Privacy Policy

GaiaScore Ltd is the data controller responsible for your personal data. Contact us at support@gaiascore.com for any privacy questions. We respond within 5 business days.

Account & Identity

• •Name and email address
• •Profile avatar (optional)
• •Organisation name, industry, size, location
• •Your role within the Organisation
• •Google account ID (if using Google sign-in)

Usage & Technical Data

• •IP address and approximate location
• •Browser type and operating system
• •Pages visited and features used
• •Login timestamps and session information

ESG & Business Data

• •ESG metrics in Assessments (energy, water, waste, people, governance)
• •Targets, action plans, and materiality assessment data
• •Advisory chat messages and AI interaction history
• •Data Request responses from team members
• •Evidence files uploaded to the Platform

Payment Data

• •Billing name and address
• •Payment method details (processed by Stripe — we never store card numbers)
• •Transaction history and subscription status

We process your data under the following legal bases:

• •Contract — to provide the Platform services you signed up for
• •Contract — to process payments and manage your subscription
• •Legitimate Interests — to improve the Platform, monitor security, and prevent fraud
• •Legal Obligation — to comply with UK tax, accounting, and regulatory requirements
• •Consent — to send marketing communications (only where you have opted in)

AI Processing

When you use the AI Advisory feature, your ESG data is sent to Anthropic's API. We do not permit Anthropic to use your data to train their models.

Aggregated Benchmarking

GaiaScore may produce anonymised industry benchmarks. No Organisation-specific data is ever published without explicit consent.

Shareable Reports

If you enable the shareable report link, your report becomes accessible to anyone with the link. You control this setting and can disable it anytime.

We never sell your data. We share it only with:

• •Members of your Organisation (according to their assigned Role)
• •Service providers who help operate the Platform (Stripe, Resend, Anthropic, Railway)
• •Authorities if required by law or court order
• •An acquiring entity in the event of a merger or acquisition (with advance notice)

The following processors handle data on our behalf:

• •Stripe — payment processing (stripe.com/privacy)
• •Resend — transactional emails (resend.com/privacy)
• •Anthropic — AI Advisory chat (anthropic.com/privacy)
• •Google OAuth — optional sign-in (policies.google.com/privacy)
• •Railway — platform hosting and infrastructure

GaiaScore products are ad-free. We do not use Google Analytics, Facebook Pixel, or any third-party behavioural tracking tools.

Some of our processors operate in the United States. We ensure appropriate safeguards (UK IDTAs or Standard Contractual Clauses) are in place for all international transfers. Contact us for details.

• •Account and ESG data — duration of subscription + 90 days after closure
• •Payment records — 7 years (UK legal requirement)
• •Support correspondence — 3 years from last contact
• •Usage logs — 12 months rolling
• •Anonymised/aggregated data — indefinitely (no personal data)

You can export your data at any time from the Reports section.

• •Right of Access — request a copy of all data we hold about you
• •Right to Rectification — correct inaccurate data
• •Right to Erasure — request deletion ('right to be forgotten')
• •Right to Restriction — pause processing in certain circumstances
• •Right to Data Portability — receive your data in a machine-readable format
• •Right to Object — object to processing based on legitimate interests
• •Right to Withdraw Consent — withdraw marketing consent at any time

To exercise any right, email support@gaiascore.com with subject 'Data Protection Request'. We verify your identity before processing.

We use only strictly necessary cookies and browser localStorage — no advertising cookies, no tracking pixels.

• •gs_token (cookie) — authentication, 15 minutes
• •gs_org_id (cookie) — active organisation, 7 days
• •gs_user (localStorage) — profile cache, until logout
• •gs_plan (localStorage) — subscription plan cache, until logout
• •gs_refresh (localStorage) — session renewal token, 30 days

• •TLS 1.2+ encryption for all data in transit
• •Encryption at rest for all stored data
• •Role-based access controls
• •Rate limiting on login and API endpoints
• •Access tokens expire after 15 minutes; refresh tokens rotate on each use
• •New login alerts when access occurs from a new IP address
• •72-hour breach notification to you and the ICO where required

The Platform is not for children under 16. We do not knowingly collect data from under-16s. If you believe a child has provided us data, contact support@gaiascore.com immediately.

Material changes will be notified by email and in-app notification at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.

If you have concerns, contact us first at support@gaiascore.com. If unsatisfied, you may lodge a complaint with the ICO:

• •Website: ico.org.uk
• •Helpline: 0303 123 1113
• •Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF