Privacy Policy
1) Legal Entity & Contact
This Privacy Policy is issued by Blue Sky Sustainability Inc. d.b.a. ESGTree (“ESGTree”, “we”, “us”, or “our”).
Our registered office is at [insert full legal address].
For the purposes of privacy laws:
- In Canada: ESGTree is the organization responsible for your personal information under PIPEDA.
- In the EEA or UK: ESGTree is the data controller for personal data we collect and determine the purposes and means of processing. Where required by law, we will appoint an EU/UK representative and publish their details in this Policy.
You may contact our Privacy Officer/Data Protection Officer (DPO) at
privacy@esgtree.com or by mail at the address above.
2) Comprehensive Personal Information We Collect
In addition to the information already described in this Policy, we may collect and process the following categories of personal information, depending on how you use our services:
- Identifiers & Contact Details – name, business title, employer, postal address, email address, phone number, and country.
- Account & Authentication – username, hashed passwords, role and permissions, access logs, and account preference settings.
- Commercial & Billing – purchase and subscription history, invoices, tax status, billing contact details, and payment method tokens processed by PCI-compliant providers.
- Device & Technical Data – IP address, device identifiers, browser type and version, operating system, language and time zone, referring/exit pages, clickstream activity, app telemetry, and cookie or similar technology data.
- Usage & Support Data – feature interaction metrics, diagnostic and performance data, error reports, support tickets, emails and chat messages, feedback, and survey responses.
- Professional Information – employer, department or team, role-based access assignments, project membership, and compliance or training records relating to ESGTree.
- Approximate Geolocation – determined from IP address or device settings to support service optimization and security.
- Content You Upload or Enter – files, forms, dashboards, comments, and other content you or your organization input to the platform (which may incidentally contain personal information about you or others).
- Inferences – insights derived from engagement patterns to improve features, user security, and product design.
- Sensitive or Special Categories (Handled with Enhanced Safeguards) – We do not intentionally collect sensitive data such as government IDs, financial account numbers, precise geolocation, racial or ethnic origin, union membership, or health/biometric/genetic information.
  However, limited sensitive data may be processed if:
  - (a) you or your organization choose to submit it for a defined business purpose, or
  - (b) we must process it to comply with legal obligations (e.g., sanctions screening, fraud prevention).
  When processed, we apply additional access controls and restrict use strictly to the stated purpose or legal requirement.
Third-Party Sources:
We may receive personal information from service providers (identity/SSO, payment processors, analytics), your organization administrators, and authorized integration partners, in each case consistent with applicable law and organizational permissions.
3) Storage of Personal Information
Your personal information is stored securely using encrypted databases and industry-standard safeguards.
ESGTree’s production systems are hosted in U.S. Central and Poland through reputable cloud service
providers that comply with recognized security and privacy frameworks (such as SOC 2 Type II and ISO 27001).
We retain personal information only as long as necessary to fulfill the purposes described in this Policy,
meet contractual obligations, comply with applicable laws, resolve disputes, or enforce agreements.
When no longer required, data is securely deleted or irreversibly anonymized in accordance with our
data retention schedule.
4) Sharing Personal Information
ESGTree limits access to personal information to employees, contractors, and service providers who
require it to perform their duties.
We may share your information with:
- Cloud hosting and infrastructure providers that support our platform
- Payment processors for billing and subscription management
- Analytics and customer support vendors to help improve user experience
- Professional advisers (e.g., auditors, legal counsel) for compliance and reporting
- Authorities or regulators when required by law or court order
- Successors or acquirers in the event of a merger or corporate transaction (with equivalent privacy safeguards)
We do not sell or rent personal information to third parties. All third-party processors are bound
by confidentiality and data protection agreements consistent with this Policy.
5) Your Privacy Rights (Data Subject Rights)
Depending on your location, you may have the following rights over your personal information:
- Access – request confirmation that we process your personal information and obtain a copy.
- Rectification – request that inaccuracies be corrected and incomplete data completed.
