1) Scope and Applicability

This Acceptable Use Policy (“Policy” or “AUP“) applies to all access to and use of Carbon Trail’s websites, applications, APIs, software, documentation, and related services (collectively, the “Services“) by customers, users, and any person acting on their behalf (each a “User“). This Policy is incorporated by reference into the applicable master service agreement, order, or terms of service (the “Agreement“). Capitalized terms not defined here have the meanings in the Agreement.

2) Your Responsibilities

You are responsible for: (a) your Users’ compliance with this Policy and the Agreement; (b) securing and maintaining your accounts, credentials, and systems; and (c) promptly notifying Carbon Trail of any suspected breach of this Policy or unauthorized use of an account or API key.

3) Prohibited Conduct

Users must not (and must not allow others to):

1. Unlawful Activity. Use the Services in violation of any applicable law, regulation, governmental order, or third‑party rights (including privacy, IP, export, sanctions, anti‑corruption, consumer protection, and environmental marketing/advertising laws).
   
   
2. Security Violations. Access or attempt to access accounts, systems, data, or networks without authorization; probe, scan, or test vulnerability; breach or circumvent security or authentication; distribute malware or exploit; conduct denial‑of‑service (DoS/DDoS) or similar attacks.
   
   
3. Interference or Abuse. Interfere with the normal operation of the Services; overload or stress the platform; bypass, throttle, or disable rate limits; use robots/scrapers without written permission; or resell, sublicense, or timeshare the Services except as expressly permitted.
   
   
4. IP Infringement. Upload, process, or share Customer Data that infringes or misappropriates intellectual property or other proprietary rights;
   
   
5. Privacy Violations. Collect, process, or disclose personal data through the Services without a valid legal basis or in violation of applicable privacy laws (e.g., GDPR, UK GDPR, CCPA/CPRA, LGPD) or your privacy notices.
   
   
6. Reverse Engineering. Decompile, disassemble, or otherwise attempt to derive source code or underlying models/algorithms of the Services.
   
   
7. Benchmarking/Competitive Use. Publish or disclose performance or benchmark tests of the Services without our prior written consent.

4) Data Integrity, Transparency, and Environmental Claims

1. Data Quality. Users must maintain accurate, complete, and non‑fraudulent inputs. Where estimates or proxies are used, Users must label them appropriately within the Services when the feature allows.
   
   
2. Methodology Disclosure. When sharing outputs externally, Users must not remove or obscure available context such as system boundaries, functional units, data vintage, uncertainty ranges, or other methodological assumptions.
   
   
3. Third‑Party Validation. Unless expressly stated in the Agreement, Carbon Trail does not provide third‑party assurance or certification. Users are responsible for obtaining any required validation for regulatory, EPD, PCR, or disclosure frameworks.
   
   
4. Responsible Environmental Marketing. Any public claims that rely on outputs produced by the Services must be truthful, substantiated, and compliant with applicable guidance.

5) Emissions Factors, Databases, and Third‑Party Content

1. License Respect. Some datasets, emissions factors, life cycle inventories, and schemas made available via or used with the Services are licensed by third parties and may be subject to additional terms (“Third‑Party Terms“). Users must comply with those terms, including any restrictions on redistribution, extraction, or public disclosure of values, metadata, or documentation.
   
   
2. No Bulk Export Where Prohibited. Unless permitted by the Agreement or Third‑Party Terms, Users must not perform bulk export, scraping, or mass extraction of third‑party datasets or make them available outside the Services.
   
   
3. Attribution. Where an attribution, citation, or provenance statement is presented by the Services or required by Third‑Party Terms, Users must preserve it when sharing outputs.

6) Customer Data and Confidential Information

1. Ownership. As between the parties, you retain ownership of Customer Data. You represent that you have obtained all rights necessary to submit and process Customer Data in the Services.
   
   
2. Prohibited Data Types (without express written approval). Users must not submit: (i) data classified as highly sensitive personal data under applicable laws; (ii) protected health information (PHI) subject to HIPAA unless a signed BAA is in place; (iii) cardholder data subject to PCI DSS; or (iv) classified or defense information subject to specific governmental handling requirements.
   
   
3. Confidentiality. You must protect any non‑public information received from Carbon Trail (including security documentation and system information) in accordance with the Agreement and use it only for purposes permitted by the Agreement.
   
   

7) Security, Access Controls, and APIs

1. Account Security. Maintain strong password hygiene, least‑privilege access, and timely de‑provisioning of former personnel. You are responsible for actions taken using your accounts and credentials.
   
   
2. API Keys. Keep keys confidential; do not embed keys in client‑side code; rotate keys if compromise is suspected; and respect any published API rate limits, pagination, and backoff requirements.
   
   
3. Testing. Do not conduct penetration tests or security scans on the Services without Carbon Trail’s prior written authorization.
   
   

8) Fair Use; Automated Access; Integrations

1. Fair Use. Use the Services in a manner consistent with normal, good‑faith LCA/GHG workflows. Excessive, abnormal, or automated access patterns that degrade stability may be limited.
   
   
2. Automation and Bots. Automated scripts and RPA tools may be used only within documented APIs or export interfaces and must respect rate limits and concurrency guidance.
   
   
3. Third‑Party Integrations. Use of connectors or integrations is subject to the third party’s terms; Carbon Trail is not responsible for third‑party products and does not grant any rights to them.

9) Export Controls and Sanctions

Users must not use or access the Services in or for the benefit of persons or entities (a) located in, organized in, or ordinarily resident in embargoed or comprehensively sanctioned jurisdictions, or (b) identified on applicable sanctions or denied‑party lists. Users must comply with export control laws governing software, technology, and encryption.

10) Anti‑Corruption and Ethics

Users must comply with anti‑bribery and corruption laws (e.g., FCPA, UK Bribery Act) and must not offer, give, solicit, or receive bribes or improper advantages in connection with the Services.

11) Monitoring, Auditing, and Enforcement

1. Monitoring. Carbon Trail may (but has no obligation to) monitor use of the Services to verify compliance with the Agreement and this Policy and to operate, maintain, and improve the Services.
   
   
2. Suspension/Remediation. We may suspend or restrict access to the Services (in whole or part) if we reasonably believe a violation has occurred, to prevent harm, or to comply with law. Where practicable, we will provide notice and an opportunity to cure.
   
   
3. Takedown. We may remove content alleged to be unlawful or in violation of third‑party rights upon receipt of a credible complaint, court order, or government request.
   
   
4. Audit Cooperation. Upon reasonable request, Users will provide information sufficient to demonstrate compliance with this Policy (e.g., attribution preservation, dataset license observance, and rate‑limit adherence).
   
   

12) Reporting Violations and Security Issues

To report abuse, suspected policy violations, or security issues, contact: [email protected]. For security matters, include steps to reproduce and relevant logs, without sharing secrets over email.

13) Changes to this Policy

We may update this Policy from time to time. Material changes will be effective on posting to our website or as otherwise stated. Your continued use of the Services after the effective date constitutes acceptance of the changes.

14) Definitions (for clarity)

• Customer Data: Data submitted by or for you to the Services, including activity data, supplier/facility information, and attachments.
  
  
• Third‑Party Terms: License terms that apply to third‑party datasets, emission factors, or content accessible in or used with the Services.
  
  
• Outputs: Reports, dashboards, calculations, estimates, or other results generated by the Services based on Customer Data and/or third‑party content.
  
  

15) Governing Documents and Order of Precedence

If there is a conflict between this Policy and the Agreement, the Agreement controls, except where this Policy expressly states that it governs specific conduct. Any Service‑specific usage guidelines published by Carbon Trail form part of this Policy.