Legal

Privacy Policy and Personal Data Protection

In effect from 1 October 2025

This is a machine translation provided for your convenience. The legally binding version is the Slovenian original.

(hereinafter: "Privacy Policy")

Basic concepts

  • Personal data: any information relating to an identified or identifiable individual;
  • Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;
  • Recipient: a natural or legal person, public authority, agency, or other body to which personal data has been disclosed, whether or not it is a third party.
  • Individual: any person whose personal data is processed;
  • Website: all of the Controller's web pages with all subtabs, links, and related web pages.
  • Application: all software provided by the Controller, as defined in the Company's General Terms and Conditions.

1. Introduction

The controller of the personal data processed in accordance with this Privacy Policy is the company ESGON, d.o.o., Ameriška ulica 2, 1000 Ljubljana, tax number: 32212950, registration number: 7487622000 (hereinafter: "Controller"). This Privacy Policy follows the principles of transparency and diligent handling of personal data in accordance with the General Data Protection Regulation (hereinafter: "GDPR") and the Personal Data Protection Act (hereinafter: "ZVOP-2").

For any questions regarding this Privacy Policy, the Controller is available at the email address info@esgon.si. The company does not have a data protection officer.

2. Legal bases for the processing of personal data on the website and in the application

a) Processing on the basis of a contract between the Controller and the Individual

The Controller processes certain personal data for the purposes of fulfilling the order and the contract concluded between the Individual and the Controller:

a. General:

  • company name
  • address of the company's registered office
  • list of controlling and subsidiary companies
  • company domain (e.g. @esgon.si)
  • company's primary color
  • company logo

b. Company description

  • general description of the company
  • description of activities
  • description of the portfolio
  • organizational form
  • tax number

c. Organizational boundaries (locations)

  • names of locations
  • full address

The Controller retains the said data for a further 5 years from the termination of the contract.

b) Processing necessary for compliance with a legal obligation to which the controller is subject

The Controller may issue an invoice to the Individual for the payment of individual services. As part of this, the Controller processes and stores the personal data stated on the invoice.

The Controller retains these personal data (invoices) for 10 years from issuance.

c) Processing on the basis of legitimate interest

The Controller processes certain personal data because this is necessary for the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The processing of all the personal data listed below is intended to ensure a higher-quality user experience. On this basis, the Controller processes the following personal data:

  • IP addresses from which the Individual accesses the Website. Logging is necessary for the detection and prevention of abuse on the website;
  • logins in the Application: username, date and time of login. Logging is necessary for the detection and prevention of abuse in the Applications;
  • data about the devices from which the Recipient accesses the Website and/or Application;
  • cookie data for functionality, as defined in the Cookie Policy.

All the data listed are retained for 2 years from acquisition, except for essential cookies, which may be stored for a period of up to 6 months. The Individual may object to the processing of personal data for these purposes at any time by sending an email to info@esgon.si.

d) Processing on the basis of consent to the processing of personal data

The Controller processes certain personal data on the basis of the Individual's consent:

  • Email address;
  • Data collected on the basis of the functions of the Google Analytics service, to which the Individual consents within the framework of the Cookie Policy;
  • Data collected on the basis of the function of the Hotjar service, to which the Individual consents within the framework of the Cookie Policy;
  • All data that the Individual provides in the contact form on the Controller's website.

Consent may be withdrawn at any time.

3. Transfer of data to third parties and transfer of data to third countries (countries that are not members of the European Economic Area)

The Controller shares personal data with the following data recipients:

a. Google Analytics

Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001. Google Analytics terms of service, a general overview of Google Analytics security and privacy principles, Google's privacy policy. Google uses standard contractual clauses (SCC) for data transfers to third countries.

b. Hotjar

Hotjar: Hotjar Ltd. is a European company based in Malta (Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe Tel.: +1 (855) 464-6788).

The ESG On application is hosted entirely in Azure's European data centers. The cloud provider Microsoft Azure adheres to the strictest compliance requirements, such as ISO27001, EU GDPR, EN 301 549, EU Cloud CoC, and the ENISA cybersecurity assurance framework (IAF). The Microsoft cloud services used by ESG On also regularly undergo thorough independent third-party audits under the SOC 2 Type 2 standard. The full compliance documentation can be found at the following address: https://learn.microsoft.com/en-us/azure/compliance/.

Components used:

  • Data storage (Western Europe - Frankfurt and Northern Europe - Dublin)
  • Log Analytics
  • Cosmos DB
  • Postgres
  • Storage account
  • Search service
  • Dependencies
  • Azure AI services
  • Azure OpenAI
  • Data processing
  • Service Bus
  • B2C authentication
  • Container Apps Environment

The personal data collected within the Application and the Website are not transferred to third countries.

4. Handling of personal data after the expiry of the retention period

When the retention period defined in this Privacy Policy expires for a particular piece of personal data or set of data, the Controller effectively and permanently deletes or anonymizes such personal data so that it can no longer be associated with the Individual.

