Privacy Policy

Last updated: May 5, 2026

This Privacy Policy explains how ESGorithm (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our platform at esgorithm.com (the “Service”). By using the Service, you agree to the practices described in this policy.

1. Data Controller

ESGorithm is operated by BYKAR PLASTİK MAKİNA KALIP İTHALAT İHRACAT SANAYİ TİCARET LİMİTED ŞİRKETİ, which acts as the data controller for personal data processed through the Service. For all privacy-related inquiries, contact us at privacy@esgorithm.com.

2. Data We Collect

We collect only the data necessary to provide the Service:

  • Account data: email address, full name, job title, and company details you provide during registration
  • ESG metric data: environmental, social, and governance metrics you enter into the platform
  • Documents: files you upload as source evidence for metric entries
  • Usage data: pages visited and features used, collected in aggregate to improve the Service

We do not collect payment card details. Billing is handled entirely by our payment processor.

3. Legal Basis for Processing (GDPR)

For users in the EU/EEA, we process personal data on the following legal bases under GDPR:

  • Contract performance (Art. 6(1)(b)): processing necessary to deliver the Service you signed up for
  • Legitimate interests (Art. 6(1)(f)): aggregate usage analytics to improve the Service, and security monitoring
  • Legal obligation (Art. 6(1)(c)): compliance with applicable laws and regulatory requests

We do not rely on consent as a legal basis for core Service operations. If we introduce any optional processing that requires consent in the future, we will request it separately and you will be able to withdraw it at any time without affecting your ability to use the Service.

4. AI Features & Data Processing

ESGorithm uses AI to provide gap analysis, recommendations, and report narrative generation. When you use AI features, the following data is sent to an AI provider:

  • Your industry, country, and employee count
  • Selected ESG frameworks and reporting period
  • Aggregated metric values (e.g. “scope1_emissions: 1,243 tCO2e”)

Your company name is never sent to AI providers. Our AI provider does not use API data for model training. Data is processed under standard contractual protections. You may choose not to use AI features at any time — this does not affect core Service functionality.

5. Cookies

We use only essential cookies required for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not share cookie data with advertisers or data brokers.

6. Data Storage and Security

Your data is stored in a secure cloud database with row-level security enabled. Each organisation's data is strictly isolated — no organisation can access another's data. Uploaded documents are stored with access controls that prevent unauthorised access.

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and access controls limited to authorised personnel. No system is completely secure and we cannot guarantee absolute security.

7. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Affected users will be notified without undue delay where the breach is likely to result in a high risk to their rights.

8. International Data Transfers

Some services we use to operate the platform may process data outside the EU/EEA. Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Third-Party Service Providers

We use a limited number of third-party services to operate the platform, including database and authentication infrastructure, an AI inference provider, a payment processor, and a transactional email provider. These providers process data only as necessary to deliver their respective services and are contractually prohibited from using your data for other purposes.

We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes.

10. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the Service. Upon account deletion, we will delete your personal data within a reasonable period, subject to any legal retention obligations we may have. ESG metric data may be retained in anonymised, aggregated form for product analytics.

11. Your Rights (GDPR)

If you are located in the EU or EEA, you have the following rights:

  • Access to the personal data we hold about you
  • Rectification of inaccurate or incomplete data
  • Erasure (“right to be forgotten”) — subject to any legal retention obligations
  • Restriction of processing in certain circumstances
  • Data portability — receive your data in a machine-readable format
  • Objection to processing based on legitimate interests

To exercise any of these rights, contact privacy@esgorithm.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

12. Children's Privacy

The Service is intended for business use only and is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you via email or an in-app notice at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

BYKAR PLASTİK MAKİNA KALIP İTHALAT İHRACAT SANAYİ TİCARET LİMİTED ŞİRKETİ
For privacy inquiries or to request a Data Processing Agreement (DPA): privacy@esgorithm.com