Svetlo Carbon

Privacy Policy

Last updated: 17 April 2026

1. Introduction and scope

This Privacy Policy (“Policy”) explains how Svetlo Carbon Pte. Ltd. (UEN 202523448H), a private company limited by shares incorporated in Singapore (“Svetlo Carbon”, “we”, “us”, or “our”), collects, uses, discloses, retains, and protects personal data. It applies to individuals who:

  • visit or interact with our website at www.svetlocarbon.com;
  • subscribe to our paid business-to-business (B2B) research newsletter under the Svetlo Carbon Subscription Agreement;
  • are nominated as Authorised Users of a subscribing entity and access the EUA Analytics portal; and
  • contact us by email, webform, or other means of correspondence.

The EUA Analytics portal (the “Portal”) provides market data visualisation, options gamma exposure analysis, Commitment of Traders (COT) reports, trading position tracking, market indicators, and daily email market summaries. Use of the Portal is governed by our Terms of Service and, for subscribing entities, the Svetlo Carbon Subscription Agreement.

This Policy is written to meet the requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation as retained and amended under the Data Protection Act 2018 (“UK GDPR”), and the Singapore Personal Data Protection Act 2012 (“PDPA”). Where these laws grant different rights or impose different obligations, the provisions applicable to your jurisdiction apply.

Please read this Policy carefully. If you do not agree with it, please do not use our website or services.

2. Who we are and how to contact us

Svetlo Carbon Pte. Ltd. is the controller of personal data processed in connection with our services (for PDPA purposes, we are the organisation collecting and using the personal data).

2.1 Registered office

Svetlo Carbon Pte. Ltd.
100c Pasir Panjang, #04-03 See Hoy Chan Building
Singapore 118519
UEN: 202523448H

2.2 Data Protection Officer

In accordance with section 11(3) of the PDPA, we have designated a Data Protection Officer (“DPO”) responsible for ensuring our compliance with data protection law. The DPO is also our point of contact for data-subject enquiries and complaints under GDPR and UK GDPR.

DPO email: jamie@svetlocarbon.com

2.3 EU and UK representatives

Because Svetlo Carbon is established in Singapore but offers paid services to subscribers in the European Economic Area (EEA) and the United Kingdom, Article 27 of the GDPR and the UK GDPR may require us to appoint written-mandate representatives in each of those jurisdictions. We will publish the names and contact details of our appointed representatives in this section once they are instructed.

3. Information we collect

We collect personal data directly from you, automatically from your use of our services, and from the entity that nominates you as an Authorised User (if applicable). The categories below describe the data we collect and why. If we start collecting additional categories, we will update this section and, where required, obtain your consent.

3.1 Account and login credentials

When you register for the Portal, we create an account authenticated by username and password. We collect and store:

  • your username (typically your work email address);
  • a salted, one-way cryptographic hash of your password (we never store passwords in clear text);
  • your display name and, where you provide one, an optional profile photo or avatar URL;
  • your assigned subscription tier and role (for example, administrator or standard Authorised User);
  • authentication session metadata (session identifier, login and logout timestamps, session-expiry timestamp).

We may, in future, offer single sign-on via Google OAuth or other identity providers. If we do, we will update this section and describe the additional data such providers share with us (typically an opaque user identifier, your email address, and your name).

3.2 Newsletter subscriber data

When an entity subscribes to our paid research newsletter, or when an individual signs up to a free mailing list, we collect:

  • the subscriber's email address;
  • the subscriber's name, job title, and employing organisation (where provided);
  • subscription tier, start and renewal dates, and communication preferences;
  • email delivery and engagement metrics, including delivery, bounce, open, and click events logged by our email delivery platform. Open and click tracking may rely on tracking pixels or wrapped URLs; you can request suppression of engagement tracking by contacting the DPO.

