Start for Free
Why TerralynPricingFAQStart for Free

Terralyn Privacy Policy

Last Updated: April 17, 2026
Effective Date: June 01, 2025

1. Introduction

Climate Data Inc., doing business as Terralyn ("Terralyn," "we," "us," or "our"), provides an AI-powered sustainability analyst platform. This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have.

This policy applies to terralyn.ai and the Terralyn application. It does not apply to third-party services linked from or integrated with the Service; those services are governed by their own privacy practices.

2. Information We Collect

2.1 Information you provide

  • Account information: name, email, hashed password, organization, job title, phone (optional).
  • Billing information: processed by Stripe. We store a customer ID, subscription state, and last four card digits. We do not store full card numbers.
  • Vault content: documents, spreadsheets, PDFs, utility bills, supplier responses, bills of materials, datasets, and other files you upload.
  • Prompts and chat inputs: text, attachments, and context submitted to the AI interface.
  • Outputs: reports, models, spreadsheets, and other content generated by the Service from your inputs.
  • Memory and preferences: preferences and prior context that personalize responses for your account.
  • Support and feedback communications.

2.2 Information collected automatically

  • Usage data: pages viewed, features used, prompt metadata (length, timing, model selection, not content), actions taken, error logs.
  • Device and connection: IP address, browser, operating system, device identifiers.
  • Cookies and similar technologies: see Section 9 and our Cookie Policy.

2.3 Information from third parties

  • OAuth and integration partners (Google Workspace, Slack, Microsoft 365, and others) share data you authorize.
  • Emission factor and regulatory reference data licensed from providers. No personal data flows from us to them.
  • Publicly available professional information when you engage with our sales or marketing outreach.

2.4 Sensitive personal information

We do not ask for, and you should not upload, government-issued identifiers, precise geolocation, biometric data, health information, financial account credentials, union membership, religion, sexual orientation, or other sensitive categories, unless expressly required by a documented sustainability workflow. If you upload such data, we will treat it under the safeguards in Section 7.

3. How We Use Information

  • Provide the Service: authenticate, process prompts and files, generate Outputs, store Vault and Memory, deliver integrations.
  • Billing and account management.
  • Customer support and communications.
  • Security: detect abuse, prevent fraud, maintain platform integrity.
  • Improve the Service: diagnose errors, measure feature performance, develop new capabilities. We do not train AI models on Customer Data (see Section 6).
  • Marketing, with consent or where permitted: newsletters and product announcements.
  • Direct outreach: if you engage with our content on LinkedIn or visit our website, we may contact you via email or LinkedIn direct message about Terralyn offerings. You can opt out at any time.
  • Legal and compliance: comply with law, respond to lawful requests, enforce our Terms.

4. Legal Basis (GDPR and UK GDPR)

For users in the EU, EEA, UK, and Switzerland we process personal data under:

  • Contract: to provide the Service you request.
  • Legitimate interest: service improvement, security, fraud prevention, and B2B direct marketing where supported by a Legitimate Interest Assessment and an easy opt-out mechanism. Our LIA is available on request.
  • Consent: non-essential cookies, marketing to new contacts, optional features.
  • Legal obligation: tax, fraud, and regulatory requirements.

You can withdraw consent at any time. Withdrawing consent does not affect processing performed before withdrawal.

5. Sharing and Disclosure

5.1 We do not sell personal data.

We do not sell or "share" (as defined under California law) personal information for cross-context behavioral advertising.

5.2 Service providers (processors)

We share data with vendors who operate the Service on our behalf under data processing agreements that restrict use to providing services to us.

Category
Purpose
AI model providers
Process prompts and files to generate Outputs. Contractually prohibited from training on Customer Data. Zero-retention APIs used where available.
Cloud infrastructure
Hosting, storage, encryption.
Payment processing
Subscription billing and payment data.
Analytics and error monitoring
Diagnose issues, measure feature usage.
Communications
Account, support, and marketing communications.
Emission factor providers
We receive data from them. We do not share Customer Data with them.

An up-to-date subprocessor list is available on request.

5.3 Integrations you enable

If you connect Google Workspace, Slack, or other integrations, data flows as you authorize those integrations.

