Privacy Policy
This Privacy Policy explains how ESGdesk™ processes personal data in accordance with the General Data Protection Regulation (GDPR).
Version: v2.1 | Last updated: 30.04.2026
This document is provided in English as the official and legally binding version of the ESGdesk™ policies and agreements.
1. Controller Identity and Contact Details
The controller responsible for the processing of personal data through the ESGdesk™ website and platform is:
Vivopack sp. z o.o.
Łużycka 104a
59-900 Zgorzelec
Poland
KRS: 0000908021
NIP: 5252867586
REGON: 389279414
Email: privacy@esgdesk.ai
Vivopack sp. z o.o. acts as the Controller for personal data processed in connection with website operations, account administration, billing, and customer relationship management.
Given the nature and scale of data processing activities, the appointment of a Data Protection Officer (DPO) is not required under Article 37 of the GDPR. For any privacy-related inquiries, users may contact us at privacy@esgdesk.ai.
2. Scope of This Privacy Policy
This Privacy Policy applies to:
- Visitors of https://www.esgdesk.ai
- Users of the ESGdesk™ platform who have registered an account
- External auditors invited to access workspaces under the PRO subscription tier
ESGdesk™ is a business-to-business (B2B) service. Platform access is typically provided through organizational accounts managed by the subscribing company ("Customer"). Users accessing the platform on behalf of their employer should also refer to their employer's internal data protection policies.
ESGdesk™ offers multiple subscription tiers (Free Trial, Standard, PRO) and supports role-based access control (Owner, Admin, Contributor, Auditor) to manage data access within each organization.
This Privacy Policy must be read together with the ESGdesk™ Legal Documents Suite, which currently consists of:
- Terms of Service (v2.2)
- Privacy Policy (v2.1 — this document)
- Data Processing Agreement / DPA (v2.1)
- Cookie Policy (v1.0)
All four documents are accepted together at signup ("bulk acceptance"). When any document is updated to a new version, users are prompted to re-accept the updated documents through an in-app notification before continuing to use the platform.
3. Roles Under GDPR (Controller vs Processor)
Under the General Data Protection Regulation (GDPR), the roles of Controller and Processor determine who is responsible for the processing of personal data and under what conditions.
Controller
Vivopack sp. z o.o. acts as the Controller for personal data processed in connection with:
- Website operations (visitors, contact forms, marketing communications)
- Platform account creation, authentication, and account management
- Billing, invoicing, and payment processing
- Transactional communications (email confirmations, password resets, billing notices)
- Internal CRM and customer relationship management
- Security and audit logging required for ISO 27001 compliance
Processor
For personal data that Customers enter, upload, or otherwise submit into their ESGdesk™ workspace (including ESG operational data, employee records, evidence files, and reporting metrics), Vivopack sp. z o.o. acts as a Processor on behalf of the Customer.
Processing of workspace data is carried out solely based on the Customer's documented instructions and in accordance with the Data Processing Agreement (DPA v2.1) available at /legal/dpa.
Customer as Controller
Customers act as independent Controllers for all personal data they process within their ESGdesk™ workspace, including:
- Their own employees' data (headcount, gender, training records)
- Operational ESG metrics they upload
- Evidence files (utility bills, invoices) they submit
- Auditors they invite
Customers are responsible for ensuring a valid legal basis for processing such data and for informing their own employees and data subjects accordingly.
The detailed terms governing such processing are defined in the Data Processing Agreement (DPA v2.1), which forms part of the ESGdesk™ Terms of Service.
4. Categories of Personal Data Processed
Depending on how users interact with the ESGdesk™ website and platform, the following categories of personal data may be processed. This categorization is aligned with the DPA v2.1 Annex A (Categories of Personal Data and Data Subjects).
4.1 Account and Identity Data
Processed for: account creation, authentication, role assignment.
- Email address
- Full name
- Hashed password
- Multi-factor authentication (MFA) credentials and recovery codes
- User session tokens and authentication state
- User role within the workspace (Owner, Admin, Contributor, Auditor)
- Language preference and locale settings
4.2 Operational ESG Data
Processed for: platform service delivery (Customer is the Controller; Vivopack acts as Processor).
