Last Updated: September 10, 2020
This document contains the following information:
What data is collected and why
How your data is handled, and by who
Threat and vulnerability management (how we keep your data safe)
Additional information regarding data privacy for users of our corporate service, Capture for Teams
The regulatory requirements we meet
Your rights to your data
What data is collected, and why?
We collect only the data we need. Here’s what that means practically...
Your Identity and Access
On signing-up for a product curated by Climate Technology Solutions Pte Ltd, we will typically ask for information such as your name and email address. We will not use your name in external marketing communications or any public statements without your permission.
Your In-App Responses
In order for us to provide you with information on your carbon footprint, we ask a number of questions about your lifestyle. This data that you create within the app is transmitted securely and kept securely on our cloud servers. We do not share the information attached to your profile with anybody outside of our organisation and you will need to be logged into your account to access this data.
Motion and Geolocation data
In order to automatically predict greenhouse gas emissions from mobility choices, users may choose to share location information and motion tracking information with the Capture app. This allows Climate Technology Solutions Pte Ltd to access precise GPS coordinates and other sensor information on the phone of the user in order to predict journey mode, journey time and, ultimately, CO2 emissions.
Using motion detection, we predict when a user is on-the-move, only asking for GPS information when our algorithm believes the user is taking a means of transport other than walking. We take GPS coordinates at the start and end points of such a journey and store it in our temporary database on the server. We may check GPS coordinates a few times during the journey - but we do not store any of those points. At the end of the journey (when a user goes back to being on foot or stationary), our algorithm uses the collected data on the server to predict the mode of journey. The start and endpoints of the journey are permanently deleted from the temporary database at the end of each day.
If you join a community area with Capture for Teams, in some cases, we will share some reporting data back to your team, such as emissions related to mobility choices, but that data is fully anonymized. Please see the Information for users of our corporate service, Capture for Teams area below.
When you pay for a product or service by Climate Technology Solutions Pte Ltd, we use a payment service provider called Stripe to manage your payments. We chose to use Stripe to manage your payment details and handle the payment process as they provide our users with a seamless payment experience and are certified to the highest compliance standards.
You can find full and up-to-date information on Stripe’s privacy policies here:
You can find full and up-to-date information on Stripe’s data retention policy here:
Your credit card is passed directly to our payment processor and doesn’t ever go through our servers. We store a record of the payment transaction, including the last 4 digits of the credit card number and as-of billing address, for account history, invoicing, and billing support.
We use CAPTCHA services on our website as a means of spam protection. When you fill out specific forms on our website, the CAPTCHA service evaluates various information (e.g IP address, how long the visitor has been on the app, mouse movements) to check whether the data is possibly filled out by an automated program instead of a human. We retain these data via our subprocessor forever because they are used for anti-spam mitigation.
Cookies and Do Not Track
We do use persistent first-party cookies to store certain preferences, make it easier for you to use our applications, and support some in-house analytics. A cookie is a piece of text stored by your browser to help it remember your login information, site preferences, and more. You can adjust cookie retention settings in your own browser. To learn more about cookies, including how to view which cookies have been set and how to manage and delete them, please visit: www.allaboutcookies.org
When you write to Climate Technology Solutions Pte Ltd with a question or to ask for help, we keep that correspondence, including the email address, so that we have a history of past correspondences to reference if you reach out in the future.
Information we do not collect
We don’t collect any characteristics of protected classifications including age, race, gender, religion, sexual orientation, gender identity, gender expression, or physical and mental abilities or disabilities. You may provide these data voluntarily, such as if you include a pronoun preference in your email signature when writing into our Support team.
How your data is handled, and by who
Our default practice is to not access your information. We may access or share your information in response to a specific request or to help you troubleshoot, or in order to handle an error or software bug, with your permission. If at any point we need to access your account to help you with a Support case, we will ask for your consent before proceeding.
We have an obligation to protect the privacy and safety of both our customers and the people reporting issues to us. If we do discover you are using our products for a restricted purpose, we will report the incident to the appropriate authorities.
Identity and Access Management
Predefined security groups are utilized to assign role-based access privileges and segregate access to data to the production systems. Administrator access to the production systems is granted based on job roles and responsibilities and limited to authorized personnel. Put simply, only a very limited number of specific people within Climate Technology Solutions that need to access data are allowed to access data.
For admin accounts (the ‘data controller’), we have two-factor authentication to protect access to user data. When a member of the team has their role terminated, access to all restricted information is revoked and any hardware used by the team-member is returned.
Sale of Data
Capture has not and will not ever sell our user’s data.
Storage of Data
We use a GDPR-approved authentication service provider to manage user login information. All data obtained thereafter is stored on our database with Google Cloud services in Europe.
When users share GPS information with our services, they give permission for the app to access their location data. The app records only small amounts of GPS data and only when we detect that a user is moving. To elaborate; when a user takes a journey, two pieces of information (the start and the end location) are sent from the app to temporary databases - where we make an analysis to determine the journey mode. Data held on this database is cleared every 24 hours. Once the journey has been determined, we send the journey mode data to be stored longer term on our server (held securely on Google Cloud).
Threat and Vulnerability Management
We perform annual risk assessments of production applications and services. Results from risk assessment activities are reviewed to prioritize the treatment of identified risks. We perform a vendor security review for third-party vendors whose services will store, process, or transmit our customer data.
