Loading...
BETA – We are refining the platform. Your feedback helps us improve. Share feedback
Loading...
Last updated: 2 May 2026 · Effective: 1 June 2026 · Version 0.1 (pre-lawyer-review draft)
This policy is under lawyer review. Where any clause conflicts with your statutory rights under UK GDPR, EU GDPR, or POPIA, those statutory rights prevail.
Citable ESG Orgs. (the “Platform”) is a B2B directory of ESG, sustainability-minded and impact-driven organisations, accessible at citableesg.com.
The Platform is operated by:
Card-payment transactions and billing data are received by The Ethical Agency Ltd (UK) as the merchant of record via Stripe. A subset of transaction metadata – customer name, billing country, plan, amount, currency, invoice reference, subscription identifier (excluding raw card data, which is held only by Stripe in tokenised form) – is made available to The Ethical Agency (Pty) Ltd (SA) as the data controller for the purposes of consolidated financial reporting, VAT and corporate tax compliance, customer support, and audit. This data flow is governed by the same internal DPA referenced above and uses the UK International Data Transfer Addendum (UK Addendum to the EU SCCs) for any restricted transfer between the two entities.
References below to “we”, “us”, or “our” mean The Ethical Agency (Pty) Ltd unless context indicates otherwise.
Information Officer (POPIA) and primary privacy contact:
Brett Jefferson
Email: hello@citableesg.com
You can use this address for any question about how we process your personal data, to exercise the rights described in §11, or to request a copy of this policy in another format.
For UK-specific or EU-specific data-protection enquiries, the same contact applies.
We collect personal data in five main contexts:
| Data | Purpose | Source |
|---|---|---|
| Name | Identifying you on the Platform | You |
| Email address | Account access, transactional emails (login, billing, support) | You |
| Password (hashed) | Account security | You |
| Authentication provider IDs (Google, LinkedIn) | Single sign-on if you choose it | Your authentication provider |
| Profile image | Display on your organisation’s profile | You |
| Job title, role | Display on profile, search filtering | You |
| Data | Purpose | Source |
|---|---|---|
| Organisation name, address, country, sector, services, sustainability credentials, climate targets, accreditations | Public directory listing | You / B Lab open dataset / SBTi (where permitted) |
| Logo, cover image, video URL | Display on profile | You |
| Description, tagline, custom CTA | Display on profile | You |
| Reviews you give or receive | Public-facing review record | Reviewers (verified users) |
| Data | Purpose | Source |
|---|---|---|
| Cardholder name, billing address | Card payment processing | You |
| Card details (tokenised by Stripe; we never see the raw number) | Recurring billing | Stripe |
| Transaction amount, currency, date | Invoice generation, accounting | Payment flow |
| VAT / GST identifier | Tax invoicing | You |
Card payment data is processed by The Ethical Agency Ltd (UK) as merchant of record, and by Stripe Payments UK Ltd as payment processor. We never store raw card numbers.
If your organisation appears in a public ESG dataset (such as the B Lab CC-BY-SA dataset on data.world), we may pre-populate a profile for it on the Platform and send a one-time email invitation to claim that profile.
| Data | Purpose | Source |
|---|---|---|
| Your name, work email, job title, employer | Sending you the claim invitation | Public ESG datasets (e.g. B Lab) and contact-enrichment provider Apollo |
The lawful basis is Article 6(1)(f) UK GDPR / POPIA §11(1)(f) – legitimate interests of the controller. You can opt out at any time using the unsubscribe link in any email or by emailing hello@citableesg.com.
