Legal
Privacy Policy
Last updated: 26 February 2026
1. Introduction
StepZero ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our website at stepzero.eco and our services (together, the "Service").
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions about this policy or our data practices, please contact us at privacy@stepzero.eco.
2. Information we collect
2.1 Information you provide to us
- Account information: name, email address, and password when you register for an account.
- Business profile data: business name, type, sector, number of employees, annual turnover band, postcode, premises type, and operational details you provide during onboarding or profile setup.
- Action plan interactions: which sustainability actions you save, mark as in progress, or complete.
- Baseline sustainability activities: actions you indicate you are already taking when setting up your account.
- Progressive profile data: additional details you provide over time, such as whether your business has vehicles, ships products, employs staff outdoors, or holds specific certifications. This information is collected progressively to personalise your sustainability recommendations.
- Communications: any messages, feedback, or support requests you send us.
2.2 Information collected automatically
- Usage data: pages visited, features used, time spent on pages, and actions taken within the Service.
- Device and technical data: IP address, browser type and version, operating system, device type, and screen resolution.
- Rate limiting data: your IP address is used server-side to enforce limits on authentication requests (such as login, signup, and password reset). This is processed entirely in server memory for the duration of the relevant rate limit window (15 minutes to 1 hour) and is never written to a database, log file, or any persistent storage. This processing is necessary to protect your account and our Service from automated attacks.
- Security and bot-protection data: Google reCAPTCHA v3 analyses your interactions with our login and signup pages, including mouse movements and browsing patterns, to determine whether you are a genuine user. This data is sent to Google. See our Cookie Policy for full details.
- Cookies and similar technologies: see our Cookie Policy for full details.
2.3 Information from third parties
- Authentication providers: if you sign in via a third-party service, we receive your name and email address from that provider.
- Carbon calculation data: we may retrieve emission factors from government sources (such as UK DESNZ) to calculate your carbon footprint. This does not include your personal data.
3. How we use your information
We process your personal data for the following purposes and lawful bases:
| Purpose | Lawful basis |
|---|---|
| Providing and operating the Service | Performance of contract |
| Creating your account and managing authentication | Performance of contract |
| Generating personalised sustainability action plans | Performance of contract |
| Sending service notifications (e.g. plan updates) | Performance of contract |
| Improving and developing the Service | Legitimate interest |
| Responding to support requests | Legitimate interest |
| Sending marketing communications | Consent (opt-in) |
| Analytics and usage statistics | Consent (via cookie preferences) |
| Protecting accounts and the Service from automated attacks, credential-stuffing, and brute-force attempts (rate limiting) | Legitimate interest |
| Complying with legal obligations | Legal obligation |
4. AI-generated content
StepZero uses artificial intelligence (including OpenAI's services) to generate personalised sustainability suggestions for your business. When we process your business profile data through AI:
- We share business profile data with OpenAI to generate personalised suggestions, including your business type, operation type, premises control level, turnover band, employee count band, industry sub-type, postcode region, and logistical details (such as whether your business has vehicles, ships products, or has outdoor space). We never share personal contact details such as your name or email address.
- AI-generated suggestions are clearly marked with a visual indicator.
- We do not use your data to train third-party AI models. OpenAI's API terms prohibit use of API inputs for training without consent.
- You can choose not to use AI-generated suggestions without affecting your access to curated actions.
5. Who we share your data with
We do not sell your personal data. We may share it with:
- Service providers: hosting (cloud infrastructure), email delivery, and analytics providers who process data on our behalf under data processing agreements.
- AI providers: OpenAI, for generating personalised sustainability suggestions (business profile data only, no personal identifiers).
- Carbon data providers: UK Department for Energy Security and Net Zero (DESNZ), whose published emission factors are used in our carbon calculator. All calculations are performed locally, no calculator inputs are sent to external services.
- Security providers: Google reCAPTCHA v3, used on login and signup pages to protect against automated attacks. reCAPTCHA analyses interaction patterns (mouse movements, browsing behaviour) and sends this data to Google. See our Cookie Policy for details.
- Authentication providers: Google Sign-In (if you choose to log in via Google). We receive your name and email address from Google when you use this option.
- Professional advisers: lawyers, auditors, or insurers where necessary.
- Law enforcement or regulators: where required by law or to protect our legal rights.
6. International transfers
Some of our service providers (including cloud hosting and AI services) may process your data outside the UK. Where this happens, we ensure appropriate safeguards are in place, such as:
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses, as approved by the ICO
- Transfers to countries with UK adequacy regulations
- Other lawful transfer mechanisms under UK GDPR Chapter V
7. How long we keep your data
We retain your personal data only for as long as necessary:
- Account data: for as long as your account is open. When you close your account it is hidden from StepZero.eco straight away and enters a 30-day recovery window. During those 30 days you can reactivate it at any time by logging back in with any of your sign-in methods (password, Google, or a magic link). After the 30-day window, your account and personal information are permanently deleted and cannot be recovered. If you ask us to delete your account immediately, we permanently delete it at that point instead of waiting for the window to end.
- Business profile and action data: for the duration of your account.
- Usage analytics: aggregated and anonymised after 26 months. Once anonymised, aggregated data may be retained indefinitely as it no longer constitutes personal data under UK GDPR.
- Support communications: up to 24 months after resolution.
- Rate limit counters: IP addresses used for rate limiting are held in server memory only, for the duration of the applicable rate limit window (between 15 minutes and 1 hour). They are never persisted to a database or disk and are automatically discarded when the window expires.
- Legal and compliance records: as required by applicable law (typically 6 years).
8. Your rights
Under UK GDPR, you have the following rights. To exercise any of these, please email privacy@stepzero.eco:
- Right of access: request a copy of the personal data we hold about you (Subject Access Request).
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your personal data ("right to be forgotten"). You can also close your account yourself at any time from your account settings, and choose to delete it permanently straight away rather than waiting for the 30-day recovery window to end.
- Right to restrict processing: request that we limit how we use your data.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Rights related to automated decision-making: we do not make solely automated decisions with legal or similarly significant effects.
We will respond to your request within one month. In complex cases, we may extend this by a further two months, but we will let you know within the first month if this is necessary. We may ask for identification to verify your identity before processing your request.
9. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure password hashing
- Rate limiting on all authentication endpoints to protect against credential-stuffing, brute-force attacks, and account enumeration
- Access controls and authentication for staff access
- Regular security reviews
- Incident response procedures
While we take all reasonable precautions, no method of transmission over the internet is 100% secure. If you become aware of a security vulnerability, please contact us immediately at security@stepzero.eco.
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to individuals, we will also notify affected users without undue delay.
10. Children's privacy
StepZero is a business tool designed for use by adults. We do not knowingly collect personal data from children under the age of 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO. However, you are not obligated to contact us first, you may lodge a complaint with the ICO at any time, directly and without prior notice to us. If you do wish to raise concerns with us first, please contact privacy@stepzero.eco.
13. Contact us
For any questions about this Privacy Policy or your personal data:
- Email: privacy@stepzero.eco
- Post: StepZero, Data Protection, United Kingdom