1. Introduction and Commitment to Privacy
LEIFLYTICS ("we," "our," or "us") is committed to protecting your privacy and maintaining the highest standards of data protection. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our ESG (Environmental, Social, and Governance) reporting platform, website, and related services.
Please read this Privacy Policy carefully. If you do not agree with our practices, please do not use our services. By accessing LEIFLYTICS, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
A. Information You Provide Directly:
- Account information: name, email address, company name, industry, phone number
- Billing information: payment method, billing address
- ESG and sustainability data: emissions data, employee information, supply chain details, compliance metrics
- Profile information: role, department, preferences
- Communications: support requests, feedback, survey responses
B. Information Collected Automatically:
- Usage data: pages visited, features used, time spent, IP address
- Device information: browser type, operating system, device ID
- Cookies and similar technologies: for session management and user preferences
- Log data: access times, error logs, referrer URLs
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our ESG analytics and reporting platform
- Process your ESG data and generate compliance reports
- Generate AI-powered insights, narratives, and recommendations using third-party AI models (see Section 14 below)
- Create and manage your account and subscriptions
- Process payments and handle billing matters
- Send service updates, security alerts, and support communications
- Respond to your inquiries and provide customer support
- Analyze usage patterns to improve platform features and functionality
- Conduct internal research and analytics
- Comply with legal obligations and enforce our Terms of Service
- Detect and prevent fraudulent activity and abuse
4. Data Security and Protection
We implement comprehensive technical and organizational security measures to protect your personal information and ESG data against unauthorized access, alteration, disclosure, and destruction. These measures include:
- Encryption of data in transit (SSL/TLS) and at rest
- Secure server infrastructure with firewalls and intrusion detection
- Access controls and authentication mechanisms
- Regular security audits and penetration testing
- Employee training on data protection practices
- Data retention policies aligned with legal requirements
5. Third-Party Service Providers
We do NOT sell your personal information to third parties. We share your information only with the following categories of service providers, each bound by data processing agreements:
- Cloud Hosting: Fly.io (application hosting, US region)
- AI Processing: Anthropic (Claude API for ESG insights and report narratives) and OpenAI (GPT models for compliance analysis)
- Payment Processing: Stripe (billing and subscription management)
- Email: SendGrid (transactional and notification emails)
- Error Monitoring: Sentry (application error tracking — no ESG data transmitted)
- Analytics: Google Analytics (anonymised usage patterns)
We may also share information with law enforcement or government agencies when required by law, or with other parties in connection with company transactions (e.g., acquisitions).
All service providers are bound by confidentiality agreements and are prohibited from using your information for purposes other than providing services to us.
6. Your Rights and Choices
Depending on your location, you may have the following rights:
- Right to Access: Request a copy of your personal information
- Right to Correct: Request correction of inaccurate data
- Right to Delete: Request deletion of your data (subject to legal obligations)
- Right to Data Portability: Request your data in a machine-readable format
- Right to Opt-Out: Unsubscribe from marketing communications
- Right to Withdraw Consent: Withdraw consent for data processing
7. Regulatory Compliance
We are committed to compliance with applicable data protection regulations:
- GDPR (EU/EEA): If you are located in the EU or EEA, you have rights under the General Data Protection Regulation including access, rectification, erasure, restriction, portability, and objection.
- CCPA (California): California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information (we do not sell personal information).
- UK Data Protection Act 2018: UK residents have rights under the UK GDPR and Data Protection Act 2018, including access, rectification, erasure, and objection. Complaints may be directed to the Information Commissioner's Office (ICO).
Contact us at [email protected] to exercise any of these rights.
8. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance user experience, remember preferences, and analyze platform usage. You can control cookies through your browser settings, though some features may not function properly if cookies are disabled.
9. Data Retention
We retain your personal information and ESG data for as long as your account is active or as needed to provide services. Upon account termination, we retain data for 30 days to allow data export, then delete it unless legal obligations require longer retention.
10. Children's Privacy
LEIFLYTICS is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided personal information, we will delete such information immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy at any time. Changes will be effective immediately upon posting. We encourage you to review this policy periodically to stay informed of how we protect your information.
12. International Data Transfers and Data Residency
Your data is primarily stored and processed on servers located in the United States (Fly.io US region). Your information may also be processed by our third-party service providers in their respective data centres. By using LEIFLYTICS, you consent to such transfers.
For EU/EEA users, we implement Standard Contractual Clauses (SCCs) and other safeguards to ensure adequate protection for cross-border data transfers. For New Zealand users, transfers comply with the Privacy Act 2020 requirements for overseas disclosure.
13. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR, the NZ Privacy Act 2020, and other applicable regulations. Notification will include the nature of the breach, data affected, and steps taken to address it.
14. AI and Automated Processing
LEIFLYTICS uses artificial intelligence and machine learning to provide ESG insights and to generate report narratives, compliance analysis, and recommendations. Important information about our AI features:
- AI Providers: We use Anthropic (Claude) and OpenAI (GPT) APIs to process ESG data and generate insights. Your ESG data may be sent to these providers for processing.
- Data Minimisation: We send only the minimum data necessary for each AI operation. We do not send personally identifiable information to AI providers unless required for the specific feature.
- No AI Training: Your data is NOT used to train AI models. Our agreements with AI providers prohibit the use of your data for model training.
- Human Oversight: AI-generated content (reports, insights, recommendations) is clearly labelled and should be reviewed by qualified professionals before use in compliance filings or public disclosures.
- Opt-Out: You may contact us to disable AI-powered features for your account if you prefer not to have your data processed by third-party AI models.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Email: [email protected]
Support: [email protected]