Privacy Policy

1. Who we are

SustainMetrics AI ("we", "us", "our") is the data controller for personal data processed via this service. We are registered in England and Wales. For privacy enquiries, contact privacy@sustainmetrics.ai.

2. What data we collect

• Account data: name, work email, company, password hash.
• Workspace data: the financial, energy and supplier records you import or enter for ESG reporting.
• Technical data: IP address, device, browser, log timestamps, and audit events.
• Cookies: only strictly necessary cookies by default. Analytics and preference cookies require consent (see our Cookie Policy).

3. Lawful bases (UK GDPR Art. 6)

• Contract — to provide the SustainMetrics AI service you signed up for.
• Legal obligation — to retain audit records relevant to ESG reporting.
• Legitimate interests — service security, fraud prevention, product improvement.
• Consent — marketing communications and non-essential cookies.

4. Sharing & sub-processors

We use vetted sub-processors (cloud hosting, database, AI inference). A current list is available on request. We do not sell personal data.

5. International transfers

Where data leaves the UK/EEA we rely on UK IDTA / Standard Contractual Clauses with appropriate supplementary measures.

6. Retention

Account data is kept while your workspace is active and for 30 days after deletion. Audit logs are retained for up to 7 years to support compliance reporting.

7. Your rights

Under UK GDPR you may request access, rectification, erasure, restriction, portability, and objection. You may also withdraw consent at any time and complain to the ICO.

To exercise your rights email privacy@sustainmetrics.ai. We respond within one month.

8. Security

We use TLS in transit, encryption at rest, role-based access control, and audit logging. Report suspected vulnerabilities to security@sustainmetrics.ai.