CDR.fyi

CDR.fyi Data Management Policy

Data Management Policy

Last updated: Mar 19, 2026

1. Purpose and Scope

CDRfyi Inc. ("CDR.fyi," "we") is a Delaware Public Benefit Corporation. Our mission is to accelerate durable carbon removal by creating trust through transparent, high-quality market intelligence.

This Data Management Policy explains how we classify, access, retain, and protect every dataset in our care, whether collected yesterday or years ago. Publishing this policy is part of our pledge to operate in full daylight; you shouldn't have to guess how your data is treated. It is meant to be read together with our Privacy Policy (PP) and Terms of Service (TOS).

2. Data-Classification Framework

Restricted Data

A subset of Confidential Data that requires the highest level of protection because unauthorized access, use, or disclosure could cause significant commercial, legal, strategic, or privacy harm. Access is limited to a small, specifically authorized group of personnel with a strict need to know, and additional handling controls apply.

Examples:

  • Non-public pricing files and other non-public commercially sensitive transaction data
  • Survey responses tied to an individual organization
  • Partner material marked "Confidential"

Default Access: Authorized staff who have signed confidentiality agreements and have no contractual/competitive relationship with the market participants involved
Handling & Disclosure: Access is limited to specifically authorized personnel with a strict need to know. Raw Restricted Data is not published or shared externally except as required by law or to contracted service providers acting on CDR.fyi's behalf under appropriate confidentiality and security obligations. Where insights derived from Restricted Data are disclosed, they are disclosed only in anonymized, aggregated form combining at least three independent sources.
Rationale: Prevents competitive harm; honors confidentiality pledges.

Confidential Data

Non-public information to be protected against unauthorized access, use, or disclosure because it could create business, legal, operational, or privacy risk for CDR.fyi, a data partner, or other market participants. Access is limited to authorized personnel with a legitimate business need.

Examples:

  • General survey responses
  • Business-contact details inside non-pricing files
  • Embargoed announcements

Default Access: Authorized CDR.fyi staff under NDA
Handling & Disclosure: Access is limited to authorized personnel with a legitimate business need. Raw Confidential Data is not published or shared externally. Embargoed items may be published verbatim only at or after the agreed release date.
Rationale: Protects partners' strategic timing; complies with privacy norms.

Public Data

Information that is already public or intended for public disclosure. Public Data may be shared, published, or distributed without confidentiality restrictions, subject to applicable law and any required attribution or source-verification standards.

Examples:

  • Registry entries, press releases, public transaction announcements, or other already-public information

Default Access: Open to everyone
Handling & Disclosure: May be displayed, licensed, sold, or archived verbatim. Once public, it remains part of the historical record.
Rationale: Transparency adds market trust; data is already unrestricted.

Note: Personal Data is information that identifies, relates to, describes, or can reasonably be linked to an identified or identifiable natural person. Personal Data is not a separate classification level. Instead, it is classified and handled as Restricted Data or Confidential Data, as applicable, and in all cases in accordance with CDR.fyi's Privacy Policy and applicable law.

3. Additional Operational Policies

Aggregation Rule

Raw Confidential Data is disclosed only in anonymized form that combines at least three independent sources. Pricing insights derived from non-public pricing data are published only in aggregated and anonymized form. For purposes of this Policy, "independent sources" means distinct market participants not under common control. Multiple transactions involving the same organization, or affiliated organizations under common control, count as one source.

Partner Benefits & Compensation

Contributors receive Partner Benefits (enhanced features) as the sole consideration for their data; no monetary payment is owed (see TOS § 6.3).

Access Control

Internal access to Confidential Data and Restricted Data is granted only on a role-based, need-to-know basis.

Retention & Deletion

  • Personal Data: kept only as long as necessary for stated purpose or legal obligations, then securely deleted/anonymized.
  • Restricted Data: retained only as long as necessary for the applicable business purpose, contractual commitments, or legal obligations. While retained, access remains tightly limited, and raw files are not published or shared externally.
  • Confidential Data: retained as long as reasonably necessary for business, contractual, or legal purposes. Raw files may be archived after 5 years unless an active business need or legal requirement exists.
  • Public Data: retained indefinitely for transparency and historical accuracy.

Where data falls into more than one category, CDR.fyi applies the stricter retention and handling standard.

Audit & Compliance

Internal compliance reviews occur quarterly; an independent security/privacy audit is conducted at least once every 24 months. Discrepancies remediated promptly.

Data-breach Response

CDR.fyi will: (i) secure systems, (ii) assess scope, (iii) notify affected parties/regulators without undue delay, (iv) document corrective actions.

Training & Awareness

All personnel complete onboarding privacy training and an annual refresher covering data classification, secure handling, incident reporting, and legal obligations.

4. Questions

For any questions about this Policy, please email us at data@cdr.fyi.