PRIVACY POLICY REGARDING THE PROCESSING OF PERSONAL DATA
BY TESSORIS DPK

This Privacy Policy regarding the processing of personal data by Tessoris DPK aims to help you understand what personal data we collect, why we collect it, and how we use it. Please take the time to read this Privacy Policy carefully. We want you to be fully informed about how we use your information and the ways in which you can exercise your rights.

This Privacy Policy applies to your personal data when you visit our online platform: https://www.tessoris.com/ (the “Platform”, the “Website”), use our mobile application (the “Application”), create an account, use our services through the Platform or the Application, or otherwise interact with us. It does not apply to other websites, platforms, applications and/or services that we do not own or control.

If you have any questions or requests, please contact us at: Sofia 1784, Mladost District, 4111R Tsarigradsko shose Blvd., Synergy Tower, Office 12, email: office@tessoris.com

I. WHO ARE WE?

The Company, providing you services through this platform, acting as a Personal Data Controller, is Tessoris DPK, incorporated and existing under the Laws of the Republic of Bulgaria, registered with the Commercial Register and the Register of Non-Profit Legal Entities at the Registry Agency in the Republic of Bulgaria under Unified Identity Code 208183363 having its seat and registered office at Sofia 1784, Mladost District, 4111R Tsarigradsko shose Blvd., Synergy Tower, Office 12 (hereinafter referred to as the "Controller", “Tessoris”, "we", "us", and/or the "Company").

Data Protection Contact Person (DPCO): Plamen Dragnev, email: office@tessoris.com

We respect the right to privacy and continuously work to ensure that the personal data we process is kept to a minimum and is maximally protected. However, in order to provide you with our services, it is necessary to process certain personal data.

By registering a user account and/or using any of our services, you confirm that you have read and understood this Privacy Policy regarding the processing of personal data by Tessoris.

II. PERSONAL DATA WE COLLECT AND HOW WE USE IT

Personal data is data that describes and is linkable to someone as a person. We collect and process personal data solely for the purposes of operating the Platform and providing the services to our visitors, including but not limited to providing access to voluntary carbon credit purchasing and retirement services, managing user accounts, administering payments, ensuring platform security, and complying with applicable legal obligations.

We do not sell personal data.

1. Categories of Data Subjects

In connection with registration and creation of a user account on the Company’s Platform, use of its functionalities, provision of services, consultations, payment administration, document issuance, customer support, and compliance with our legal obligations, we process personal data of the following categories of data subjects:

  • Natural persons - customers of the services provided by Tessoris;
  • Representatives of legal entities - customers of the products/services provided by Tessoris (including legal representatives, managers, members of management bodies, and other persons acting on behalf of the customer);
  • Contact persons and employees of legal entity customers of Tessoris;
  • Authorized persons acting on behalf of natural or legal person customers of Tessoris;
  • Individuals registered as users of the Platform;
  • Beneficial owners, where personal data is processed for the purpose of complying with legal obligations.

2. Categories of Personal Data

Tessoris processes the following categories of personal data:

  • Identification Data - full name, username, internal user identifier (User ID), country;
  • Contact Data - email address, telephone number, correspondence address;
  • Corporate Profile Data - details of the designated contact person or representative;
  • User-Provided Environmental and Lifestyle Data - information voluntarily provided by users during onboarding or use of the Platform and/or the Application, including data relating to transportation habits, type of vehicle and fuel, dietary preferences, frequency of meat consumption, type of residence, home energy usage, and other factors used to estimate carbon footprint and environmental impact;
  • Behavioural and Environmental Impact Data - information generated through the use of the Platform and/or the Application, including estimated CO₂ emissions, carbon footprint calculations, offset statistics, progress indicators, and usage-related metrics;
  • Order and Transaction Data - order number, order history, transaction amount and currency, payment status, reference numbers, acquired carbon credit quantities, carbon credit status, portfolio/wallet identifier;
  • Subscription Data - subscription plan, selected project, billing cycle, subscription status, renewal and cancellation data, periodic offset parameters, and payment confirmations received from application store providers;
  • Carbon Credit Retirement and Certificate Data - carbon credit identifier, project and certification standard, volume (tCO₂), acquisition date, retirement date, certificate number and identifier, certificate status;
  • Payment Data - information regarding completed payments (date, amount, status, reference), payment method, and limited payment-related data received from payment service providers and/or application store providers (Google Play and Apple App Store);
  • Identity Verification (KYC) Data - type of identity document, document number, issue and expiry date, issuing country, image/copy of the document, verification result, verification status, approval/refusal date;
  • Communication Data - content of inquiries, correspondence, support requests;
  • Technical Data - IP address, date and time of access, login logs, device and browser information, security and fraud-prevention records;
  • Personal data received from the “Contact Us” Section in the Website/Application or from contacting us by phone or via email - full name, email address and/or phone number.

