E
ESGFluxStart free trial

Privacy Policy

Last updated: 17 April 2026

This Privacy Policy explains how ESGFlux.com (“ESGFlux”, “we”, “us”, or “our”), operated by Austen Plummer from Dubai, United Arab Emirates, collects, uses, and protects your personal data when you use our regulatory intelligence service.

We comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and applicable UAE data protection laws.

1. Data we collect

We collect only what is necessary to provide the service:

  • Account data: name, email address, company name, job title.
  • Preferences: selected jurisdictions, digest frequency, watchlists.
  • Billing data: processed by Paddle (see Third Parties); we store only a Paddle customer ID and subscription status.
  • Usage data: pages visited, feature interactions, email open/click events (for product improvement and deliverability).

2. How we use your data

  • Deliver regulatory updates matching your jurisdictions and preferences.
  • Send digest emails and critical-item alerts.
  • Process payments and manage subscriptions.
  • Respond to support requests.
  • Improve the service based on aggregate usage patterns.

We do not sell your data, share it with advertisers, or use it to train third-party AI models.

3. Legal basis (GDPR)

We process your data under the following bases:

  • Contract: to deliver the service you signed up for.
  • Legitimate interest: to operate and improve the product.
  • Legal obligation: to retain billing records for tax purposes.
  • Consent: where you have opted in to non-essential communications.

4. Third parties

We share data with the following processors, each bound by data processing agreements:

  • Supabase — database hosting and authentication (EU/US region).
  • Paddle — payment processing and tax remittance as Merchant of Record.
  • Resend — transactional email delivery.
  • Anthropic — AI summarisation of public regulatory content. Customer data is not sent to Anthropic; only publicly available regulatory text is processed.
  • Vercel — application hosting and analytics.

5. Data retention

We retain your account and preference data for as long as your subscription is active. After you cancel, we keep your data for 90 days to allow reactivation, after which it is deleted from our production systems. Billing records are retained for 7 years to comply with tax regulations.

6. Your rights

Under GDPR and equivalent laws, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion (“right to be forgotten”).
  • Export your data in a portable format.
  • Object to processing or withdraw consent.
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, email us at hello@esgflux.com. We respond within 30 days.

7. Security

Your data is encrypted in transit (TLS) and at rest. Database access is restricted via row-level security policies ensuring users can only access their own data. Passwords are hashed using industry-standard algorithms.

8. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies.

9. International transfers

Your data may be processed outside the UAE and EU by our service providers. Where this occurs, we rely on Standard Contractual Clauses and equivalent safeguards to ensure adequate protection.

10. Changes to this policy

We will notify you by email of any material changes to this policy at least 30 days before they take effect.

11. Contact

Questions about this policy or your data: hello@esgflux.com.