Small Business Climate Map
Operated by Ransome-Wallis Pty Ltd (ABN 49 630 459 068)
Last updated: 27 April 2026
1. Who We Are
Small Business Climate Map is operated by Ransome-Wallis Pty Ltd (ABN 49 630 459 068), registered in Queensland, Australia.
Registered address: 2/290 Boundary Street, Spring Hill, QLD 4000, Australia
Contact: helpfulperson@smallbusinessclimatemap.com
We are the data controller for the personal data described in this policy. We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For users in the European Union and United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and the UK GDPR.
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
Your email address (required for account creation and verification)
Your password (stored encrypted; we cannot read it)
2.2 Anonymous Usage Data
When you use the tool, we log the following non-personal data:
Industry, country, and business profile selections (not linked to your account)
Scenario and mode selections
Visitor country (derived from IP address; the IP itself is never stored)
Timestamp
This data is used to understand which industries, countries, and scenarios are most commonly analysed. It is impossible to identify an individual from this data.
2.3 Payment Data
Payments are processed by Paddle.com Market Limited, which acts as the Merchant of Record. We do not see, store, or process your credit card details, bank account numbers, or other financial information. Paddle's privacy policy applies to payment data: https://www.paddle.com/legal/privacy
2.4 What We Do NOT Collect
We do not use tracking or marketing cookies. We only use essential session cookies/tokens required for account authentication and security
We use Umami for anonymous, cookie-free analytics. Umami does not collect personal data or track users across websites. We do not use Google Analytics or any other tracking service
We do not store IP addresses
We do not track your browsing behaviour
We do not sell, share, or transfer any personal data to third parties for marketing purposes
The free-text business description you enter is sent to the AI model for analysis but is not stored by us
3. How We Use Your Data
| Data | Purpose | Legal Basis (GDPR) | APP Reference |
|------|---------|-------------------|---------------|
| Email address | Account creation, email verification, essential service communications (you may opt out of non-transactional emails at any time) | Contractual necessity (Art. 6(1)(b)) | APP 6, APP 7 |
| Encrypted password | Account security | Contractual necessity (Art. 6(1)(b)) | APP 6 |
| Anonymous usage data | Service improvement, market research | Legitimate interest (Art. 6(1)(f)) | APP 6 |
| Visitor country | Understanding geographic demand | Legitimate interest (Art. 6(1)(f)) | APP 6 |
4. Data Processors
We use the following third-party processors:
| Processor | Purpose | Location | Safeguards |
|-----------|---------|----------|------------|
| Hetzner Online GmbH | Server hosting | Germany (EU) | DPA in place, GDPR compliant, ISO 27001 certified |
| Hetzner Online GmbH (Storage Box BX11) | Encrypted offsite backup storage | Helsinki, Finland (EU) | Same DPA. Backups encrypted with AES-256 before transmission. SSH key authentication only. 90-day retention. |
| MailerSend | Transactional email delivery (account verification, password reset) | Šiauliai, Lithuania (EU) | DPA in place, GDPR compliant, SMTP STARTTLS |
| DeepSeek | AI text generation | China | Prompts sent for processing only, no personal data included in prompts |
| Groq, Inc. | Fast AI classification and parsing | United States | Business profile selections and short free-text descriptions sent for processing only. No personal data included in prompts. |
| Tavily | Web search (Climate Solutions only) | United States | Your question text sent to find external sources. No personal data included. |
| Paddle.com Market Limited | Payment processing | United Kingdom | Merchant of Record, PCI DSS compliant |
Note on AI providers
When you use the tool, your business profile selections (industry, country, size), free-text descriptions, and questions are sent to one or more AI providers to generate the results. Short free-text descriptions of a business may be sent to Groq (USA) for industry classification. Full analyses and generations are sent to DeepSeek (China). Climate Solutions may send your question to Tavily (USA) for a web search to find external sources. The Emissions Playbook sends the emissions numbers and activity descriptions you paste in to DeepSeek (China) to generate reduction suggestions; do not paste personally identifiable information into those fields. The Dependency Map sends the postcodes you enter and the named UK business name to public APIs (Companies House, postcodes.io, UK government flood maps, UK climate projections) and may send the name to Tavily (USA) for recent UK news; the synthesis is generated by DeepSeek (China). No account data (email, password) is ever sent in prompts. We have no control over these providers' internal data retention policies. Review each provider's privacy policy if you have concerns.
Important: Do not enter personal names, specific contact details, or any information that could identify an individual in the free-text business description field. This field is for describing your business type and activities only. By using this field, you confirm that you have not included any personal data.
5. Data Retention
Account data (live): Retained while your account is active. Deleted within 30 days of you closing your account.
Account data (encrypted backups): Encrypted backup copies are retained for up to 90 days after they are created and then automatically deleted. If you close your account, residual encrypted copies disappear within 90 days at the latest.
Anonymous usage data: Retained indefinitely as it contains no personal data.
Payment data: Managed by Paddle in accordance with their retention policy.
6. Your Rights
Under Australian Privacy Law
You have the right to:
Access your personal information held by us
Request correction of inaccurate information
Complain about a breach of the Australian Privacy Principles
Under GDPR (EU/UK users)
You also have the right to:
Erasure of your data ("right to be forgotten")
Restrict processing
Data portability (receive your data in a machine-readable format)
Object to processing based on legitimate interest
Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, contact: helpfulperson@smallbusinessclimatemap.com
We will respond within 30 days.
7. Data Security
All data is transmitted over HTTPS (TLS encryption)
Passwords are stored using industry-standard encryption
Server access is restricted by firewall, SSH key, and brute-force protection
The server is hosted in Germany (EU) by Hetzner Online GmbH, which holds ISO 27001 certification
Backups are encrypted (AES-256) on our application server before being transmitted to a separate offsite storage location in Helsinki, Finland. The decryption passphrase is held only on the application server and offline, never on the backup destination
Backups are tested daily for freshness and quarterly for full restorability
Data Breach Response
In the event of a data breach likely to result in serious harm (under the Australian Notifiable Data Breaches scheme) or a high risk to the rights and freedoms of individuals (under GDPR/UK GDPR), we will notify the relevant supervisory authority and affected individuals as required by law, within the applicable timeframes (72 hours under GDPR, as soon as practicable under Australian law).
8. International Transfers
Your data is primarily processed within the European Union (live database in Germany, encrypted offsite backups in Finland). When you generate an analysis, prompt data (containing no personal information) is sent to DeepSeek's API servers, which may be located outside the EU and Australia. No personal data is included in these transfers.
9. Children
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect data from children.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email. The "last updated" date at the top of this page indicates the most recent revision.
11. Complaints
If you believe your privacy rights have been violated, you have the right to lodge a complaint with:
Australia: Office of the Australian Information Commissioner (OAIC) - https://www.oaic.gov.au - Phone: 1300 363 992
United Kingdom: Information Commissioner's Office (ICO) - https://ico.org.uk
European Union: Your local data protection authority
12. Contact
For any privacy-related questions or requests:
Email: helpfulperson@smallbusinessclimatemap.com
Address: Ransome-Wallis Pty Ltd, 2/290 Boundary Street, Spring Hill, QLD 4000, Australia