We perform risk-based continuous control monitoring throughout the year by performing control testing using a formal methodology. The testing results are documented and reviewed by management, including remediation plans for identified observations.
Scanning For Vulnerabilities
We conduct vulnerability scans against the production environment to identify threats and assess their potential impact to system security on a weekly basis. Results are evaluated and remediated according to risk rating.
Our goal is to execute a 3rd party application penetration test on an annual basis, a process that includes additional 3rd party remediation testing if any high or moderate risk vulnerabilities are identified.
Monitoring tools are used to continuously monitor security events, latency, network performance, and virtual server performance. Incident response procedures are in place that outlines the response procedures to security events and include lessons learned to evaluate the effectiveness of the procedures.
Application & Infrastructure Security
A configuration management tool is utilized to ensure security hardening and baseline configuration standards have been established on production servers.
Network traffic to and from untrusted networks passes through a policy enforcement point; firewall rules are established in accordance with identified security requirements and business justifications.
An issue tracking system is in place to centrally maintain, manage, and monitor application and infrastructure changes from development through implementation.
Information for users of our corporate service, Capture for Teams
Capture for Teams is a service provided by Climate Technology Solutions Pte Ltd to help organisations build and/or engage a ‘planet-friendly’ community. This often takes the form of working with a corporation to provide a dedicated in-app area for employees, helping employees to view collective planet-friendly savings, whilst organisations benefit from aggregated information on the impact their workforce has on the planet.
Information Shared From Community Members
The following data is shared from community members with the organisation who has commissioned that community to be created (‘the client’):
Which invited users have activated their account and completed the in-app on-boarding process
Aggregated data (not on a user-by-user basis) on the following metrics:
Number of ‘planet-friendly commitment’ days completed
Emissions reduced as a result of those commitments
Collective emissions from food and/or transport
The date that a specific user has joined any of the available planet-friendly commitments, and details of which planet-friendly commitment that specific user has joined
Collectively, how many people have joined a ‘planet-friendly commitment’, and the number of logged commitment days (it is not possible for the client to see whether a specific community member has completed a specific ‘planet-friendly commitment’ on a certain day).
This information will be used to create leaderboards, which are visible to the client and to other community members. Leaderboards are based on % reductions in personal CO2 emissions relating to travel and diet, and the total commitment days kept on a weekly and monthly basis
Again, the client won’t be able to deduce which community member completed which commitment on which day
Further aggregated data will be shared from community members to the client, including:
Average mobility emissions (available on a daily basis within the dashboard as a precise number in the form of a chart)
Total planet-friendly commitments kept (available on a daily basis within the dashboard as a precise number in the form of a chart)
The owner of any community (the client) will be able to see the following information about each of the community members:
Whether a community member has activated their account
Whether a community member has joined a planet-friendly commitment
When (if at all) a community member joined a planet-friendly commitment
… aggregated data will be averaged from the community to help the client to:
Monitor total mobility and dietary emissions
Monitor planet-friendly commitment participation and CO2 savings
The regulatory requirements we meet
We meet GDPR regulatory requirements in regards to the handling of user data. We use a GDPR-approved authentication service provider to manage user login information, with all data obtained thereafter being stored on our database with Google Cloud services in Europe.
You can access further up-to-date information on the data security and privacy policies of Google Cloud via the following link:
Your rights to your data
All Users Hold The Same Rights
We apply the same data rights to all customers, regardless of their location. We adhere to the European Union’s General Data Protection Regulation (“GDPR”). These rights include:
Right of Access. This includes your right to access the personal information we gather about you, and your right to obtain information about the sharing, storage, security and processing of that information.
Right to Correction. You have the right to request correction of your personal information.
Right to Erasure / “To be Forgotten”. This is your right to request, subject to certain limitations under applicable law, that your personal information be erased from our possession and, by extension, all of our service providers.
Right to Complain. You have the right to make a complaint regarding our handling of your personal information with the appropriate supervisory authority.
Right to Restrict Processing. This is your right to request restriction of how and why your personal information is used or processed, including opting out of sale of personal information.
Right to Object. You have the right, in certain situations, to object to how or why your personal information is processed.
Right to Portability. You have the right to receive the personal information we have about you and the right to transmit it to another party.
Right to not be subject to Automated Decision-Making. You have the right to object and prevent any decision that could have a legal, or similarly significant, effect on you from being made solely based on automated processes. This right is limited, however, if the decision is necessary for performance of any contract between you and us, is allowed by applicable law, or is based on your explicit consent.
If you have questions about exercising these rights or need assistance, please contact us at firstname.lastname@example.org
What happens when you delete your account
If you use any of our products, you have a right to be forgotten and to have all your collected data deleted by our company. You can write to us to delete your account at any time. Once received, we process the request within 28 working days and send you a confirmation message on completion. At your request, all data associated with your account will be permanently deleted from active systems and logs.
For requests to delete personal information or to know what personal information has been collected, we will first verify your identity using your email address.
Questions or Changes
We may update this policy as needed to comply with relevant regulations and reflect any new practices. Whenever we make a significant change to our policies, we will also announce them on our company blog, which can be found at www.thecapture.club/blog
Climate Technology Solutions Pte. Ltd.
6 Raffles Quay