Privacy Policy
Last updated: 24 February 2026
1. Introduction
ExecutESG Oy ("we", "us", "our"), a company registered in Finland (Business ID pending), with its registered office at Lapinlahdenkatu 16, 00180 Helsinki, Finland, operates the VSME platform (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Finnish Data Protection Act (1050/2018).
2. Data Controller
- Controller: ExecutESG Oy
- Address: Lapinlahdenkatu 16, 00180 Helsinki, Finland
- Contact Email: privacy@executesg.com
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Account Data
- Full name
- Email address
- Password (stored as a one-way hash — we cannot read your password)
- Account role and preferences
3.2 Company Profile Data
- Company legal name and legal form
- Legal Entity Identifier (LEI)
- NACE industry classification code
- Country of registration
3.3 ESG Questionnaire Responses
- All answers provided through the VSME sustainability reporting questionnaire
- Generated sustainability reports and XBRL exports
3.4 Payment Data
- Stripe customer identifier
- Subscription plan and status
- We do not store credit card numbers — all payment processing is handled by Stripe, Inc.
3.5 Technical Data
- IP address and browser type (server access logs)
- Session cookies (essential, for authentication)
- Activity logs (actions within the platform)
4. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Providing the Service (account, questionnaire, reports) | Performance of a contract (Art. 6(1)(b)) |
| Payment processing | Performance of a contract (Art. 6(1)(b)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Service improvement & analytics | Legitimate interest (Art. 6(1)(f)) |
5. Data Sharing & Third Parties
We share personal data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA (with EU Standard Contractual Clauses) |
| Hosting provider | Infrastructure & data storage | EU (Finland / Germany) |
| Email provider | Transactional emails | EU / USA (with SCC) |
We do not sell personal data to third parties.
6. Data Retention
- Account & profile data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
- ESG questionnaire responses & reports: Retained for the duration of your account plus 12 months after deletion (for regulatory compliance).
- Payment records: Retained for 7 years as required by Finnish accounting law.
- Server logs: Retained for 14 days, then automatically purged.
7. Your Rights Under GDPR
As an EU data subject, you have the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten") |
| Restriction (Art. 18) | Restrict processing of your data in certain circumstances |
| Portability (Art. 20) | Receive your data in a machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
To exercise any of these rights, contact us at privacy@executesg.com. We will respond within 30 days.
8. Cookies
We use only essential cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication & CSRF protection | Session (expires on browser close) |
| cookie_consent | Remember your cookie preference | 1 year |
We do not use tracking, analytics, or advertising cookies.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Password hashing with industry-standard algorithms (bcrypt)
- Role-based access control
- Regular security audits and automated backups
- Server infrastructure within the EU
10. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman:
- Office of the Data Protection Ombudsman
- Lintulahdenkuja 4, 00530 Helsinki, Finland
- Website: tietosuoja.fi
- Email: tietosuoja@om.fi
13. Contact Us
For any questions regarding this Privacy Policy or your personal data, please contact:
- ExecutESG Oy
- Lapinlahdenkatu 16, 00180 Helsinki, Finland
- Email: privacy@executesg.com