3.3 B2B subscriber and authorised user data

Before a subscribing entity is granted access, we ask it (and, where applicable, each Authorised User) to complete a self-certification questionnaire. The questionnaire is a regulatory-compliance and eligibility check: it ensures that the newsletter and Portal are supplied only to recipients who qualify as professional or institutional users in their jurisdiction, and that we meet our anti-money-laundering and sanctions-screening obligations. The questionnaire collects:

  • Entity details — full legal name, jurisdiction of incorporation, registered address, company registration number, and primary contact;
  • Professional-status warranties — confirmation that the subscriber meets at least one qualifying criterion (for example: net assets of at least GBP 5 million or local equivalent; authorised person under a financial-services regime; government or public authority; institutional investor, pension fund, or investment fund; or employment of staff with professional experience in financial or carbon markets);
  • Sanctions declarations — confirmation that neither the subscriber, any beneficial owner holding 25% or more, nor any Authorised User is subject to sanctions imposed by the United Kingdom (OFSI), the European Union, the United States (OFAC), the United Nations, or the Monetary Authority of Singapore;
  • Authorised User list — the names and work email addresses of each individual nominated to access the service, together with the subscribing entity's confirmation that it has authority to share those details with us and has given the required privacy notices to those individuals;
  • Acknowledgements — the subscriber's confirmation that it has read and understood the disclaimers in Clause 3 of the Subscription Agreement (including that the newsletter is not personal advice, not a regulated recommendation, and is to be used for internal business purposes only).

We also retain copies of the questionnaire responses as part of our onboarding and compliance records. Subscribing entities are responsible for notifying their Authorised Users that their details will be provided to Svetlo Carbon for these purposes.

3.4 Billing and payment data

When a subscribing entity pays for the service, we collect:

  • billing contact name, email, postal address, and (where applicable) VAT or GST registration number;
  • invoice records, payment status, and the last four digits and card scheme of the payment instrument used (full card details are held only by our payment processor — we do not store full PAN or CVV);
  • any payment-dispute or chargeback correspondence.

Card payments are processed by our PCI-DSS-certified payment provider.

3.5 Trading and analysis data in the Portal

When you use the Portal's trading, tracking, and analysis tools, we store the information you enter or upload:

  • trade entries, positions, and notes you record;
  • risk parameters, custom indicators, and personalised settings;
  • files you upload (for example, COT reports or options data);
  • saved queries, watchlists, and dashboard configurations.

This content is associated with your account and is visible only to you and to the administrators of your subscribing entity (if any), subject to access controls within the Portal.

3.6 Usage data

We automatically collect technical information about how you interact with our website and Portal, including:

  • your Internet Protocol (IP) address (used for security, abuse prevention, and to determine which regional cookie banner to display — see section 11);
  • approximate geographic location derived from your IP address (country-level only);
  • browser type and version, operating system, and device characteristics;
  • pages and features accessed, timestamps, referrer URL, and (for authenticated users) your session identifier;
  • diagnostic information such as error traces and performance metrics.

3.7 Cookies and similar technologies

We use a small number of strictly necessary cookies to authenticate you, remember your region for the purpose of displaying the correct consent banner, and record your cookie choices. We do not currently operate any analytics or marketing cookies. A full list and description is set out in section 11.

3.8 Support correspondence

If you contact us by email, submit a support ticket, or otherwise correspond with us, we retain the content of those communications (including attachments), your contact details, and any metadata needed to respond to you and to keep a record of the request.

4. How we use your information and our GDPR lawful bases

Under Article 6 of the GDPR and UK GDPR, every processing activity must have a lawful basis. We rely on the following bases for the processing described in this Policy:

  • Contract (Art. 6(1)(b)) — delivering the newsletter, authenticating portal access, processing subscription payments, and providing support. This basis covers the steps necessary to enter into the Subscription Agreement at your request and to perform it.
  • Legitimate interests (Art. 6(1)(f)) — system security, fraud prevention, sanctions and AML screening of counterparties, business records, and service-related communications to existing customers. We have assessed that these interests are not overridden by your rights and freedoms; a Legitimate Interests Assessment (LIA) is available on request from the DPO.
  • Legal obligation (Art. 6(1)(c)) — tax and accounting record-keeping, sanctions compliance, and responding to lawful regulator or court requests.
  • Consent (Art. 6(1)(a)) — optional analytics and marketing cookies (once introduced), and direct marketing emails sent to individuals where consent is the required basis.

The table below maps specific purposes to the lawful basis (or bases) on which we rely:

Purpose | Lawful basis
Creating and maintaining your Portal account; authenticating logins | Contract; Legitimate interests (security)
Delivering the newsletter and Portal features to subscribers | Contract
Processing self-certification questionnaires and onboarding | Contract; Legitimate interests (eligibility verification); Legal obligation (AML/sanctions where applicable)
Sanctions and AML screening of subscribers and beneficial owners | Legitimate interests; Legal obligation (where a regulated obligation applies)
Invoicing, tax reporting, and accounting records | Contract; Legal obligation
Service-related communications (service updates, outages, security notices) | Contract; Legitimate interests
Marketing emails to non-customers | Consent (where required)
Server logs, abuse detection, rate-limiting | Legitimate interests (security)
Optional analytics and marketing cookies | Consent
Defending or bringing legal claims | Legitimate interests

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on legitimate interests, you have the right to object — see section 9.

