PRIVACY POLICY

Last updated: 2026-06-30

This Privacy Policy explains how SustainAX AB processes personal data in connection with our websites, subdomains, SaaS services, customer relationships, marketing activities and related business operations. SustainAX AB is committed to protecting personal data and processing it in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), applicable Swedish data protection law and other relevant rules.

1. Who we are

SustainAX AB is a Swedish company providing ESG research, ESG risk analysis, SaaS solutions and related services for professional and institutional users.

Legal entity: SustainAX AB
Swedish organisation number: 559300-8195
Registered address: Anckargripsgatan 3, 211 19 Malmö, Sweden
Privacy contact: privacy (at) sustainax.com

SustainAX AB has not appointed a formal Data Protection Officer. Questions about privacy and data protection may be sent to privacy (at) sustainax.com.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed by SustainAX AB in connection with:
• our websites, including www.sustainax.com;
• SustainAX subdomains, including research.sustainax.com, solutions.sustainax.com, intel.sustainax.com and infra.sustainax.com;
• contact forms, demo requests, newsletter sign-ups and downloadable content;
• our SaaS solutions and related user administration;
• customer, prospect, supplier and partner relationships;
• CRM, sales and marketing activities;
• billing, invoicing and contract administration;
• security, compliance and service operations.

Separate or additional terms may apply to customer use of our SaaS solutions, including a SaaS subscription agreement and, where applicable, a Data Processing Agreement or Data Processing Addendum.

3. Our role under GDPR

For most processing described in this Privacy Policy, SustainAX AB acts as the data controller. This means that we determine the purposes and means of the processing. We are normally the controller for personal data processed in connection with:
• website visitors;
• contact forms and demo requests;
• CRM and B2B sales activities;
• newsletters and marketing communications;
• SaaS user accounts and user profiles;
• authentication, access management and service notifications;
• billing contacts and customer administration;
• security logs and service operation.

For customer-uploaded content in our SaaS solutions, SustainAX AB may act as a data processor where the customer determines what data is uploaded, why it is processed and who may access it. Such processing is governed by the relevant customer agreement and, where applicable, a Data Processing Agreement.

4. Personal data we process

We process only the personal data that is necessary for the relevant purpose. The categories of personal data may include the following.

4.1 Website visitors

When you visit our websites, we may process:
• IP address;
• browser and device information;
• cookie identifiers;
• pages visited;
• referral source;
• interaction data;
• approximate location derived from technical data;
• consent preferences.

Some of this data is collected only where you have given consent through our cookie consent solution.

4.2 Contact forms, demo requests and downloadable content

When you contact us, request a demo, download content or submit information through our websites, we may process:
• name;
• business email address;
• company or organisation;
• job title or role;
• phone number;
• country;
• message content;
• interest in our services;
• communication history.

4.3 SaaS user profiles and account administration

For users of our SaaS solutions, we may process:
• name;
• employer or customer organisation;
• business email address;
• phone number;
• title or role;
• profile portrait, if used;
• authentication data;
• password-related authentication information handled by our authentication provider;
• login history;
• IP address;
• usage logs;
• user role and access rights;
• settings and preferences;
• service notifications;
• security and audit information.

Passwords are handled through our authentication provider and are not visible to SustainAX in plain text. Client administrators may invite and manage users within their organisation. In some cases, SustainAX may create or enter an initial administrator user during customer account setup.

4.4 SaaS usage data

Because our SaaS solutions are research and analysis platforms, we may process usage-related information such as:
• logins and session activity;
• searches and navigation;
• viewed or accessed content;
• downloaded reports or materials;
• uploads, edits or actions performed in the platform;
• user roles, permissions and organisation-level activity;
• audit logs and security events.

Customer administrators may be able to see activity by users within their own organisation, depending on the configuration of the SaaS solution.

4.5 CRM, sales and business contact data

We use Pipedrive as our CRM. In our CRM and related sales processes, we may process:
• name;
• business email address;
• company or organisation;
• job title;
• phone number;
• LinkedIn profile;
• country;
• meeting notes;
• correspondence;
• sales status;
• customer or contract status;
• newsletter status;
• billing contact information;
• information from professional interactions.