- Energy consumption (electricity, natural gas, vehicle fuel)
- Water consumption and recycled water volumes
- Waste volumes and recycling rates by category
- Health & safety records (accidents, training records)
- Employment data (headcount, new hires, dismissals, gender breakdown by role)
- Financial metrics (sales turnover, total assets — company-wide annual)
- Environmental, social, and governance metrics entered or imported by users
4.3 Evidence Files and Document Metadata
- Uploaded utility bills, invoices, certificates, and supporting documents
- File names, MIME types, file sizes, upload timestamps
- Identity of the uploading user
- Associations with monthly data records
4.4 Billing and Financial Data
Processed for: invoicing, subscription management, tax compliance.
- Company name and registered business address
- VAT identification number (VAT-EU)
- Billing email address
- Payment references (Stripe customer ID, subscription ID)
- Invoice records (Fakturownia)
4.5 Security and Audit Logs
Processed for: platform integrity, fraud prevention, ISO 27001 compliance.
- Login timestamps
- IP addresses (pseudonymized to /24 for IPv4 and /64 for IPv6 in legal acceptance records)
- User agent strings
- Action types performed (data entry, report generation, settings changes)
- Audit trail metadata (who, what, when, from where)
- Sign-up attempt logs (success / rate-limited / blocked)
4.6 Invitation and Auditor Access Data
- Invitee email addresses
- Assigned role (Admin, Contributor, Auditor)
- Location-level access permissions
- Invitation token (hashed before storage)
- Invitation expiration timestamps
- Auditor session start time, IP address, and access configuration hash
- Auditor access expiration date
4.7 Legal Acceptance Records
- Document version accepted (Terms v2.3, Privacy v2.1, DPA v2.1, Cookie v1.0)
- Acceptance timestamp
- User identifier and associated company
- Legal Representative full name and role (declared during company onboarding)
- Acceptance context (signup, onboarding, re-acceptance)
- IP address (pseudonymized) and User Agent
4.8 Communication and Support Data
- Contact form submissions (name, email, company, topic, message)
- Support ticket content
- Booking system data (scheduled calls, language preference)
- Newsletter subscription status and email preferences (GDPR-compliant in 13 languages)
4.9 Technical and Usage Data
Processed for: platform security, performance monitoring, and service improvement.
- Server access logs (IP, timestamp, request URL, response status)
- Error reports and stack traces (via Sentry)
- Performance metrics
- Internal product analytics (aggregated, non-identifying behavioral patterns)
5. Legal Bases for Processing
ESGdesk™ processes personal data based on the following legal grounds under the GDPR:
| Activity | Legal Basis | Reference |
|---|---|---|
| Account creation, authentication, platform access | Performance of contract | Art. 6(1)(b) GDPR |
| Service delivery (workspace operations, ESG data processing on behalf of Customer) | Performance of DPA contract | Art. 28 GDPR |
| Billing, invoicing, payment processing | Performance of contract / Legal obligation | Art. 6(1)(b) and (c) GDPR |
| Tax records retention (5 years) | Legal obligation | Art. 6(1)(c) GDPR (Polish Tax Act) |
| Security monitoring, fraud prevention, audit logs | Legitimate interest | Art. 6(1)(f) GDPR |
| Platform analytics, service improvement | Legitimate interest | Art. 6(1)(f) GDPR |
| Marketing emails (newsletter, product updates) | Consent (opt-in) | Art. 6(1)(a) GDPR |
| Cookies — essential | Legitimate interest | Art. 6(1)(f) GDPR |
| Cookies — functional / analytics | Consent | Art. 6(1)(a) GDPR |
| Defending legal claims (post-contract) | Legitimate interest | Art. 6(1)(f) GDPR |
For data processed under legitimate interest, a balancing test has been conducted to ensure that the processing does not override the rights and freedoms of data subjects. Users may object to processing based on legitimate interest at any time (see Section 13).