5. Singapore PDPA

Svetlo Carbon is incorporated in Singapore and is therefore subject to the Personal Data Protection Act 2012 (“PDPA”). We collect, use, and disclose personal data in accordance with the PDPA, including the following key obligations:

  • Consent and notification (ss.13–14, 20) — we collect personal data only with your consent (or where an exception applies), and only for purposes that a reasonable person would consider appropriate in the circumstances. We notify you of those purposes at or before collection through this Policy and through just-in-time notices at collection points.
  • Deemed consent and legitimate interests (ss.15 and 18) — where you voluntarily provide personal data (for example by signing up for an account or corresponding with us), you may be deemed to have consented to its use for the purposes reasonably necessary to provide the requested service. We also rely on the legitimate-interests exception where appropriate, subject to an assessment that the benefit to the public or our business is not outweighed by any adverse effect on you.
  • Access and correction (ss.21 and 22) — you may request access to personal data about you that we hold or have used in the preceding year, and you may request correction of errors or omissions. We will respond within 30 days or let you know when we can.
  • Withdrawal of consent (s.16) — you may withdraw any consent given for the collection, use, or disclosure of personal data at any time by contacting the DPO. Withdrawal may affect our ability to provide the service.
  • Protection and retention (ss.24 and 25) — we protect personal data with reasonable security arrangements and cease to retain personal data (or anonymise it) as soon as the retention is no longer necessary for the purpose for which it was collected or for a legal or business purpose.
  • Transfer limitation (s.26) — we transfer personal data out of Singapore only where the recipient is bound by legally enforceable obligations providing a comparable standard of protection. See section 7.
  • Data breach notification (ss.26A–26D) — we will notify the Personal Data Protection Commission and (where required) affected individuals of a notifiable data breach. See section 12.
  • Do Not Call (s.37 and following) — if we send marketing calls, SMS, or faxes to Singapore telephone numbers, we will first check the relevant Do Not Call registers and obtain the required consent. We do not currently conduct such campaigns.
  • Data Protection Officer (s.11(3)) — our designated DPO is contactable at jamie@svetlocarbon.com.

6. Sharing and processors

We do not sell personal data. We share personal data only with carefully selected service providers, professional advisers, group companies (if any), and third parties where required by law. Every processor acts under a written contract meeting the requirements of Article 28 of the GDPR / UK GDPR and the equivalent PDPA transfer safeguards.

6.1 Service providers

We use the following categories of processor:

  • Hosting and delivery — Vercel Inc. (serverless hosting and content delivery) and underlying cloud infrastructure providers;
  • Email delivery — a third-party transactional and newsletter email platform, used to send the newsletter and account-related emails and to record delivery/engagement metrics;
  • Payment processing — a PCI-DSS-certified payment processor that collects and handles full card details on our behalf;
  • Sanctions and KYC screening — screening tools used to check subscribers and their beneficial owners against sanctions and PEP lists;
  • Professional advisers — legal, accounting, audit, and tax advisers who are subject to professional duties of confidentiality.

6.2 Legal and regulatory disclosures

We may disclose personal data where required by applicable law or regulation, in response to a valid legal request from a court, regulator, or law-enforcement authority, to enforce our legal rights, or to protect the vital interests of an individual. Where permitted, we will challenge requests that we consider overbroad or unlawful.

6.3 Business transfers

If Svetlo Carbon is involved in a merger, acquisition, financing, reorganisation, insolvency, or sale of assets, personal data may be transferred as part of that transaction. The recipient will be bound by this Policy or by a notice at least as protective.

6.4 With your consent

We may share personal data for other purposes where you have given us your consent to do so.

7. International data transfers

Because Svetlo Carbon is established in Singapore and engages service providers outside the EEA and the United Kingdom, your personal data will typically be transferred across borders. We apply the following safeguards:

Where we transfer personal data of EU/EEA or UK subjects to Singapore or to processors outside the UK/EEA, we rely on: (a) the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and (b) for UK data subjects, the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs. We conduct transfer risk assessments and apply supplementary measures (encryption in transit and at rest, access controls, contractual audit rights) per Schrems II. For transfers out of Singapore, we comply with PDPA section 26 by ensuring recipients are bound by legally enforceable obligations providing a comparable standard of protection. Copies of transfer mechanisms are available from our DPO.

