Privacy Notice

  1. GENERAL

    1. Esgrid Technologies OÜ (“we” or “us”) provides an ESG data management platform for businesses (“Services”). Your privacy is important to us and therefore, it is our policy to respect your privacy and take appropriate measures to protect your personal data. 

    2. This privacy notice (“Notice”) explains the principles on how we process, including collect, use, store and disclose personal data when: (i) you visit or otherwise interact with our website www.esgrid.com (“Website”); (ii) the legal entity you represent wishes to conclude or has concluded an agreement with us (hereinafter “Terms”); (iii) you use our Services, including register an account; (iv) you subscribe to our newsletter and/or receive other direct marketing; (v) you communicate with us through e-mail or other communication channels; or (vi) you take any other actions on our Website or the Service, which entail us receiving and processing your personal data. 

    3. We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and other data protection legislation, as applicable towards the controller stated in Section 2 of this Notice. 

    4. Please note that this Notice does not apply regarding the personal data that we process on behalf of our clients as a processor when we provide the Services to our clients, including but not limited to distribute the questionnaires and receive the contact details of our clients’ cooperation partners’ representatives’. As we act as a processor, the processing of such data is governed by the data processing agreement concluded with our client, a controller. The controller is responsible for such data processing operations and is obliged to provide you information about such data processing. 

    5. In case you disclose any personal data regarding any third person(s) (e.g., your employee, management board member, co-worker, etc.) to us, you are obligated to refer them to this Notice.

  2. CONTROLLER

    1. For the personal data processing purposes set out in Section 4 of this Notice, the controller of your personal data is Esgrid Technologies OÜ, registry code 16795510, address Marati tn 5/2, 11712 Tallinn, Estonia. 

    2. In case of personal data protection related inquiries please contact us by writing to info@esgrid.ee

  3. CATEGORIES AND SOURCES OF PERSONAL DATA

    1. Personal data is any information that can be used to directly or indirectly uniquely identify you as a private individual. We may obtain and process the following categories of personal data:

      1. For concluding and managing contractual relationship with the legal entity you represent, we may process the following personal data: name, e-mail address, phone number, the legal entity’s information you represent (e.g., legal entity’s name, registry code) (“Main Data”);

      2. If you communicate with us through e-mail or other communication channel, we may process the following personal data: Main Data, date, time and contents of your message (“Communication Data”);

      3. For conducting marketing, we may process the following personal data: Main Data, position, interests, given and withdrawn consents, engagement data (e.g., actions made). Additionally, we may supplement the personal data that you have provided to us directly with information that has been obtained from publicly available resources (i.e. LinkedIn, e-mail search, country specific commercial registrars) (“Marketing Data”);

      4. When you visit the Website, our servers may automatically log the following standard data provided by your web browser or device, which may include your personal data: your device’s Internet Protocol (IP) address, your browser type and version, the webpages you visit on our Website and the time spent on each page, the time and date of your visit (“Log Data”);

      5. We may also collect the following data, which may include your personal data, about the device you’re using to access our Website: device type, operating system, unique device identifiers, device settings, and geo-location data (“Device Data”);

      6. When you use the Services, we may process the following data, which may include your personal data: user ID, user role, action made, attributes to that action, error logs (“Usage Data”).

      7. We use cookies to understand how you use the Website. Cookies are small text files placed on your computer or mobile device when you visit the Website and they may collect your personal data. Please refer to our Cookie Notice for more information.

    2. We may obtain your personal data directly from you, including when you visit the Website, create account or use the Services, the legal entity you represent or other resources (e.g., from public registers).

    3. If you do not provide the required information, we may not be able to provide our Services, contact you or fill any other purposes provided in Section 4 of this Notice. 