We process B2B professional contact data. We do not intentionally collect private consumer data for CRM purposes. We may collect business contact data from events, public business websites, direct contact, referrals, existing customer relationships and other legitimate professional contexts. We do not use purchased contact lists.

4.6 Newsletter and marketing data

If you subscribe to our newsletters or receive marketing communications from us, we may process:
• name;
• business email address;
• company;
• role or job title;
• subscription status;
• communication preferences;
• email open and click data;
• unsubscribe information;
• CRM segmentation data.

We may use Pipedrive Campaigns for newsletters and email marketing.

4.7 Billing and contract data

For customer contracts, billing and invoicing, we may process:
• customer contact names;
• business email addresses;
• company details;
• billing address;
• invoice references;
• correspondence related to contracts, invoices and payments.

We currently invoice customers directly and use Spiris SaaS for billing/accounting-related purposes. If we later introduce online payment services, payment data may be processed by the relevant payment provider as described at the time of payment.

4.8 ESG research-related personal data

In connection with ESG research, issuer analysis, publications and related professional activities, we may process limited business-related personal data. This may include:
• names of executives, board members or other company representatives;
• professional roles and affiliations;
• names of analysts, employees, alumni or contributors;
• names and statements in customer testimonials, where consent has been obtained;
• information contained in corporate reports, public filings, annual reports or other legitimate sources.

We do not process such information to evaluate individuals as private persons. It is processed as part of company-level ESG research, analysis, publication or professional communication.

5. Customer-uploaded content in the SaaS

Our SaaS solutions are intended for company, issuer, research and business-related data. Customers and users should not upload unrelated personal data or sensitive personal data unless this has been explicitly agreed in writing and is lawful under the customer’s own obligations. Customer-uploaded documents may technically contain personal data, for example names of board members, executives or other individuals appearing in annual reports, sustainability reports or similar materials.

Where customers upload documents or other content to the SaaS, such content may be processed within our SaaS infrastructure for purposes such as:
• ingestion;
• indexing;
• semantic chunking;
• extraction;
• search;
• analysis;
• conversion of tables or complex elements into text;
• generation of structured outputs;
• storage of outputs in the SaaS database.

Customer-uploaded content is private to the relevant customer organisation and is governed by the relevant SaaS agreement and, where applicable, a Data Processing Agreement.

6. AI processing

SustainAX may use AI services as part of the technical delivery of its SaaS solutions. AI services may include providers such as Cohere, OpenAI, Anthropic, Mistral and other providers, depending on the configuration of the relevant service. We do not send SaaS user profile data to AI providers for training purposes. Where customer-uploaded documents or other customer content are processed using AI, this is done to provide the SaaS functionality to the relevant customer, such as semantic processing, interpretation of complex content, extraction, summarisation or conversion of tables and other elements into text or structured outputs. AI-generated outputs may be stored in the SaaS database as part of the customer’s service environment. SustainAX does not use customer data to train or fine-tune public AI models. SustainAX does not use customer data to improve its own models, prompts, workflows or evaluation sets unless this has been separately agreed in writing with the relevant customer. Users are responsible for ensuring that content entered into free-text fields, comments, prompts, notes or uploaded documents is appropriate, lawful and in accordance with their organisation’s instructions and agreement with SustainAX.

7. Purposes and legal bases

We process personal data for the following purposes and legal bases.

Providing and administering SaaS services
We process personal data such as name, business email address, employer, user role, login data, settings and service notifications. The legal basis is performance of a contract, steps prior to entering into a contract, and our legitimate interests in administering and operating the service.

Authentication, account access and user administration
We process authentication data, login history, 2FA data, access rights and user roles. The legal basis is performance of a contract and our legitimate interests in secure access management.

Responding to contact forms, demo requests and enquiries
We process personal data such as name, business email address, company, role, phone number and message content. The legal basis is our legitimate interests in responding to enquiries and developing our business. Where the enquiry relates to a potential or existing customer relationship, the legal basis may also be performance of a contract or steps prior to entering into a contract.

