ESG Privacy Policy
For customers, business partners and employees
Welcome to the Privacy Policy of SIA Mitigate (registration number: 50103381201), headquartered at Gustava Zemgala gatve 74A, Riga, LV-1039, Latvia. This Privacy Policy outlines how we, as data controllers and processors, collect, use, disclose, and safeguard personal data across all our operations. It applies to personal data processed in connection with our ESG Platform, GHG Accounting Platform, our broader business activities with customers and partners, and internal processes involving employees.
This Policy governs data processing activities for various categories of data subjects, including but not limited to:
- Platform Users: Individuals or entities who use the Mitigate ESG Platform for managing sustainability and ESG data.
- Customers and Cooperation Partners: Entities engaged in business relationships with Mitigate.
We are committed to protecting your privacy and handling your data responsibly. All data processing activities are conducted following applicable data protection regulations, including the General Data Protection Regulation (GDPR), to ensure transparency, fairness, and accountability.
By using our services, visiting our website, or interacting with us, you consent to the terms outlined in this Policy. For any questions, please reach out to us at datuapstrade@mitigate.dev.
1. Definitions
Controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Third party is a natural or legal person, public authority, agency or body other than the Data Subject, the controller, the processor and persons who, under the direct authority of the Controller or the Processor, are authorised to process Personal Data;
Personal data is any information relating to an identified or identifiable natural person (Data Subject);
Data Subject is an identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, phone number, e-mail address, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or being made available otherwise, alignment or combination, restriction, erasure or destruction;
Platform refers to the Mitigate ESG Platform, a software-as-a-service product that allows users to manage, report, and analyze sustainability and ESG data.
Platform User is a registered individual or legal representative of an entity who accesses and uses the Mitigate ESG Platform. Platform Users are responsible for the accuracy and legality of data they input, as well as compliance with all applicable data privacy regulations when using the Platform.
AI Data Assistant is a premium feature on the Mitigate ESG Platform, available for an additional fee, which leverages artificial intelligence to assist users with data insights, trend analysis, and data processing within the Platform. The AI Data Assistant processes user-provided data to offer recommendations and insights but does not replace human decision-making.
ESG Assistant is an integrated AI functionality in the full Platform package, available as an interactive chat tool to support users in navigating the Platform, answering questions, and assisting with ESG-related tasks.
Customer is any natural or legal person who uses, has used, or has expressed a wish to use any services provided by SIA Mitigate or is in any other way related to them;
Cooperation Partner is any natural or legal person with whom the Company works on joint projects or whose objectives are shared by the Company;
Prospective Employee means any natural person who has submitted an application to the Company for an advertised or potential vacancy, or whom the Company has approached based on contacts available on social networks, or whom the Company has approached and the Prospective Employee (you) has responded to the Company's approach, or you have provided your data to a recruitment agency.
2. General Provisions
2.1. This privacy policy, hereinafter — the Policy, describes the procedure by which the Company handles the personal data that comes into its possession. Depending on the legal basis of the data processing, the Company may be a controller, a processor or a third party;
2.2. The Company shall ensure the confidentiality of personal data within the framework of applicable laws and regulations and has implemented appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful processing or disclosure, accidental loss, alteration or destruction;
2.3. In cases where the Company acts as a controller of personal data, it shall determine the purposes and means of personal data processing;
2.4. In cases where the Company acts as a processor of personal data, the Company shall process personal data on behalf of the controller;
2.5. In cases where the Company acts as a third party, the Company is authorised to process personal data under the direct supervision of the controller or processor;
2.6. In cases where the Company processes data, the Company may use approved personal data processors for personal data processing. In such cases, it shall take the necessary measures to ensure that such processors process personal data in accordance with the instructions of the Company and in accordance with applicable laws and regulations and require appropriate security measures to be taken;
2.7. If the Company updates this Policy, the current version of the Policy shall be published on the Company's website https://www.esgplatform.eu/privacy-policy in the privacy policy section, while you may get acquainted with the historical versions of this Policy by contacting the Company and sending an e-mail to: datuapstrade@mitigate.dev.