5.4 Legal disclosures

We may disclose data when required by law, to protect rights and safety, to enforce our Terms, or to cooperate with lawful requests from authorities.

5.5 Business transfers

In a merger, acquisition, financing, or sale of assets, data may be transferred. We will provide notice and, where required, an opportunity to object.

6. AI Processing, Training, and Automated Decision-Making

AI system notice. The Service is an AI system under the EU AI Act, Colorado AI Act, Texas Responsible AI Governance Act, and equivalent laws. When you interact with Terralyn, you are interacting with AI.

How AI is used. Your prompts, files, and selected context are sent to AI model providers to generate Outputs. Processing occurs in the United States on encrypted infrastructure.

No training on your data. Terralyn does not train AI models on Customer Data. Our contracts with AI providers prohibit them from using Customer Data for model training. We use zero-retention or equivalent enterprise API configurations where available.

Memory. Memory stores preferences and prior context to personalize responses for your account. You can view, export, and delete Memory in account settings.

Human oversight. Outputs are draft and decision-support. You control how and whether to rely on them.

Automated decision-making. We do not use Customer Data to make automated decisions about you that produce legal or similarly significant effects. The Service is not designed or authorized to be used as the sole basis for consequential decisions about natural persons (for example, in employment, housing, credit, insurance, education, or government benefits). Use of the Service for such purposes is prohibited under our Terms.

Labeling. Where required by law (including EU AI Act Article 50), Outputs are identifiable as AI-generated. You are responsible for downstream disclosure obligations if you distribute Outputs further.

7. Data Security

We use administrative, technical, and organizational controls including:

  • Encryption: TLS 1.2+ in transit, AES-256 at rest.
  • Access controls: role-based access, SSO support, multi-factor authentication for administrative access.
  • Tenant isolation: logical separation of Customer Data.
  • Security monitoring and incident response.
  • Vulnerability management and periodic third-party assessments.

No system is fully secure. We will notify affected users and regulators of a security incident as required by applicable law.

8. Data Retention

Data
Retention
Account data
Duration of account plus 12 months, unless you request earlier deletion
Vault content and uploaded files
While your account is active; deleted within 180 days of account deletion, subject to backup rotation
Prompts and chat history
While your account is active; deletable by you at any time
Generated Outputs
While your account is active; deleted with account
Memory and preferences
Until you delete, or the account is deleted
Billing records
7 years (tax and accounting)
Security and access logs
Up to 12 months
Marketing contacts
Until you unsubscribe or request deletion

Backup copies follow our standard rotation, generally not exceeding 180 days after primary deletion.

9. Cookies and Tracking

We use:

  • Essential cookies (always on): authentication, session management, security.
  • Analytics cookies (consent-based outside the US): product usage analytics.
  • Functional cookies (consent-based): remember preferences.
  • Marketing cookies on our public website only (consent-based): campaign attribution.

Manage preferences through the cookie banner on first visit or the Cookie Settings link in the footer. See our Cookie Policy for specifics, including cookie names, providers, and durations.

10. Your Rights

10.1 All users

  • Access, correct, export, and delete your personal data.
  • Opt out of marketing communications.

10.2 GDPR and UK GDPR rights

  • Access, rectification, erasure, restriction, portability.
  • Object to processing based on legitimate interest, including direct marketing.
  • Withdraw consent.
  • Lodge a complaint with your supervisory authority.

10.3 CCPA and CPRA (California)

  • Right to know, delete, correct, and opt-out of "sale" or "sharing." We do not sell or share.
  • Right to limit use of sensitive personal information. We do not use sensitive PI for purposes requiring this limit.
  • Right to non-discrimination.

Global Privacy Control (GPC). We treat a Global Privacy Control browser signal as a valid request to opt out of the "sale" and "sharing" of personal information and of processing for cross-context behavioral advertising or targeted advertising, to the extent required under California, Colorado, Connecticut, Texas, and other US state privacy laws. The opt-out applies to the browser and device from which the signal is received; signed-in users may also set account-level preferences via privacy@terralyn.ai.