CRM, sales and business development
We process business contact details, meeting notes, correspondence, sales status and professional relationship history. The legal basis is our legitimate interests in developing and maintaining B2B relationships, marketing our services and communicating with relevant professional contacts.

Newsletters and marketing communications
We process personal data such as name, business email address, company, role, subscription status and email engagement data. The legal basis is consent where required, and our legitimate interests for relevant B2B communications where permitted by applicable law.

Website analytics and improvement
We process cookie identifiers, website usage data, device and browser data, and analytics events. The legal basis is consent.

Security, logging and service protection
We process IP addresses, logs, access events, audit trails and technical security data. The legal basis is our legitimate interests in maintaining the security, integrity and availability of our services, systems and customer data. Where relevant, processing may also be necessary for contractual purposes.

Billing, invoicing and contract administration
We process billing contacts, invoice references, contract correspondence and customer details. The legal basis is performance of a contract and legal obligation.

Legal, audit and compliance purposes
We process relevant records, correspondence, logs and accounting data. The legal basis is legal obligation and our legitimate interests in establishing, exercising or defending legal claims and complying with audit or contractual requirements.

ESG research, publications and professional communications
We process names, professional roles and public business-related information about company representatives, analysts, team members, alumni or testimonial providers. The legal basis is our legitimate interests in conducting and publishing ESG research, communicating professional analysis and providing research services to professional clients.

Cookie consent management
We process consent preferences, cookie choices, timestamps and technical consent identifiers. The legal basis is legal obligation and our legitimate interests in documenting consent and preferences.

Where we rely on legitimate interests, we do so only where we consider that our interests are not overridden by the rights and freedoms of the individuals concerned. Where we rely on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.

8. Cookies and similar technologies

We use cookies and similar technologies on our websites and in our SaaS services. We use essential cookies and similar technologies that are necessary for website functionality, SaaS login, authentication, session management, security and user preferences. Subject to your consent, we may also use analytics cookies and similar technologies, including tools such as Google Analytics, Google Tag Manager and Hotjar. We use Cookiebot as our cookie consent platform. You can manage or withdraw your cookie consent through the cookie settings available on our websites. More detailed information about cookies, cookie categories, specific tools and retention periods will be provided in our Cookie Policy.

9. Recipients and processors

We may share personal data with trusted service providers and processors where necessary for the purposes described in this Privacy Policy. These may include providers of:
• hosting and infrastructure, including Vercel and AWS;
• authentication, including Supabase;
• databases and storage;
• CRM, including Pipedrive;
• newsletters and email campaigns, including Pipedrive Campaigns;
• business email and communications, including Microsoft Office 365;
• billing and accounting, including Spiris SaaS;
• analytics and website tools, including Google Analytics, Google Tag Manager and Hotjar;
• AI services, including Cohere, OpenAI, Anthropic and Mistral where used for service delivery;
• security, logging and monitoring tools;
• professional advisers, including legal, accounting, cybersecurity and compliance advisers.

Service providers may process personal data only in accordance with our instructions, applicable agreements and applicable data protection law. We may also disclose personal data where required by law, court order, authority request, legal claim, audit requirement or to protect our legal rights.

10. International transfers

SustainAX is based in Sweden and aims to use EU/EEA-based infrastructure where reasonably possible. Some service providers may process personal data outside the EU/EEA, including in the United States or other countries. This may apply, for example, to certain authentication, infrastructure, analytics, CRM, AI or communication providers depending on their configuration and sub-processors. Where personal data is transferred outside the EU/EEA, we take steps to ensure that appropriate safeguards are in place. These may include an adequacy decision by the European Commission, the EU Standard Contractual Clauses, transfer impact assessments and supplementary technical and organisational measures where required. SustainAX is working to move relevant SaaS infrastructure, database and authentication processing toward EU-based AWS infrastructure where appropriate.

11. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law, contract, audit, security, accounting or legal-claims reasons. The following retention periods normally apply.

SaaS user account data
SaaS user account data is retained during the customer agreement and normally for up to 3 years after termination, unless earlier deletion is requested by the customer or a longer period is required.