6. Website Data Collection and Server Logs
When users visit the ESGdesk™ website, the hosting infrastructure (Lovable Cloud + Cloudflare) automatically collects certain technical information required for delivering the service and maintaining security. This may include:
- IP address (truncated for privacy where applicable)
- Browser type and version
- Operating system
- Timestamps of requests
- Referrer URL
- Cloudflare Turnstile challenge results (anti-bot protection)
This data is processed for security monitoring, performance optimization, fraud prevention, and to prevent platform abuse. Server logs are retained for a limited period (see Section 12 — Data Retention) and are not used to personally identify individual website visitors.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring the security and availability of the website and platform.
7. Cookies, Local Storage and Similar Technologies
ESGdesk™ uses cookies and similar browser storage technologies to maintain user sessions, store authentication tokens, and support platform functionality.
Essential Cookies
Essential cookies are required for authentication, session management, and security protections (including CSRF protection and session continuity).
Essential cookies are strictly necessary for the operation of the platform and are processed on the basis of legitimate interest under Art. 6(1)(f) GDPR. Because these cookies are required for core platform functionality, they do not require user consent.
Functional Cookies
Functional cookies support user preferences, language selection, reporting year selection, and interface customization. These cookies improve the user experience but are not strictly necessary for platform operation. Where required by applicable law, functional cookies are activated only after user consent.
Local Storage
ESGdesk™ uses browser localStorage to store contextual information such as the selected reporting year, active location, plan selection during signup, billing details (temporary, before company creation), and interface preferences. This data is stored locally on the user's device and is not transmitted to external servers except as part of the user's intentional platform actions.
Cookie Consent
Where required by applicable law, non-essential cookies are only activated after the user has provided consent through the cookie banner displayed on the ESGdesk™ website.
For detailed information about specific cookies used, their purpose, duration, and how to manage them, please refer to the Cookie Policy v1.0 at /legal/cookies.
8. Account Registration and Platform Use
Account Creation and Authentication
When users register for an ESGdesk™ account, the platform collects an email address, full name, and a password (stored in hashed form). Users may also enable multi-factor authentication (MFA) for additional security. Authentication tokens and session data are managed through the platform's identity provider.
Anti-abuse protections are in place during signup, including:
- Cloudflare Turnstile challenge (bot prevention)
- Per-email rate limiting (maximum 5 sign-up attempts per email per 24 hours)
- Per-IP soft limits with progressive challenges
- Sign-up attempt logging (retained for 90 days, see Section 12)
Team Management and Invitations
ESGdesk™ allows account owners and administrators to invite team members by email. Invitation records include the invitee's email address, assigned role, location access permissions, and expiration timestamp. Invitation tokens are hashed before storage and automatically expire after 7 days.
Security and Audit Logging
ESGdesk™ maintains immutable audit logs to support security monitoring and ISO 27001 compliance. Audit log records include action type, user identifier, IP address (pseudonymized), user agent, timestamps, and related metadata. Audit logs are append-only (database-level write protection).
Legal Acceptance Records
When users accept legal documents (Terms of Service, Privacy Policy, DPA, Cookie Policy), ESGdesk™ records the acceptance timestamp, user identifier, document version, associated company, and Legal Representative details (full name and role) declared during company onboarding. These records are retained for 36 months after contract termination (see Section 12).
Evidence File Storage
Users may upload evidence files (utility bills, invoices, certificates) to support their ESG data entries. File metadata includes file name, MIME type, file size, upload timestamp, and the identity of the uploading user. Files are stored in encrypted cloud storage hosted in the European Union (AWS Ireland, eu-west-1, Dublin) with access restricted to authorized company members based on role and location-level permissions.
Auditor Session Logging
When external auditors access an ESGdesk™ workspace (PRO tier feature), the platform records session start time, IP address, and a hash of the access configuration at the time of login. Auditor session logs are retained for the duration of the auditor access period plus 12 months (see Section 12).
9. AI-Assisted Data Import and Conversational Assistance (Elisa)
Nature of AI Processing
ESGdesk™ offers an AI-assisted feature called Elisa that allows users to:
- Upload utility bills, invoices, and similar documents for automated data extraction
- Engage in conversational assistance for ESG data interpretation and reporting
- Use AI for translating reports, executive summaries, and platform content into supported languages
AI features are powered by Google's Gemini large language models, accessed through two channels:
- Lovable AI Gateway — a routing service operated by our platform provider Lovable AB, which proxies requests to Gemini and other LLMs. Used for the majority of AI features (including Elisa scan, structured extraction).