3. How the Company Obtains the Data of Natural Persons (You)
3.1. The Data Subject (You) submits his/her data to the Company;
3.2. The Company receives personal data from its Customers or Cooperation Partners;
3.3. The Company receives personal data from third parties;
3.4. The Company records your data, which is located in the public space (media, social networks, your workplace website, etc.);
3.5. You visit our website (see Cookie Policy);
3.6. You participate in corporate events organised by us, where you can be photographed or filmed;
3.7. You participate in our surveys, contests, etc.;
3.8. You participate in business forums or business networking, your contact information is on social networks created for the exchange of mutual communication, such as LinkedIn, or You follow us on social media, contact us, etc.;
3.9. You visit our office;
3.10. You add Your data in the Company's systems;
3.11. You apply for our services using the registration forms posted on our website;
3.12. Your data is added by a representative of Your organisation.
In cases where the Company obtains data from the controller, any responsibility for informing the Data Subject shall rest with the relevant controller.
The Company does not perform video surveillance in its office. In the building where the office is located, the landlord performs video surveillance of common areas and is responsible for that.
4. What personal data may be processed by the Company?
Depending on the nature of the data processing, the Company may process the following personal data:
- Personal identification data — name, surname, personal identification code/ID, date of birth, and occasionally identity document data;
- Personal contact information — address, telephone number, e-mail address;
- Personal workplace data — workplace, position held;
- Professional data — experience, education, professional skills, references, and other data which allow You to be evaluated as a professional;
- Internet activity data — IP address, actions taken, date and time;
- Public profile data — data published by a person on social networks;
- Survey and contest data — name or date of the survey or contest, date of the answer, questions/tasks and answers provided;
- Event data — data created during competitions and training, including your creations, their evaluation and analysis, photo/video materials;
- Photographs — photographs from corporate events, date and location of the photograph, as well as photographs that you add to the Company's systems;
- Social network contacts — your contacts on social networks designed for the exchange of mutual contacts, such as LinkedIn;
- Communication data — in cases where communication has taken place between us;
- Project data — data of various categories, including, in exceptional cases, special category data, which the Company processes within the framework of various projects as a controller, processor or as a third party on the basis of the authorisation of the Controller.
ESG Platform Data — specific to users of the Mitigate ESG Platform, this includes:
- Sustainability Data Entries: Data input by users for tracking, analyzing, and reporting on environmental, social, and governance (ESG) metrics.
- Reports and Analytical Outputs: Generated reports, including sustainability and compliance reports, based on user data.
- Uploaded Content: Any documents, files, or other content users upload to the Platform for ESG data management, such as images, documents, or spreadsheets related to reporting activities.
- User-Generated Data for AI Assistance: Data input or queries directed to the AI Data Assistant or ESG Assistant, used to provide data insights, recommendations, or support in Platform navigation and usage.
- Survey and Feedback Data: Information collected through user feedback, surveys, or contests, including responses, comments, or suggestions that help improve the Platform.
Depending on the provided service, the provided product, the nuances of mutual cooperation, your above-mentioned data may be processed to different extents, in different combinations, with different purposes, and on different legal grounds, as mentioned in this privacy policy.
