Privacy Policy

Last updated: 17 March 2026

1. Who We Are

Pamoja dMRV is operated by Consuming Carbon Corporation, a company incorporated in the State of Delaware, United States. We provide a digital Measurement, Reporting and Verification (dMRV) platform for carbon credit projects across Africa.

Data Controller: Consuming Carbon Corporation
Registered: State of Delaware, USA
Contact: privacy@consumingcarbon.com

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address, organisation, role, profile picture
  • Authentication data: Firebase authentication tokens, session identifiers (we do not store passwords directly)
  • Usage data: Pages visited, features used, timestamps, IP address, browser type
  • Project data: Carbon project information, measurement data, credit batch records, field visit data
  • Location data: GPS coordinates of project sites and field measurements (not user device location)
  • Farmer/household data: Household identifiers, stove usage data, agricultural data collected during field visits

3. How We Use Your Data

  • Providing and operating the dMRV platform
  • Authenticating users and managing access control
  • Processing carbon credit verification and issuance
  • Generating analytics and monitoring reports
  • Communicating platform updates, alerts, and notifications
  • Complying with carbon registry requirements (Verra, Gold Standard, Puro.Earth)
  • Improving platform performance and user experience

4. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract performance: Providing the dMRV platform services you have subscribed to
  • Legitimate interest: Platform security, fraud prevention, analytics
  • Legal obligation: Carbon registry reporting requirements, tax obligations
  • Consent: Marketing communications, non-essential cookies

5. Data Storage and Security

Your data is stored on Google Cloud Platform infrastructure. Our primary data region is europe-west1 (Belgium), with project-specific data residency available for African jurisdictions.

  • All data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Database: Google Cloud Spanner with point-in-time recovery
  • Authentication: Firebase Auth with optional multi-factor authentication
  • Audit trail: Immutable audit log with cryptographic hash chain verification
  • Access control: Role-based access control (RBAC) with tenant isolation

6. Data Sharing

We share personal data only in these circumstances:

  • Carbon registries: Project data shared with Verra, Gold Standard, Puro.Earth as required for credit issuance
  • Cloud providers: Google Cloud Platform (data processor, under DPA)
  • Blockchain: Anonymised hash anchors on Hedera Hashgraph for data integrity
  • Legal requirements: When required by law, regulation, or valid legal process

We do not sell personal data to third parties.

7. Data Retention

Account data is retained for the duration of your account plus 12 months after closure. Carbon project data and credit records are retained for the project crediting period plus 7 years, as required by carbon registry standards. Audit logs are retained indefinitely for compliance verification.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data (subject to legal retention requirements)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent for optional processing

To exercise these rights, contact privacy@consumingcarbon.com. We will respond within 30 days.

9. Applicable Laws

Consuming Carbon Corporation is incorporated in the State of Delaware, USA, and operates the Pamoja dMRV platform for users primarily located in East Africa. This policy is designed to comply with:

  • U.S. Federal and Delaware State Privacy Laws — Corporate jurisdiction
  • Kenya Data Protection Act 2019 — Primary operating jurisdiction
  • EU General Data Protection Regulation (GDPR) — For EU-based users
  • South Africa POPIA — For South African users and data subjects
  • Tanzania Data Protection Act 2022
  • Uganda Data Protection Act 2019
  • Rwanda Law on Protection of Personal Data 2021

10. Cookies

We use essential cookies for authentication and session management. These are strictly necessary and cannot be disabled. Non-essential analytics cookies are only set with your consent via the cookie banner.

  • __session: Authentication session (httpOnly, 7 days)
  • cookie_consent: Your cookie preference (localStorage)

11. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or platform notification at least 30 days before taking effect.

12. Contact

For privacy-related questions or concerns:
Email: privacy@consumingcarbon.com
Address: Consuming Carbon Corporation, Delaware, USA