Privacy policy.

Effective Date: 10/11/2025

1. Introduction and Controller Details

MedTech Carbon Solutions ("We," "Us," "Our") is a specialist sustainability advisory firm based in Ireland, providing CSRD compliance, carbon accounting, and operational efficiency services to the Irish MedTech supply chain.

This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR).

  • Data Controller: MedTech Carbon Solutions.

  • Contact for Privacy Matters: info@medtechcarbonsolutions.ie

  • Business Address: Seaview Cottages, Greystones Co. Wicklow

2. Personal Data We Collect

We collect data necessary to provide our B2B services. Data is categorized into Marketing data and Operational data:

  • Data Collected via Website and Consultation (Marketing):

  • Identity & Contact Data: Name, job title, company name, business email address, and business phone number.

  • Enquiry Data: Company size, specific compliance challenges, and service of interest (collected via website forms).

  • Operational Data Collected During Service Provision (Contractual):

  • Contractual Data: Contract signatory name, financial contact details, and invoice records.

  • Facility Data (for Audit & Reporting): Utility bill consumption (electricity, gas, fuel), waste volumes, facility manager's name, equipment specifications, and employee headcount (for Scope 3 calculations).

  • Eligibility Data: Information provided via our embedded forms (Tally), including energy spend ranges, location, and tax compliance status.

3. How We Use Your Data and Our Lawful Basis

We process your data only where we have a lawful basis under GDPR, primarily Contractual Necessity and Legitimate Interest.

  • Service Provision & GHG Reporting:

    • Purpose: To execute the CSRD Audit and ongoing Profit Centre contracts, specifically calculating Scope 1, 2, and 3 emissions.

    • Lawful Basis: Contractual Necessity.

  • Grant Applications & Management:

    • Purpose: To manage and submit documentation to the LEO, SEAI, and other bodies on your company's behalf to secure grant funding.

    • Lawful Basis: Contractual Necessity.

  • Sales & Communications:

    • Purpose: To respond to direct enquiries, schedule consultations, and promote our Profit Centre services to clients who have completed the Audit.

    • Lawful Basis: Legitimate Interest.

  • Website Operation:

    • Purpose: To monitor website traffic, maintain security, and use cookies for functionality and non-essential analytics (where consent is given).

    • Lawful Basis: Legitimate Interest / Consent.

4. Data Sharing and Third Parties

We share your data with trusted partners only when necessary to deliver our services.

  • IT Service Providers: We use Microsoft 365 (Email, Calendar, Teams) and Squarespace (Website Hosting).

  • Strategic Audit Partner: To facilitate your SEAI Audit, we share necessary site data and contact details with our appointed SEAI Registered Energy Auditor (Scope Energy). This is essential for the voucher application and site visit.

  • Payment Processing: We use Stripe for secure payments. We do not store your credit card details; they are processed directly by Stripe.

  • Data Collection & Scheduling: We use Tally.so for eligibility screening and forms, and Acuity Scheduling for booking consultations.

  • Carbon Accounting Software: We use dedicated, secure, third-party SaaS platforms to process and store your company's operational data for reporting.

  • Government Bodies: We share relevant data with the LEO and SEAI when managing your grant applications.

  • Professional Advisers: Your data may be shared with our auditors, lawyers, or insurers when necessary to protect our legal interests.

5. Data Security and International Transfers

  • We employ strong security measures, including multi-factor authentication on all accounts and encryption (SSL) on our website.

  • As we use Microsoft 365, data may be processed outside the EEA. We ensure such transfers are protected by standard contractual clauses (SCCs) and comply with all GDPR requirements.

6. Data Retention

We retain your data only for as long as necessary to fulfil the purpose it was collected for, including satisfying any legal, accounting, or reporting requirements.

  • Contractual Data: Retained for the duration of the contract plus a maximum of six years thereafter to satisfy Irish tax and legal requirements.

  • Marketing Data: Retained until you unsubscribe or request deletion.

7. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at info@medtechcarbonsolutions.ie.

  • The right to Access (receive a copy of the data we hold).

  • The right to Rectification (correct inaccurate or incomplete data).

  • The right to Erasure (the ‘right to be forgotten’).

  • The right to Restrict Processing.

  • The right to Data Portability (transfer your data to another party).

  • The right to Object to processing (especially for direct marketing).

8. Lodging a Complaint

If you have a complaint about how we have handled your data, you have the right to lodge a complaint with the Data Protection Commission (DPC) in Ireland:

  • Data Protection Commission (DPC) Website: [Provide DPC website address]

  • DPC Address: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.