Privacy Policy

Last updated: 18 May 2026

This Privacy Policy explains how ESGFlux.com (“ESGFlux”, “we”, “us”, or “our”), operated by Austen Plummer from Dubai, United Arab Emirates, collects, uses, and protects your personal data when you use our regulatory intelligence service.

We comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, and applicable UAE data protection laws.

1. Data we collect

We collect only what is necessary to provide the service:

  • Account data: name, email address, company name, job title.
  • Preferences: selected jurisdictions, digest frequency, watchlists.
  • Billing data: processed by Paddle (see Third Parties); we store only a Paddle customer ID and subscription status.
  • Usage data: pages visited, feature interactions, email open/click events (for product improvement and deliverability).

2. How we use your data

  • Deliver regulatory updates matching your jurisdictions and preferences.
  • Send digest emails and critical-item alerts.
  • Process payments and manage subscriptions.
  • Respond to support requests.
  • Improve the service based on aggregate usage patterns.

We do not sell your data, share it with advertisers, or use it to train third-party AI models.

3. Legal basis (GDPR)

We process your data under the following bases:

  • Contract: to deliver the service you signed up for.
  • Legitimate interest: to operate and improve the product.
  • Legal obligation: to retain billing records for tax purposes.
  • Consent: where you have opted in to non-essential communications.

4. Third parties

We share data with the following processors, each bound by data processing agreements:

  • Supabase — database hosting and authentication (EU/US region).
  • Paddle — payment processing and tax remittance as Merchant of Record.
  • Resend — transactional email delivery.
  • Anthropic — AI summarisation of public regulatory content. Customer data is not sent to Anthropic; only publicly available regulatory text is processed.
  • Vercel — application hosting and analytics.
  • Google Analytics 4 — aggregate website usage analytics (see Section 8). Operates under Consent Mode: analytics cookies and identifiers are disabled until you accept via our cookie banner. IP anonymisation is enabled.
  • Sentry — application error monitoring. Captures stack traces and request metadata when errors occur; we do not send authentication tokens or message bodies.
  • Apollo.io — B2B website visitor identification (see Section 8). Used only with your consent. Identifies the company associated with your IP address for sales-and-marketing purposes; does not identify you personally.

5. Data retention

We retain your account and preference data for as long as your subscription is active. After you cancel, we keep your data for 90 days to allow reactivation, after which it is deleted from our production systems. Billing records are retained for 7 years to comply with tax regulations.

6. Your rights

Under GDPR and equivalent laws, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion (“right to be forgotten”).
  • Export your data in a portable format.
  • Object to processing or withdraw consent.
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, email us at hello@esgflux.com. We respond within 30 days.

7. Security

Your data is encrypted in transit (TLS) and at rest. Database access is restricted via row-level security policies, which ensure that users can only access their own data. Passwords are hashed using industry-standard algorithms.

8. Cookies and tracking

We use the following categories of cookies and tracking technologies:

  • Essential cookies: required for authentication, session management, and CSRF protection. These cannot be disabled.
  • Privacy-friendly analytics: Vercel Analytics and Vercel Speed Insights collect aggregate, anonymised usage data (page views, performance metrics). No personal identifiers are stored.
  • Google Analytics 4: aggregate traffic and content analytics. Runs under Google Consent Mode v2 — until you accept via our cookie banner, GA operates without analytics cookies or advertising identifiers (cookieless, modelled data only). On acceptance, standard GA4 cookies are set. IP anonymisation is always on. You can withdraw consent at any time by clearing site data in your browser.
  • B2B visitor identification (Apollo.io): when enabled, the Apollo.io website tracker identifies the company associated with your IP address using publicly available IP-to-company mapping. This is used for our sales and marketing outreach to businesses, not for personalised advertising. We do not identify individual visitors, build behavioural profiles, or share data with advertising networks.

The Apollo.io tracker only loads if you have accepted tracking via our cookie banner (your decision is stored in your browser's localStorage). You can change your decision at any time by clearing site data in your browser. We rely on consent (GDPR Article 6(1)(a)) for this processing in the EU/UK, and on legitimate interest (GDPR Article 6(1)(f)) for the underlying B2B sales activity it supports.

We do not use advertising cookies, retargeting pixels, or third-party social media tracking.

9. International transfers

Your data may be processed outside the UAE and EU by our service providers. Where this occurs, we rely on Standard Contractual Clauses and equivalent safeguards to ensure adequate protection.

10. Changes to this policy

We will notify you by email of any material changes to this policy at least 30 days before they take effect.

11. Contact

Questions about this policy or your data: hello@esgflux.com.