Data Management Policy
Last updated: September 7, 2025
1. Purpose and Scope
CDRfyi Inc. ("CDR.fyi," "we") is a Delaware Public Benefit Corporation. Our mission is to accelerate durable carbon removal by creating trust through transparent, high-quality market intelligence.
This Data Management Policy explains how we classify, access, retain, and protect every dataset in our care, whether collected yesterday or years ago. Publishing this policy is part of our pledge to operate in full daylight; you shouldn't have to guess how your data is treated. It is meant to be read together with, and is governed by, our Privacy Policy (PP) and Terms of Service (TOS).
2. Data-Classification Framework
Personal Data (always confidential)
Examples: Names, emails, phone numbers, and user-account details
Default Access: Authorized CDR.fyi staff & processors under NDA
Handling & Disclosure: Never sold. Shared only with contracted sub-processors or regulators where required by law.
Rationale: Required by global privacy laws and our ethical standards.
Confidential Data – High
Examples:
- Non-public pricing files (default) ¹
- Survey responses tied to an individual organisation
- Partner material marked "Confidential"
Default Access: Authorized staff who have signed confidentiality agreements and have no contractual/competitive relationship with the market participants involved
Handling & Disclosure: Stored & processed internally. Published only as anonymized, aggregated statistics combining ≥ 3 contributors.
Rationale: Prevents competitive harm; honours confidentiality pledges.
Confidential Data – Medium
Examples:
- General survey responses
- Business-contact details inside non-pricing files
- Embargoed announcements
Default Access: Authorized CDR.fyi staff under NDA
Handling & Disclosure: Same as High, but embargoed items are published verbatim only at/after the agreed release date.
Rationale: Protects partners' strategic timing; complies with privacy norms.
Public Data
Examples:
- Registry entries, press releases, or other already-public information
Default Access: Open to everyone
Handling & Disclosure: May be displayed, licensed, sold, or archived verbatim. Once public, it remains part of the historical record.
Rationale: Transparency adds market trust; data is already unrestricted.
Note: All internal access is role-based and logged.
¹ If a contributor explicitly labels a pricing upload "Public," we honour that label.
3. Additional Operational Policies
Aggregation Rule
Raw Confidential Data is disclosed only in anonymized form that combines at least three independent sources. Why three sources? It's the sweet spot that protects confidentiality while still revealing useful trends, especially when there is a scarcity of data.
Partner Benefits & Compensation
Contributors receive Partner Benefits (enhanced features) as the sole consideration for their data; no monetary payment is owed (see TOS § 6.3).
Retention & Deletion
- Personal Data: kept only as long as necessary for the stated purpose or legal obligations, then securely deleted/anonymized.
- Confidential Data: raw files archived after 5 years unless an active business need or legal requirement exists.
- Public Data: retained indefinitely for transparency and historical accuracy.
Audit & Compliance
Internal compliance reviews occur quarterly; an independent security/privacy audit is conducted at least once every 24 months. Discrepancies are remediated promptly.
Data-breach Response
CDR.fyi will: (i) secure systems, (ii) assess scope, (iii) notify affected parties/regulators without undue delay, (iv) document corrective actions.
Training & Awareness
All personnel complete onboarding privacy training and an annual refresher covering data classification, secure handling, incident reporting, and legal obligations.
4. Questions
For any questions about this Policy, please email us at data@cdr.fyi.