In narrowly defined circumstances and where no other safeguard applies, we may rely on the derogations in Article 49 of the GDPR / UK GDPR (for example, explicit consent, necessity for the performance of a contract with you, or the establishment, exercise, or defence of legal claims). We do not rely on Article 49 for routine processing.

As at the date of this Policy, the European Commission has not adopted an adequacy decision for Singapore; we will update this section if that status changes.

8. Data retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, regulatory, or reporting requirements, to resolve disputes, or to enforce our agreements. The table below summarises the retention periods we currently apply. Where a retention period is driven by a limitation statute, we apply the longer of the statutory period and any internal business need.

Data category | Period | Basis
Subscriber account & login credentials | Duration of subscription + 12 months | Contract + limitation buffer
Billing & invoice records | 6 years after end of financial year | Companies Act / SG IRAS s.67 (5y minimum)
Sanctions / AML screening records | 5 years after relationship ends | SG CDSA / UK MLR 2017 reg. 40
Self-certification questionnaire responses | Duration of subscription + 6 years | Limitation Act 1980 s.5 (contract claims)
Trading/analysis data (portal) | Duration of account + 30 days (then purge) | Legitimate interests — user reference
Marketing consent logs | 3 years after withdrawal | GDPR Art. 5(2) accountability
Website server logs | 30 days | Security — legitimate interests
Cookie consent record | 12 months (then re-prompt) | Proof of consent
Support correspondence | 3 years after ticket close | Legitimate interests

At the end of the retention period we securely delete, anonymise, or (for backup media) retire the data in line with our data-disposal procedures. Aggregated or anonymised information that can no longer be attributed to you may be retained indefinitely.

9. Your rights under the GDPR and UK GDPR

If you are in the EEA or the United Kingdom, you have the following rights in relation to your personal data:

  • Right of access — to be told whether we process personal data about you and, if so, to receive a copy and the information required by Art. 15 GDPR.
  • Right to rectification — to have inaccurate personal data corrected and incomplete data completed.
  • Right to erasure (“right to be forgotten”) — to have personal data deleted where the conditions in Art. 17 are met (for example, the data is no longer necessary for the purpose, or you have withdrawn consent).
  • Right to restriction of processing — to have processing restricted in the circumstances set out in Art. 18.
  • Right to data portability — to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.
  • Right to object — to object to processing based on legitimate interests, including any profiling; and to object at any time to direct marketing.
  • Rights relating to automated decision-making — not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently carry out such decision-making.
  • Right to withdraw consent — where we rely on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact the DPO at jamie@svetlocarbon.com. We will respond within one month of receipt (extendable by two further months for complex or numerous requests, with notice to you). We do not charge a fee for routine requests, but we may charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive.

You also have the right to lodge a complaint with a supervisory authority. If you are in the United Kingdom, the lead authority is the Information Commissioner's Office (ico.org.uk). If you are in the EEA, you may complain to the supervisory authority in your member state of residence, place of work, or place of the alleged infringement. We would, however, appreciate the opportunity to address your concerns first — please contact our DPO.

10. Your rights under the Singapore PDPA

If you are in Singapore (or your personal data is processed under the PDPA), you have the following rights:

  • Right of access (s.21) — to request access to personal data about you that we hold or have used within the past year, and to be informed of the ways in which it has been used or disclosed.
  • Right of correction (s.22) — to request correction of an error or omission in your personal data.
  • Right to withdraw consent (s.16) — to withdraw any consent given for the collection, use, or disclosure of personal data, on reasonable notice.
  • Right to data portability — when the data-portability provisions of the PDPA come into force, to request that certain personal data be transmitted to another prescribed organisation.
  • Right to lodge a complaint — to complain to the Personal Data Protection Commission (pdpc.gov.sg) if you believe we have breached the PDPA.

We aim to respond to access and correction requests within 30 days. If we cannot respond within 30 days, we will inform you of the likely timeframe. We may charge a reasonable fee for an access request in accordance with the PDPA and publicise any such fee on request.

11. Cookies and similar technologies

A cookie is a small text file stored on your device when you visit a website. We use cookies only for strictly necessary purposes described below. We do not currently set any analytics, advertising, or marketing cookies; if we do so in the future, we will update this Policy and, where required, obtain your consent first.

