Privacy Policy
Effective May 23, 2026
WhatsMyESG (“WME,” “we,” “us,” or “our”) is operated by Vertexium Environmental Solutions, a Texas-based environmental consulting practice headquartered in Dallas, Texas, United States. This Privacy Policy explains what personal information we collect when you visit whatsmyesg.com or use our services, why we collect it, how long we keep it, with whom we share it, and the rights you have under U.S. and EU/UK law.
This Policy is written to satisfy our obligations under the California Online Privacy Protection Act (CalOPPA, Cal. Bus. & Prof. Code §§ 22575–22579), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the EU and UK General Data Protection Regulation (GDPR/UK GDPR), the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act (CTDPA), and similar U.S. state privacy statutes in effect as of the effective date.
1. Information We Collect
We collect only what we need to operate the service. The categories below cover everything WME presently processes.
| Category | What it is |
|---|---|
| Identifiers | Email address (waitlist + account), IP address, device and browser fingerprint signals (user-agent, screen size, language). |
| Account data | After launch: name (optional), organization (optional), magic link sign-in records, account preferences. |
| Commercial data | Subscription tier, billing status, invoice history. Card numbers and bank credentials are never seen or stored by WME; they are handled exclusively by Stripe, Inc. |
| Usage data | Reports you generated, entities you queried, timestamps, error logs, request paths. Used for service operation and abuse prevention. |
| Aggregate analytics data | Cookieless, aggregate measurement collected via Vercel Analytics — page views, referrers, approximate region, and device type. No cookies are set and no cross-site profile is built. |
| Communications | Email you send to info@, privacy@, or security@whatsmyesg.com, and our replies. |
2. Why We Collect It (Purposes & Legal Bases)
- Provide the service: generate, store, and serve your ESG reports. Legal basis under GDPR: performance of a contract (Art. 6(1)(b)).
- Authenticate you: issue and validate magic-link sign-in tokens via Supabase Auth. Legal basis: contract (Art. 6(1)(b)) and our legitimate interest in account security (Art. 6(1)(f)).
- Bill you: process subscription payments via Stripe. Legal basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax and accounting records.
- Measure traffic: understand aggregate site usage via cookieless analytics to operate and improve the product. Legal basis: legitimate interest (Art. 6(1)(f)), balanced against your rights, supported by the cookieless and aggregate nature of the measurement.
- Operate and secure the platform: detect abuse, troubleshoot, and improve the product. Legal basis: legitimate interest (Art. 6(1)(f)), balanced against your rights.
- Comply with the law: respond to lawful requests, enforce our Terms, and exercise legal claims. Legal basis: legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)).
We do not sell personal information. We do not currently share personal information for cross-context behavioral advertising. We do not profile users for decisions producing legal or similarly significant effects on you. If we enable advertising or measurement pixels in the future (see § 4 and the Cookie Policy), we will update this Policy first and describe any resulting processing and opt-out rights.
3. How Long We Keep It
| Data | Retention |
|---|---|
| Waitlist email | Until launch + 90 days after, then deleted unless you convert to a paid account or request earlier deletion. |
| Account data | For the life of your subscription, plus 30 days after cancellation to allow reactivation. Earlier on request. |
| Generated reports | For the life of your subscription. Hard-deleted within 30 days after cancellation. Earlier on request. |
| Billing & tax records | Seven (7) years after the related transaction, as required by U.S. tax and accounting rules. |
| Server, application & audit logs | Rolling 90 days for routine application and access logs; up to 12 months for security and audit logs, longer where an incident investigation is open. After the retention window, logs are aggregated or deleted. |
| Email correspondence | Up to 24 months, then deleted unless tied to an open matter. |
4. Third-Party Processors
We use a short list of vetted vendors to run WME. Each acts as our data processor under GDPR Art. 28 and as our service provider under CCPA § 1798.140(ag).
