Privacy Policy
Your privacy is important to us. This policy explains how ESGLite collects, uses, and protects your data.
1. Data Controller
The data controller responsible for your personal data is:
ESGLite
IMPACTIO TECHNOLOGY OÜ
Registry code: 14817064
Mõisa tn 4, Tallinn, Harjumaa 13522, Estonia
Email: support@esglite.ee
2. Data We Collect
We collect the following types of data:
2.1 Account Information
- Email address
- Name (if provided)
- Organization name
- Role within organization
2.2 ESG Reporting Data
- Environmental data (emissions, energy consumption, waste)
- Social data (employee counts, health & safety metrics)
- Governance data (policies, compliance information)
- Uploaded documents and evidence files
2.3 Technical Data
- IP address (for security purposes)
- Browser type and version
- Session tokens (for authentication)
- Activity logs (for audit trail)
3. Purpose of Processing
We process your data for the following purposes:
- Service delivery: To provide ESG reporting and sustainability management services
- Authentication: To verify your identity and manage access to your account
- Compliance: To help you comply with CSRD, ESRS, and other sustainability reporting requirements
- AI assistance: To provide AI-powered suggestions and insights (with your explicit consent)
- Support: To respond to your inquiries and provide customer support
- Improvement: To improve our services and develop new features
4. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
- Contract performance: Processing necessary to provide our services (Art. 6(1)(b) GDPR)
- Legal obligation: Processing required by law, including audit trail requirements (Art. 6(1)(c) GDPR)
- Legitimate interest: Processing for security, fraud prevention, and service improvement (Art. 6(1)(f) GDPR)
- Consent: For AI-powered features and optional analytics (Art. 6(1)(a) GDPR)
5. Data Sharing
We may share your data with the following categories of recipients:
- Cloud infrastructure: Supabase (database hosting, EU region); see the Supabase Privacy Policy
- Hosting provider: Vercel (application hosting); see the Vercel Privacy Policy
- AI provider: OpenAI (for AI-assisted features, with a DPA in place); see the OpenAI Privacy Policy
We do not sell your personal data to third parties. Data shared with service providers is governed by Data Processing Agreements (DPAs) that ensure GDPR compliance.
6. Data Retention
We retain your data for the following periods:
- Account data: Until you delete your account, plus 30 days for backup recovery
- ESG reporting data: For the duration of your subscription, plus legal retention requirements (typically 7-10 years for financial/compliance data)
- Audit logs: 7 years (as required by CSRD/ESRS for audit trail)
- AI interaction logs: 3 years (for compliance and quality assurance)
7. Your Rights Under GDPR
As a data subject in the European Union, you have the following rights:
- Right of Access (Art. 15): Request a copy of your personal data
- Right to Rectification (Art. 16): Request correction of inaccurate data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to Restriction (Art. 18): Request limitation of processing
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time for consent-based processing
To exercise any of these rights, please contact us at support@esglite.ee. You can also delete your account directly from the Settings page in the application.
If you believe your rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Estonia, this is the Data Protection Inspectorate (Andmekaitse Inspektsioon).
8. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access control: Role-based access control (RBAC) and Row Level Security (RLS)
- Authentication: Secure authentication with session management
- Audit logging: Comprehensive logging of all data access and modifications
- Infrastructure: Hosted on infrastructure covered by SOC 2 Type II audit reports
- Security headers: HSTS, CSP, X-Frame-Options, and other security headers
9. AI and Automated Processing
Our service includes AI-powered features to assist with ESG reporting. Important information about AI usage:
- Human oversight: AI provides suggestions only; all decisions require human confirmation
- No automated decision-making: We do not make automated decisions that produce legal or similarly significant effects based on AI (Art. 22 GDPR)
- Transparency: AI-generated content is clearly labeled
- Audit trail: All AI interactions are logged for compliance purposes
- Data processing: Data sent to AI providers is covered by Data Processing Agreements
You can use the service without AI features if preferred. AI assistance is optional and can be disabled in settings.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page with an updated "Last updated" date
- Sending an email notification for significant changes
- Displaying a notice in the application
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
ESGLite
IMPACTIO TECHNOLOGY OÜ (reg. 14817064)
Mõisa tn 4, Tallinn, Harjumaa 13522, Estonia
Email: support@esglite.ee
Website: https://app.esglite.ee
We aim to respond to all privacy-related inquiries within 30 days.
© 2026 ESGLite. All rights reserved.