5. Legal Basis for Data Processing
5.1. Conclusion and performance of the agreement — in order for the Company to be able to conclude and perform the agreement concluded with the Customer or the Cooperation Partner, providing high-quality services, it must collect and process certain personal data. (GDPR Article 6(1)(b));
5.2. Legitimate interests of the Company — in order to observe the interests of the Company based on compliance with the requirements of applicable laws and regulations and provide high-quality services and timely support to the Customer and/or Cooperation Partner, the Company may process personal data of the Customer or Cooperation Partner to the extent objectively necessary and sufficient. In addition, the processing of personal data providing information about news in the field in which the Company operates, new development opportunities, including direct marketing, as a result of which the Company can individually address various persons to inform them about news in the field, education and development opportunities, on opportunities to provide a new and/or individually prepared offer of the Company's products and services, shall be considered a legitimate interest. However, the Company respects the wishes of the Data Subject and provides an opportunity to opt out of receiving the above information. (GDPR Article 6(1)(f));
5.3. Fulfilment of legal obligations — the Company is entitled to process personal data in order to comply with the requirements of the laws and regulations, as well as to provide answers to lawful requests of the state and local government authorities. (GDPR Article 6(1)(c));
5.4. Consent of the Data Subject — the Data Subject personally gives consent to the collection and processing of personal data for specific purposes. Consent is their free will and independent decision, which may be given at any time, thereby permitting the Company to process personal data for the specified purposes. The Data Subject has the right at any time to withdraw their previously given consent by using the designated communication channels with the Company. The submitted changes will take effect within three business days. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. (GDPR Article 6(1)(a));
5.5. Processing through AI Functionalities on the ESG Platform — the Company processes personal data through AI functionalities (such as the AI Data Assistant and ESG Assistant) on the Mitigate ESG Platform to support users with data insights and reporting. Processing through these AI tools is necessary for the performance of the contract between the Company and the Customer (GDPR Article 6(1)(b)), allowing users to benefit from enhanced data analytics and insights. This processing also aligns with the legitimate interest of providing efficient and innovative support to Platform users (GDPR Article 6(1)(f)). Users retain the right to opt out of AI features if they prefer to limit processing;
5.6. If the Company processes the data as a processor on the basis of a duly concluded agreement with the data controller, the Company shall follow the instructions given by the controller;
5.7. If the Company performs activities with personal data as a third party on the basis of a duly concluded agreement with the data controller, the Company shall comply with the authorisation granted by the controller.
6. Purposes of Data Processing
The following purposes of data processing are distinguished:
6.1. Service provision and contract management — general management of relations with the Customer and the Cooperation Partner and provision and administration of access to products and services, in order to enter into and execute an agreement with the Customer and the Cooperation Partner; deliver the purchased service or product, verify the availability and quality of the service or product;
6.2. Fulfilment of legal and tax obligations — to fulfil the obligation imposed by law, provide reports and declarations, calculate and pay taxes;
6.3. Customer relationship management — to ensure high-quality, timely service and cooperation during the term of the contractual relationship; to ensure the timeliness and accuracy of the data by checking and supplementing the data;
6.4. Email marketing — the Company processes personal data for email marketing purposes and customer relationship management using third-party services such as Mailchimp (provided by The Rocket Science Group LLC), to manage email subscriber lists and send emails to our Customers and Cooperation Partners;
6.5. Community and engagement — to create a corporate link between the Company, Customers, Cooperation Partners and other persons who wish to participate in the Company's activities;
6.6. Feedback and improvements — to find out the opinion of Customers, Cooperation Partners and others about the work of the Company and necessary improvements;
6.7. Legal protection — to defend the Company's legal rights;
6.8. Personnel recruitment — to evaluate Prospective Employees for vacancies, manage the recruitment process, and communicate with Prospective Employees about employment opportunities;
6.9. Post-demo communication — the Company may contact Customers after demo registration to request feedback or offer additional products or services. This communication is based on the Company's legitimate interest in improving services and ensuring customer satisfaction;
6.10. Service notifications — the Company may send newsletters and functional updates regarding the Platform to all Customers. These updates may include information about new features, improvements, and other relevant service notifications, including updates to the Terms of Service and Privacy Policy. Customers cannot unsubscribe from these mandatory notifications, which are essential to maintain service transparency and compliance.
7. Data Recipients
The Company may transfer personal data to the following categories of recipients:
7.1. IT service providers and hosting providers that ensure the operation of the Company's systems and infrastructure;
7.2. Email marketing service providers (Mailchimp / The Rocket Science Group LLC) for the purposes of sending marketing communications;
7.3. Website analytics service providers (Google Analytics) for the purpose of website usage analysis;
7.4. Accounting and financial service providers for the purpose of fulfilling tax and accounting obligations;
7.5. Legal advisors and auditors, where necessary for the defence of the Company's legitimate interests or compliance with legal obligations;
7.6. State and municipal authorities, if required by applicable regulatory enactments;
7.7. Cooperation Partners, where necessary for the execution of joint projects, on the basis of a data processing agreement;
7.8. Recruitment platforms and agencies for the management of the recruitment process;
7.9. Third-party AI service providers for processing through AI functionalities on the Platform, with appropriate data processing agreements in place.