3. Purposes of Processing

Tessoris processes personal data for one or more of the following purposes:

  • Registration and administration of a user account on the Platform;
  • Calculating carbon footprint, generating personalized statistics, and enabling carbon offset services;
  • Visualization, tracking, and analysis of environmental impact, carbon footprint, and offsetting progress within the user account;
  • Customer identification and data verification (including identification of representatives and contact persons, where applicable);
  • Acceptance, administration, and fulfillment of orders for the purchase of voluntary carbon credits;
  • Generation, storage, and management of digital carbon offset certificates associated with user activity;
  • Management of subscription-based services, including selection of subscription plans, automatic recurring carbon offsetting, assignment of projects, periodic issuance of certificates, and related account and payment administration;
  • Customer assessment/due diligence and provision of assistance by the Controller;
  • Conclusion and performance of consultancy service agreements;
  • Administration of payments and financial transactions;
  • Tax compliance, accounting activities, and invoicing;
  • Registration, transfer, offset and/or retirement of voluntary carbon credits through external carbon credit registries, including the exchange of necessary personal data with such registries;
  • Communication with customers in relation to the services provided;
  • Management of complaints, disputes, and legal claims;
  • Platform security, fraud prevention, and misuse prevention;
  • Direct marketing and newsletter communications*.

Direct Marketing and Newsletter Communications - If you have given your consent to receive marketing information and/or have subscribed to our newsletter through the Website and/or the Application (where such an option is available), we will use your email address to send you up-to-date information about our activities, upcoming events, new products or services, or other information that we believe may be of interest to you. Your consent is voluntary. We will not deny you our services if you have not given your consent to receive marketing information and/or have not subscribed to our newsletter through the Website and/or the Application (where such an option is available). You may withdraw your consent to receive this information at any time. Personal data processed for direct marketing purposes is stored until the given consent for direct marketing is explicitly withdrawn or an objection to the processing of personal data for direct marketing is received.

4. Legal Grounds for Processing

  • Taking steps at the request of the data subject prior to entering into a contract and/or for the performance of a contract to which the data subject is a party;
  • Compliance with the Controller’s pre-contractual, contractual, and legal obligations;
  • The legitimate interests of the Controller, including ensuring Platform security, preventing fraud and misuse, protecting against legal claims and disputes, and improving the services provided;
  • The explicit consent of the data subject, where such consent is required.

5. Retention Periods

  • Contract-related data - for a period of 5 years following termination of the relevant contract or until the final resolution of any disputes, in line with the applicable statutory limitation period for contractual claims;
  • Accounting and financial data - for a period of 10 years, in accordance with applicable tax and accounting legislation;
  • Platform user profile data - for the duration of the existence of the user account. In the event of inactivity for a period exceeding 2 calendar years, calculated from the date of the last recorded activity within the user account, the account shall be automatically deleted, unless a longer retention period is required for compliance with a legal obligation or for the protection of the Controller’s rights and legitimate interests.
  • Identity Verification (KYC) data - for a period of 5 years from the date of the last transaction;
  • Technical logs and security data - for 6 months from the date of the relevant record, for the purpose of evidencing actions and ensuring platform security;
  • Certificate-related data - for 5 years from the date of issuance of the respective certificate, for the purpose of evidencing completed actions;
  • Communication Data and Data of individuals who have submitted inquiries through contact forms - for 6 months from the date of the last correspondence, unless further retention is required for the performance of a contract, compliance with legal obligations, or for the establishment, exercise or defence of legal claims;
  • Marketing Data and Consent Records - until withdrawal of consent.

III. METHOD OF DATA COLLECTION

Each visitor personally provides the personal data that is entered or uploaded to the Website and/or the Application.

Personal data may also be collected through onboarding questionnaires completed by users prior to or during account registration. Such information may initially be provided without direct identification but becomes associated with a specific user account upon completion of registration and is thereafter treated as personal data.

Visitors are not allowed to enter third-party personal data without due authorisation by such third party. We do not monitor or control the content entered or uploaded by the visitor. It is the visitor’s sole responsibility to ensure that any processing of personal data performed through our Website and Application complies with the requirements of the GDPR and other applicable personal data protection legislation.

IV. SECURITY MEASURES

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. Such measures include, where appropriate:

  • access control based on the “need-to-know” principle;
  • authentication and authorization mechanisms;
  • secure hosting environments;
  • logging and monitoring of access;
  • regular review of access rights;
  • confidentiality obligations for personnel;
  • incident response procedures.

Access to personal data is limited to authorized personnel, processors and, where applicable, joint controllers acting under appropriate contractual or legal confidentiality obligations.

We also take appropriate technical and organisational measures to protect your personal data against loss or other forms of unlawful processing. Please be aware that personal data is accessible only to personnel who require access in order to perform their duties and who have been properly trained and authorised. Our staff is required to comply with internal confidentiality, ethics and data protection policies and to sign confidentiality agreements. Employees receive appropriate training in data protection, privacy and information security.