  4. LEGAL BASES AND PURPOSES OF PROCESSING PERSONAL DATA

    1. The legal basis for processing your personal data depends on the objective and context in which we collect personal data. The following depicts a descriptive list of processing purposes that are linked to the specific data categories and legal basis for processing


Processing purpose

Legal basis

Personal data category used for the processing purpose

Handling pre-contractual negotiations and communications and concluding the Terms, including creating an account

Our legitimate interest in taking and implementing pre-contractual measures of the potential Terms to be concluded between the legal entity and us

Main Data, Communication Data

Performing the contract and managing contractual relationship, including but not limited to providing the Services, managing your account, providing customer support, monitoring the fulfilment of the Terms

Our legitimate interest in performing the Terms concluded between the legal entity and us

Responding to your enquiries and requests, including but not limited to providing information about our Services

Our legitimate interest in taking and implementing pre-contractual measures of the potential Terms to be concluded between the legal entity and us or our legitimate interest in performing the Terms concluded between the legal entity and us

Sending information about our Services’ updates, including new features and other news

Our legitimate interest in providing information about the Services’ updates

Main Data

Sending information, including marketing information, regarding our Services, features, offers, promotions, news and events via e-mail or newsletter

Consent

If the legal entity you represent is already our client: our legitimate interest in informing you about Services and information that we consider may be of interest to you

Main Data, Marketing Data

Sending our existing clients’ information about our other products and services that we think they might be interested in based on the products and services they have previously sourced from us

Our legitimate interest in providing information on our products and services similar to which the legal entity you represent has already previously sourced from us

Measuring the effectiveness of marketing tools

Our legitimate interest in improving the efficiency of marketing tools

Administering given and withdrawn consents list

Our legitimate interest in ensuring valid legal basis and recording given and withdrawn consents

Marketing Data

Making available the basic functions of the Website and the Services and administering it, including gathering information about visitor’s navigation

Our legitimate interest in providing the Website and the Services and understanding the use patterns to be able to improve the Website and the Services and enhance the user experience

Log Data, Technical Data, Usage Data


Diagnosing and repairing problems with the Website and the Services

Our legitimate interest in (i) providing data security and preventing fraudulent actions related to the Website and the Services; (ii) ensuring the functioning of the Website and the Services

Analysing use of Website and Services

Our legitimate interest in (i) analysing the use of the Website and Services to understand the suitability to the user; (ii) improving, upgrading and enhancing the operation of the Website and Services; (iii) developing new features and functionalities

All data categories

Storing information containing personal data in our backup systems

Our legitimate interest in ensuring the continuity and security of data processing operations

Complying with legal or regulatory obligations or requests

Performance of legal obligations

Disclosing data to public sector authorities, supervisory and law enforcement authorities


Performance of legal obligations


Disclosing data to our legal advisors and establishing, exercising, or defending legal claims, whether in court proceedings or in an administrative or out-of-court procedure in relation to our, our clients’ or employees’ rights

Our legitimate interest in seeking legal advice and managing legal claims, facilitating effective establishment, exercise, or defence of legal claims

Disclosing data to our service providers

Our legitimate interest in providing the Website and the Services and ensuring our proper economic activity

Arranging the sale or merger of our company and providing information for conducting the legal or other audit and the data exchange thereof; disclosing data to legal successors and/or potential acquirers of the company

Our legitimate interest in facilitating proper due diligence process and business continuity by ensuring a successful merger, acquisition or restructuring of the company

Processing purpose

Legal basis

Personal data category used for the processing purpose

Handling pre-contractual negotiations and communications and concluding the Terms, including creating an account

Our legitimate interest in taking and implementing pre-contractual measures of the potential Terms to be concluded between the legal entity and us

Main Data, Communication Data

Performing the contract and managing contractual relationship, including but not limited to providing the Services, managing your account, providing customer support, monitoring the fulfilment of the Terms

Our legitimate interest in performing the Terms concluded between the legal entity and us

Responding to your enquiries and requests, including but not limited to providing information about our Services

Our legitimate interest in taking and implementing pre-contractual measures of the potential Terms to be concluded between the legal entity and us or our legitimate interest in performing the Terms concluded between the legal entity and us

Sending information about our Services’ updates, including new features and other news

Our legitimate interest in providing information about the Services’ updates

Main Data

Sending information, including marketing information, regarding our Services, features, offers, promotions, news and events via e-mail or newsletter