| Data | Purpose | Source |
|---|---|---|
| IP address | Security, abuse prevention, geographic content | Your browser |
| User agent (browser, device, OS) | Compatibility, analytics | Your browser |
| Pages viewed, referrer URL, time on page | Analytics, performance optimisation | Analytics scripts |
| Cookies and similar technologies | See §10 | Your browser |
Under UK GDPR / EU GDPR Article 6 and POPIA §11, we rely on the following lawful bases:
| Processing | Lawful basis |
|---|---|
| Operating your account and providing the Platform | Performance of contract – Art. 6(1)(b) GDPR / POPIA §11(1)(b) |
| Sending claim invitations to public-dataset organisations | Legitimate interest – Art. 6(1)(f) GDPR / POPIA §11(1)(f) |
| Billing, invoicing, and tax compliance | Performance of contract + legal obligation – Art. 6(1)(b) and (c) GDPR / POPIA §11(1)(b) and (c) |
| Security, fraud prevention, abuse handling | Legitimate interest |
| Analytics and Platform improvement | Legitimate interest, with consent for any non-essential cookies |
| Marketing emails to existing customers (if any) | Soft opt-in (Art. 6(1)(f) GDPR + PECR Reg. 22(3)) – only for own similar services to existing customers; opt-out in every email |
| AI content moderation (Anthropic Claude API) | Legitimate interest in keeping the Platform free of greenwashing and inappropriate content. Article 22 GDPR: AI moderation flags potentially non-compliant content but does not autonomously reject, suspend, or delete listings. Every AI flag is reviewed by a human moderator before any restriction takes effect. |
We share data only with the third parties listed below, each of whom processes data on our behalf as a sub-processor. Each is bound by a written data-processing agreement.
| Provider | Purpose | Region | Safeguards |
|---|---|---|---|
| Neon | Database hosting (PostgreSQL) | EU / US | EU SCCs / UK Addendum + DPA. Encryption at rest (AES-256) + in transit. SOC 2 Type II. |
| Cloudflare R2 | File storage (logos, cover images, document uploads) | Global edge | EU SCCs / UK Addendum + DPA. Encryption at rest + in transit. SOC 2 Type II. ISO 27001. |
| Auth.js + Clerk | Authentication infrastructure | EU / US | EU SCCs / UK Addendum + DPA. Hashed credentials only. SOC 2 Type II. |
| Stripe Payments UK Ltd | Card payment processing, tax calculation | UK / Ireland / US | Stripe’s published DPA + PCI DSS Level 1. Encryption + tokenisation; raw card numbers never accessible to us. |
| The Ethical Agency Ltd (UK) | Merchant of record for Stripe-processed payments | United Kingdom | Internal DPA between affiliated TEA entities + UK International Data Transfer Addendum. |
| Resend | Transactional emails (login, billing, account notices) | US (with EU residency option) | EU SCCs + DPA. Encryption in transit + at rest. SOC 2 Type II. |
| Smartlead (521 PRODUCTS PTY LTD, ACN 645 593 835) | Corpus-seeding outreach delivery (claim invites only) | Australia / global infrastructure | DPA auto-accepted by paid subscription. EU SCCs incorporated. Encryption in transit + at rest. |
| Anthropic | AI content moderation | US | EU SCCs / UK Addendum + DPA. Zero-data-retention API mode where supported. |
| Sentry | Error monitoring and performance tracing | US (EU region available) | EU SCCs / UK Addendum + DPA. PII scrubbing on ingest. SOC 2 Type II. |
| Upstash | Rate limiting (Redis) | EU / US | EU SCCs + DPA. Encryption at rest + in transit. |
| Vercel | Application hosting and edge delivery | EU / US | EU SCCs / UK Addendum + DPA. SOC 2 Type II. ISO 27001. |
| Google Workspace | Operational email | EU / US | EU SCCs + DPA. SOC 2 Type II. ISO 27001 / 27018. 2FA enforced. |
The full Technical and Organisational Measures (TOMs) for each integration are documented in the corresponding DPA and are available on request.
We do not sell personal data to anyone. We do not share personal data for advertising-network targeting. We do not share personal data with parties outside this list except where required by law (e.g. response to a valid court order or regulatory request) or with your specific consent.
The current sub-processor list reflects integrations as at the date of this policy. We will update this list in advance of any material change. Subscribers may register for change notifications by emailing hello@citableesg.com.
