Privacy Policy
For customers, business partners and employees
Welcome to the Privacy Policy of SIA Mitigate (registration number: 50103381201), headquartered at Gustava Zemgala gatve 74A, Riga, LV-1039, Latvia. This Privacy Policy outlines how we, as data controllers and processors, collect, use, disclose, and safeguard personal data across all our operations. It applies to personal data processed in connection with our ESG Platform, our broader business activities with customers and partners, and internal processes involving employees.
This Policy governs data processing activities for various categories of data subjects, including but not limited to:
Platform Users: Individuals or entities who use the Mitigate ESG Platform for managing sustainability and ESG data.
Customers and Cooperation Partners: Entities engaged in business relationships with Mitigate.
Employees and Candidates: Individuals whose personal data is processed in employment or recruitment contexts.
We are committed to protecting your privacy and handling your data responsibly. All data processing activities are conducted following applicable data protection regulations, including the General Data Protection Regulation (GDPR), to ensure transparency, fairness, and accountability. By using our services, visiting our website, or interacting with us, you consent to the terms outlined in this Policy.
For any questions, please reach out to us at datuapstrade@mitigate.dev.
1. Definitions
Controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Third party is a natural or legal person, public authority, agency or body other than the Data Subject, the controller, the processor and persons, who under direct authority by the Controller or the Processor are authorised to process Personal Data;
Personal data is any information relating to an identified or identifiable natural person (Data Subject);
Data Subject is an identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, phone number, e-mail address, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or being made available otherwise, alignment or combination, restriction, erasure or destruction;
Platform refers to the Mitigate ESG Platform, a software-as-a-service product that allows users to manage, report, and analyze sustainability and ESG data.
Platform User is a registered individual or legal representative of an entity who accesses and uses the Mitigate ESG Platform. Platform Users are responsible for the accuracy and legality of data they input, as well as compliance with all applicable data privacy regulations when using the Platform.
AI Data Assistant is a premium feature on the Mitigate ESG Platform, available for an additional fee, which leverages artificial intelligence to assist users with data insights, trend analysis, and data processing within the Platform. The AI Data Assistant processes user-provided data to offer recommendations and insights but does not replace human decision-making.
ESG Assistant is an integrated AI functionality in the full Platform package, available as an interactive chat tool to support users in navigating the Platform, answering questions, and assisting with ESG-related tasks.
Customer is any natural or legal person who uses, has used, or has expressed a wish to use any services provided by SIA Mitigate or is in any other way related to them;
Cooperation Partner is any natural or legal person with whom the Company works on joint projects or whose objectives are shared by the Company;
Candidate is any natural person (You) who has applied for a vacancy, or who has been contacted by the Company using social media profile contact information, or who has been contacted and has replied, or who has provided personal information to a recruitment company.
2. General Provisions
2.1. This privacy policy, hereinafter - the Policy, describes the procedure by which the Company handles the personal data that comes into its possession. Depending on the legal basis of the data processing, the Company may be a controller, a processor or a third party;
2.2. The Company shall ensure the confidentiality of personal data within the framework of applicable laws and regulations and has implemented appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful processing or disclosure, accidental loss, alteration or destruction;
2.3. In cases where the Company acts as a controller of personal data, it shall determine the purposes and means of personal data processing;
2.4. In cases where the Company acts as a processor of personal data, the Company shall process personal data on behalf of the controller;
2.5. In cases where the Company acts as a third party, the Company is authorised to process personal data under the direct supervision of the controller or processor;
2.6. In cases where the Company processes data, the Company may use approved personal data processors for personal data processing. In such cases, it shall take the necessary measures to ensure that such processors process personal data in accordance with the instructions of the Company and in accordance with applicable laws and regulations and require appropriate security measures to be taken;
2.7. If the Company updates this Policy, the current version of the Policy shall be published on the Company's website www.mitigate.dev in the privacy policy section, while you may get acquainted with the historical versions of this Policy by contacting the Company and sending an e-mail to: datuapstrade@mitigate.dev.