Consent

If the legal entity you represent is already our client: our legitimate interest in informing you about Services and information that we consider may be of interest to you

Main Data, Marketing Data

Sending our existing clients’ information about our other products and services that we think they might be interested in based on the products and services they have previously sourced from us

Our legitimate interest in providing information on our products and services similar to which the legal entity you represent has already previously sourced from us

Measuring the effectiveness of marketing tools

Our legitimate interest in improving the efficiency of marketing tools

Administering given and withdrawn consents list

Our legitimate interest in ensuring valid legal basis and recording given and withdrawn consents

Marketing Data

Making available the basic functions of the Website and the Services and administering it, including gathering information about visitor’s navigation

Our legitimate interest in providing the Website and the Services and understanding the use patterns to be able to improve the Website and the Services and enhance the user experience

Log Data, Technical Data, Usage Data


Diagnosing and repairing problems with the Website and the Services

Our legitimate interest in (i) providing data security and preventing fraudulent actions related to the Website and the Services; (ii) ensuring the functioning of the Website and the Services

Analysing use of Website and Services

Our legitimate interest in (i) analysing the use of the Website and Services to understand the suitability to the user; (ii) improving, upgrading and enhancing the operation of the Website and Services; (iii) developing new features and functionalities

All data categories

Storing information containing personal data in our backup systems

Our legitimate interest in ensuring the continuity and security of data processing operations

Complying with legal or regulatory obligations or requests

Performance of legal obligations

Disclosing data to public sector authorities, supervisory and law enforcement authorities


Performance of legal obligations


Disclosing data to our legal advisors and establishing, exercising, or defending legal claims, whether in court proceedings or in an administrative or out-of-court procedure in relation to our, our clients’ or employees’ rights

Our legitimate interest in seeking legal advice and managing legal claims, facilitating effective establishment, exercise, or defence of legal claims

Disclosing data to our service providers

Our legitimate interest in providing the Website and the Services and ensuring our proper economic activity

Arranging the sale or merger of our company and providing information for conducting the legal or other audit and the data exchange thereof; disclosing data to legal successors and/or potential acquirers of the company

Our legitimate interest in facilitating proper due diligence process and business continuity by ensuring a successful merger, acquisition or restructuring of the company

Category

Purpose of disclosure

Public sector authorities, supervisory and law enforcement authorities

To fulfil our statutory obligation, a court order, to establish, exercise or defend our legal rights or in other cases where this is necessary to prevent and deter unlawful acts.

For example: Estonian Police and Border Guard Board, Estonian Data Protection Inspectorate.

Professional advisors

To ensure our proper economic activity and to establish, exercise or defend our legal rights.

For example: auditors, legal advisors.

Service providers

To help us in providing the Services, including the Website to you.

For example: IT service providers, marketing and advertising service providers.

Our legal successors and/or potential acquirers of the company

To successfully transfer our business or for the purposes of merger and/or acquisition, we would include data among the assets transferred to any parties who acquire us.


  1. RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS

    1. We disclose your personal data to third parties only in accordance with this Notice and to those who have undertaken to observe confidentiality or are subject to statutory confidentiality. 

    2. We may disclose your personal data to separate controllers, who themselves determine the purposes of the processing of personal data or processors, who process your personal data on our behalf. These data recipients belong to the following categories:



Category

Purpose of disclosure

Public sector authorities, supervisory and law enforcement authorities

To fulfil our statutory obligation, a court order, to establish, exercise or defend our legal rights or in other cases where this is necessary to prevent and deter unlawful acts.

For example: Estonian Police and Border Guard Board, Estonian Data Protection Inspectorate.

Professional advisors

To ensure our proper economic activity and to establish, exercise or defend our legal rights.

For example: auditors, legal advisors.

Service providers

To help us in providing the Services, including the Website to you.

For example: IT service providers, marketing and advertising service providers.