11.1 Cookies in use

Cookie | Purpose | Category | Duration
svetlo_auth | Session authentication | Strictly necessary | 7 days
svetlo_region_tier | Determines whether consent banner is shown | Strictly necessary | 24 hours
svetlo_consent | Records your consent choices | Strictly necessary | 12 months

Strictly necessary cookies do not require your consent under the GDPR, UK GDPR, or PDPA because they are essential to provide the service you requested (for example, authenticating your login, or remembering whether you have already made a cookie choice).

11.2 Region-tiered consent banner

We present a region-aware consent banner that tailors its behaviour to your jurisdiction:

  • EEA, UK, Switzerland, Norway, Iceland, and Liechtenstein (GDPR tier) — an opt-in banner appears. Non-essential cookies are off by default and are only set if you actively accept them.
  • Singapore (PDPA tier) — a banner appears with a clear option to reject non-essential cookies. Non-essential categories may be enabled by default on the basis of deemed consent under the PDPA, where permissible.
  • Other regions — no banner is shown and only strictly necessary cookies are set.

You can review or change your cookie choices at any time by clicking Cookie preferences in the site footer. Changes take effect immediately and are recorded in the svetlo_consent cookie.

Most browsers also let you block or delete cookies directly. If you disable strictly necessary cookies, parts of the service (including login) will not work.

11.3 Do Not Track and Global Privacy Control

We do not currently respond to browser “Do Not Track” signals because there is no industry consensus on how to interpret them. Where applicable law recognises Global Privacy Control (GPC) as a valid opt-out signal, we will honour it.

12. Security and incident notification

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include:

  • Encryption of personal data in transit using TLS 1.2 or later, and encryption of sensitive data at rest;
  • Salted, one-way hashing of passwords; no storage of plaintext passwords;
  • Role-based access control, least-privilege principles, and multi-factor authentication for administrative access;
  • Network segmentation, logging, and monitoring of access to production systems;
  • Regular review of third-party subprocessors, including contractual security and audit rights;
  • Employee training, confidentiality obligations, and need-to-know restrictions.

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure; we cannot guarantee absolute security.

12.1 Breach notification

In the event of a personal data breach, we will assess the breach promptly and notify:

  • the competent GDPR / UK GDPR supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33;
  • affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34; and
  • the Personal Data Protection Commission of Singapore and affected individuals in accordance with the mandatory breach-notification provisions in sections 26A to 26D of the PDPA, where the notification thresholds are met.

We maintain an internal incident register for every personal data breach in accordance with Art. 33(5) GDPR and the PDPA, including breaches that do not meet the notification thresholds.

13. Children

Our services are intended only for business-to-business use by professional users aged 18 or over. We do not knowingly market to, or collect personal data from, children. If you believe a child has provided personal data to us, please contact the DPO and we will take prompt steps to delete the relevant records.

14. Changes to this Policy

We may update this Policy from time to time to reflect changes to our services, applicable law, or our internal practices. When we make material changes we will update the “Last updated” date at the top of the Policy and, where appropriate, give you additional notice (for example, by email to registered subscribers or an in-site banner). If a change requires a fresh consent under applicable law, we will seek it before applying the change. We encourage you to review this Policy periodically.

15. Contact and complaints

If you have questions about this Policy, want to exercise a data-protection right, or want to complain about our handling of your personal data, please contact our Data Protection Officer:

Data Protection Officer
Svetlo Carbon Pte. Ltd.
100c Pasir Panjang, #04-03 See Hoy Chan Building
Singapore 118519

Email: jamie@svetlocarbon.com

We will acknowledge your enquiry promptly and aim to provide a substantive response within the timeframes required by applicable law (one month under the GDPR / UK GDPR; 30 days under the PDPA).

15.1 Supervisory authorities

You also have the right to complain to a supervisory authority if you believe we have breached data protection law:

  • United Kingdom — Information Commissioner's Office (ICO), ico.org.uk, helpline +44 (0)303 123 1113.
  • European Economic Area — the supervisory authority in your member state of residence, place of work, or place of the alleged infringement. A list is maintained by the European Data Protection Board at edpb.europa.eu.
  • Singapore — Personal Data Protection Commission (PDPC), pdpc.gov.sg.

We would, however, appreciate the chance to address your concerns before you contact a regulator.