Origin Ledgers

GDPR Compliance Statement

Document Version: 1.0  |  Effective date: June 10, 2020

Origin Ledgers (“Origin Ledgers,” “we,” “our,” or “us”) is committed to protecting the privacy and security of all personal data in full compliance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.

This statement explains how Origin Ledgers collects, uses, stores, and protects personal data processed through the Origin Ledgers Platform. It also describes the principles and practices we follow to ensure transparency, lawfulness, and fairness in all personal data processing activities.

Origin Ledgers applies GDPR-compliant safeguards across its operations, including:

  • Processing personal data only for specific, legitimate purposes;
  • Ensuring accuracy, integrity, and confidentiality of all personal data;
  • Implementing technical and organizational security measures consistent with ISO 27001 and SOC 2 standards;
  • Respecting data subjects’ rights to access, rectification, erasure, restriction, and data portability;
  • Maintaining records of processing activities and performing Data Protection Impact Assessments (DPIAs) where required.

For more information on our data processing activities, lawful bases, and user rights, please refer to our Privacy Policy.

1. Data Controller

Origin Ledgers, located at Via Luigi Canonica 4, CH-6900 Lugano, Switzerland, is the data controller responsible for processing your personal data in connection with Origin Ledgers.

For GDPR-specific inquiries, contact our Data Protection Team at legal@originledgers.com.

2. Data Categories Collected

In connection with the operation and use of the Trade Room Sustainability and Carbon Accounting Platform, Origin Ledgers processes the following categories of personal data as defined under Article 4(1) of the General Data Protection Regulation (GDPR).

Origin Ledgers collects and processes only the minimum personal data necessary for providing and improving its services, maintaining accurate billing records, and ensuring compliance with applicable sustainability reporting regulations.

| Category | Examples of Data Processed | Legal Basis (under GDPR) |
|---|---|---|
| Billing & Payment Data | Company Name*, Billing Address*, Tax ID*, TR TIN*, Payment Email*, Cardholder Name* | Contractual necessity, Legal obligation |
| Contact & Address Data | Company Name*, Country*, Phone Number*, Main Email*, Facility Address* | Contractual necessity, Legitimate interests |
| Organizational Data | Franchise Name, Supplier Name, Operational Scope | Legitimate interests (for service delivery and platform management) |
| Emission & Reporting Data | Emission Factors (EF CO2e), Activity Data, GHG Mapping Descriptions | Contractual necessity, Legal obligation |
| Optional Data | Company Website, Establishment Year, Facility Area (m²) | Consent (where applicable) |

3. Purposes of Processing

Origin Ledgers processes personal data strictly in accordance with the principles of lawfulness, fairness, and transparency, as set out in Article 5 of the GDPR.

The personal data collected through the Origin Ledgers Platform is processed for the following purposes:

| Purpose | Description | Legal Basis (GDPR) |
|---|---|---|
| Contractual Obligations | To deliver and manage carbon accounting services, including user account administration, billing, emissions tracking, and sustainability reporting. | Performance of a contract (Article 6(1)(b)) |
| Legal Compliance | To meet legal and regulatory obligations, including tax reporting (Tax ID, TR TIN) and environmental compliance with greenhouse gas (GHG) reporting requirements. | Legal obligation (Article 6(1)(c)) |
| Legitimate Interests | To maintain and improve platform functionality, ensure system security, prevent fraud, enhance customer support, and analyze usage trends to improve service quality. | Legitimate interest (Article 6(1)(f)) |
| Consent | For optional data such as company website or facility details, or to send marketing communications, newsletters, or service updates. | Consent (Article 6(1)(a)) |

4. Data Security

Origin Ledgers implements a comprehensive set of technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures are designed in accordance with industry best practices and recognized security frameworks such as **ISO 27001**, **NIST 800-53**, and **SOC 2**.

Our key security controls include:

  • Encryption:

    All payment and financial data are encrypted using PCI-DSS-compliant payment processors. Sensitive data transmitted between users and our systems is protected through **TLS 1.2+ encryption** and **data-at-rest encryption protocols**.

  • Access Controls:

    Access to sensitive data (such as Tax IDs, TR TINs, and billing details) is restricted based on role and necessity, enforced through **multi-factor authentication (MFA)** and **Zero Trust Model** principles.

  • Regular Security Audits:

    Origin Ledgers conducts periodic internal and external security reviews, vulnerability assessments, and penetration tests to identify and remediate potential weaknesses.

  • Incident Response:

    While no system can guarantee absolute security, Origin Ledgers maintains a dedicated incident response program to promptly detect, respond to, and mitigate any data security incidents in accordance with our **Data Breach Notification Policy**.

These measures ensure that personal data processed within Origin Ledgers' systems remains secure, confidential, and available in compliance with **Articles 32–34 of the GDPR**.

5. Data Retention

Origin Ledgers retains personal data only for as long as it is necessary to fulfill the purposes for which it was collected, comply with legal and regulatory obligations, resolve disputes, and enforce agreements.

