1. Introduction
CLIMA AI, Inc. ("Company," "we," "us") is committed to protecting the privacy and security of the information we collect and process. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our climate-risk analytics platform ("Service"). This policy is designed to comply with the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and applicable state privacy laws.
2. Information We Collect
2.1 Account Information
When you register for the Service, we collect:
- Name (first and last)
- Business email address
- Phone number (optional)
- Job title
- Organization name and details (institution type, estimated AUM, employee count)
- Password (stored as a salted cryptographic hash; we never store plaintext passwords)
2.2 Portfolio Data
When you upload portfolio files for analysis, those files may contain:
- Loan identifiers
- Property addresses, ZIP codes, states, and county FIPS codes
- Loan amounts, interest rates, LTV ratios, DTI ratios
- FICO scores (area-level or individual)
- Flood zone designations
- Property type and occupancy status
We treat all portfolio data as confidential Nonpublic Personal Information (NPI) under GLBA and process it solely for delivering the Service.
2.3 Usage & Security Data
We automatically collect:
- IP addresses and user-agent strings (for security and audit logging)
- Authentication events (login, logout, failed attempts)
- Data access events (uploads, downloads, views)
- Timestamps and session identifiers
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Service
- Process and analyze your portfolio data to generate climate-risk scores and reports
- Authenticate your identity and manage your account
- Maintain audit logs for security and regulatory compliance
- Communicate with you about the Service (updates, security alerts, support)
- Comply with legal and regulatory obligations
We do NOT sell, rent, or share your personal information or portfolio data with third parties for marketing purposes.
4. Data Security
We implement industry-standard security measures to protect your information:
- Encryption at rest: All uploaded portfolio files are encrypted using AES-256 symmetric encryption before storage.
- Encryption in transit: All data transmitted between your browser and our servers is protected by TLS 1.2 or higher.
- Access controls: Role-based access control (RBAC) limits data access to authorized users within your organization.
- Authentication: JWT-based authentication with session management, automatic expiration, and single-session enforcement.
- File integrity: SHA-256 hashing verifies that uploaded files have not been tampered with during storage.
- Audit logging: All data access and authentication events are logged with timestamps, IP addresses, and user identifiers.
- Password security: Passwords are hashed using PBKDF2-SHA256 with per-user salts.
5. Data Retention & Deletion
- Portfolio data: Retained for the duration of your subscription plus thirty (30) days, then securely deleted.
- Account data: Retained for the duration of your account plus ninety (90) days after closure.
- Audit logs: Retained for seven (7) years, consistent with financial services regulatory requirements.
- Encrypted files: Securely deleted using cryptographic erasure (destroying the encryption key).
You may request deletion of your data at any time by contacting us. Deletion requests will be processed within thirty (30) days, subject to legal retention requirements.
6. Disclosure of Information
We may disclose your information only in the following circumstances:
- Service providers: To trusted third-party providers who assist in operating the Service (e.g., cloud hosting), subject to confidentiality agreements and data processing terms.
- Legal requirements: When required by law, regulation, legal process, or governmental request.
- Protection of rights: To protect the safety, rights, or property of CLIMA AI, our users, or the public.
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
7. GLBA Compliance
As a service provider to financial institutions, we comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Our information security program includes:
- A written Information Security Program identifying risks to NPI
- Administrative, technical, and physical safeguards
- Regular risk assessments and security testing
- Employee training on data security
- Oversight of service providers with access to NPI
- Incident response procedures
8. Your Rights Under CCPA/CPRA
If you are a California resident, you have the right to:
- Know: Request what personal information we collect, use, and disclose about you.
- Delete: Request deletion of your personal information, subject to legal exceptions.
- Correct: Request correction of inaccurate personal information.
- Opt out of sale: We do not sell personal information, so this right is automatically satisfied.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, contact us at privacy@clima.solutions. We will verify your identity and respond within forty-five (45) days.
9. Your Rights Under Other State Laws
Residents of Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out of the processing of personal data. Contact us at the address below to exercise these rights.
10. Cookies & Tracking
The Service uses only essential cookies required for authentication and session management. We do not use advertising cookies, analytics trackers, or third-party tracking pixels.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.
12. International Data
The Service is operated in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least thirty (30) days before they take effect. The "Last updated" date at the top reflects the most recent revision.
14. Contact Us
For questions about this Privacy Policy or to exercise your data rights:
© 2026 CLIMA AI, Inc. All rights reserved.