Data & AI Privacy Policy
Effective: April 20, 2026 · Last updated: April 20, 2026
DoubleMaterialityIQ is operated by [LEGAL ENTITY NAME], registered at [REGISTERED ADDRESS] ("we", "us", "our").
This policy applies to any person or organisation ("you") that accesses or uses DoubleMaterialityIQ ("the Service"), including free trials, paid subscriptions, and API integrations.
For corporate accounts, your organisation is the data controller of the ESG assessment content you submit. We act as your data processor for that content and as data controller for account and billing data.
1. Legal Framework
We process personal data in compliance with:
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
- Regulation (EU) 2024/1689 — EU Artificial Intelligence Act (AI Act)
- Directive 2002/58/EC as amended — ePrivacy Directive
- Directive (EU) 2022/2555 — NIS2, for security obligations
- Applicable national implementing legislation
2. Data We Process
| Category | Examples | Our Role |
|---|---|---|
| Account data | Name, email, organisation, password hash | Controller |
| Billing data | Invoice details, VAT number (no raw card data — handled by Stripe) | Controller |
| Assessment content | ESG inputs, materiality matrices, stakeholder data you upload | Processor |
| Usage data | Feature interactions, session logs, error traces | Controller |
| Communications | Support requests, feedback forms | Controller |
We do not process special categories of data (Article 9 GDPR) and do not knowingly process data of individuals under 16.
3. Legal Basis for Processing (Article 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the Service (account, assessments, AI features) | Contract — Art. 6(1)(b) |
| Billing and invoicing | Legal obligation — Art. 6(1)(c) |
| Security monitoring and fraud prevention | Legitimate interests — Art. 6(1)(f) |
| Product analytics and improvement | Legitimate interests — Art. 6(1)(f) |
| Marketing communications | Consent — Art. 6(1)(a) |
Where we rely on legitimate interests, you may object at any time (see Section 8).
4. AI Processing — How It Works and What It Means for Your Data
What the AI does
DoubleMaterialityIQ uses large language model (LLM) APIs to assist with double materiality analysis, impact scoring, and report generation. The AI processes content you explicitly submit through the Service interface.
Our AI provider
We use the Anthropic API (Anthropic, PBC, San Francisco, CA, USA) to power AI features.
Key commitment: Anthropic's API terms explicitly state that input and output data submitted via the API is not used to train Anthropic's models. Your assessment data does not improve any AI model.
Data minimisation
We transmit only the content strictly necessary for each AI request. We do not send account identifiers, billing data, or metadata to the AI provider unless you have explicitly included that information in your assessment inputs.
EU AI Act classification
Under Regulation (EU) 2024/1689, DoubleMaterialityIQ's AI features are classified as limited-risk AI systems. Accordingly:
- You are always informed when content is AI-assisted (visual indicator in the interface).
- AI-generated outputs are clearly labelled and editable.
- No automated decision-making with legal or similarly significant effect is performed without human review.
We do not use prohibited AI practices as defined in Article 5 of the AI Act.
Human oversight
AI outputs are tools to support your analysis, not final determinations. All materiality assessments require human validation before being exported or used in regulatory filings.
5. Sub-Processors
We maintain Data Processing Agreements (DPAs) with each sub-processor listed below.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Vercel Inc. | Application hosting | USA / EU edge | SCCs + Vercel DPA |
| Supabase Inc. | Database & authentication | EU (AWS eu-central-1) | SCCs + Supabase DPA |
| Stripe Inc. | Payment processing | USA / EU | SCCs + Stripe DPA |
| Anthropic, PBC | AI language model API | USA | SCCs + Anthropic DPA |
We will notify you at least 30 days before adding or replacing a sub-processor that processes your assessment content. You may object within that period.
6. International Transfers
Some sub-processors are based outside the EEA (primarily USA). All such transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), supplemented by transfer impact assessments where required.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of subscription + 12 months |
| Assessment content | Duration of subscription + 12 months, or until deleted |
| Billing records | 7 years (EU accounting directive obligation) |
| Usage logs | 90 days rolling |
| AI request logs | 30 days (at Anthropic sub-processor level) |
After the retention period, data is permanently deleted or irreversibly anonymised. You may request early deletion at any time, subject to legal obligations.
8. Your Rights (GDPR Articles 15–22)
- Access — obtain a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion, “right to be forgotten” (Art. 17)
- Restriction — limit processing while a dispute is pending (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Object — to processing based on legitimate interests (Art. 21)
- Withdraw consent — at any time, without affecting prior processing (Art. 7(3))
- Not be subject to solely automated decisions with significant effect (Art. 22)
To exercise your rights, email doublematerialityiq@gmail.com with subject “GDPR Request”. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
You also have the right to lodge a complaint with your national supervisory authority: CNPD (Portugal), AEPD (Spain), or your local DPA per Article 77 GDPR.
9. Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security policies that prevent cross-organisation data access
- Access controls and role-based permissions
- Regular dependency and vulnerability scanning
- Incident response with 72-hour breach notification to the competent supervisory authority (Art. 33 GDPR) and to affected users where required (Art. 34 GDPR)
10. Enterprise Data Processing Agreement
Organisations that require a signed DPA — including those subject to their own GDPR compliance obligations — may request our standard DPA covering:
- Controller–processor obligations (Article 28 GDPR)
- Sub-processor management and notification
- Data subject request assistance
- Audit rights
- Return or deletion of data upon contract termination
Request a DPA at doublematerialityiq@gmail.com.
11. Cookies
We use strictly necessary cookies for session management and authentication (via Supabase Auth). We do not use advertising or cross-site tracking cookies. Product analytics events are tied to an anonymised internal session identifier.
12. Changes to This Policy
We may update this policy to reflect changes in the law or the Service. Material changes will be notified by email or in-app banner at least 14 days before they take effect. Continued use of the Service after that date constitutes acceptance.
13. Contact
- Controller: [LEGAL ENTITY NAME]
- Address: [REGISTERED ADDRESS]
- Email: doublematerialityiq@gmail.com
DoubleMaterialityIQ is committed to processing your data with the same rigour we help you document in your ESG assessments.
This policy was drafted in accordance with the GDPR and EU AI Act frameworks. Before public commercial launch, review with a qualified legal advisor in your jurisdiction to confirm compliance with any applicable national legislation.