V. PROCESSORS

For the provision of our services we may engage third-party service providers acting as data processors. Such processors are carefully selected based on their ability to provide sufficient guarantees for the protection of personal data and compliance with the GDPR. Personal data is processed by such processors strictly on our instructions and in accordance with this Privacy Policy and applicable confidentiality and security requirements. These may include:

  • IT hosting and infrastructure providers;
  • software maintenance and development providers;
  • payment service providers (in particular Stripe - https://stripe.com/en-bg, and banks), and e-money institutions;
  • external carbon project developers;
  • accounting, legal and audit advisors;
  • email and communication service providers.

For the processing of payments, the Platform uses Stripe Connect, a payment service provided by Stripe, Inc. Personal data necessary for processing payments may be shared with Stripe. Stripe processes such data as an independent payment service provider in accordance with its own Privacy Policy, Terms and Conditions.

All processors act under written agreements in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and are required to implement appropriate technical and organisational security measures.

VI. JOINT CONTROLLERS

In connection with the registration, transfer and retirement of voluntary carbon credits through the Platform, Tessoris may exchange certain personal data with external carbon credit registries. Where such processing involves the joint determination of the purposes and essential means of processing, Tessoris and the respective carbon credit registry act as joint controllers within the meaning of Article 26 of the GDPR.

For the purposes of the joint processing described above, Tessoris is responsible for providing the Platform and the Application through which users purchase, manage and request the retirement of voluntary carbon credits, for the collection of personal data from users, and for providing privacy information to data subjects through this Privacy Policy.

The Carbon Credit Register is responsible for operating the carbon credit registry infrastructure, maintaining registry accounts, and recording the issuance, transfer, cancellation and retirement of carbon credits in accordance with its Registry rules and Operational Documents.

Tessoris acts as the main contact point for data subjects in relation to the joint processing activities described in this section. Data subjects may exercise their rights under the GDPR in respect of the joint processing against either joint controller.

In accordance with Article 26 of the GDPR, the essence of the arrangement between the joint controllers, including the allocation of responsibilities between the parties in relation to the processing of personal data, is made available to data subjects through this Privacy Policy.

The responsibilities of the parties in relation to such joint processing activities are further regulated in separate Joint Controller Agreements. Certain information relating to carbon credit transactions and registry records may not be deleted where retention is necessary to ensure the integrity, traceability and auditability of carbon credit transactions or to comply with applicable registry rules or legal obligations.

VII. MINORS

The Platform and the services provided by Tessoris are intended for use by individuals who are at least 18 years of age.

We do not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data has been collected from a person under 18 without valid legal grounds, we will take appropriate steps to delete such data without undue delay, unless retention is required by law.

If you believe that we have inadvertently collected personal data from a minor, please contact us immediately.

VIII. YOUR RIGHTS

You have the right to request confirmation whether personal data concerning you is being processed and to request access to your personal data and information regarding the purposes of processing, categories of personal data, recipients and retention periods.

You have the right to request rectification of inaccurate personal data or completion of incomplete personal data.

You have the right to request deletion of personal data where one of the following applies: the data is no longer necessary for the purposes for which it was collected; the processing is unlawful; the data subject withdraws consent where processing is based on consent; or deletion is required to comply with a legal obligation.

You have the right to request restriction of processing under the conditions provided in the GDPR, including where the accuracy of the data is contested or where the processing is unlawful but the data subject opposes erasure.

You have the right to data portability, meaning that you may receive personal data concerning you in a structured, commonly used and machine-readable format and transmit it to another controller where the processing is based on consent or a contract and is carried out by automated means.

You also have the right to object to the processing of your personal data where such processing is based on legitimate interests, as well as the right to object at any time to processing for direct marketing purposes.

Requests may be submitted via the contact details provided in Section I of this Privacy Policy and are handled within 30 days.

If requests are manifestly unfounded or excessive, in particular due to their repetitive nature, we may either charge a reasonable administrative fee or refuse to act on the request, in accordance with Article 12 of the GDPR.

IX. INFORMATION WE SHARE

We do not share personal information with companies, organisations and individuals unless one of the following circumstances applies:

  1. With your consent - we will share personal information with companies or organisations when we have your explicit consent to do so;
  2. For making services possible - with third-party processors involved in providing the services;
  3. For legal reasons - when disclosure is necessary to comply with applicable law, legal process, governmental request, or to protect the rights, property or safety of Tessoris, our users or the public;
  4. For provision of in-app purchases, subscriptions, billing, and transaction verification - with application store providers.

We may share your name with Stripe in connection with the payment services they provide to you. You can find their Privacy Policy at: https://stripe.com/en-bg/privacy.

Application store providers, such as Google Play and the Apple App Store, may process personal data related to in-app purchases, subscription billing, payment processing, fraud prevention, and related account management as independent data controllers. In such cases, they determine the purposes and means of processing in accordance with their own terms, conditions, and privacy policies.

X. SUPERVISORY AUTHORITY

You may lodge a complaint with the Bulgarian Commission for Personal Data Protection:

Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Email: kzld@cpdp.bg
More information can be found at: www.cpdp.bg.

You may also lodge a complaint with the supervisory authority in your country of residence or place of work.

Last update of the Privacy Policy: 11.03.2026