Privacy & Data Protection Policy
Comprehensive corporate data protection policy for ESG Data Core and the Corporate Impact Stewardship (CIS) Platform.
Last Updated: January 5th, 2026
ESG DATA CORE ("Company", "we", "us", or "our"), a legal entity incorporated in Dublin, Ireland, provides the Corporate Impact Stewardship (CIS) platform, a SaaS solution for ESG data management, sustainability benchmarking, and automated reporting.
This Privacy Policy explains how we collect, use, and protect information when the Customer uses our CIS Platform ("Service"). It is designed to be read in conjunction with our Terms of Use and our Data Processing Agreement (DPA).
1. Our Role (Controller vs. Processor)
To ensure compliance with global privacy laws (including GDPR and LGPD), we distinguish between two types of data processing:
- Data Controller: We act as a Controller for the personal information provided to create accounts, manage billing, and communicate with customers (e.g., names and business emails of platform administrators).
- Data Processor: We act as a Processor for the "Customer Data" (ESG metrics, sustainability indicators, employee metrics, supplier surveys) uploaded to the Service. We process this data strictly under the Customer’s instructions.
2. Information We Collect
A. Account Information (Controller Data)
- Identity Data: Name, job title, and company details.
- Contact Data: Business email address and phone number.
- Credentials: Login information used to access the platform. Customers are responsible for maintaining the confidentiality of these credentials.
- Billing Data: Information necessary to process payments as specified in the Order Form (e.g., VAT number, billing address).
B. Service Data (Processor Data)
This includes the ESG metrics and sustainability indicators submitted to the Platform:
- Automated Processing: We process this data via automated algorithms. Manual access by our staff is strictly limited to technical support or maintenance requests authorized by the Customer.
- Sensitive Data Prohibition: Customers agree not to upload sensitive personal data (e.g., biometric, health, sexual orientation, or genetic data) to the platform.
C. Usage Data & Cookies (Collected Automatically)
- Security Logs: We collect logs regarding interactions with the Service, including IP addresses, access times, and device information for real-time security monitoring and threat detection.
- Cookies: We use strictly necessary cookies to maintain user sessions and platform security. We do not use third-party tracking cookies for advertising without explicit consent.
3. Legal Basis for Processing
Under GDPR, we process personal data based on:
- Contractual Necessity: To provide the core CIS SaaS solution and ongoing customer support.
- Legal Obligation: For tax, billing, and regulatory compliance under Irish and European corporate laws.
- Legitimate Interest: To ensure platform security, prevent fraudulent sign-ups, and improve Service performance through aggregated and anonymized analytics.
4. How We Use Your Information
- Service Delivery: To provide the SaaS solution for ESG management, carbon calculation, and automated reporting.
- Security & Resilience: To conduct vulnerability assessments, monitor logs, and maintain our robust AWS hosting environment.
- Communication: To send invoices, security updates, and critical system alerts.
Anonymized Benchmarking & AI Training
ESG DATA CORE shall have the right to aggregate and anonymize Customer Data to generate industry benchmarks and improve our automated algorithms (machine learning). This process uses differential privacy techniques to ensure that no individual, entity, or specific data point can be re-identified. Once data is irreversibly anonymized, it ceases to be personal data.
5. Infrastructure and Security
- Hosting: The Service is hosted on Amazon Web Services (AWS) within private VPC subnets behind secure load balancers, isolated from the public internet.
- Encryption: Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256.
- Isolation: Customer data is logically segregated at the database and application layers, ensuring each customer's metrics remain strictly private and isolated.
6. Data Retention and Deletion
- Subscription Term: Data is retained throughout the active Subscription Term specified in the Customer Order Form.
- Post-Termination: Upon account termination, Customer Data remains available for export (CSV format) for 60 days.
- Permanent Deletion: After this 60-day period, all Customer Data is permanently and irreversibly deleted from our production systems, subject to standard backup rotation cycles.
7. Data Sharing and Transfers
- Sub-processors: We utilize third-party infrastructure providers (primarily AWS). A current list of sub-processors is available upon request.
- International Transfers: As an Irish entity, we ensure that any data transfers outside the EEA comply with GDPR through Standard Contractual Clauses (SCCs) or other legal adequacy mechanisms.
- No Sale of Data: We do not sell, rent, or trade your data with third parties.
8. Your Rights
Under GDPR and applicable data protection legislation, you have the following rights:
- Access and Rectification: View or update your administrative details at any time via the Service settings.
- Erasure ("Right to be Forgotten"): Request the permanent deletion of your administrative account.
- Data Portability: Export your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
To exercise these rights, please contact our CTO at the email below. If you are an end-user of one of our Customers, please contact the Customer (the Data Controller) directly.
9. Jurisdiction
This Privacy Policy is governed by the laws of Ireland. Any disputes arising from privacy matters shall be resolved exclusively in the courts of Dublin, Ireland.