Privacy Policy & Cookie Policy
1. Introduction
1.1 We are committed to safeguarding the privacy of our website visitors, service users and clients.
1.2 This policy applies where we act as a data controller — in other words, where we determine the purposes and means of processing your personal data.
1.3 In this policy, “we”, “us” and “our” refer to Carrot and Karma Ltd. For more information, see Section 13.
2. The personal data that we collect
2.1 We collect and process personal data only when necessary to operate our website, deliver our services and communicate with you.
2.2 We may process data that enables us to contact you (“contact data”), such as your name, email address, telephone number and postal address. The source of this data is you.
2.3 We may process information relating to transactions (“transaction data”), including purchases of goods and/or services. This may include your name, contact details, payment details and transaction information.
2.4 We may process information contained in or relating to any communication that you send to us (“communication data”), such as messages via our contact form or by email.
2.5 We may collect minimal, anonymised technical data about your visit (“usage data”), such as browser type or device information, to maintain website security and performance and to understand overall site usage. This data does not identify individual visitors.
2.6 Our website uses Google Search Console to monitor and maintain site health and visibility in search results. Search Console provides anonymised, aggregated data such as the number of page views, search queries and technical performance insights. This information does not identify individual visitors and is used solely to improve website functionality and search performance.
3. Purposes of processing and legal bases
3.1 We process personal data for the following purposes and on the legal bases listed below:
- Operations: to operate our website, process and fulfil orders, and provide our services. (Legal basis: performance of a contract or legitimate interests).
- Relationships and communication: to respond to enquiries, maintain client relationships and handle support requests. (Legal basis: legitimate interests).
- Direct marketing: to send you relevant updates or resources, if you have given consent. (Legal basis: consent).
- Record keeping: to maintain necessary business and financial records. (Legal basis: legitimate interests and legal compliance).
- Security and risk management: to protect our website and users from fraud or misuse. (Legal basis: legitimate interests).
- Legal obligations: where processing is required to comply with the law or to protect vital interests. (Legal basis: legal obligation or vital interests).
4. Providing your personal data to others
4.1 We may disclose your personal data to our professional advisers and insurers where reasonably necessary for risk management and compliance.
4.2 Your data may be stored on secure servers operated by our hosting provider, GreenGeeks.
4.3 We may share data with trusted suppliers or subcontractors when required to deliver our services (for example, graphic designers or payment processors).
4.4 Financial transactions related to our services may be handled by Stripe and PayPal. We only share information required to process payments and refunds.
See their privacy policies: Stripe | PayPal.
4.5 We may also disclose personal data where necessary to comply with legal obligations or to protect vital interests.
5. International transfers of personal data
5.1 We may transfer data between the UK and the European Economic Area (EEA) under applicable adequacy regulations.
5.2 Our hosting facilities are located in the United States and the Netherlands. Transfers to these countries are protected by appropriate safeguards, such as standard contractual clauses, where required.
6. Retaining and deleting personal data
6.1 We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy.
6.2 When data is no longer required, it will be securely deleted unless retention is required for legal or accounting purposes.
7. Use of ScoreApp
7.1 We use a third-party platform called ScoreApp to deliver interactive assessments and resources such as our Regenerative Brand Scorecard. When you complete a scorecard, the information you provide is securely collected and stored by ScoreApp on our behalf.
7.2 What we collect:
Your name, email address and responses to the scorecard questions.
This enables us to send your personalised results and follow up with relevant resources or support.
7.3 Legal basis:
Your consent, which you give when submitting your details through the scorecard form.
7.4 Who processes your data:
ScoreApp acts as a data processor for Carrot and Karma Ltd.
You can view their privacy policy here: https://scoreapp.com/privacy-policy/.
7.5 How we use the data:
- To email you your scorecard results
- To send you follow-up resources or updates related to your results (only if you’ve opted in to hear from us)
- To analyse anonymised, aggregated data to improve our services
We do not sell or share your personal information with any other organisation for marketing purposes.
8. Your rights
8.1 Under data protection law, you have rights including:
- Access to your data
- Rectification of inaccurate data
- Erasure (“right to be forgotten”)
- Restriction of processing
- Objection to processing
- Data portability
- The right to withdraw consent
- The right to lodge a complaint with a supervisory authority
8.2 You may exercise any of these rights by contacting us using the details in Section 13.
Learn more at ico.org.uk/for-organisations/guide-to-data-protection.
9. About cookies
9.1 Cookies are small files placed on your device to help the site function properly and remember your preferences.
9.2 We use only essential cookies that are necessary for the performance, security and basic functionality of the site (for example, to enable secure form submissions).
9.3 We do not use cookies for tracking, analytics or advertising purposes. Our website analytics are provided by Simple Analytics, which operates without cookies and does not collect personal data.
10. Managing cookies
10.1 You can manage or delete cookies through your browser settings. Here are helpful links:
10.2 Blocking or deleting cookies may affect the functionality of certain website features.
11. Use of Simple Analytics
11.1 We use Simple Analytics to understand how people use our website in a privacy-respecting way.
11.2 Simple Analytics provides us with aggregated website statistics, such as page views, referrers and general traffic patterns, so we can improve the performance and content of our website.
11.3 When you visit our website, a small script is loaded from Simple Analytics, which collects limited, anonymised information about your visit. Simple Analytics does not use cookies, does not collect personal data, and does not track individual visitors across websites.
11.4 IP addresses are not stored, and no personal identifiers are created or retained. The data we receive is aggregated and cannot be used to identify you.
11.5 Simple Analytics is designed to comply with UK GDPR, EU GDPR and PECR requirements.
You can learn more about their privacy practices here: https://docs.simpleanalytics.com/privacy.
12. Amendments
12.1 We may update this policy from time to time by publishing a new version on our website.
12.2 You should check this page occasionally to ensure you are happy with any changes.
13. Our details
13.1 This website is owned and operated by Carrot and Karma Ltd.
13.2 We are registered in England and Wales under registration number 11040275.
Registered office: 85 Great Portland Street, First Floor, London, W1W 7LT
13.3 You can contact us:
(a) by post at the above address;
(b) using our website contact form; or
(c) by email via the address published on our website.
This policy was last updated on 1 March 2026.