Retention periods are determined in accordance with Article 5(1)(e) of the GDPR (storage limitation principle) and other applicable data protection and financial regulations.

| Data Category | Retention Period | Purpose / Basis |
|---|---|---|
| Account Data | Retained until account deletion or for up to 2 years following last user activity, whichever occurs first. | To manage user accounts and comply with contractual obligations. |
| Payment Data | Retained for 7 years, or as required by applicable financial and accounting regulations. | Compliance with financial and audit obligations. |
| Tax Identification Data (TR TIN, Tax ID) | Retained in accordance with Swiss tax and accounting laws. | Compliance with national tax regulations. |
| Emission and Reporting Data | Retained for 5 years after contract termination, anonymized where possible. | Legal and environmental reporting obligations. |
| Marketing and Optional Data | Retained until consent is withdrawn or for 2 years following the last recorded interaction, whichever occurs first. | Based on user consent for marketing and communication activities. |

6. International Data Transfers

Origin Ledgers operates on a global scale, which may involve the transfer and processing of personal data outside the European Union (EU) or European Economic Area (EEA).

All such transfers are conducted in full compliance with the General Data Protection Regulation (GDPR) to ensure an equivalent level of protection for your personal data, regardless of where it is processed.

Origin Ledgers applies the following safeguards to maintain GDPR compliance:

  • Standard Contractual Clauses (SCCs):

    For transfers to third countries (such as the United States) where no adequacy decision exists, Origin Ledgers relies on the European Commission’s Standard Contractual Clauses to ensure lawful and secure data transfers to external service providers and sub-processors.

  • Binding Corporate Rules (BCRs):

    For intra-group data transfers between Origin Ledgers entities and affiliates located outside the EU/EEA, Origin Ledgers implements Binding Corporate Rules, ensuring consistent data protection standards and accountability within the Origin Ledgers group.

  • Adequacy Decisions:

    Where applicable, Origin Ledgers may transfer personal data to countries recognized by the European Commission as providing an adequate level of data protection under Article 45 GDPR.

For more details on our data transfer safeguards and applicable mechanisms, please refer to our Privacy Policy.

7. Your GDPR Rights

If you are a resident of the European Union (EU) or European Economic Area (EEA), you are entitled to the following rights under the General Data Protection Regulation (GDPR) with respect to your personal data processed by Origin Ledgers:

| Right | Description |
|---|---|
| Access | You have the right to request confirmation of whether Origin Ledgers processes your personal data and to obtain a copy of such data. (Article 15 GDPR) |
| Rectification | You may request correction or completion of inaccurate or incomplete personal data. (Article 16 GDPR) |
| Erasure ("Right to be Forgotten") | You may request deletion of your personal data where it is no longer necessary, where consent is withdrawn, or where processing is unlawful, subject to legal retention obligations. (Article 17 GDPR) |
| Restriction of Processing | You may request the temporary suspension of data processing under certain conditions (e.g., pending verification of accuracy or in cases of objection). (Article 18 GDPR) |
| Data Portability | You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. (Article 20 GDPR) |
| Objection | You may object to processing based on legitimate interests or for direct marketing purposes. (Article 21 GDPR) |
| Withdraw Consent | Where processing is based on your consent (e.g., for marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. (Article 7(3) GDPR) |

To exercise any of these rights, please log in to your Origin Ledgers account settings or contact our Data Protection Team at legal@originledgers.com.

Origin Ledgers will respond to all verified data subject requests within 30 days, as required by Article 12(3) GDPR. In complex cases, this period may be extended by an additional 60 days, in which case we will inform you of the reasons for the delay.

8. Cookies and Tracking

Origin Ledgers uses cookies and similar technologies to enhance user experience, analyze platform performance, and support marketing activities.

  • Functional cookies are essential for platform operation and cannot be disabled.
  • Analytics and marketing cookies are considered non-essential and are used only with your explicit consent.

9. Children's Data

The Origin Ledgers Platform is not intended for use by individuals under the age of **16**.

Origin Ledgers does not knowingly collect or process personal data from minors.

If you believe that a child has submitted personal data to Origin Ledgers, please contact us immediately at legal@originledgers.com so we can promptly delete such information.

10. Changes to This Statement

Origin Ledgers may update this GDPR Compliance Statement periodically to reflect changes in our practices, technologies, or legal obligations.

When updates are significant, we will notify users via email or in-platform notifications.

Your continued use of Origin Ledgers services following such notice constitutes acceptance of the updated terms.

11. Complaints

If you are dissatisfied with how Origin Ledgers handles your personal data or your data protection request, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

For a list of EU supervisory authorities and their contact information, please visit the European Data Protection Board (EDPB) website at: https://www.edpb.europa.eu/edpb_en

12. Contact Us

For all inquiries regarding this GDPR Compliance Statement or your personal data rights, please contact:

Origin Ledgers
Via Luigi Canonica 4,
CH-6900 Lugano, Switzerland
legal@originledgers.com

Origin Ledgers’ Data Protection Team will review and respond to verified GDPR-related requests within 30 days, in accordance with applicable data protection laws.