Inactive SaaS users
Inactive SaaS users are deleted or anonymised after 3 years of inactivity, unless the customer agreement or legal reasons require otherwise.

CRM prospect data
CRM prospect data is reviewed after 3 years from the last meaningful interaction and deleted or anonymised unless there is a continuing legitimate business reason to retain it.

Customer contact data
Customer contact data is retained during the customer relationship and normally for up to 3 years after termination, unless it is needed for a longer period for legal, audit, contractual or compliance reasons.

Support and customer correspondence
Support and customer correspondence is retained during the customer relationship and thereafter deleted or anonymised when no longer needed, normally within 3 years after termination.

Security logs
Security logs are normally retained for up to 24 months. They may be retained for longer where necessary for security incidents, investigations, audit, legal claims, contractual obligations or compliance.

Newsletter records
Newsletter records are retained until you unsubscribe or withdraw consent. Suppression records may be retained to ensure that you are not re-subscribed.

Billing and accounting records
Billing and accounting records are retained as required under Swedish accounting law.

Cookie consent records
Cookie consent records are retained as necessary to document consent and preferences.

Website analytics data
Website analytics data is retained in accordance with the relevant analytics configuration and consent settings.

We may anonymise data instead of deleting it where appropriate. Anonymised data is no longer personal data under GDPR.

12. Security

We apply technical and organisational measures appropriate to the nature, scope and risk of the processing. These measures may include:
• access controls;
• role-based permissions;
• 2FA/MFA where available;
• customer-organisation separation;
• administrator access controls;
• backups;
• logging and monitoring;
• least-privilege principles;
• secure development practices;
• supplier review and contractual controls;
• incident response procedures;
• cybersecurity advice and improvement work.

SustainAX is working with cybersecurity advisers to strengthen its security programme, including measures relevant to NIS2 and DORA-readiness for financial-sector customers, proportionate to SustainAX’s size, role and risk profile. SustainAX is not currently ISO 27001 or SOC 2 certified. SOC 2 readiness is a target. No system can be guaranteed to be completely secure. If you believe that personal data or customer data has been affected by a security incident, please contact us at privacy (at) sustainax.com.

13. Children and sensitive personal data

Our websites and SaaS solutions are intended for professional and business users aged 18 or above. They are not intended for children. We do not intentionally collect special-category personal data, such as health data, religious beliefs, political opinions, trade-union membership, biometric data or similar sensitive personal data. Users must not upload or enter sensitive personal data into the SaaS unless this has been explicitly agreed in writing and is lawful under the relevant customer agreement and applicable data protection law.

14. Your GDPR rights

Subject to the conditions and limitations in GDPR, you have the following rights:
• the right to access your personal data;
• the right to rectification of inaccurate or incomplete data;
• the right to erasure;
• the right to restriction of processing;
• the right to data portability;
• the right to object to processing based on legitimate interests;
• the right to withdraw consent where processing is based on consent;
• the right not to be subject to certain automated decisions with legal or similarly significant effects.

You may exercise your rights by contacting us at privacy (at) sustainax.com. We normally respond to GDPR rights requests within one month. This period may be extended where permitted by GDPR, for example if the request is complex or if we receive multiple requests. If your personal data is processed as part of customer-uploaded SaaS content where SustainAX acts as processor, we may need to refer your request to the relevant customer organisation, which is the controller for that processing.

15. Right to object to direct marketing

You may object to direct marketing at any time. You may also unsubscribe from newsletters and marketing emails by using the unsubscribe link in the relevant email or by contacting us at privacy (at) sustainax.com.

16. Complaints

If you are dissatisfied with how we process your personal data, we encourage you to contact us first at privacy (at) sustainax.com. You also have the right to lodge a complaint with the Swedish data protection authority:

Integritetsskyddsmyndigheten (IMY)
Website: www.imy.se

You may also contact the data protection authority in the EU/EEA country where you live, work or where you believe an infringement has occurred.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services, technologies, legal requirements or business operations. The latest version will be published on our website with the date of the latest update. Material changes may be communicated through our websites, SaaS services, email or other appropriate channels.