- Direct Google Generative Language API (Gemini) — accessed via Google AI Studio API key. Used for specific tasks: Elisa streaming chat assistant, executive summary translation, mass i18n key translation, newsletter translation, and platform health monitoring.
In both channels, AI processing involves the transfer of input data (documents, text, chat conversations) to servers operated by Google LLC, which may be located in the United States. Such transfers are made under Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF).
Lovable AB (Lovable AI Gateway) and Google LLC / Google Ireland Limited (Gemini API) are listed as separate sub-processors in Section 10 below and at /legal/sub-processors.
Data Processing and Accuracy
Uploaded documents are processed in real-time to extract structured data fields such as consumption values, units, periods, and provider names. AI-extracted data is presented as draft suggestions for mandatory review and confirmation by the user before being saved to the workspace.
ESGdesk™ does not guarantee the accuracy of AI-generated extractions. The Customer remains solely responsible for verifying and confirming all data before submission.
No AI Training with Customer Data
By contractual agreement and the documented policies of our AI providers, ESGdesk™ does not use customer-uploaded documents, extracted data, or chat conversations to train, fine-tune, or improve AI models.
- Lovable AI Gateway: subject to Lovable's Data Processing Agreement, which excludes customer data from model training.
- Google Generative Language API (Gemini): Google's API Terms of Service for paid Gemini API access exclude customer prompts and outputs from being used to train Google's models.
Documents and conversations are processed solely for the purpose of fulfilling the user's request within the active session. For more details on AI use and limitations, see the AI Use Policy at /legal/ai-policy.
10. Service Providers and Sub-Processors
ESGdesk™ uses the following third-party service providers ("sub-processors") to deliver and support the platform. The list below mirrors the DPA v2.1 Annex C ordering and is published with full details (purposes, contacts, transfer mechanisms) at /legal/sub-processors.
Current Sub-Processors
| # | Sub-processor | Role | Location | Transfer Mechanism |
|---|---|---|---|---|
| 1 | Cloudflare, Inc. | CDN, DNS, bot protection (Turnstile), social preview worker (news subdomain) | Global edge network; USA control plane | SCCs |
| 2 | Fakturownia sp. z o.o. | VAT invoice generation for Polish billing requirements | Poland (EU) | EU hosting (no transfer) |
| 3 | Functional Software, Inc. (Sentry) | Error monitoring and diagnostics (frontend + backend) | EU (Frankfurt) ingest; USA control plane | SCCs |
| 4 | Google Ireland Ltd. (Gemini AI) | AI document scanning, Elisa assistant, content translation; accessed via Lovable AI Gateway and directly via Google AI Studio API | Ireland (EU); processing also in USA | SCCs |
| 5 | Lovable Technologies AB | Application hosting, build and deployment, backend infrastructure routing (Supabase Inc. acts as sub-sub-processor; primary database and storage hosted on AWS Ireland eu-west-1) | EU (Sweden — Lovable HQ); EU (Ireland — infrastructure) | EU hosting (no transfer) |
| 6 | Resend, Inc. | Transactional email delivery from no-reply@esgdesk.ai (signup confirmations, password resets, billing notices, support, newsletters) | USA; EU edge delivery | SCCs |
| 7 | Stripe Payments Europe, Ltd. | Subscription billing and payment processing | Ireland (EU); processing also in USA | SCCs |
General Principles
All third-party sub-processors operate under written Data Processing Agreements that ensure compliance with GDPR requirements, including appropriate technical and organizational measures for data protection.
ESGdesk™ provides 30 days advance notice to Customers before adding or replacing any sub-processor (per DPA v2.1 Section 6.3). The current authoritative list is always available at /legal/sub-processors.
Customers may object to sub-processor changes in accordance with the procedure set out in the DPA. For the most up-to-date sub-processor list with detailed processing purposes and contact information, please refer to /legal/sub-processors.