3. How the Company obtains the data of natural persons (you)
3.1. The Data Subject (You) submits his/her data to the Company;
3.2. The Company receives personal data from its Customers or Cooperation Partners;
3.3. The Company receives personal data from third parties;
3.4. The Company records your data, which is located in the public space (media, social networks, your workplace website, etc.);
3.5. You are visiting our website (see cookie policy);
3.6. You participate in corporate events organised by us, where you can be photographed or filmed;
3.7. You participate in our surveys, contests, etc.;
3.8. You participate in business forums or business networking, your contact information on social networks, such as LinkedIn, is created for the exchange of mutual communication, or You follow us on social media, contact us, etc.;
3.9. You visit our office;
3.10. You add Your data in the Company's systems;
3.11. You apply for our services using the registration forms posted on our website.
In cases where the Company obtains data from the controller, any responsibility for informing the Data Subject shall rest with the relevant controller.
The Company does not perform video surveillance in its office. In the building where the office is located, the landlord performs video surveillance of common areas and is responsible for it.
4. What personal data may be processed by the Company?
Depending on the nature of the data processing, the Company may process the following personal data:
- Personal identification data - name, surname, personal identification number/ID, date of birth;
- Personal contact information - address, telephone number, e-mail address;
- Personal workplace data - workplace, position held;
- Data on Your experience, education, professional skills, recommendations and other data which allow You to be evaluated as a professional;
- Actions taken on internet websites - IP address, actions taken, date and time;
- Data published by a person on social networks;
- Survey and contest data - name or date of the survey or contest, date of the answer, questions/tasks of the survey and answers provided;
- Photos, videos of corporate events, date, place of the photos;
- Photos uploaded to Company systems;
- Your contact details from social media accounts which are used for exchanging contact details, such as LinkedIn;
- Communication data, in case of communication between us;
- Data of various categories, including, in exceptional cases, data of special categories, which the Company processes within the framework of various projects as a controller, processor or as a third party on the basis of the authorisation of the Controller.
Depending on the provided service, the provided product, and the nuances of mutual cooperation, your above-mentioned data may be processed to different extents, in different combinations, with different purposes, and on different legal grounds, as mentioned in this privacy policy.
ESG Platform Data: Specific to users of the Mitigate ESG Platform, this includes:
- Sustainability Data Entries: Data input by users for tracking, analyzing, and reporting on environmental, social, and governance (ESG) metrics.
- Reports and Analytical Outputs: Generated reports, including sustainability and compliance reports, based on user data.
- Uploaded Content: Any documents, files, or other content users upload to the Platform for ESG data management, such as images, documents, or spreadsheets related to reporting activities.
- User-Generated Data for AI Assistance: Data input or queries directed to the AI Data Assistant or ESG Assistant, used to provide data insights, recommendations, or support in Platform navigation and usage.
- Survey and Feedback Data: Information collected through user feedback, surveys, or contests, including responses, comments, or suggestions that help improve the Platform.
5. Legal basis for data processing
5.1. Conclusion and performance of the agreement - in order for the Company to be able to conclude and perform the agreement concluded with the Customer or the Cooperation Partner, providing high-quality services, it must collect and process certain personal data. (GDPR clause 6 part 1, b subsection);
5.2. Legitimate interests of the Company - in order to observe the interests of the Company based on compliance with the requirements of applicable laws and regulations and provide high-quality services and timely support to the Customer and/or Cooperation Partner, the Company may process personal data of the Customer or Cooperation Partner to the extent objectively necessary and sufficient. In addition, the processing of personal data providing information about news in the field in which the Company operates, new development opportunities, including direct marketing, as a result of which the Company can individually address various persons to inform them about news in the field, education and development opportunities, on opportunities to provide a new and/or individually prepared offer of the Company's products and services, shall be considered a legitimate interest. However, the Company respects the wishes of the Data Subject and provides an opportunity to opt out of receiving the above information. (GDPR clause 6 part 1, f subsection);
5.3. Fulfilment of legal obligations - the Company is entitled to process personal data in order to comply with the requirements of the laws and regulations, as well as to provide answers to lawful requests of the state and local government authorities. (GDPR clause 6 part 1, c subsection);
5.4. Consent of the Data Subject. The Data Subject himself/herself consents to the collection and processing of personal data for specified purposes. Consent is his/her free will and an independent decision that can be given at any time, thus allowing the Company to process personal data for specified purposes. The Data Subject may withdraw his/her prior consent at any time through the specified channels of communication with the Company. The applied changes shall come into effect within three working days. Revocation of consent shall not affect the lawfulness of processing which is based on the consent before revocation. (GDPR clause 6 part 1, a subsection);
5.5. Protection of vital interests. The Company may process personal data in order to protect the essential interests of the Customer, Cooperation Partner or other natural person, for example if processing is necessary for humanitarian purposes, monitoring of natural disasters and epidemics caused by human beings and the spread thereof, or in emergency humanitarian situations (acts of terror, in technological disaster situations, etc.) (GDPR clause 6 part 1, d subsection);
5.6. Exercise of official authority or public interest. The Company may process data in order to perform a task in the public interest or in the exercise of official authority legally granted to the Company. In such cases the grounds for personal data processing are included in the laws and regulations. (GDPR clause 6 part 1, e subsection);
5.7. Processing through AI Functionalities on the ESG Platform - The Company processes personal data through AI functionalities (such as the AI Data Assistant and ESG Assistant) on the Mitigate ESG Platform to support users with data insights and reporting. Processing through these AI tools is necessary for the performance of the contract between the Company and the Customer (GDPR clause 6 part 1, b subsection), allowing users to benefit from enhanced data analytics and insights. This processing also aligns with the legitimate interest of providing efficient and innovative support to Platform users (GDPR clause 6 part 1, f subsection). Users retain the right to opt out of AI features if they prefer to limit processing.
