Privacy Policy
GaiaScore | Effective Date: June 1, 2026 | Last Updated: June 1, 2026

Introduction
GaiaScore ("we," "our," or "us") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (gaiascore.com) or use our ESG intelligence platform (the "Platform").
Please read this policy carefully. By accessing our website or using the Platform, you agree to the practices described here. If you do not agree, please discontinue use.
1. Who We Are
GaiaScore operates an ESG (Environmental, Social, and Governance) intelligence platform designed for SMBs and growth-stage businesses. We provide ESG scoring, data collection, framework alignment, and reporting services to help companies measure and improve their sustainability standing.
Data Controller: GaiaScore
Email: hello@gaiascore.com
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, company name, role/title, and password when you create an account.
- Company & ESG data: Environmental metrics, social data, governance disclosures, and other ESG-related information you submit through the Platform for scoring and reporting.
- Billing information: Payment card details and billing address, processed securely through our payment provider (we do not store full card numbers).
- Communications: Messages, emails, support requests, or feedback you send to us.
- Demo/contact requests: Name, email, company, and any details submitted via our contact or demo booking forms.
2.2 Information We Collect Automatically
When you visit our website or use the Platform, we automatically collect:
- Usage data: Pages visited, features accessed, session duration, clicks, and navigation paths.
- Device & technical data: IP address, browser type and version, operating system, screen resolution, and referring URLs.
- Cookies and tracking technologies: As described in Section 7 below.
2.3 Information from Third Parties
We may receive information about you from:
- Single sign-on (SSO) providers (e.g., Google, Microsoft) if you use them to log in.
- Payment processors (e.g., Stripe) for billing verification.
- Analytics providers for aggregated usage insights.
3. How We Use Your Information
We use your information to:
- Provide the Platform: Generate your ESG score, produce reports, align data to frameworks (GRI, ISSB, CSRD, UN SDGs), and deliver core product features.
- Personalize your experience: Tailor dashboards, recommendations, and improvement roadmaps to your company's ESG profile.
- Process transactions: Manage subscriptions, billing, and invoicing.
- Send product communications: Account confirmations, feature announcements, product updates, and service notifications. You can unsubscribe from non-essential emails at any time.
- Provide customer support: Respond to inquiries and resolve issues.
- Improve the Platform: Analyze usage patterns, fix bugs, and develop new features.
- Ensure security: Detect, prevent, and investigate fraud, unauthorized access, or policy violations.
- Comply with legal obligations: Meet applicable regulatory and legal requirements.
We do not sell your personal data or your company's ESG data to third parties for marketing purposes.
4. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA) or UK, our legal bases for processing your data are:
- Contract performance: To provide the services you have signed up for.
- Legitimate interests: To improve the Platform, ensure security, and communicate relevant product updates — where these interests are not overridden by your rights.
- Consent: For optional cookies, marketing emails, and any processing where we have asked for your explicit permission.
- Legal obligation: Where processing is required by applicable law.
5. How We Share Your Information
We share your information only as described below:
- Service providers: Trusted vendors who help us operate the Platform (cloud hosting, payment processing, email delivery, analytics). These providers are contractually bound to process data only on our instructions and in accordance with this policy.
- Framework & standards bodies: We do not share your raw data with GRI, ISSB, CSRD bodies, or any other regulatory body unless you explicitly instruct us to submit a report.
- Business transfers: If GaiaScore is acquired or merges with another company, your data may transfer as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
- Legal requirements: We may disclose information where required by law, court order, or to protect the rights, safety, or property of GaiaScore, our users, or the public.
- With your consent: For any other sharing, we will ask for your explicit permission first.
6. Data Retention
We retain your personal data and ESG data for as long as your account is active or as needed to provide services. Specifically:
- Active accounts: Data is retained throughout the life of your subscription.
- Deleted accounts: We delete or anonymize personal data within 90 days of account deletion, unless we are required to retain it for legal or regulatory purposes.
- ESG reports and scoring history: If you request export or deletion of your reports before account closure, we will honor that request.
- Billing records: Retained for up to 7 years to comply with financial and tax regulations.
7. Cookies & Tracking Technologies
We use cookies and similar technologies to:
- Keep you logged in (essential cookies)
- Remember your preferences (functional cookies)
- Understand how you use the Platform (analytics cookies)
- Support marketing attribution (optional cookies)
You can control cookie preferences via the cookie banner on our site or through your browser settings. Disabling non-essential cookies will not affect core Platform functionality.
8. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption in transit (TLS) and at rest (AES-256)
- Access controls and least-privilege principles for staff
- Regular security audits and vulnerability assessments
- Secure data centers with physical access controls
We are working toward SOC 2 Type II certification. While we take security seriously, no system is completely immune to breach. In the event of a data breach affecting your rights, we will notify you in accordance with applicable law.
9. International Data Transfers
GaiaScore operates primarily in the UK. If you access the Platform from outside this jurisdiction, your data may be transferred internationally. For transfers from the EEA or UK, we rely on:
- EU Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreements (IDTAs)
- Other lawful transfer mechanisms as applicable
10. Your Privacy Rights
Depending on your location, you may have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a machine-readable format.
- Restriction: Ask us to limit processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it, the right to opt out of sale (we do not sell personal data), and the right to non-discrimination for exercising these rights.
To exercise any of these rights, email us at hello@gaiascore.com. We will respond within 30 days (or as required by applicable law).
11. Children's Privacy
GaiaScore is a B2B platform intended for business use. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted information to us, please contact us and we will delete it promptly.
12. Third-Party Links
Our website and Platform may contain links to third-party websites (e.g., framework documentation, blog references). We are not responsible for the privacy practices of those sites and encourage you to review their policies independently.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you by email (if you have an account)
- Display a notice on the Platform
Continued use of GaiaScore after changes take effect constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
GaiaScore
Email: hello@gaiascore.com
Website: gaiascore.com/privacy
If you are in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA).