CBAMABLE Back to app
Privacy & Data Protection

Privacy Policy

This policy explains how CBAMable collects, uses and protects your information. We've written it in plain English — no legalese where we can avoid it.

Version 1.1 — June 2026 Governed by UK GDPR & DPA 2018 England & Wales Controller: CBAMable (cbamable.com)
1

Who we are

CBAMable is a CBAM evidence-preparation software tool operated from the United Kingdom. Our website is cbamable.com.

For the purposes of UK data protection law, CBAMable is the data controller for the account, billing and usage data we collect through the website and platform. For personal data contained in the trade documents you upload, CBAMable generally acts as a processor on your behalf (see sections 2 and 6).

CBAMable is a CBAM evidence-preparation tool. It is not an official CBAM filing service, a customs, legal or tax adviser, or a government, HMRC or EU system, and it does not submit declarations on your behalf. You remain responsible for your own regulatory submissions.

Where required under the UK GDPR, we maintain registration with the Information Commissioner's Office (ICO) — the UK's data protection authority; our registration reference will be shown here once confirmed. If you have any questions about how we handle your data, contact us at support@cbamable.com.

2

How we process data

Cloud-based service: CBAMable is a live, account-based platform — not a browser-only tool. When you create an account and use the service, your account details, the documents you upload, and the reports, evidence records and supplier requests you generate are processed on, and stored using, our cloud infrastructure providers. The text of uploaded documents is also processed by an automated extraction provider so that shipment and CBAM data can be read from your files.

In short, data you enter or upload leaves your device and is handled by CBAMable and the service providers described in section 7. We process this data to operate your account, prepare CBAM evidence outputs, and run the supplier and broker workflows you ask us to.

Controller and processor: CBAMable is the data controller for your account and billing data. For the personal data contained within the trade documents you upload (for example details of your suppliers, exporters, importers or their staff), you or your organisation are normally the controller, and CBAMable acts as a processor handling that data on your instructions. See sections 6 and 7.

3

What we collect

We collect the following categories of data when you use CBAMable:

  • Account information — company name, contact name, email address and the plan you choose.
  • Document upload data — the trade documents you upload (such as commercial invoices and shipping paperwork) and the data extracted from them. This can include importer, exporter, supplier and broker names, addresses, contact names and email addresses, invoice numbers, shipment references, HS/CN codes, weights, values and other CBAM evidence data.
  • Reports and records you generate — CBAM assessment reports, evidence records, supplier evidence requests and related workflow data you save to your account.
  • Payment information — handled by our payment processor (Stripe). We do not see or store full card numbers.
  • Usage data — which features you use, report generation events and login timestamps.
  • Communications — emails you send to our support address.
  • Cookies and similar technologies — see section 10.

We do not collect more data than is necessary for the purposes described in this policy. Much of the document content you upload is business data, but it may also contain personal data relating to named individuals — see section 6 for your responsibilities when uploading it.

4

How we use your information

We use the information we collect to:

  • Provide and operate the CBAMable platform and your account
  • Process payments and manage subscriptions
  • Send transactional emails: account confirmation, receipts, password reset, product updates that affect your use of the service
  • Send marketing emails — only where you have given explicit consent (see section 11)
  • Respond to support requests and complaints
  • Improve the product: understand how features are used, diagnose errors, prioritise development
  • Comply with our legal obligations, including financial record-keeping
  • Protect the security and integrity of the platform

We will not use your information for automated decision-making or profiling that produces legal or similarly significant effects.

5

Lawful basis for processing

Under UK GDPR, we must have a lawful basis for processing personal data. We rely on:

  • Contract — processing necessary to provide the service you've signed up for, including account management, report generation and billing
  • Legitimate interests — product improvement, security monitoring and fraud prevention, where our interests are not overridden by your rights
  • Consent — marketing emails and non-essential cookies, where you have opted in explicitly and may withdraw at any time
  • Legal obligation — financial records and compliance with applicable law

Where we rely on legitimate interests, you have the right to object to that processing. See section 9 for how to exercise your rights.

6

Uploaded documents and trade data

Uploaded documents are sent to CBAMable. When you upload a document, its content is transmitted to our infrastructure and to our automated extraction provider so that shipment and CBAM data can be read from it, and the records you choose to save are stored in your account. You — or your organisation — remain the controller for any personal data contained in those documents.

Commercial invoices and CBAM-related documents may contain personal data — for example, named contacts at your suppliers, exporters or importers, their email addresses, EORI numbers linked to individuals, or signatory details. As a user of CBAMable, you are responsible for ensuring you have a lawful basis to process such third-party personal data under UK GDPR before uploading it, and for informing those individuals how their data is used where you are required to.

If your organisation requires a Data Processing Agreement (DPA) with CBAMable for a pilot or for ongoing use, contact support@cbamable.com and we will put one in place.

Please do not upload documents containing special category personal data (such as health information) or data relating to criminal convictions. If such data appears incidentally in a trade document, redact it before upload.

7

Sharing and third parties

We do not sell your personal data. We do not share it with third parties for their own marketing purposes.