11. International Data Transfers
Personal data processed by ESGdesk™ is primarily stored and processed within the European Union:
- Database (Postgres) and file storage: AWS Ireland (eu-west-1, Dublin)
- Invoicing (Fakturownia): Poland
- Payment processing (Stripe): Ireland
- Sentry telemetry ingest: Frankfurt (Germany)
- Edge functions: distributed across EU edge nodes, primary execution through the Ireland regional gateway
Where data is transferred to service providers located outside the European Economic Area (EEA), such transfers are governed by:
- Standard Contractual Clauses (SCCs) approved by the European Commission (EU 2021/914), or
- The EU-US Data Privacy Framework (DPF) for sub-processors that have certified under the framework, or
- Other legally recognized transfer mechanisms under Articles 44-49 GDPR.
Specific transfer mechanisms applicable to each sub-processor are listed in Section 10 above and at /legal/sub-processors.
Users may request information about the specific safeguards applied to international transfers by contacting privacy@esgdesk.ai.
12. Data Retention
ESGdesk™ retains personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. The specific retention periods below apply to each category of personal data:
| Category | Retention Period | Legal Basis / Reason |
|---|---|---|
| Account data (email, name, hashed password, MFA) | Duration of active account + 30 days post-deletion | Contract performance + grace period |
| Operational ESG data (Customer's workspace) | Duration of subscription + 90 days post-deletion (full export available) | Customer instructions (Customer is Controller) |
| Evidence files | Duration of subscription + 5 years (audit-trail support) | Customer instructions + statutory documentation requirements |
| Free Trial workspace data | Trial duration + 30 days post-expiry, deleted automatically if no paid subscription | Trial limit |
| Billing and invoice data | 5 years from end of fiscal year | Polish Tax Act (VAT records) |
| Audit logs (ISO 27001) | 24 months from creation | ISO 27001 compliance + security investigations |
| Data access logs | 18 months from creation | Security monitoring + GDPR accountability |
| Auditor session logs | Auditor access duration + 12 months | Audit trail integrity |
| Legal acceptance records | 36 months post-contract termination | Statute of limitations + GDPR demonstrable consent (Art. 7) |
| Sign-up attempt logs (signup_attempts table) | 90 days from creation | Anti-abuse / fraud prevention |
| AI activity logs | 12 months from creation | Service quality + accuracy monitoring (NO model training) |
| Invitation tokens | 7 days from issuance (auto-cleanup) | Token expiry / security hygiene |
| Server access logs | 30 days rolling window | Security monitoring |
| Marketing email consent records | Until consent withdrawal + 12 months | Demonstrable consent (Art. 7) |
| Newsletter subscription state | Until unsubscribe + 12 months | Demonstrable consent |
| Support ticket content | 24 months after ticket closure | Service quality + dispute resolution |
| Sentry error reports | 90 days | Operational debugging |
12.1 GDPR Data Export (Right of Access)
Users can download a structured export of their personal data directly from the User Settings page in the platform. The export is provided under GDPR Article 15 (Right of Access) and includes:
- Account profile data
- Company memberships and role assignments
- Login history (last 90 days)
- Legal acceptance records
- Monthly ESG records (where the user is a Controller)
- Audit logs related to the user's actions
- Data access logs
The export is delivered in machine-readable JSON format. Some log data (e.g. audit trails, anti-abuse signup logs) may be retained beyond the export for security and legal compliance purposes, in accordance with the retention periods above.
12.2 Account Deletion
Upon account deletion request:
- Personal account data is pseudonymized in audit logs (replaced with
[pseudonymized]token) — required to maintain audit log integrity per ISO 27001 - Workspace data is permanently deleted within 30 days
- Billing records are retained for 5 years per Polish Tax Act (anonymized where possible)
- Legal acceptance records are retained for 36 months post-deletion (statute of limitations)
Permanent deletion is irreversible. Users should download a full data export before requesting deletion if they wish to retain a copy.
