a complaint with the UK supervisory authority at any time:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Website: ico.org.uk

Helpline: 0303 123 1113

We would always welcome the chance to address your concerns before you contact the ICO, so please reach out to us first if you are comfortable doing so.