Legal

Privacy Policy

Last updated 13 July 2026Applies to esgmatrics.com and the ESG Matrics application

This policy explains what data ESG Matrics collects, why we process it, and the choices and rights you have. It covers our marketing site, our web application, and the passwordless supplier portal — and it is written to be read, not buried.

1.Who we are

ESG Matrics (“ESG Matrics”, “we”, “us”) provides carbon-compliance software that helps manufacturers collect emissions data once and produce audit-ready reports for EU CSRD, Singapore IFRS S2, the UAE Federal Climate Law and California SB 253/261.

Our roles differ depending on the data. For the company and emissions records our customers upload, we act as a data processor— handling that data on the customer's documented instructions under a data-processing agreement (DPA). For our marketing site, account administration and billing, we act as a data controller. This policy covers both roles. You can reach us any time at privacy@esgmatrics.com.

2.Data we collect

We keep collection to what the service actually needs, grouped into four categories.

Account & contact data

Your name, work email, company, job role, password hash or single sign-on identifier, and the preferences you set. We collect this when you create an account, book a demo, subscribe to updates, or contact us.

Emissions & company data you upload

The activity data, facility records, utility bills, invoices, spend figures and supporting evidence you enter or import so we can calculate your footprint and build your reports. This is your data. We process it only to run the service — we never sell it, and we never use it to train models.

Supplier-provided data

When you invite a supplier through the portal, they submit activity data — for example energy use or materials consumed — through a one-time passwordless link. We collect the responder's name and email solely to route, attribute and follow up on their response; suppliers do not create accounts.

Usage & technical data

IP address, device and browser type, pages viewed, and product events, gathered through first-party logging and limited analytics. We use this to keep the service secure, diagnose problems, and understand how the product is used.

3.How we use your data

  • Provide, operate and secure the platform — calculate emissions, generate jurisdiction reports, and maintain the evidence trail behind every number.
  • Authenticate users and administer accounts, including issuing and validating passwordless supplier links.
  • Provide support, and send service, billing and security notices you can't opt out of while you hold an account.
  • Improve the product and its calculation engine using operational and aggregated data — not by training models on your emissions data.
  • Send marketing about ESG Matrics where you have opted in or where permitted by law; every marketing message includes a way to unsubscribe.
  • Meet our legal, tax and accounting obligations, and detect, prevent and investigate fraud, abuse or security incidents.

5.Sharing & sub-processors

We do not sell your personal data, and we do not share it for cross-context behavioural advertising. We disclose data only in these limited cases:

  • Sub-processors — vetted vendors that host and support the service (cloud infrastructure, email delivery, error monitoring and analytics), each bound by contract to protect your data and use it only to provide their service to us.
  • Professional advisers & authorities — where required by law, regulation or legal process, or to establish and defend our rights.
  • Corporate transactions — in connection with a merger, acquisition or asset sale, subject to the protections of this policy.

Transparency note. We maintain a current sub-processor list that names each vendor, what it does and where it processes data, and we give customers advance notice of material changes so they can raise objections. Email privacy@esgmatrics.com to receive the list or subscribe to change notices.

6.International transfers

We offer data residency by region: you can pin your data to an EU, Gulf or US region and it stays there. Where personal data does move across borders — for example to a sub-processor — we rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent transfer mechanisms, with additional technical and organisational measures where they are needed. Pinning residency to the jurisdiction you report into keeps your data close to where it is regulated.

7.Data retention

We keep personal data only as long as it is needed for the purposes described here. Account and contact data is retained for the life of your subscription and a short period afterward, then deleted or anonymised.

Emissions data and its supporting evidence are retained for at least five years, matching the strictest of the regimes we support — the UAE Federal Climate Law — so you can reproduce any past report exactly, line by line. Our calculation history is append-only and versioned: numbers are never overwritten. On account closure we delete or return your data within a defined window, subject to any retention you are legally required to keep.

8.Security

The discipline we apply to every emissions number — evidence, immutability, least privilege — is how we run the platform itself. We protect data with TLS 1.2+ in transit and AES-256 at rest, per-tenant PostgreSQL row-level isolation, least-privilege role-based access, immutable evidence in WORM storage, and continuous monitoring and logging. See our Security page for the full set of controls, our residency options and how to report a vulnerability. No method of transmission or storage is ever perfectly secure, but we work continuously to protect your data and to notify you promptly if an incident affects it.

9.Your rights

Under the GDPR & UK GDPR

You have the right to access, rectify, erase, restrict, port and object to the processing of your personal data, and to withdraw consent where we rely on it — as well as the right to lodge a complaint with your local supervisory authority.

Under the CCPA & CPRA (California)

You have the right to know, access, correct and delete the personal information we hold about you, and to opt out of its sale or sharing. We do not sell personal information, and we do not share it for cross-context behavioural advertising, so there is nothing to opt out of. We will never discriminate against you for exercising your rights.

To exercise any right, email privacy@esgmatrics.com. If the data was uploaded by one of our customers (where we act as a processor), we will refer your request to that customer and support them in responding.

10.Cookies

Our site uses first-party cookies that are strictly necessary to sign you in and keep the service secure, plus a limited set of privacy-respecting analytics to understand how the site is used. We do not use third-party advertising cookies or sell cookie data. You can control non-essential cookies through your browser settings or through the cookie controls we surface where required by law.

11.Children

ESG Matrics is a business product and is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12.Changes to this policy

We may update this policy as our product, the law, or our sub-processors change. When we do, we will post the new version here with a revised “Last updated” date, and for material changes we will give reasonable notice — for example by email or an in-product notice — before they take effect.

13.Contact us

For any question, request or complaint about privacy or this policy, email privacy@esgmatrics.com or reach us through our contact page. We aim to respond to rights requests within 30 days.

Prefer to see how we secure the data behind these commitments? Read the Security & trust page.