Data & Information Handling Policy

Purpose

Environmental certificates are only as trustworthy as the data behind them.
We handle sensitive information every day — registry data, counterparty details, sustainability claims, pricing, contracts, and transfers.

This policy explains how we collect, store, protect, use, and share information.
The principle is simple: data should help you trade with confidence, not increase your risk.


1. What data we handle

We work with three categories of information:

A. Certificate & Registry Data

  • certificate serial numbers
  • technology, fuel-type, commissioning date
  • production periods
  • registry account details
  • transfer history
  • eligibility data (e.g., renewable fuel use, sustainability tags)

B. Counterparty Information

  • onboarding/KYC documents
  • beneficial ownership
  • contact details
  • contracts and commercial terms
  • trading behaviour and historical activity

C. Internal & Operational Data

  • internal communications
  • pricing models
  • margin structures
  • compliance files
  • due diligence records
  • audit findings

We treat all of it with a high degree of protection.


2. How we collect data

We collect information from:

  • counterparties
  • registries
  • public sources
  • onboarding documentation
  • trade confirmations
  • internal systems
  • communications
  • third-party verifiers (where authorised)

We only collect what is necessary.
We do not collect data “just in case.”


3. How we use data

We use information to:

  • verify counterparties
  • execute and settle trades
  • prevent fraud and double counting
  • comply with AML, KYC, and sanctions rules
  • maintain accurate registry records
  • calculate positions and exposures
  • manage risk
  • produce confirmations and documentation
  • maintain full audit trails

We do not use confidential information to gain unfair market advantage.


4. How we store data

We store data:

  • securely
  • encrypted at rest and in transit
  • access-controlled
  • logged and monitored
  • backed up
  • protected against loss, corruption, or unauthorised access

Access is granted on a least-privilege basis:
only those who need data to do their job can access it.


5. Sharing of data

We share data only when necessary.

We may share with:

  • registries (to execute trades)
  • regulators (when required by law)
  • auditors (internal or external)
  • payment providers
  • authorised counterparties
  • legal advisers

We do not share:

  • counterparty data with other counterparties
  • pricing or order-flow information
  • proprietary methods or systems
  • commercially sensitive information

We never sell data.


6. Accuracy and integrity

We maintain strict data accuracy standards:

  • all certificate details must match registry records
  • serial numbers must be verified
  • delivery instructions must be correct
  • discrepancies are corrected immediately
  • historical data must remain unchanged unless a formal amendment is documented

Data integrity is the backbone of certificate trading.


7. Retention

We retain records for the period required by:

  • law
  • regulators
  • market rules
  • audit cycles

We do not keep data longer than necessary.
When retention ends, data is securely deleted.


8. Confidentiality

Everyone working with us — employees, contractors, advisors — must:

  • sign confidentiality agreements
  • handle information responsibly
  • avoid discussing sensitive matters outside controlled channels
  • never disclose information to third parties without approval

Careless disclosure is treated as a compliance breach.


9. Personal data

Where we handle personal data (names, IDs, contact details), we comply with:

  • UK GDPR
  • local data protection laws
  • appropriate international frameworks

Individuals may request:

  • access
  • correction
  • deletion (where legally permissible)
  • clarification on how their data is used

We respect these rights fully.


10. Communications & document handling

We follow strict controls:

  • business communication must use approved channels
  • confidential material must be encrypted
  • sensitive files must not be forwarded externally without approval
  • physical documents must be secured
  • USB drives & portable storage are prohibited unless encrypted and authorised

No screenshots of sensitive systems.
No sending registry details via unsecured channels.


11. Data breach response

If we discover or suspect a data breach, we:

  1. Contain the incident immediately
  2. Investigate root causes
  3. Assess impact
  4. Notify affected parties if required
  5. Notify regulators if required
  6. Implement corrective measures
  7. Document and review the incident

We do not conceal data incidents.


12. Training

All staff receive training on:

  • data protection
  • information security
  • correct registry handling
  • confidentiality
  • cyber hygiene
  • phishing and fraud prevention

Competence prevents mistakes.


13. Third-party processors

Where third parties process data on our behalf, we:

  • conduct due diligence
  • require written contracts
  • ensure proper security standards
  • monitor regularly
  • review compliance performance

Third-party risk is treated as internal risk.


14. Why this matters

Clean certificate markets require clean data.
Inaccurate or exposed information can lead to:

  • double claiming
  • fraudulent transfers
  • regulatory penalties
  • financial losses
  • market manipulation
  • reputational damage

Protecting data protects the market.
