Privacy policy

1. Identity of the controller

The controller responsible for the processing of your personal data is CBAMDesk, located at Brinklaan 134, 1404 GV Bussum, The Netherlands. We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. If you have any questions or concerns about how we process your data, you may contact us at any time by sending an email to contact@cbamdesk.eu. This privacy policy explains what data we collect, why we collect it, how we use it, and what rights you have in relation to your personal data.

2. What data we collect

Account data

When you create an account on CBAMDesk, we collect your full name, email address, company name, and other information necessary for providing our services. This data is required to set up and manage your account, identify you as a user, and deliver the features of our platform. We may also collect your job title and phone number if you choose to provide them.

Usage data

We automatically collect certain information when you use our platform, including your IP address, browser type, operating system, pages visited, time spent on pages, and other diagnostic data. This usage data helps us understand how our service is used and allows us to improve the user experience. Usage data is collected through server logs and analytics tools.

Submitted forms

When you submit a contact form, request a demo, or apply through our partner program, we collect the information you provide in those forms. This typically includes your name, email address, company name, and the content of your message. We use this data solely to respond to your inquiry and to evaluate potential partnerships.

Cookies & analytics

Our website uses cookies and similar tracking technologies to enhance your browsing experience and gather analytical data. We use functional cookies that are essential for the operation of the website, as well as analytics cookies that help us understand visitor behavior and improve our service. You can manage your cookie preferences through your browser settings. For more detailed information about the specific cookies we use, please refer to Section 9 of this policy.

3. Legal basis for processing

We process your personal data on the basis of one or more of the following legal grounds as defined in Article 6 of the GDPR. First, we process data as necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This includes the processing of your account data and any data required to deliver our services.

Second, we may process your data based on our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include improving our platform, preventing fraud, ensuring network and information security, and conducting analytics to better understand how our services are used.

Third, where required by law, we obtain your explicit consent before processing your personal data. This applies in particular to the use of certain analytics cookies and to marketing communications. You may withdraw your consent at any time by contacting us at contact@cbamdesk.eu or by using the relevant opt-out mechanisms provided.

4. Purpose of processing

We process your personal data for the following purposes. Our primary purpose is to provide and maintain our CBAM compliance platform, including account management, calculation services, reporting features, and supplier management tools. Without this processing, we would be unable to deliver the services you have requested.

We also process your data for communication purposes, including responding to your inquiries, sending transactional emails related to your account, and providing customer support. Additionally, where you have given consent, we may send you information about product updates, new features, or relevant industry news.

Furthermore, we process usage data for analytics and service improvement. This allows us to identify trends, monitor the performance of our platform, detect and prevent technical issues, and develop new features that meet the needs of our users. All analytics processing is conducted in a manner that respects your privacy and minimizes the use of personal data wherever possible.

5. Data sharing

We do not sell, rent, or trade your personal data to any third parties. We share your data only with a limited number of trusted processors that are strictly necessary for the delivery of our service. These processors include our hosting provider, email service provider, and analytics tools. Each processor is contractually bound to process your data only on our instructions and in accordance with applicable data protection laws.

We have entered into data processing agreements with all our processors, ensuring that they implement appropriate technical and organizational measures to protect your data. We regularly review the practices of our processors to ensure continued compliance with our privacy standards and the GDPR.

In certain circumstances, we may be required to disclose your personal data to comply with a legal obligation, such as a court order or a request from a supervisory authority. In such cases, we will disclose only the minimum amount of data necessary to comply with the obligation and will notify you where legally permitted to do so.

6. Data retention

We retain your account data for as long as your account remains active and for a reasonable period thereafter, in order to comply with our legal obligations, resolve disputes, and enforce our agreements. The specific retention period after account closure is determined by the nature of the data and the applicable legal requirements, but will generally not exceed 24 months.

Form submissions, including contact form inquiries, demo requests, and partner applications, are retained for a period of two (2) years from the date of submission. After this period, the data is securely deleted or anonymized so that it can no longer be associated with you.

Usage data and analytics logs are retained in an aggregated or anonymized form for statistical analysis purposes. Where usage data contains personal identifiers, it is deleted or anonymized within 26 months of collection, consistent with common industry practices and regulatory guidance.