13. Data Subject Rights
Under the GDPR, individuals whose personal data is processed by ESGdesk™ have the following rights:
| Right | Article | What It Means |
|---|---|---|
| Right of access | Art. 15 GDPR | Confirmation of whether personal data is being processed and access to a copy of that data |
| Right to rectification | Art. 16 GDPR | Correction of inaccurate or incomplete personal data |
| Right to erasure | Art. 17 GDPR | Deletion of personal data where there is no longer a legal basis for processing ("right to be forgotten") |
| Right to restriction | Art. 18 GDPR | Restriction of processing under certain conditions |
| Right to data portability | Art. 20 GDPR | Receive personal data in structured, commonly used, machine-readable format |
| Right to object | Art. 21 GDPR | Object to processing based on legitimate interest or for direct marketing |
| Right to withdraw consent | Art. 7(3) GDPR | Withdraw consent at any time for processing based on consent (e.g. marketing emails) |
| Right not to be subject to automated decision-making | Art. 22 GDPR | ESGdesk™ does not perform automated decision-making with legal effects on data subjects (see Section 16 for trial abuse scoring exception) |
How to Exercise Your Rights
For data where Vivopack is the Controller (account, billing, security logs):
Contact privacy@esgdesk.ai. Vivopack will respond to data subject requests without undue delay and in any event within one month (30 days) of receipt, in accordance with Article 12(3) GDPR.
Where requests are complex or numerous, this period may be extended by up to two further months. The data subject will be informed of the extension and the reasons for it within the initial month.
For data where the Customer is the Controller (workspace ESG data, employee data, evidence files):
Requests should be directed to the Customer organization (the company that operates the ESGdesk™ workspace). Vivopack will assist the Customer in responding to such requests in accordance with the Data Processing Agreement (DPA v2.1).
If you are uncertain whether Vivopack or the Customer is the Controller for your data, you may contact privacy@esgdesk.ai for guidance.
Right to Lodge a Complaint
Users have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Vivopack sp. z o.o. is:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl
Users may also lodge a complaint with the supervisory authority in their country of residence or the country where the alleged GDPR violation occurred.
14. Security Measures
ESGdesk™ implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures are designed to align with ISO 27001 principles and include:
Technical Measures
- TLS 1.2+ encryption for all data in transit (HTTPS only, HSTS enforced)
- Encryption at rest for stored data and evidence files (AES-256)
- Cryptographic hashing for invitation tokens, password storage (bcrypt), and sensitive identifiers
- Database-level Row-Level Security (RLS) on all tables to enforce tenant isolation
- Append-only audit logs with database trigger-enforced write protection
- IP pseudonymization in legal acceptance records (/24 for IPv4, /64 for IPv6) per data minimization principle
Access Controls
- Role-Based Access Control (RBAC) with four tiers (Owner, Admin, Contributor, Auditor)
- Location-level access control (per-user, per-location permissions)
- Multi-Factor Authentication (MFA) support for enhanced account security
- Progressive authentication throttling (6 / 10 / 20 failed attempts → 60s / 15min / 60min lock)
- Time-limited auditor access (90 days, 180 days, or unlimited per Customer choice)
Operational Measures
- Comprehensive audit trails for all security-relevant actions (login, data entry, settings changes, role changes)
- Cloudflare Turnstile bot protection on signup, login, password reset, contact forms
- Rate limiting on critical endpoints (signup, password reset, API calls)
- Pseudonymization safeguard on user deletion (audit log integrity preservation)
- Automated cleanup of expired tokens and outdated logs
Monitoring and Incident Response
- Sentry error monitoring for application-level issues
- Server access logs with anomaly detection
- Documented incident response procedure with notification timelines per Art. 33-34 GDPR
While ESGdesk™ applies industry-standard security practices, no system can guarantee absolute security. Users are encouraged to:
- Use strong, unique passwords
- Enable MFA on their account
- Report any suspected security incidents to privacy@esgdesk.ai
15. Children's Data
ESGdesk™ is a business-to-business platform intended exclusively for use by organizations and their authorized representatives. The platform is not designed for, marketed to, or intended for use by individuals under the age of 16.
ESGdesk™ does not knowingly collect personal data from children. If we become aware that a child under 16 has provided personal data to the platform without verifiable parental consent, we will delete such data without undue delay.