5. The individual's rights regarding the processing of personal data

The Individual has the following rights with regard to their personal data:

a) Right of access by the data subject

The data subject has the right to obtain confirmation from the Controller as to whether personal data concerning them is being processed. Where the answer is affirmative, the Individual has the right to access the personal data and the following information:

  • the types of personal data being processed;
  • the categories of Recipients to whom the personal data has been or will be disclosed;
  • retention periods;
  • the existence of the right to request from the Controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning the data subject, or the existence of the right to object to such processing;
  • the right to lodge a complaint with the Information Commissioner;
  • where the personal data is not collected from the data subject, all available information regarding its source;
  • the existence of automated decision-making, including profiling, and meaningful information about the reasons for it, as well as the significance and envisaged consequences of such processing for the individual.

Within the framework of this right, the Individual has the option to request one free copy of the personal data in a form determined by themselves. If the request is submitted by electronic means of communication and the Individual does not request otherwise, the copy is provided in electronic form. For additional copies requested by the Individual, the Controller may charge a reasonable fee, taking into account the costs incurred by the Controller in doing so.

b) Right to rectification

The data subject has the right to obtain from the Controller, without undue delay, the rectification of their inaccurate personal data.

c) Right to erasure of data

The Individual may request that the Controller erase the personal data concerning them without undue delay in the following cases:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • the data subject withdraws the consent on which the processing is based, and where there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for it, or the data subject objects to the processing for direct marketing purposes;
  • the personal data has been processed unlawfully;
  • the personal data must be erased to comply with a legal obligation under the law of the Republic of Slovenia or the European Union.

d) Right to restriction of processing

The Individual may request that the processing of data concerning them be restricted. They may request this in the following cases:

  • the Individual contests the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
  • the processing is unlawful and the Individual opposes the erasure of the personal data and requests the restriction of its use instead;
  • the Controller no longer needs the personal data for the purposes of processing, but the Individual requires it for the establishment, exercise, or defense of legal claims;
  • the data subject has lodged an objection regarding the processing, pending verification of whether the Controller's legitimate grounds override those of the Individual.

e) Right to data portability

The data subject has the right to receive the personal data concerning them and the right to transmit that data to another controller without hindrance from the controller to which the personal data was provided, where the conditions of Article 20 GDPR are met.

f) Right to object

The data subject has the right to object at any time to the processing of personal data concerning them. In such a case, the Controller shall cease processing the personal data, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

The Individual may always object to the processing of personal data for direct marketing purposes. In such a case, the Controller may no longer process the personal data for this purpose.

The Individual also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, where the conditions of Article 22 GDPR are met.

g) Right to lodge a complaint regarding the processing of personal data

Every Individual may lodge a complaint against the Controller with the Information Commissioner when they consider that the processing of their personal data infringes the applicable legislation.

6. Information on the existence of automated decision-making

The Controller collects, analyzes, and processes the information it gathers within the Applications. It uses this information to improve the appearance, functionality, and security of the Website and the Applications.

7. Withdrawal of consent to the processing of personal data and consequences for the individual

The Individual may withdraw their consent to the processing of personal data at any time. This can be done by a written statement sent to the Controller at the Controller's address or by email to info@esgon.si.

The withdrawal of consent to the processing of personal data has no negative consequences or sanctions for the Individual. However, it is possible that, after the withdrawal of consent, the Controller may no longer be able to provide the Individual with one or more of its services. This happens when the services are ones that cannot be provided without personal data (e.g. membership in a loyalty club or personalized notifications).

If, after the withdrawal of consent to the processing of personal data, there is no other legal ground, the Controller will effectively and permanently delete or anonymize the personal data of the Individual to which the withdrawal relates, so that it can no longer be associated with the Individual.

8. Procedure for exercising rights regarding personal data

The Individual may address all requests concerning the exercise of rights regarding personal data in writing to the Controller, namely at the Controller's address or by email to info@esgon.si.

Where the Controller has reasonable doubt concerning the identity of the Individual who submits a request regarding the protection of personal data, it may request the provision of additional information necessary to confirm the identity of the data subject.

The Controller must respond to the Individual's request without undue delay, and at the latest within one month of receipt of the request. In the event of greater complexity of the request or a larger number of requests, this period may be extended by a maximum of two additional months.

9. Cookies

Cookies are used in accordance with the Cookie Policy published on the Controller's website.

10. Consent and changes to the terms

Every user of the services of this website agrees to certain terms of use. The Controller undertakes to comply with all the above provisions and the applicable legislation. Each registration on the website also includes the Individual's consent that the Controller may send them an email or contact them via telephone number.

Any change to this Privacy Policy shall take effect only after publication on this website and after sending email notifications to all registered Individuals.

This personal data protection policy is in effect from 1 October 2025 onward.

See also: Cookie Policy · General Terms and Conditions
