Privacy Policy and Terms of Service

Updated on November 3, 2025

Table of Contents

  • [Key Points Summary](#1-key-points-summary)
  • [Introduction](#2-introduction)
  • [Definitions](#3-definitions)
  • [Information We Collect](#4-information-we-collect)
  • [How We Use Your Information](#5-how-we-use-your-information)
  • [Automated Decision-Making and AI](#6-automated-decision-making-and-ai)
  • [Legal Basis for Processing](#7-legal-basis-for-processing)
  • [Data Sharing and Third Parties](#8-data-sharing-and-third-parties)
  • [International Data Transfers](#9-international-data-transfers)
  • [Cookies and Tracking Technologies](#10-cookies-and-tracking-technologies)
  • [Data Retention](#11-data-retention)
  • [Your Privacy Rights](#12-your-privacy-rights)
  • [Data Security](#13-data-security)
  • [Data Breach Notification](#14-data-breach-notification)
  • [Children's Privacy](#15-childrens-privacy)
  • [Changes to This Privacy Policy](#16-changes-to-this-privacy-policy)
  • [Contact Information](#17-contact-information)

1. Key Points Summary

What We Collect: Contact information, usage data, cookies, and information you provide voluntarily

How We Use It: To provide and improve our ESG intelligence platform, communicate with you, and analyze usage patterns

Your Rights: Access, correct, delete, port, or restrict processing of your personal data

Data Transfers: We may transfer data to the U.S. under the EU-U.S. Data Privacy Framework

Cookies: We use essential and analytics cookies; non-essential cookies require your explicit consent

Age Requirement: You must be at least 16 years old to use our Service

Contact: info@knowesg.com or our Data Protection Officer at [email if appointed]

For full details, please read the complete policy below.

2. Introduction

KnowESG ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you access or use our website and services (collectively, the "Service").

Important: By using our Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree, please do not use our Service.

Scope: This Privacy Policy applies to:

  • Our website at https://www.knowesg.com
  • All related subdomains and services
  • Our ESG intelligence platform and applications

3. Definitions

To ensure clarity, the following terms have specific meanings:

  • "Company," "we," "our," or "us" refers to KnowESG, Goereestraat 6, Amsterdam, Netherlands (KVK Number: [insert])
  • "Country" means the Netherlands, where KnowESG is based
  • "Customer" refers to companies, organizations, or persons using our Service to manage ESG data and relationships
  • "Device" means any internet-connected device (phone, tablet, computer) used to access our Service
  • "IP Address" means the Internet Protocol address assigned to your device
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by the GDPR (Regulation 2016/679)
  • "Service" refers to the KnowESG website, platform, and all related services
  • "Third-Party Service" refers to advertisers, partners, service providers, and others who provide content or services
  • "You" or "User" means any person or entity using our Service

4. Information We Collect

We collect information in the following categories:

4.1 Information You Provide Directly

Account Information:

  • Name, email address, company name
  • Job title, phone number (optional)
  • Password (encrypted and never stored in plain text)

Communications:

  • Messages you send us via contact forms, email, or chat
  • Feedback, survey responses, and customer support inquiries
  • Newsletter subscriptions and communication preferences

Professional Information:

  • Industry, company size, ESG data needs (if you are a B2B customer)
  • Job application materials (if you apply for employment)

4.2 Information Collected Automatically

Usage Data:

  • Pages visited, features used, time spent on pages
  • Search queries, clicks, and navigation paths
  • Referral source (how you found our website)

Device and Technical Information:

  • IP address, browser type and version
  • Device type, operating system
  • Screen resolution, language preferences
  • Cookies and similar technologies (see Section 10)

Analytics:

  • Session information (timestamps, duration)
  • Performance metrics and error reports
  • Aggregated and anonymized usage statistics

4.3 Information from Third Parties

We may receive information about you from:

  • Business partners who refer you to our Service
  • Public databases (e.g., company registries, ESG data sources)
  • Social media platforms (if you connect your account or interact with our social media pages)
  • Data providers who supply ESG ratings, company information, or market data

5. How We Use Your Information

We use your personal data for the following purposes:

5.1 Service Provision

  • Create and manage your account
  • Provide access to our ESG intelligence platform
  • Process transactions and fulfill orders
  • Deliver customer support and respond to inquiries

5.2 Communication

  • Send service updates, security alerts, and administrative messages
  • Respond to your questions and requests
  • Deliver newsletters and marketing communications (with your consent)
  • Conduct surveys and gather feedback

5.3 Improvement and Analytics

  • Analyze usage patterns to improve our Service
  • Conduct research and development
  • Monitor performance, troubleshoot issues, and fix bugs
  • Develop new features and services

5.4 Security and Compliance

  • Detect and prevent fraud, abuse, and security threats
  • Enforce our Terms and Conditions
  • Comply with legal obligations and respond to law enforcement requests
  • Protect our rights, property, and safety

5.5 Marketing and Personalization

  • Personalize your experience based on your interests
  • Show relevant content, recommendations, and advertisements
  • Measure the effectiveness of our marketing campaigns

You can opt out of marketing communications at any time by clicking "unsubscribe" in emails or contacting us at info@knowesg.com.