16. Automated Decision-Making and Profiling
ESGdesk™ uses limited automated processing for one specific purpose: trial abuse prevention. Outside of this scope, ESGdesk™ does not perform automated decision-making with legal or similarly significant effects on data subjects within the meaning of GDPR Article 22.
16.1 Trial Abuse Prevention
To prevent abuse of the Free Trial offering, ESGdesk™ applies an automated risk score during sign-up. The score is based on non-personal signals such as IP address reputation, email domain patterns, and prior account activity from the same network or device.
Based on this score, the platform may:
- Grant a standard 14-day Free Trial
- Grant a reduced 7-day Free Trial
- Decline the Free Trial offer (in which case the user may still subscribe to the Standard or PRO plan to access the platform)
This processing is based on legitimate interest (Art. 6(1)(f) GDPR) in preventing abuse and ensuring fair access to free resources.
16.2 Right to Manual Review
If your Free Trial application is declined or shortened by automated processing, you have the right under GDPR Article 22 to:
- Request human review of the decision
- Express your point of view and provide additional context
- Contest the decision
To request manual review, contact support@esgdesk.ai with the subject "Trial review request" and include the email address used during sign-up. ESGdesk™ will respond within 7 working days. Where the manual review finds the automated decision incorrect, the Free Trial will be granted retroactively.
16.3 No Other Automated Decision-Making
Beyond trial abuse prevention described above, ESGdesk™ does not perform automated decision-making with legal or similarly significant effects on data subjects.
The platform uses AI-assisted features (Elisa) for document data extraction and conversational assistance, but all AI-generated outputs are presented as draft suggestions for mandatory user review and confirmation. Users retain full control over which data is saved to the workspace.
ESGdesk™ does not use automated profiling for marketing, pricing, eligibility assessment beyond trial abuse, or any other decision affecting Customer rights.
17. Changes to This Privacy Policy
ESGdesk™ may update this Privacy Policy from time to time to reflect changes in:
- Platform functionality
- Legal or regulatory requirements
- Data processing practices or sub-processors
- Industry best practices
Versioning and Notification
The current version of this Privacy Policy is always available at /legal/privacy and labeled with a clear version number and last-updated date.
When this Privacy Policy is updated to a new major version, all active platform users will be required to re-accept the updated policy through an in-app notification before continuing to use the platform. This re-acceptance flow ensures demonstrable consent under GDPR Article 7.
For minor changes (clarifications, formatting, non-substantive updates), users will be informed via:
- A "Last updated" date change visible at the top of the document
- An optional notification banner displayed upon login
Version History
| Version | Date | Summary of Changes |
|---|---|---|
| v2.1 | 30.04.2026 | Updated entity references for "Lovable AI Gateway" sub-processor: "Lovable Technologies GmbH" → "Lovable AB" (§§4 AI Use, 10 Sub-processors). Extended Operational ESG data post-deletion retention from 30 → 90 days to align with the DPA v2.1 §11.4 export window. |
| v2.0 | 28.04.2026 | Aligned sub-processors list with DPA v2.1 Annex C (7 sub-processors: Cloudflare, Fakturownia, Sentry, Google/Gemini, Lovable, Resend, Stripe). Removed HubSpot reference (no longer used). Clarified primary data hosting region (AWS Ireland eu-west-1). Disclosed dual-channel access to Google Gemini AI (Lovable AI Gateway and direct Google AI Studio API). Added Cookie Policy v1.0 cross-reference. Consolidated retention sections into a single table. Added Section 16 (Automated Decision-Making) with explicit trial abuse scoring disclosure and manual review rights. Reorganized data categories (Section 4) into 9 structured subcategories. Restructured legal bases (Section 5) as a mapping table. Updated security measures (Section 14) with current platform protections. |
| v1.1 | 14.03.2026 | Initial published version. |
If you have questions about this Privacy Policy or the processing of personal data within ESGdesk™, please contact us at privacy@esgdesk.ai.
This document is provided in English as the official and legally binding version of the ESGdesk™ policies and agreements. Translations may be available for convenience, but in case of discrepancy, the English version prevails.