Our legal successors and/or potential acquirers of the company

To successfully transfer our business or for the purposes of merger and/or acquisition, we would include data among the assets transferred to any parties who acquire us.
  1. For service providers located outside the European Union or the European Economic Area (“EU/EEA”), we use safeguards (e.g., standard contractual clauses approved by the European Commission, binding corporate rules) to ensure that a level of protection of personal data comparable to that applicable in the EU/EEA is applied to your personal data. We monitor the compliance of our service providers with the above requirements. Upon your request we will make available further information on the safeguards applied.   


  1. PERSONAL DATA RETENTION PERIOD 

    1. We retain your personal data as long as reasonably necessary to attain the objectives stated in Section 4 of this Notice, or until the legal obligation stipulates that we do so. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the personal data, we take into account the need to resolve disputes and enforce the contract between us or anonymize your personal data and retain this anonymized information indefinitely. 

    2. Following the retention period or if we no longer need the respective personal data for the purposes specified in Section 4 of the Notice, we shall destroy the respective personal data within a reasonable time, unless the retention of personal data is required to perform duties or fulfil requirements arising from the legislation or to protect against ongoing or threatened disputes. 

    3. After the expiry of the retention period or the termination of the legal basis of the processing purpose, we may retain the materials containing personal data in the backup systems, from which the corresponding materials will be deleted after the end of the backup cycle. We ensure that during the backup period reasonable safeguards are applied and the backed-up materials are put beyond the use. 

  2. YOUR RIGHTS AS A DATA SUBJECT
    You may, at any time, exercise the following rights with respect to our processing of your personal data:

    1. Right to access: you have the right to request access, including receive a copy, of your personal data. This includes the right to be informed on whether we process your personal data, what personal data categories are being processed by us, and the purpose of the data processing;

    2. Right to rectification: you have the right to request that we correct any of your personal data if you believe that we are processing inaccurate or incomplete personal data;

    3. Right to object: you are entitled to object to certain processing of your personal data, for example when we process your personal data based on our legitimate interest or for direct marketing purposes;

    4. Right to restriction: you have the right to request that we restrict the processing of your personal data, for example if you wish to dispute the accuracy of certain personal data we are processing or if we no longer need the personal data for the purposes of the processing, but you require the personal data to establish, exercise or defend legal claims;

    5. Right to erasure: you have the right to request that we erase your personal data for example if the personal data is no longer necessary for the purposes for which it was collected or if you consider that the processing is unlawful;

      • Should you wish to delete your account, for example if there is a change in the person who represents the company, please contact us and we will assign the company’s account to a new representative and delete your account accordingly;

    6. Right to data portability: you have the right to receive your personal data in a structured, commonly used and machine-readable format if it the processing is carried out by automated means and is based on your consent or a mutual contractual relationship. Moreover, you may request that the personal data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible;

    7. Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time;

      • To unsubscribe from the newsletter, please contact us or opt-out using the link provided in the newsletter;

    8. Complaints: If you wish to make a complaint, please contact us. We will promptly investigate your complaint and respond to you, setting out the outcome of our investigation and the steps we will take to deal with your complaint. 

      • If you are not satisfied with our response to your request in relation to your personal data processing or you believe we are processing your personal data not in accordance with the legislation, you can submit your claim to the data protection authority, e.g., in Estonia to the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) at info@aki.ee or www.aki.ee.

    9. To exercise the above rights, please contact us as specified in Section 2 of this Notice. Please note that you should supply us with adequate information for us to respond to your requests concerning the rights. Prior answering your request, we may ask you to provide additional information for the purposes of authenticating you and evaluating your request.

  1. LINKS TO OTHER WEBSITES

Our Website may link to external sites that are not operated by us; therefore, this Notice does not apply to data processing conducted by such third parties. Please be aware that we have no control over the content and policies of those sites and cannot accept responsibility or liability for their respective privacy practices. To find out more about how such third parties process your personal data, please refer to the respective privacy notices on the other websites you visit. 

  1. CHANGES TO THIS NOTICE

This Notice may be amended or modified from time to time to reflect the changes in the way we process personal data, and in such case, the most recent version of the Notice will be published on this page. Please check back periodically, and especially before you provide any new personal data. 


Version: September 2023