
How Ekometrics protects your accounting data (GDPR made simple)

  • Writer: Antonio Anguiano
  • Oct 7

In short


  • You own your data. We process it only to calculate your CO₂ report.

  • Minimal data, EU hosting, encryption everywhere.

  • No selling, no ad tech, no model training on your data (unless you explicitly opt in).

  • You stay in control: export, deletion, and clear audit trails.

  • Built to respect GDPR (lawfulness, minimisation, security, accountability).



1) Who owns what (and why GDPR matters)


  • You = Controller. You decide why and how your accounting data is used.

  • Ekometrics = Processor. We act on your instructions to compute your CO₂ footprint, provide dashboards/exports, and support.

  • Legal basis: typically contractual necessity with you (the controller). For any separate purposes (e.g., product analytics), we keep them separate and documented.



2) What we collect and what we don’t


We ingest only what’s needed to compute an accurate report using the ADEME monetary approach:


  • Needed fields (examples): account codes (PCG), labels, dates, net-of-VAT amounts, journal, (optional) supplier name/ID.

  • Not needed → not collected/used: salaries/PII beyond what’s incidentally present, bank IBANs, personal notes unrelated to emissions. If such data appears in the file, we ignore it and apply minimisation (filtering, masking).

Simple rule: If it doesn’t help calculate emissions, we’d rather not have it.
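As an illustration of the minimisation rule above (an added example, not Ekometrics' own code): a small Python filter that reads an FEC export, keeps only the allow-listed fields, masks IBAN-like strings in free-text labels, and redacts entry labels on personnel-expense accounts. It assumes the standard 18-column tab-separated FEC layout; the "PCG class 64 = personnel expenses" rule and the sample FEC lines are constructed for this example.

```python
import csv
import io
import re

# Standard FEC layout (18 tab-separated columns), assumed as the input format.
FEC_COLUMNS = [
    "JournalCode", "JournalLib", "EcritureNum", "EcritureDate", "CompteNum",
    "CompteLib", "CompAuxNum", "CompAuxLib", "PieceRef", "PieceDate",
    "EcritureLib", "Debit", "Credit", "EcritureLet", "DateLet", "ValidDate",
    "Montantdevise", "Idevise",
]

# Allow-list: the only fields a monetary CO2 estimate needs (account code and
# label, date, journal, amounts, optional supplier). Everything else is dropped
# before the row is stored anywhere.
NEEDED_FIELDS = [
    "JournalCode", "EcritureDate", "CompteNum", "CompteLib",
    "EcritureLib", "Debit", "Credit", "CompAuxNum", "CompAuxLib",
]

# Free-text fields that may carry incidental names or bank details.
FREE_TEXT_FIELDS = ["CompteLib", "EcritureLib", "CompAuxLib"]

# IBAN-like token: two letters, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

# Assumption for this example: PCG class 64 (personnel expenses) entries
# commonly name employees in their labels, so those labels are redacted.
PERSONNEL_ACCOUNT_PREFIX = "64"
REDACTED_LABEL = "[PERSONNEL LABEL REDACTED]"


def mask_free_text(value: str) -> str:
    """Replace anything that looks like an IBAN with a fixed marker."""
    return IBAN_RE.sub("[IBAN REDACTED]", value)


def minimise_row(row: dict) -> dict:
    """Project a full FEC row onto the allow-list and mask sensitive text."""
    kept = {field: row.get(field, "") for field in NEEDED_FIELDS}
    if kept["CompteNum"].startswith(PERSONNEL_ACCOUNT_PREFIX):
        # Salary lines: keep the account and amounts, drop who was paid.
        kept["EcritureLib"] = REDACTED_LABEL
        kept["CompAuxNum"] = ""
        kept["CompAuxLib"] = ""
    else:
        for field in FREE_TEXT_FIELDS:
            kept[field] = mask_free_text(kept[field])
    return kept


def minimise_fec(text: str) -> list[dict]:
    """Parse a tab-separated FEC export and return minimised rows only."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    unknown = set(reader.fieldnames or []) - set(FEC_COLUMNS)
    if unknown:
        raise ValueError(f"unexpected FEC columns: {sorted(unknown)}")
    return [minimise_row(row) for row in reader]


def dropped_fields() -> set:
    """Fields that never leave the ingestion step (for documentation/audit)."""
    return set(FEC_COLUMNS) - set(NEEDED_FIELDS)


# Constructed sample FEC (three entries); the IBAN and names are made up.
SAMPLE_FEC = "\n".join([
    "\t".join(FEC_COLUMNS),
    "\t".join(["AC", "Achats", "1", "20240305", "604000", "Achats d'etudes",
               "401FOURN", "Fournisseur X", "F-2024-17", "20240301",
               "Facture F-2024-17 virement FR7630006000011234567890189",
               "1200,00", "", "", "", "20240305", "", ""]),
    "\t".join(["OD", "Paie", "2", "20240331", "641100", "Salaires",
               "", "", "PAIE-03", "20240331", "Salaire mars Dupont Marie",
               "3100,00", "", "", "", "20240331", "", ""]),
    "\t".join(["AC", "Achats", "3", "20240401", "613200", "Locations",
               "401BAIL", "Bailleur Y", "L-04", "20240401", "Loyer bureau mars",
               "900,00", "", "", "", "20240401", "", ""]),
])

if __name__ == "__main__":
    for entry in minimise_fec(SAMPLE_FEC):
        print(entry)
    print("never stored:", sorted(dropped_fields()))
```

The allow-list is the important design choice: fields are kept because they are named as needed, not dropped because they are named as sensitive, so a new column in a future export is rejected rather than silently ingested.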

3) Where your data lives


  • Hosting in the EU/EEA by default.

  • If a non-EU transfer is ever necessary (rare), we use Standard Contractual Clauses (SCCs) + transfer impact assessments, with encryption and strict access controls.



4) How we keep it safe (security in plain language)


  • Encryption in transit & at rest (TLS for data in motion; strong encryption for data at rest).

  • Access on a need-to-know basis (role-based access control, least privilege, MFA/SSO for staff).

  • Tenant isolation (logical separation of customer data).

  • Backups & disaster recovery with tested restores.

  • Audit logging of admin access and data actions.

  • Secure development lifecycle (code reviews, dependency scanning, vulnerability management, periodic pentests).

  • Incident response plan aligned with GDPR timelines (we notify controllers without undue delay; authorities within 72 hours when required).



5) What we do not do


  • We do not sell your data.

  • We do not use your accounting data to train generic AI models.

  • We do not mix your data with other customers’.



6) How long we keep it (retention)


  • Default retention: reporting period + a short buffer (for support and audits).

  • You can request deletion or return at any time; backups expire on a rolling schedule.

  • We document retention in your Data Processing Agreement (DPA) and in-app settings.



7) Your controls & rights (you stay in charge)


  • Export: download your data and results anytime.

  • Deletion: request full deletion; we confirm once done.

  • Corrections: re-upload corrected data and regenerate the report.

  • Rights under GDPR: access, rectification, erasure, restriction, portability, objection. We help you fulfil these for any personal data in scope.



8) FAQs


Do you process personal data?

We don’t seek personal data, but some FEC files (Fichier des Écritures Comptables) include names in labels or sole-trader details. We treat them under GDPR with minimisation and security measures.


What happens if there’s a security incident?

We activate our incident response plan, contain and assess impact, and notify you without undue delay. If GDPR requires it, the competent authority is notified within 72 hours.



9) Our promise


We built Ekometrics on privacy by design: collect less, protect more, and give you control. If you ever have questions about how we handle your accounting data, we’ll answer in clear, non-legalese language, and show our work (settings, logs, and documentation).