- Erasure (“Right to be Forgotten”) – request deletion where the data is no longer needed, consent is withdrawn, or processing is unlawful (subject to legal/contractual retention obligations).
- Restriction – request we limit processing in certain circumstances.
- Portability – receive personal information you provided to us in a structured, commonly used, machine-readable format and request we transmit it to another controller, where technically feasible.
- Objection – object to processing based on our legitimate interests, and object at any time to direct marketing (including profiling for such marketing).
- Automated Decisions – ask for human review of decisions made solely by automated means that significantly affect you (we do not typically conduct such processing).
- Withdraw Consent – where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
- Complain – you may lodge a complaint with a supervisory authority. In Canada, that is the Office of the Privacy Commissioner of Canada (OPC) or your provincial commissioner. In the EEA/UK, contact your local data protection authority.
How to exercise your rights.
Email privacy@esgtree.com with “Privacy Request” in the subject, describing your request and the jurisdiction you reside in. We will verify your identity, respond within 30 days under PIPEDA (or one month under GDPR/UK GDPR, extendable where permitted), and explain any lawful grounds for denial or delay (e.g., legal privilege, rights of others, security or compliance obligations).
6) Consent & Preference Management
We rely on different legal bases to process personal information, including your consent, contractual necessity
(to provide the services), legitimate interests (e.g., to secure and improve the services, prevent fraud, and
communicate service-related updates), and legal obligations.
- Obtaining Consent. Where required, we will obtain your express or implied consent (as permitted by law) for specific purposes (e.g., marketing emails, optional cookies, certain integrations).
- Withdrawing Consent. You may withdraw consent at any time by:
  - using self-serve controls in your account,
  - clicking unsubscribe in marketing emails, or
  - emailing privacy@esgtree.com

  Your withdrawal will not affect processing already carried out, and some service features may no longer function without the relevant processing.
- Organization-Managed Accounts. If your account is provisioned by your employer or another organization, that organization may control certain permissions and retention. Please direct requests for such organization-managed data first to your administrator, with whom we will cooperate as processor or service provider where applicable.
7) Security Incident & Data Breach Response
We maintain administrative, technical, and physical safeguards designed to protect personal information.
If we discover a security incident that compromises the confidentiality, integrity, or availability of personal information:
- We will investigate promptly, contain, and remediate the incident;
- We will assess risk to individuals and our systems;
- Where required by law, we will notify applicable regulators and affected individuals without undue delay (and within 72 hours for EEA/UK personal data where GDPR requires regulator notification), including a description of the incident, likely consequences, and steps you can take;
- We will cooperate with your organization administrators and relevant authorities, and maintain records of incidents in accordance with legal requirements.
If you suspect unauthorized access to your account or personal information, please contact us immediately at
privacy@esgtree.com.
8) International Data Transfers
While ESGTree primarily serves clients in Canada and the United States, your information may be transferred,
processed, or stored in other countries where our vendors or partners operate.
These countries may have different privacy laws, and in some cases may not provide the same level of
protection as your home jurisdiction. ESGTree takes reasonable contractual and technical measures
(such as Standard Contractual Clauses and encryption) to ensure your data remains protected and processed
in line with this Policy.
We strive to comply with applicable international data protection laws and protect all users’ personal
information, regardless of where it is processed.
9) Children’s Privacy Notice (Under Age 13)
ESGTree software and services are not intended for children under 13 years of age.
We do not knowingly collect or maintain personal or non-personal information from anyone under 13.
If we become aware that a child under 13 has provided information, we will promptly delete it and
close the account.
Parents or guardians who believe their child has provided such information should contact
privacy@esgtree.com so we can take corrective action.
10) Privacy Officer / Data Protection Officer (DPO)
Privacy Officer / DPO
Blue Sky Sustainability Inc. d.b.a. ESGTree
Email: privacy@esgtree.com
The DPO oversees privacy compliance, provides guidance on obligations, serves as the contact for regulators,
and responds to privacy-related inquiries.