5.8. If the Company processes the data as a processor on the basis of a duly concluded agreement with the data controller, the Company shall follow the instructions given by the controller;
5.9. If the Company performs activities with personal data as a third party on the basis of a duly concluded agreement with the data controller, the Company shall comply with the authorisation granted by the controller.
6. Purposes of data processing
The following purposes of data processing are distinguished:
6.1. General management of relations with the Customer and the Cooperation Partner and provision and administration of access to products and services, in order to enter into and execute an agreement with the Customer and the Cooperation Partner; deliver the purchased service or product, verify the availability and quality of the service or product, to fulfil the obligation imposed by law, provide reports and declarations, calculate and pay taxes, to ensure high-quality, timely service and cooperation during the term of the contractual relationship; to ensure the timeliness and accuracy of the data by checking and supplementing the data;
6.2. The Company shall process personal data for email marketing purposes and customer relationship management using third-party services such as Mailchimp, a service provided by The Rocket Science Group LLC, to manage email subscriber lists and send emails to our Customers and Cooperation Partners;
6.3. Create a corporate link between the Company, Customers and Cooperation Partners;
6.4. Find out the opinion of the Customers, Cooperation Partners and others about the work of the Company, necessary improvements;
6.5. Defend the Company's legal rights;
6.6. The Company is entitled to process the data for the above, as well as for other purposes, if there is a legal basis for it.
7. Rights of the Data Subject
The Data Subject has the following rights with regard to the processing of his/her data:
7.1. If the Company receives personal data from the Data Subject, the Company shall provide all the following information to the Data Subject during the acquisition of personal data:
7.1.1. registration number and legal address, contact information of the Company;
7.1.2. the contact details of the data protection specialist, if any;
7.1.3. the purposes of processing for which the personal data is intended, as well as the legal basis for the processing;
7.1.4. legitimate interests if the processing is based on Article 6 (1) (f) of the Regulation;
7.1.5. recipients or categories of recipients of personal data, if any;
7.1.6. whether the data shall be transferred to a third country or international organisation, if so, the relevant information in accordance with the requirements of applicable laws and regulations.
7.2. In addition to the above, during the collection of personal data the Company shall show the Data Subject this Policy, which ensures fair and transparent processing, i.e.:
7.2.1. the Data Subject has the right to be informed of the period for which his or her personal data will be stored or, if that is not possible, the criteria used to determine that period;
7.2.2. the Data Subject has the right of access to his or her data, including the right to request correction, deletion, object to the processing, and exercise data portability;
7.2.3. where processing is based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the Data Subject has the right to withdraw consent, without prejudice to the lawfulness of the processing that was based on the consent before its withdrawal;
7.2.4. the Data Subject has the right to submit a complaint to the supervisory authority;
7.2.5. the Data Subject has the right to know whether automated decision-making, including profiling, exists.
7.3. If the Company has personal data that is not obtained from the Data Subject, in cases where the Company is the controller, the Company, in addition to the above, shall inform the Data Subject about the source from which the personal data has been received;
7.4. If the controller intends to further process personal data for a purpose other than the purpose for which the personal data were obtained, the Company shall inform the Data Subject of such other purpose before further processing and provide it with all relevant additional information, unless the provision of such information requires a disproportionate effort;
7.5. In cases where the Company is a processor or a third party, the Company shall act in accordance with the task or authorisation of the controller; in the case of a request from the Data Subject, the controller shall be informed of the received request immediately.
