1. WHO WE ARE

The data controller

This website (the “Site”) is operated by Nikhil Kalanjee on behalf of the Carbon Token Project (“CTP”, “we”, “us”). As of the date of this policy, CTP is not yet incorporated as a legal entity. The data controller for the purposes of UK GDPR and EU GDPR is therefore Nikhil Kalanjee, contactable at hello@carbontokenproject.org. Once CTP is incorporated, this policy will be updated to name the legal entity as the controller.

2. WHAT WE COLLECT

The personal data we process

Contact form submissions

When you fill in the contact form on the Get involved page, we collect: your name, your email address, your organisation (optional), the lane you select (Time, Tokens, Partner, or Other), and the message you write. We use this only to respond to you and to track the conversation. Lawful basis: legitimate interests (responding to direct inquiries) under Article 6(1)(f) UK GDPR.

Direct email

If you email hello@carbontokenproject.org, we will hold your email address and message contents for as long as is necessary to respond and to keep a reasonable record of the correspondence.

Server access logs

Our hosting provider, Hostinger, automatically logs technical information about visits to the Site: IP address, user agent string, timestamp, page requested, HTTP status code, and referring URL. These logs are used for security, abuse detection, and infrastructure monitoring. We do not actively review or analyse them. Hostinger’s own privacy practices are described at hostinger.com/privacy-policy.

Cookies

The Site uses functional cookies set by WordPress and our hosting provider for site operation and performance caching. We do not use analytics cookies, advertising cookies, or third-party tracking cookies. We do not embed social media trackers. If you log in to the WordPress admin area (which is only relevant to site administrators), WordPress sets session and authentication cookies for the duration of your session.

Third-party fonts

We load the Inter typeface from Google Fonts. Loading a font triggers a request to Google’s servers, which receive your IP address as a consequence of the request. We do not transmit any other data to Google.

3. HOW WE USE IT

Purposes of processing

We use the personal data described above only for the following purposes:

• Responding to people who contact us about the project, including continuing a multi-message conversation.
• Operating and securing the Site (technical logs, caching).
• Complying with legal obligations where they apply.

We do not use personal data for automated decision-making, profiling, or marketing. We do not sell personal data to anyone.

4. WHO WE SHARE IT WITH

Recipients and processors

We act as the data controller. The following parties act as data processors on our behalf for the technical operation of the Site: Hostinger (web hosting and email), WPForms (contact form storage in our WP database), Google Fonts (font serving). We do not share personal data with any other third party except where required by law.

5. HOW LONG WE KEEP IT

Retention

• Contact form submissions and direct email: kept for as long as the conversation is active and for up to 24 months after the last response. After that, we will delete or anonymise the data unless we have a continuing legitimate reason to retain it.
• Server access logs: retained by Hostinger according to their standard policy (typically 30 to 90 days).
• Cookies: per the cookie’s own expiry (session cookies expire when you close your browser; persistent cookies typically expire within 12 months).

6. YOUR RIGHTS

What you can ask us to do

Under UK GDPR and EU GDPR, you have the right to access, correct, delete, restrict, port, or object to processing of your personal data, withdraw consent, and lodge a complaint with a supervisory authority (in the UK, the Information Commissioner’s Office at ico.org.uk).

To exercise any of these rights, email hello@carbontokenproject.org. We will respond within one month.

7. SECURITY & AI ACCESS

Security and automated access

The Site is served over HTTPS. WordPress and all installed plugins are kept up to date. Administrator accounts use strong passwords and rate-limited login. If a breach occurs that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours.

This Site is published openly with the intention that human readers, search engine crawlers, and AI assistants can read it. We explicitly allow major AI crawlers (GPTBot, ClaudeBot, PerplexityBot, Google-Extended) to access public pages. We use AI tools (notably Claude) as part of operating the Site, including drafting copy and triaging inquiries. AI tools do not have direct access to your personal data unless a human operator explicitly provides it for a specific purpose. Any AI assistance is supervised by a human.