| Vendor | Role |
|---|---|
| Supabase, Inc. | Postgres database and authentication. SOC 2 Type II, ISO/IEC 27001:2022, GDPR-compliant. Data hosted in U.S. regions. |
| Stripe, Inc. | Payment processing. PCI DSS Level 1. Card data is tokenized; WME never sees card numbers. |
| Vercel, Inc. | Application hosting and CDN. SOC 2 Type II. Also provides Vercel Analytics, a cookieless, aggregate traffic measurement service that does not set cookies, does not build a cross-site profile, and does not store personally identifying information. |
| Cloudflare, Inc. | DNS and edge network for whatsmyesg.com. |
| Resend | Transactional email (magic-link sign-in, receipts, account notices). |
| OpenRouter, Inc. | LLM gateway for ESG report synthesis. When you generate a report, the entity name and any user-provided notes are sent to OpenRouter, which routes the request to a downstream LLM provider (currently Anthropic, PBC, primary model anthropic/claude-opus-4.7, with OpenAI as automatic fallback if the primary is rate-limited or unavailable). No payment data, no account credentials, and no PII beyond the entity name and any notes you choose to include are transmitted. Each provider applies its own data-handling policy; we do not authorize them to train models on the content of your requests beyond the providers’ standard zero-retention or limited-retention enterprise API policies. |
We use cookieless, aggregate analytics (Vercel Analytics, listed above) to measure site traffic. We do not currently run third-party advertising trackers or social-media measurement pixels (such as the Meta Pixel or the LinkedIn Insight Tag). We may enable advertising or measurement pixels in the future for advertising measurement; before any such pixel becomes active, we will update this Policy and the Cookie Policy to name the provider and describe the available opt-out.
5. International Transfers
WME is operated from the United States and our primary data infrastructure is hosted in the United States. If you access the service from the EU, UK, or another jurisdiction with data-export restrictions, your information will be transferred to the U.S. under the European Commission’s Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, which we incorporate by reference into our processor agreements.
6. Your Rights
Subject to applicable law, you may exercise the following rights at any time by emailing privacy@whatsmyesg.com. We will verify your identity using the email address tied to your account.
- Access — request a copy of the personal information we hold about you.
- Deletion — request that we erase your personal information.
- Correction — request that we correct inaccurate information.
- Portability — request a machine-readable export of your data.
- Opt-out of sale or sharing — not applicable: we do not sell or share for cross-context behavioral advertising.
- Limit use of sensitive personal information — not applicable: we do not collect sensitive personal information as defined under CPRA § 1798.140(ae).
- Object to processing — (GDPR Art. 21) object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
- Lodge a complaint — with a supervisory authority (e.g., the Texas Attorney General, the California Privacy Protection Agency, or your EU/UK data-protection authority).
We respond to verifiable requests within 45 days (CCPA/CPRA) or 30 days (GDPR), with one extension permitted where law allows.
7. Cookies and Similar Technologies
We use essential cookies necessary to operate the service, plus a cookieless, aggregate analytics service (Vercel Analytics) that does not set cookies. We do not currently run advertising or measurement pixels; we may enable them in the future, in which case each provider will be named with opt-out instructions before activation. See the Cookie Policy for the full list, purposes, and how to disable them. Per CalOPPA § 22575(b)(5), we do not currently honor a single Do-Not-Track signal because no industry consensus has been adopted; our current analytics is cookieless and aggregate, and we do not build cross-site advertising profiles of you.
8. Children’s Privacy
WME is a business-to-business intelligence tool. It is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child has submitted information to us, contact privacy@whatsmyesg.com and we will delete it promptly.
9. Security
See the Security page for the encryption, access-control, and incident-response measures we operate. No system is impenetrable; we maintain reasonable administrative, technical, and physical safeguards appropriate to the risks involved.
10. Changes to This Policy
If we materially change this Policy, we will update the effective date above and, where required by law, notify you by email or via an in-product banner before the change takes effect. Non-material changes (typo fixes, clarifications) take effect on posting.
11. Contact
Vertexium Environmental Solutions
Dallas, Texas, United States
privacy@whatsmyesg.com · info@whatsmyesg.com
If privacy@ bounces during the pre-launch period, write to info@ — both addresses route to the same operations queue.