We share data with the following categories of third-party service providers (sub-processors) who process data on our behalf to run the service:

  • Cloud hosting, database, authentication and storage — to run the platform and store your account, reports, evidence records and supplier requests. Our infrastructure provider is Supabase, with hosting in the EU/UK region.
  • Automated document extraction — the text of documents you upload is processed by an AI extraction provider (Anthropic) to read shipment and CBAM data. It is used to prepare your outputs and is not used to train third-party models.
  • Payment processing — to handle subscription and pilot payments securely (Stripe). Card data is handled entirely by Stripe; we never see or store full card numbers.
  • Email delivery — to send account, authentication and (where consented) other emails, for example via Supabase and Resend.
  • Analytics — where used, to understand product usage and improve the platform. We do not sell your data.

We may also disclose data where required to do so by law, court order, or to protect the rights, property or safety of CBAMable, our users, or others.

All third-party processors are required to handle your data in accordance with UK GDPR.

8

How long we keep your data

We keep personal data only for as long as necessary for the purposes for which it was collected, or as required by law. As a guide:

  • Account data — kept while your account is active, and for a period after closure to meet financial and legal record-keeping requirements.
  • Reports, evidence records and uploaded document data — kept while your account is active so you can reuse them, unless you delete them sooner.
  • Payment records — kept for the period required by HMRC and applicable tax law.
  • Support correspondence — kept for a reasonable period after your query is resolved.
  • Marketing consent records — kept as evidence of consent for as long as required.

You can delete saved records from within your account, and you can ask us to delete personal data we hold about you — see section 9. Where we are required to retain certain records by law, we will keep only what is necessary for that purpose.

9

Your rights under UK GDPR

You have the following rights in relation to your personal data. To exercise any of them, contact support@cbamable.com. We will respond within one calendar month.

Right of access
Request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification
Ask us to correct inaccurate or incomplete personal data.
Right to erasure
Ask us to delete your data in certain circumstances ("right to be forgotten").
Right to restrict processing
Ask us to pause processing of your data in certain situations.
Right to portability
Receive your data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interests or for direct marketing.
Withdraw consent
Withdraw marketing consent at any time. This doesn't affect prior lawful processing.
Automated decisions
We don't make solely automated decisions with legal effect about you.
Right to complain: If you're not satisfied with how we've handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We'd always prefer the chance to resolve concerns directly first — please contact us before going to the ICO.
10

Cookies

CBAMable uses the following on your device:

  • Strictly necessary cookies and local storage — for sign-in, authentication and session management (including secure tokens from our authentication provider) and to hold your workspace state. These are required for the service to work.
  • Analytics — where used, to understand how the platform is used and improve it. Any non-essential analytics are only enabled with your consent.

We do not use advertising, cross-site tracking or third-party marketing cookies. Some workspace data is also held in your browser's localStorage as a local cache; clearing your browser data removes that local copy but does not delete records saved to your account.

11

Marketing emails

We will only send you marketing emails — including CBAM regulatory updates, product news and offers — if you have given us explicit consent to do so at the point of account creation, in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR.

You can withdraw consent at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Emailing support@cbamable.com with the subject "Unsubscribe"

Withdrawal of consent will be processed within 5 business days. It does not affect the lawfulness of emails sent before withdrawal. Withdrawing marketing consent does not affect your ability to use the platform or receive transactional emails relating to your account.

12

Security

We take the security of your data seriously. Measures in place include:

  • Encryption in transit (HTTPS/TLS) for data sent between your browser, CBAMable and our service providers.
  • Use of established infrastructure providers (such as Supabase and Stripe) that provide encryption at rest and platform-level security controls.
  • Account-level access controls and database access rules that restrict each account's data to that account.
  • Limiting staff access to personal data on a need-to-know basis.
  • Incident-response procedures, including notifying the ICO within 72 hours where a breach is likely to risk your rights and freedoms.

No method of transmission or storage over the internet is 100% secure, and we cannot guarantee absolute security. CBAMable is an evolving product and we continue to strengthen our controls. If you suspect any security issue relating to your account, contact support@cbamable.com immediately.

13

Children

CBAMable is a business-to-business platform intended for use by adults in a professional or commercial capacity. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly. If you believe a minor has submitted data to us, please contact support@cbamable.com.

14

Changes to this policy

We may update this privacy policy from time to time — for example, when we add features or change how data is processed, or when we engage new service providers. The version number and date at the top of this page will always reflect the current version.

Where a material change affects how we use your data, registered users will be notified by email at least 14 days before the change takes effect. We will also update the "last updated" date and increment the version number. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

Previous versions of this policy are available on request by emailing support@cbamable.com.

15

Contact and complaints

For any questions about this privacy policy, to exercise your data protection rights, or to raise a concern about how we handle your data:

  • Email: support@cbamable.com
  • Subject line: "Privacy" or "Data request" helps us route your query quickly
  • Response time: We aim to acknowledge within 2 business days and respond fully within one calendar month (as required by UK GDPR)

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office:

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

This policy is governed by the law of England and Wales. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.