Your data may be transferred and processed outside your country of residence – principally between South Africa, the United Kingdom, the European Union, and the United States.
Where your data leaves the UK or EU, we ensure adequate protection by relying on:
For transfers to or from South Africa, we comply with POPIA §72, which permits cross-border transfers of personal information only where:
For our SA→UK and SA→US transfers, we rely on the substantial-similarity route: the UK GDPR (and Data Protection Act 2018) provides protections substantially similar to POPIA, and the US sub-processors named in §5 are bound by the EU SCCs / UK Addendum + DPAs which establish substantially-similar protections by binding agreement. The Information Officer maintains a written transfer impact assessment for each cross-border flow.
A copy of the relevant transfer mechanism + transfer impact assessment for any specific provider is available on request.
| Data category | Retention |
|---|---|
| Active account data | For the life of your account, plus up to 90 days after closure for backup recovery |
| Closed-account data | Anonymised after 90 days (we keep aggregate analytics and audit logs that no longer identify you) |
| Billing and tax records | 7 years from the end of the relevant tax year, as required by UK and SA tax law |
| Audit logs of administrative actions | 2 years |
| Marketing engagement data (opens, clicks) | 18 months from last interaction |
| Claim-invite tracking data (open / click / bounce events) | 12 months from final send, then anonymised |
| Unclaimed-profile contact data | 6 months from last attempted contact, then purged. |
| Backups | 30 days, encrypted, automatically rotated |
| Server logs | 30 days |
If a longer retention period is required by law (e.g. ongoing litigation), we may retain the relevant data for that longer period.
If we discover a security breach affecting your personal data, we will notify the relevant supervisory authorities within the legally required timeframes and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
The Platform is a B2B service intended for use by adult professionals. It is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected a child’s data, contact us and we will delete it.
| Type | Purpose | Lawful basis |
|---|---|---|
| Strictly necessary | Authentication session, CSRF token, language preference, subscription state | Necessary for the Platform to function (no consent required) |
| Analytics | Anonymous usage analysis, performance monitoring | Consent (you can decline via the cookie banner) |
| Functional | Remembering preferences (e.g. currency toggle EUR/GBP/USD) | Consent |
We do not use advertising or tracking cookies. We do not participate in advertising networks.
You can manage your preferences via the cookie banner shown on first visit, or at any time via the “Cookie preferences” link in the footer. See also our Cookie Policy.
Under UK GDPR / EU GDPR / POPIA you have the following rights:
To exercise any of these rights, email hello@citableesg.com. Under UK GDPR / EU GDPR Art. 12(3), we respond without undue delay and at the latest within one month of receiving the request. Under POPIA we respond as soon as reasonably possible and in any event within the time limits required by §23. Where a request is complex or numerous, the response period may be extended by up to a further two months; we will tell you within the first month if an extension is needed and explain why.
We do not charge for exercising these rights, except where requests are manifestly unfounded, repetitive, or excessive.
We may update this policy from time to time. The “Last updated” date at the top reflects the most recent revision. For material changes, we will notify you in advance by email or by a prominent notice on the Platform.
A version history is maintained internally. You may request a previous version by emailing hello@citableesg.com.
Our processing is governed by POPIA. The Information Officer is Brett Jefferson, hello@citableesg.com. You have the rights set out in POPIA Chapter 3 in addition to those listed in §11.
Our processing is governed by the GDPR as it applies in your member state, as well as by national implementing legislation. You may also contact your local data-protection authority directly.
Our processing is governed by the UK GDPR and the Data Protection Act 2018. You may also contact the ICO directly.
You have rights under PIPEDA and (where applicable) provincial data-protection legislation. CASL governs commercial electronic messages we send you; we comply with CASL §6 and §10(9) including identification, opt-out, and lawful-basis requirements.
If you are a California resident, you have rights under the CCPA / CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of “sale” or “sharing” (we do neither). To exercise these rights, contact hello@citableesg.com.