6. Automated Decision-Making and AI

6.1 Use of Automated Systems

Disclosure: KnowESG may use automated decision-making systems, artificial intelligence (AI), and algorithms to:

  • Analyze ESG ratings and company assessments
  • Provide personalized recommendations
  • Score and rank ESG providers, solutions, and companies
  • Detect fraudulent activity or security threats

6.2 How Automated Systems Work

ESG Rating Algorithms:

Our AI systems process publicly available ESG data, company disclosures, and third-party ratings to generate assessments. The logic includes:

  • Weighted scoring based on environmental, social, and governance factors
  • Comparison against industry benchmarks
  • Identification of trends and anomalies

Personalization Algorithms:

We use machine learning to recommend content, providers, and courses based on:

  • Your browsing history and preferences
  • Similar users' behavior
  • Industry trends and relevance scores

6.3 Your Rights Regarding Automated Decisions

Under GDPR Article 22, you have the right to:

  • Request human intervention in automated decisions that significantly affect you
  • Contest automated decisions and request manual review
  • Receive meaningful information about the logic, significance, and consequences of automated processing

To exercise these rights: Contact info@knowesg.com with the subject line "Automated Decision Review Request."

6.4 EU AI Act Compliance

As of February 2, 2025, the EU AI Act imposes transparency obligations on certain AI systems. If our ESG rating systems qualify as "high-risk AI" (e.g., affecting creditworthiness), we will:

  • Provide clear disclosures about AI use
  • Ensure human oversight of high-risk decisions
  • Maintain documentation of AI training data and algorithms
  • Comply with all applicable AI Act requirements

For more information: See our AI Transparency Statement at [link] (if applicable).

7. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

  • Consent: You have given explicit consent for specific processing activities (e.g., marketing communications, non-essential cookies)
  • Contract Performance: Processing is necessary to fulfill our contractual obligations to you
  • Legal Obligation: We must process your data to comply with legal requirements (e.g., tax, accounting, data breach notification)
  • Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., fraud prevention, service improvement), provided your rights are not overridden

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

8. Data Sharing and Third Parties

8.1 When We Share Your Data

We may share your personal data with the following categories of third parties:

Service Providers:

  • Cloud hosting providers (e.g., AWS, Google Cloud, Azure) – Store and process data on our behalf
  • Analytics platforms (e.g., Google Analytics) – Analyze usage and improve our Service
  • Email service providers (e.g., Mailchimp, SendGrid) – Deliver communications
  • Payment processors (e.g., Stripe, PayPal) – Process transactions
  • CRM systems (e.g., HubSpot, Salesforce) – Manage customer relationships

Business Partners:

  • ESG data providers – Supply ratings, company information, and market data
  • API partners – Integrate with third-party ESG tools and platforms
  • Marketing partners – Co-market services and events (with your consent)

Legal and Regulatory Authorities:

  • Law enforcement – When required by law or to respond to legal process
  • Regulatory bodies – To comply with data protection and consumer protection laws
  • Courts and legal advisors – To defend our legal rights

Corporate Transactions:

  • Acquirers or successors – In the event of a merger, acquisition, or sale of assets

8.2 Third-Party Links

Our Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices or content of third parties. Please review their privacy policies before providing personal information.

8.3 Data Processing Agreements

All service providers who process personal data on our behalf are bound by Data Processing Agreements (DPAs) that require them to:

  • Process data only as instructed by KnowESG
  • Implement appropriate security measures
  • Notify us of data breaches
  • Comply with GDPR and applicable data protection laws

9. International Data Transfers

9.1 Data Transfer Mechanisms

KnowESG is based in the Netherlands (European Economic Area). We may transfer your personal data to countries outside the EEA, including the United States, for the purposes described in this Privacy Policy.

Legal Safeguards:

When we transfer data internationally, we rely on the following mechanisms:

EU-U.S. Data Privacy Framework (DPF):

  • Effective July 10, 2023, the DPF provides an adequacy decision for data transfers to participating U.S. organizations
  • We only transfer data to DPF-certified service providers (verification available at https://www.dataprivacyframework.gov)

Swiss-U.S. Data Privacy Framework:

  • Effective September 15, 2024, provides adequacy for Swiss data transfers to DPF-certified U.S. organizations

Standard Contractual Clauses (SCCs):

  • For transfers not covered by the DPF, we use EU-approved Standard Contractual Clauses

Transfer Impact Assessments (TIAs):

  • We conduct assessments to ensure adequate protection in destination countries

9.2 Your Rights

You have the right to:

  • Request information about international data transfers
  • Object to transfers that do not provide adequate protection
  • Obtain a copy of the safeguards in place (e.g., SCCs)

To exercise these rights: Contact info@knowesg.com.