CCPA categories of personal information collected in the preceding 12 months:

CCPA category
Collected
Identifiers (name, email, IP, account ID)
Yes
Customer records (contact details, job title, employer)
Yes
Protected classifications
No
Commercial information (subscription, transactions)
Yes
Biometric information
No
Internet/network activity (usage, device)
Yes
Geolocation
Approximate only, from IP
Sensory data
No
Professional/employment
Yes (job title, employer)
Education
Not typically collected
Inferences (preferences, memory)
Yes
Sensitive PI (as defined by CPRA)
Not collected unless voluntarily provided

10.4 Other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Indiana, Iowa, Tennessee, Montana, Rhode Island, and other states with comprehensive privacy laws have rights to access, correct, delete, port, opt out of targeted advertising and sale, and appeal denied requests. Exercise rights via privacy@terralyn.ai.

10.5 Exercising rights

Email privacy@terralyn.ai or use in-product controls where available. We verify requests to protect your data. We respond within 30 days (most US states) or 3 months (GDPR, extendable to 6 months for complex requests). Authorized agents may submit on your behalf with verifiable authorization.

10.6 Canada (PIPEDA and Quebec Law 25)

Canadian residents have rights of access, correction, and withdrawal of consent under PIPEDA. Quebec residents additionally have rights of data portability, the right to be informed of and object to automated decision-making, and the right to request de-indexation where applicable, under the Act respecting the protection of personal information in the private sector ("Law 25"). Exercise rights via privacy@terralyn.ai. You may also complain to the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d'accès à l'information du Québec.

11. International Transfers

For transfers from the EU, EEA, UK, and Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss Federal Data Protection and Information Commissioner's SCC recognition, and any other lawful transfer mechanism available to us from time to time. We apply supplementary technical and organizational measures, including encryption in transit and at rest, access controls, and contractual restrictions on subprocessor access, as appropriate to the transfer.

12. Children

The Service is for business use by individuals 18 and older. We do not knowingly collect personal data from children under 16 (EU) or 13 (US). If you believe a child has provided data, contact privacy@terralyn.ai and we will delete it.

13. Third-Party Links

The Service may contain links to third-party sites. Their privacy practices are their own.

14. Marketing and Direct Outreach

Email. We send marketing emails with consent or to existing business contacts under CAN-SPAM and equivalent law. Every marketing email includes an unsubscribe link. Unsubscribe requests are honored within 5 business days.

Canada (CASL). Commercial electronic messages to Canadian recipients are sent only with express or implied consent under Canada's Anti-Spam Legislation. Each message identifies Terralyn, discloses a valid postal address, and provides a working unsubscribe mechanism that we honor within 10 business days.

LinkedIn direct messages. For prospects who have engaged with our content (for example, by commenting on a LinkedIn post or visiting our site), we may send direct messages on LinkedIn related to Terralyn offerings. Each message identifies Terralyn, states its commercial purpose, and provides an opt-out ("reply stop," or email privacy@terralyn.ai). For recipients in the EU, EEA, or UK, we rely on legitimate interest with a documented LIA, limit frequency, and cease contact immediately on objection.

Transactional communications. Account, security, and billing messages are not opt-outable while your account is active.

Do-not-contact list. On request we will add you to a suppression list that prevents future outreach even if your data is re-acquired from a public source.

15. California "Shine the Light"

California residents may request information about disclosure of personal information to third parties for those third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing.

16. Changes to This Policy

We will post updates with a new "Last Updated" date. Material changes will be notified by email and in-product banner at least 30 days before they take effect, except where a shorter notice is required by law. We will not apply changes retroactively to data collected under a prior policy in a way that is materially different from the policy in effect at collection, without your consent.

17. Supervisory Authorities

EU, EEA, UK, and Swiss users may contact their local data protection authority. US state residents may contact their state attorney general. California residents may contact the California Privacy Protection Agency.

18. Contact

Climate Data Inc. (DBA Terralyn)
Privacy and Data Protection: privacy@terralyn.ai
Legal: legal@terralyn.ai
Website: https://terralyn.ai/privacy-policy

19. Summary (non-binding)

  • Your Customer Data is yours. We process it only to operate the Service for you.
  • We do not train AI models on your data and contractually prohibit our AI providers from doing so.
  • We do not sell or share personal information.
  • You can access, export, and delete your data at any time.
  • You can cancel a paid plan from account settings any time, no call required.
  • We are transparent about AI use, human oversight, automated decision-making, and your rights.