Privacy Policy

Last Updated: February 25, 2026

Overview

CarbonGuru provides a carbon footprint analysis service through a browser extension, website, and related services. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

What Data We Collect

Account Information

When you create an account, we collect your email address and display name.

Shopping Pages

When you use the extension to analyze a product or shopping cart, it sends the page content, URL, and title to our servers so we can identify the products and calculate their carbon footprint.

This only happens when you actively click the CarbonGuru button. The extension does not passively monitor or record your browsing.

Email Receipts (Gmail Integration)

If you connect your Gmail account, we request read-only access (the gmail.readonly scope). CarbonGuru cannot modify, delete, or send emails on your behalf.

We access order confirmations, receipts, and invoices to extract product and purchase information. We do not access personal correspondence or other non-purchase emails.

Email content is processed in memory only. Raw email HTML is never written to disk or stored in our database. Once product information has been extracted, the email content is discarded.

Data Stored on Your Device

The extension stores login credentials and basic preferences locally in your browser. This data is cleared when you log out or uninstall the extension.

Cookies

The extension accesses session cookies on the carbonguru.io domain to keep your shopping cart in sync between the extension and our website. We do not read cookies from any other website.

How We Use Your Data

  • Calculate the carbon footprint of products and shopping carts
  • Match products to environmental impact databases
  • Sync carbon offset and removal items to your cart
  • Avoid reprocessing items you’ve already analyzed
  • Improve our analysis accuracy using aggregated, de-identified data

What We Store

  • We store: Product names, prices, quantities, merchant names, calculated carbon footprints, and your account information
  • We do not store: Full email content, raw email HTML, passwords, payment card numbers, or your browsing history

Email content is used only during analysis and never retained afterward. We use samples of page HTML as reference for refining our HTML processing functions. No user data is ever used to train models. Raw email HTML is processed in memory and discarded immediately after product data extraction.

Data Sharing

We do not sell your personal data. We share data only in these cases:

  • AI service providers โ€” to extract product information from web pages and emails, preprocessed content is sent to AI service providers that act as sub-processors on our behalf. These providers process the content solely to identify product names, prices, and descriptions for carbon footprint estimation. They do not store, retain, or use your data for any other purpose, including model training or advertising
  • Carbon offset providers โ€” when you purchase offsets or removals, we share your name (for certificate attribution), carbon amount, and order details with our fulfillment providers (currently CNaught and Stripe Climate). CNaught also receives your email address for certificate delivery. Payment card details are handled directly by payment processors and are never shared with offset providers
  • Payment processing โ€” payments are handled by Stripe and PayPal. We do not store your payment card details
  • Legal requirements โ€” we may disclose data if required by law

Google API Services โ€” Limited Use Disclosure

CarbonGuru’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Scope and access: CarbonGuru requests only the gmail.readonly scope. This grants read-only access to your email messages. CarbonGuru cannot and does not modify, delete, send, or draft emails on your behalf.

Limited Use compliance:

  • We only use Gmail data to provide and improve carbon footprint analysis โ€” our core application functionality
  • We do not use Gmail data for serving advertisements or for any advertising purpose
  • To extract product information, preprocessed email content is sent to AI service providers acting as sub-processors solely for product identification. These providers do not retain the data or use it for any independent purpose. No Gmail data is transferred to third parties as independent recipients, except to comply with applicable law or as part of a merger or acquisition with comparable privacy protections
  • No human reads your Gmail data unless you affirmatively grant permission for a specific support request, it is necessary to investigate a security incident, or it is required to comply with applicable law

Token security: Your Gmail OAuth tokens are encrypted at rest using AES-based symmetric encryption. When you disconnect your Gmail account, CarbonGuru revokes your tokens directly with Google and deactivates them in our system.

Audit logging: All Gmail API accesses are logged for security purposes, including the user, timestamp, and purpose of each access. These logs are used solely for security monitoring and debugging.

Data Retention

  • Account data โ€” retained while your account is active
  • Carbon footprint analyses โ€” retained so you can view your history and track your impact
  • Login credentials โ€” stored locally and expire automatically; cleared on logout
  • Gmail OAuth tokens โ€” encrypted and retained while your Gmail connection is active. Tokens are revoked at Google and deactivated in our system when you disconnect Gmail
  • Email content โ€” not retained. Raw email HTML is processed in memory and discarded immediately after extraction

Data Security

All communication between the extension and our servers is encrypted via HTTPS. We do not store passwords. Server-side credentials and Gmail tokens are encrypted at rest.

Your Rights

  • Access โ€” request a copy of the data we hold about you
  • Deletion โ€” request deletion of your account and associated data
  • Revoke Gmail access โ€” disconnect Gmail through your account settings or via Google Account Permissions
  • Uninstall โ€” removing the extension deletes all locally stored data and stops all data collection

General Audience Service

CarbonGuru is designed for general audiences. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to This Policy

We may update this policy from time to time. Changes will be reflected in the “Last Updated” date above.

Contact

For questions or data requests: support@carbonguru.io