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device by your web browser. We use cookies to enhance performance, analyze usage, and provide personalized experiences.

10.2 Types of Cookies We Use

Essential Cookies (Always Active):

  • Required for the Service to function properly
  • Enable core features like login, security, and form submission
  • Legal basis: Necessary for contract performance (no consent required)

Analytics Cookies (Requires Consent):

  • Help us understand how you use the Service
  • Provide aggregated statistics on page views, session duration, and user behavior
  • Example: Google Analytics
  • Legal basis: Consent

Marketing Cookies (Requires Consent):

  • Track your visits across websites to show relevant advertisements
  • Measure the effectiveness of marketing campaigns
  • Example: Facebook Pixel, LinkedIn Insight Tag
  • Legal basis: Consent

10.3 Cookie Consent

Prior Consent Required:

Non-essential cookies (analytics, marketing) are blocked until you actively opt in through our cookie banner. We use a consent management platform that:

  • Provides granular consent categories
  • Allows you to accept or reject specific cookie types
  • Remembers your preferences for future visits

Withdraw Consent:

You can withdraw consent at any time by:

  • Clicking the "Cookie Settings" link in our website footer
  • Adjusting your browser settings to block or delete cookies
  • Contacting us at info@knowesg.com

Important: Blocking essential cookies may affect the functionality of our Service.

10.4 Browser Controls

Most browsers allow you to:

  • View and delete cookies
  • Block third-party cookies
  • Enable "Do Not Track" signals

For instructions: See your browser's help menu or visit https://www.aboutcookies.org.

11. Data Retention

11.1 Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law.

General Retention Periods:

| Data Type | Retention Period | Legal Basis |
|---------------|----------------------|-----------------|
| Account information | Until account deletion + 90 days | Contract performance |
| Financial records | 7 years | Dutch tax and accounting laws |
| Marketing communications | Until you unsubscribe + 2 years | Legitimate interests |
| Analytics data (aggregated) | Indefinitely (anonymized) | Legitimate interests |
| Security logs | 1 year | Legal obligation |
| Customer support inquiries | 3 years | Legitimate interests |
| Job applications | 1 year (unless hired) | Legitimate interests |

11.2 Account Deletion

When you delete your account:

  • Your account information is deleted within 90 days
  • Aggregated, anonymized data (that cannot identify you) may be retained indefinitely
  • Financial records are retained for 7 years to comply with tax laws
  • Backup copies may be retained for up to 60 days before permanent deletion

To request immediate deletion: Contact info@knowesg.com.

12. Your Privacy Rights

12.1 GDPR Rights

Under the GDPR, you have the following rights:

Right of Access (Article 15):

  • Request a copy of your personal data
  • Receive information about how we process your data

Right to Rectification (Article 16):

  • Correct inaccurate or incomplete personal data

Right to Erasure / "Right to Be Forgotten" (Article 17):

  • Request deletion of your personal data
  • Exceptions apply for legal obligations or legitimate interests

Right to Restriction of Processing (Article 18):

  • Limit how we use your data while we investigate a complaint or dispute

Right to Data Portability (Article 20):

  • Receive your data in a structured, machine-readable format (e.g., CSV, JSON)
  • Transfer your data to another service provider

Right to Object (Article 21):

  • Object to processing based on legitimate interests or for direct marketing purposes

Right to Withdraw Consent (Article 7):

  • Withdraw consent for processing at any time (does not affect lawfulness of prior processing)

Right Not to Be Subject to Automated Decision-Making (Article 22):

  • Request human intervention in automated decisions that significantly affect you

12.2 How to Exercise Your Rights

To exercise any of these rights:

  • Email: info@knowesg.com with the subject line "Privacy Rights Request"
  • Specify: Which right you wish to exercise and which data you are referring to
  • Verification: We may request identification to verify your identity (to protect your privacy)
  • Response time: We will respond within 30 days (may be extended by 60 days if complex)

No Fee: Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.

12.3 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens (Dutch DPA)

  • Website: https://autoriteitpersoonsgegevens.nl
  • Phone: +31 (0)70 888 8500
  • Address: Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands

You may also contact the supervisory authority in your EU country of residence.

