carbon ink
Legal

Privacy Policy

Last updated: May 29, 2026

Carbon Ink is a B2B field-sales platform for companies running on NetSuite. We collect only what we need to run the Service, we act as a processor for the operational data our customers load or connect (including NetSuite-synced records), we isolate every customer's data, and we never sell personal information. This page explains the details.

1. Overview

This Privacy Policy explains how Cosmic Jellyfish, LLC, doing business as Carbon Ink ("Carbon Ink," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use our website at carbonink.app, our web admin portal, and our Android rep application (together, the "Service").

Carbon Ink is a business-to-business field-sales platform for companies that run on NetSuite. We are committed to handling personal information responsibly, collecting only what we need to operate the Service, and being clear about what we do with it.

If you access the Service as an employee or authorized user of a company that subscribes to Carbon Ink (a "Customer"), this policy describes our own practices. The Customer's own privacy policies may also apply to your use of the Service.

2. Our role: controller and processor

Privacy law distinguishes between the party that decides why and how data is processed (a "controller") and the party that processes data on another's behalf (a "processor" or "service provider"). Carbon Ink acts in both roles, depending on the data:

  • As a controller for account and website data — the information we collect to create accounts, communicate with you, bill subscriptions, secure the Service, and operate our site.
  • As a processor / service provider for Customer Data — the operational records a Customer loads into or connects to the Service (including data synced from the Customer's NetSuite account). We process Customer Data only to provide the Service under our agreement with the Customer and on the Customer's instructions.

For Customer Data, the Customer is the controller. If you are an individual whose personal information appears in Customer Data and you wish to exercise your rights, please contact the relevant Customer directly; we will support them in responding.

3. Information we collect

Account and contact information

When you sign up or are invited, we collect your name, work email address, company name, and your role within the workspace. If you sign in with Google or Microsoft, we receive basic profile and email information from that provider.

Authentication data

We use a third-party authentication provider (Supabase Auth) and sign-in with Google, Microsoft, or an emailed magic link. We do not create or store account passwords.

Customer Data you provide or connect

To operate field sales, the Service stores operational records such as customers, items, prices, orders, and the user accounts that act on them. Where a Customer connects NetSuite, the Service synchronizes records from the Customer's NetSuite account — which may include customer lists, item catalogs, pricing, accounts-receivable balances, and related transaction data. This information may include personal information of the Customer's own customers and contacts.

Usage, device, and log data

We collect technical information generated when you use the Service: application and device details (such as platform, model, and app version), IP address, timestamps, diagnostic logs, and an audit trail of significant actions taken in the Service (for example, who edited a price or approved an order).

Communications

If you email us, request a demo, or book a call, we keep that correspondence and any information you choose to share.

Cookies and local storage

We use strictly necessary cookies and local storage to keep you signed in and to operate the Service. We do not use the Service to serve third-party advertising.

4. How we use information

We use the information described above to:

  • Provide, maintain, and secure the Service.
  • Authenticate users and synchronize data with connected systems such as NetSuite.
  • Process subscriptions, trials, billing, and seat counts.
  • Provide support, respond to inquiries, and send service-related communications.
  • Monitor, detect, and prevent fraud, abuse, and security incidents, and maintain audit logs.
  • Operate, troubleshoot, and improve the reliability and performance of the Service.
  • Comply with legal obligations and enforce our agreements.

We do not use Customer Data to train generalized machine-learning models for use outside the Customer's own workspace, and we do not sell personal information.

5. How we share information

We do not sell personal information and do not share it for cross-context behavioral advertising. We disclose information only as follows:

Subprocessors and service providers

We rely on a small set of vendors to run the Service. They process information under contract, only to provide services to us, and are not permitted to use it for their own purposes:

  • Supabase (hosted on Amazon Web Services) — database, authentication, and backend hosting.
  • Amazon Web Services — underlying cloud infrastructure (United States).
  • Vercel — hosting for our marketing website.
  • Resend — transactional and account email delivery.
  • Google and Microsoft — optional sign-in providers; Google also powers demo and onboarding call scheduling.

We maintain a current list of subprocessors and will provide it on request to privacy@carbonink.app.

Connected systems

When a Customer connects NetSuite, data flows between the Service and that Customer's own NetSuite account at the Customer's direction. That account is operated by the Customer and governed by the Customer's agreement with Oracle NetSuite.

Legal, safety, and business transfers

We may disclose information if required by law or legal process, to protect the rights, safety, and security of Carbon Ink, our users, or the public, or in connection with a merger, acquisition, financing, or sale of assets — in which case we will require the recipient to honor this policy.

6. NetSuite and third-party connections

A Customer's administrator authorizes the NetSuite connection using their own NetSuite integration credentials. The level of access the Service has is governed by the NetSuite role the Customer assigns. We recommend granting least-privilege, read-only access and using a NetSuite sandbox where appropriate.

Today, the Service's NetSuite integration reads data from the connected account to power the Service; it does not write records back to NetSuite. We will update this policy and our documentation if and when write-back functionality is enabled.

Third-party services are governed by their own terms and privacy policies. We are not responsible for the practices of NetSuite or other third-party systems you choose to connect.

7. Data retention

We retain personal information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. We retain Customer Data for the duration of the Customer's subscription.

After an account or subscription ends, we make Customer Data available for export for a limited period and then delete or de-identify it in the ordinary course, subject to legal retention requirements. Residual copies may persist in routine backups for a limited time before being overwritten.

8. Security

We take security seriously and design the Service with tenant isolation in mind. Measures include:

  • Tenant isolation enforced by row-level security at the database, so one Customer cannot access another's data.
  • Encryption of data in transit using industry-standard TLS.
  • Storage of integration secrets and tokens in a dedicated, access-controlled secrets vault.
  • Least-privilege access controls and an audit trail of actions.

No method of transmission or storage is completely secure. While we work hard to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, contact us at security@carbonink.app.

9. International data transfers

The Service is operated and hosted in the United States. If you access the Service from outside the United States, you understand that your information will be processed in the United States, where data protection laws may differ from those in your jurisdiction. Where required, we use appropriate safeguards for international transfers.

10. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise these rights with respect to account data we control, contact privacy@carbonink.app. We will respond consistent with applicable law and may need to verify your identity.

For personal information contained in Customer Data, the Customer is the controller. Please direct your request to the relevant Customer; we will assist them as their processor.

California residents: we do not sell or share personal information as those terms are defined under the California Consumer Privacy Act, and we do not discriminate against you for exercising your rights.

11. Children's privacy

The Service is a workplace tool intended for businesses and is not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after an update means you accept the revised policy.

13. Contact us

Questions about this policy or our privacy practices? Email privacy@carbonink.app or write to Cosmic Jellyfish, LLC, Attn: Privacy (Carbon Ink).