The Company ensures that all data recipients apply appropriate data protection measures in accordance with applicable regulatory enactments. Regular assessments are conducted to verify that these third-party providers, including AI service providers and Mailchimp, adhere to GDPR and equivalent security standards.
8. Rights of the Data Subject
The Data Subject has the following rights with regard to the processing of his/her data:
8.1. Right to information — When the Company obtains personal data from the Data Subject, it provides the following information:
- The Company's registration number and legal address, contact information;
- Contact information of the data protection officer, if one has been appointed;
- The purposes of processing and the legal basis;
- Legitimate interests, if processing is based on GDPR Article 6(1)(f);
- The recipients or categories of recipients of personal data;
- Whether data will be transferred to a third country or an international organisation.
8.2. Right of access — You have the right to request confirmation as to whether your personal data are being processed and, if so, to receive a copy of such data;
8.3. Right to rectification — You have the right to request the rectification of inaccurate personal data;
8.4. Right to erasure — You have the right to request the erasure of your personal data if there is no legal basis for further processing;
8.5. Right to restriction of processing — You have the right to request the restriction of processing in certain circumstances;
8.6. Right to data portability — You have the right to request a copy of your personal data in a usable format, insofar as this is technically feasible and complies with the conditions of GDPR Article 20;
8.7. Right to object — You have the right to object to the processing of your personal data, including for the purposes of direct marketing;
8.8. Right to withdraw consent — If processing is based on consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out prior to the withdrawal;
8.9. Right to lodge a complaint — You have the right to lodge a complaint with the Data State Inspectorate (www.dvi.gov.lv);
8.10. Right regarding automated decisions — You have the right to know whether automated decision-making, including profiling, is applied with respect to your data;
8.11. Right to detailed information — The Data Subject has the right, by contacting us, to receive clear information on the specifics of data processing, including what data is held, the legal basis for processing, the extent of processing, and duration of retention, tailored to the details of our cooperation.
How to exercise your rights: Contact us by email at datuapstrade@mitigate.dev. We will respond to your request within 30 days. If additional time is required, we will inform you within the initial 30-day period.
In cases where the Company is a processor or a third party, the Company shall act in accordance with the task or authorisation of the controller; in the case of a request from the Data Subject, the Company shall promptly inform the Controller of the received request.
9. Retention Period
Personal data is processed only for as long as necessary for achieving the purpose of processing. The specific retention periods are as follows:
Upon expiry of the retention period, the Company shall erase or anonymise personal data, unless further retention is required in accordance with regulatory enactments.
10. Technical and Organisational Requirements for Data Protection
10.1. The Controller shall ensure, review on a regular basis and improve the personal data protection measures in order to protect personal data of the Data Subject from unauthorised access, accidental loss, disclosure or destruction. To ensure this, the Company shall use modern technologies, technical and organisational requirements, including appropriate software, using firewalls, intrusion detection, analysis software and data encryption, as well as physical data protection (access code at the front door) and alarm systems;
10.2. The Company shall carefully inspect all service providers who process personal data on behalf and upon instruction of the Company, as well as assess whether cooperation partners (processors of personal data) apply appropriate security measures to ensure that personal data is processed in accordance with the Company's delegation and requirements of the laws and regulations. Regular assessments are conducted to verify that these third-party providers, including AI service providers and Mailchimp, adhere to GDPR and equivalent security standards, ensuring the continuous compliance and protection of user data;
10.3. The Company shall regularly train its employees and ensure their qualifications are maintained, with specific training on data protection measures, data minimization, and best practices for managing personal data securely;
10.4. The Company shall not be liable for any unauthorised access to personal data and/or loss of personal data if it is beyond the Company's control, for example due to the fault and/or negligence of the Customer or the Cooperation Partner or the Data Subject;
10.5. For comprehensive information on the security measures specifically implemented within the Mitigate ESG Platform, please refer to our Platform Security Policy, which provides in-depth coverage of access controls, encryption, infrastructure security, third-party assessments, and incident response;
10.6. Regarding certain personal data processing, projects, etc., specific technical and organisational requirements for data processing may be determined. You can get detailed information about each individual data processing, if your personal data is processed as part of it, by contacting us at datuapstrade@mitigate.dev.