13. Data Security

13.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration, including:

Technical Measures:

  • Encryption: Data in transit (TLS/SSL) and at rest (AES-256)
  • Access controls: Role-based access, multi-factor authentication
  • Firewall protection: Network segmentation and intrusion detection
  • Secure hosting: ISO 27001-certified cloud providers
  • Regular security audits: Penetration testing and vulnerability assessments

Organizational Measures:

  • Employee training: Privacy and security awareness programs
  • Data minimization: Collect only necessary personal data
  • Confidentiality agreements: All personnel with access to personal data are bound by confidentiality obligations
  • Incident response plan: Procedures for detecting, investigating, and responding to data breaches

13.2 Limitations

No system is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for:

  • Keeping your password confidential
  • Logging out after using shared or public devices
  • Reporting suspected security incidents to info@knowesg.com

14. Data Breach Notification

14.1 Notification to Authorities

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach (GDPR Article 33)
  • Provide details about the nature of the breach, affected data, and measures taken

14.2 Notification to Individuals

If the breach poses a high risk to your rights and freedoms, we will also notify you directly:

  • Timing: Without undue delay
  • Method: Email to your registered address or prominent notice on our website
  • Content: Description of the breach, potential consequences, and steps you can take to protect yourself

14.3 Breach Records

We maintain records of all personal data breaches, including facts, effects, and remedial actions taken, in accordance with GDPR Article 33(5).

15. Children's Privacy

15.1 Age Requirement

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent.

GDPR Compliance:

Under GDPR Article 8, the age of consent for information society services in the Netherlands is 16 years. If you are under 16, you may not use our Service or provide personal data without verifiable parental or guardian consent.

15.2 Parental Consent

If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will:

  • Delete the data immediately
  • Terminate the associated account
  • Notify the parent or guardian (if contact information is available)

15.3 Parents and Guardians

If you believe your child under 16 has provided personal data to KnowESG without your consent, please contact us immediately at info@knowesg.com with the subject line "Child Privacy Concern." We will investigate and take appropriate action.

16. Changes to This Privacy Policy

16.1 Updates

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data processing practices
  • New legal requirements or regulatory guidance
  • Improvements to our Service or security measures

16.2 Notification

Material Changes:

If we make material changes to this Privacy Policy, we will notify you at least 30 days before the changes take effect by:

  • Posting a prominent notice on our website
  • Sending you an email (if you have provided an email address)

Material changes include:

  • Changes to the categories of personal data we collect
  • New purposes for processing
  • Changes to data sharing practices
  • Changes to your rights or how to exercise them

Your Options:

If you do not agree to the updated Privacy Policy, you may:

  • Stop using our Service
  • Request deletion of your account and personal data

Continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

16.3 Version History

Version 2.0 (November 3, 2025):

  • Updated age of consent from 13 to 16 years (GDPR compliance)
  • Replaced Privacy Shield references with EU-U.S. Data Privacy Framework
  • Added AI and automated decision-making disclosures (EU AI Act)
  • Enhanced data breach notification procedures (72-hour requirement)
  • Updated cookie consent requirements (prior explicit consent)
  • Added DPO information and contact details
  • Clarified data retention justifications by data type
  • Added accessibility statement (EAA compliance)
  • Enhanced third-party disclosure categories
  • Improved user rights section with detailed instructions
  • Added comprehensive contact information
  • Created layered privacy notice with key points summary
  • Fixed spelling errors and updated company address

Version 1.0 (May 22, 2022):

  • Initial version

17. Contact Information

17.1 General Inquiries

For questions, concerns, or requests regarding this Privacy Policy or our data processing practices:

KnowESG

Email: info@knowesg.com

Physical Address: Goereestraat 6, Amsterdam, Netherlands

Company Registration (KVK): [insert]

VAT Number: [insert if applicable]

17.2 Data Protection Officer

If we are required to appoint a Data Protection Officer (DPO) under GDPR Article 37, you may contact them at:

Email: [DPO email if appointed]

17.3 Regulatory Authority

Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

Website: https://autoriteitpersoonsgegevens.nl

Phone: +31 (0)70 888 8500

Email: info@autoriteitpersoonsgegevens.nl

Address: Bezuidenhoutseweg 30, 2594 AV The Hague, Netherlands

17.4 Accessibility

Accessibility Statement:

We are committed to ensuring our Privacy Policy is accessible to all users, including those with disabilities. This document meets WCAG 2.1 AA accessibility standards.

If you have difficulty accessing this Privacy Policy or require an alternative format (e.g., large print, audio, or Braille), please contact us at info@knowesg.com.

18. Additional Information

18.1 Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) signal. We currently do not respond to DNT signals because there is no industry-wide standard for how to interpret them. However, you can control cookies through your browser settings (see Section 10.4).

18.2 California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). For CCPA-specific information, please contact info@knowesg.com.

18.3 GDPR Representative

If required, we will appoint a GDPR representative in other EU member states. Contact information will be provided here if applicable.

Acceptance:

By using the Service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

*Last Updated: November 3, 2025*

*Version 2.0*