7.6. The Data Subject has the right, by contacting us, to receive clear information on the specifics of data processing, including what data is held, the legal basis for processing, the extent of processing, and duration of retention, tailored to the details of our cooperation.
8. Retention period
Personal data is only processed for as long as necessary for achieving the purpose of processing. The retention period may be based on the concluded agreements, the Company's legitimate interests or applicable laws and regulations.
9. Technical and organisational requirements for data protection
9.1. The Controller shall ensure, review on a regular basis and improve the personal data protection measures in order to protect personal data of the Data Subject from unauthorised access, accidental loss, disclosure or destruction. To ensure this, the Company shall use modern technologies, technical and organisational requirements, including appropriate software, using firewalls, intrusion detection, analysis software and data encryption, as well as physical data protection (access code at the front door) and an alarm;
9.2. The Company shall carefully inspect all service providers who process personal data on behalf and upon instruction of the Company, as well as assess whether cooperation partners (processors of personal data) apply appropriate security measures to ensure that personal data is processed in accordance with the Company's delegation and requirements of the laws and regulations. Regular assessments are conducted to verify that these third-party providers, including AI service providers and Mailchimp, adhere to GDPR and equivalent security standards, ensuring the continuous compliance and protection of user data.
9.3. The Company shall regularly train its employees and ensure their qualifications are maintained, with specific training on data protection measures, data minimization, and best practices for managing personal data securely.
9.4. The Company shall not be liable for any unauthorised access to personal data and/or loss of personal data if it is beyond the Company's control, for example due to the fault and/or negligence of the Customer or the Cooperation Partner or the Data Subject.
9.5. Mitigate ESG Platform Security Details: For comprehensive information on the security measures specifically implemented within the Mitigate ESG Platform, please refer to our Platform Security Policy, which provides in-depth coverage of access controls, encryption, infrastructure security, third-party assessments, and incident response.
10. Processing area
10.1. Personal data may be processed within the EU/EEA and, for the purposes of email marketing, may be transferred to Mailchimp’s servers located in the United States. The Company ensures that all data transfers to Mailchimp are covered by appropriate safeguards in line with GDPR requirements, such as standard contractual clauses or Mailchimp’s Privacy Shield certification;
10.2. The transfer and processing of personal data outside the EU/EEA may take place if there is a legal basis for doing so, namely to fulfil a legal obligation, enter into or perform an agreement, or in accordance with the Customer's consent, and appropriate security measures have been taken.
The European Commission has recognized which countries provide a level of personal data protection that corresponds to the relevant level of data protection in the European Union (Article 45 of the Regulation "Transmission based on a decision on the adequacy of the level of protection"). On the other hand, if the Company transfers personal data to countries for which the EC decision on the adequacy of the level of protection has not been adopted, the Company performs additional supervision over the implementation of relevant protection measures. For example, according to Article 46 of the Regulation "Shipping based on appropriate guarantees", the appropriate guarantees are ensured by including the requirements for the personal data protection framework in a legally binding document (agreement, etc.) for both parties (both the sender of personal data and the recipient of personal data), clearly indicating the procedure for implementing the data subject's rights and the legal remedies available to the data subject;
10.3. Upon request, the Customer can receive more detailed information on the transfer of personal data to countries outside the EU/EEA.
11. Updates to the Policy
11.1. The Company may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. When significant updates are made, the latest version of this Policy will be published on our website for public access. For users of the ESG Mitigate Platform, we will provide additional notification via email or through the Platform interface to ensure they are informed of any modifications.
11.2. Previous versions of the Policy are archived and available upon request. Users may contact the Company to obtain historical versions of the Privacy Policy, providing a clear record of changes over time and ensuring users can stay informed about past practices.
12. Contact information
12.1. The Data Subject may contact the Company regarding any matter, withdraw his/her consent, make requests for information, use Data Subject rights and submit complaints on the processing of personal data;
12.2. The contact information of the Company is available at www.mitigate.dev in the contact section;
12.3. Responsible for data processing: datuapstrade@mitigate.dev.
12.4. For any questions regarding the management of your data by Mailchimp, or if you wish to opt-out of email marketing communications, please contact us using the details provided below. You may also directly unsubscribe using the link provided in every marketing email.
Approved on September 18, 2024.
The next review shall take place by no later than October 18, 2025.