7. Your rights

Under the GDPR, you have a number of rights with respect to your personal data. You have the right to access the personal data we hold about you and to receive a copy of that data. You have the right to rectification, meaning you can request the correction of any inaccurate or incomplete personal data. You also have the right to erasure, commonly known as the "right to be forgotten," which allows you to request the deletion of your personal data under certain circumstances.

Furthermore, you have the right to restrict the processing of your personal data, for example if you contest the accuracy of the data or if the processing is unlawful. You have the right to data portability, which means you can request your personal data in a structured, commonly used, and machine-readable format and have it transferred to another controller. Finally, you have the right to object to the processing of your personal data, particularly where processing is based on our legitimate interests.

To exercise any of these rights, please contact us at contact@cbamdesk.eu. We will respond to your request within one (1) month of receipt. In certain cases, this period may be extended by two additional months, depending on the complexity and number of requests. We will inform you of any such extension and the reasons for it.

8. International transfers

Your personal data is primarily stored and processed within the European Union. Our hosting infrastructure is located in the EU, and we select processors based in the EU wherever feasible. We take the geographical location of data processing seriously, as it is a key factor in ensuring the protection of your personal data.

In certain cases, it may be necessary to transfer your personal data to processors located outside the European Economic Area (EEA). When such transfers occur, we ensure that appropriate safeguards are in place. Specifically, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to provide an adequate level of protection for your data.

Before engaging any non-EU processor, we conduct a transfer impact assessment to evaluate the legal framework and data protection standards in the recipient country. We only proceed with the transfer if we are satisfied that your data will be adequately protected. You may request a copy of the applicable safeguards by contacting us at contact@cbamdesk.eu.

9. Cookies

Our website uses cookies to ensure proper functionality and to collect analytical data. Functional cookies are essential for the operation of the website and enable core features such as session management, security, and remembering your preferences. These cookies do not require your consent as they are strictly necessary for the service you have requested.

Analytics cookies help us understand how visitors interact with our website by collecting information about pages visited, time spent on the site, and any errors encountered. This data is used in aggregate form to improve the performance and usability of our platform. We obtain your consent before placing analytics cookies, as required by applicable law.

We are in the process of developing a comprehensive cookie policy that will provide detailed information about each cookie used on our website, including its purpose, duration, and type. This cookie policy will be published separately and linked from this page. In the meantime, you can manage your cookie preferences through your browser settings, where you can choose to block or delete cookies.

10. Security measures

We take the security of your personal data seriously and have implemented a range of technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS), ensuring that your information is protected in transit.

Data at rest is encrypted using industry-standard encryption algorithms. Access to personal data is restricted to authorized personnel only, on a need-to-know basis. We enforce strong authentication requirements and maintain detailed access logs to monitor and audit data access. Our infrastructure is protected by firewalls, intrusion detection systems, and other security technologies.

We perform regular backups to ensure data availability and integrity, and we have disaster recovery procedures in place. Our security practices are reviewed and updated on an ongoing basis to address emerging threats and vulnerabilities. While no method of transmission or storage is completely secure, we strive to use commercially acceptable means to protect your personal data.

11. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes to this policy, we will notify you by email or through a prominent notice within our application prior to the changes taking effect. We encourage you to review this policy periodically to stay informed about how we protect your data.

The date at the top of this policy indicates when it was last updated. Any changes will become effective when the updated policy is posted on this page, unless otherwise stated in the notification. Your continued use of our services after the effective date of the revised policy constitutes your acceptance of the changes. If you do not agree with any modifications, you may close your account and discontinue your use of the platform.

12. Supervisory authority

If you believe that our processing of your personal data infringes upon your rights under the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for CBAMDesk is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which can be contacted at the following address:

We would, however, appreciate the opportunity to address your concerns before you approach the supervisory authority. Please contact us first at contact@cbamdesk.eu so that we can attempt to resolve the matter directly with you.

13. Effective date

This privacy policy is effective as of February 2026. It applies to all personal data processed by CBAMDesk from this date onwards. Previous versions of our privacy policy, if any, are superseded by this document. If you have any questions about this privacy policy or our data practices, please do not hesitate to contact us at contact@cbamdesk.eu.