11. Processing Territory
11.1. Personal data are primarily processed within the EU/EEA territory. For the purposes of email marketing, data may be transferred to Mailchimp servers located in the United States of America. The Company ensures that all data transfers to Mailchimp are protected by appropriate security measures that comply with the requirements of the GDPR, such as Standard Contractual Clauses (SCCs);
11.2. The transfer and processing of personal data outside the EU/EEA may occur if there is a legal basis for it, namely, to fulfil a legal obligation, to conclude or perform a contract, or in accordance with the Client's consent, and appropriate security measures have been taken.
The European Commission has recognised which countries ensure a level of personal data protection that corresponds to the appropriate level of data protection in the European Union (GDPR Article 45 — adequacy decisions). If the Company transfers personal data to countries for which no adequacy decision has been adopted, the Company ensures appropriate safeguards in accordance with GDPR Article 46, such as Standard Contractual Clauses;
11.3. Upon request, the Customer may receive more detailed information regarding the transfer of personal data to countries outside the EU/EEA.
12. Updates to the Policy
12.1. The Company may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. When significant updates are made, the latest version of this Policy will be published on our website for public access. For users of the ESG Mitigate Platform, we will provide additional notification via email or through the Platform interface to ensure they are informed of any modifications;
12.2. Previous versions of the Policy are archived and available upon request. Users may contact the Company to obtain historical versions of the Privacy Policy, providing a clear record of changes over time and ensuring users can stay informed about past practices.
13. Contact Information
13.1. The Data Subject may contact the Company regarding any questions, withdrawal of consent, information requests, exercise of Data Subject rights, and complaints about the processing of personal data;
13.2. The Company's contact information is available at www.mitigate.dev in the contacts section;
13.3. Person responsible for data processing: datuapstrade@mitigate.dev;
13.4. For any questions regarding the management of your data in Mailchimp, or if you wish to opt out of email marketing communications, please contact us using the contact information provided above. You may also opt out directly by using the link provided in each marketing email;
13.5. Before submitting a complaint to the Data State Inspectorate, in the interest of saving time and resources of all parties involved, the Company recommends contacting us in advance.
Approved on 25.03.2026.
Reviewed on 25.03.2026.
Next review no later than 25.03.2027.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Data processed as Processor | As determined by the Controller in the data processing agreement | Contractual obligations |
| Platform user data and uploaded content | Deleted upon the User's request or automatically at the end of the nearest calendar quarter following the end of a subscription or demo period. Customers may request an extension by contacting esg@mitigate.dev. | Contract / Legitimate interests |
| Communication records | Client communication data are retained during the term of the contract and for a reasonable period thereafter, insofar as necessary to safeguard the Company's legitimate interests. Data stored on third-party platforms are managed in accordance with the policies of those platforms. | Legitimate interests |
| Website usage data (cookies) | See Cookie Policy for specific retention periods | Consent |
| Prospective employee / recruitment data | Recruitment data are retained for up to 12 months after the conclusion of the recruitment process | Consent / Legitimate interests |
| Email marketing data | Until withdrawal of consent or the Company's decision to discontinue data processing | Consent / Legitimate interests |
| Accounting and financial data | 10 years after the end of the financial year | Legal obligation (tax legislation) |
| Contract and service data | 10 years after the end of the contractual relationship | Legal obligation (Commercial Law, tax legislation) |