1. Data Controller
Nossa Data, Inc. ("Nossa Data," "we," "us," or "our") is the data controller responsible for the personal data described in this Privacy Policy. Our principal place of business is:
Nossa Data, Inc.
47 Finsbury Square, London EC2A 1PX
Boston, MA 02210
United States
Email: [email protected]
Phone: +1 (617) 429-8100
Where Nossa Data processes personal data on behalf of its customers (e.g., employee data uploaded to the platform for ESG reporting purposes), Nossa Data acts as a data processor and the customer acts as the data controller. The customer's privacy policy governs in those instances.
2. Scope of This Policy
This Privacy Policy applies to personal data collected through our website at nossadata.org, our cloud-based ESG reporting and sustainability data management platform (the "Service"), and any associated communications. It does not apply to third-party websites, services, or applications that may be linked to or integrated with our Service.
By using our website or Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.
3. Data We Collect
3.1 Account and Registration Data
When you register for the Nossa Data platform, we collect information necessary to create and maintain your account:
- Full name and job title
- Business email address
- Company name and industry
- Password (stored as a salted hash; we do not store plaintext passwords)
- Telephone number (optional, for support purposes)
- Billing address and country of residence
- Time zone and preferred language
3.2 Usage and Platform Data
We collect information about how you interact with our Service, including:
- Log data: IP address, browser type and version, operating system, referral URLs, pages visited, and timestamps
- Feature usage data: which modules, reports, and integrations you use, and how frequently
- Session identifiers and authentication tokens
- Error and diagnostic logs
- Device identifiers and user agent strings
- Search queries within the platform
3.3 ESG Reporting Data
The core function of the Service involves processing sustainability and ESG data that you or your organization upload or connect to the platform. This data may include:
- Energy consumption figures, GHG emissions data, and environmental performance metrics
- Social metrics including employee headcount, turnover, injury rates, and diversity figures
- Governance information including board composition, committee structures, and policy documentation
- Supply chain data including supplier names, locations, and sustainability performance indicators
- Internal financial and operational data used for ESG calculation purposes
- Third-party audit and assurance documentation
To the extent this data constitutes personal data under applicable law (for example, named employee records), Nossa Data processes it as a data processor acting under your instructions as the data controller. You are responsible for ensuring that you have a lawful basis for processing such data and for complying with applicable data protection laws in relation to those data subjects.
3.4 Billing and Financial Data
We use Stripe, Inc. as our payment processor. When you provide payment information, it is transmitted directly to Stripe using TLS encryption and stored on Stripe's PCI-DSS-compliant systems. Nossa Data receives and stores only a payment method token, the last four digits of your card number, expiration date, and billing address. Nossa Data does not store full credit card numbers or CVV codes.
3.5 Communications Data
We retain records of communications between you and Nossa Data, including support tickets, email correspondence, demo request forms, and webinar registrations, together with the content of those communications.
3.6 Data Collected Automatically from Our Website
When you visit nossadata.org, we collect certain information automatically through cookies and similar tracking technologies. Please see Section 11 (Cookies and Tracking Technologies) for details.
4. How We Use Your Data
4.1 Service Delivery
We use your personal data to provide, operate, and maintain the Nossa Data platform, including authenticating users, processing data uploads, generating reports, and enabling integrations with connected data sources.
4.2 Compliance Reporting Support
We use ESG data you upload to support the production of regulatory filings and voluntary disclosures under GRI, SASB, TCFD, CSRD, SFDR, SEC Climate Disclosure rules, and other frameworks. This is the primary purpose for which the Service is provided.
4.3 Customer Support
We use contact and account data to respond to support requests, troubleshoot technical issues, communicate service updates, and provide onboarding assistance.
4.4 Service Improvement and Analytics
We analyze aggregated, anonymized usage data to understand how the Service is used, identify areas for improvement, prioritize product features, and monitor system performance. We do not use individual user data for advertising purposes.
4.5 Billing and Account Management
We use billing data to process subscription payments, issue invoices, manage renewals, and handle refunds or disputes through our payment processor.
4.6 Legal and Compliance Obligations
We may process your data to comply with applicable laws, respond to lawful requests from public authorities, enforce our Terms of Service, and protect the rights and safety of Nossa Data, our customers, and others.
4.7 Security and Fraud Prevention
We process log and usage data to detect, investigate, and prevent unauthorized access, data breaches, and other security incidents.
5. Legal Bases for Processing (GDPR)
For individuals located in the European Economic Area or the United Kingdom, we process personal data under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the Service under our agreement with you, including account creation, platform operation, and billing.
- Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests in improving our products, preventing fraud, and ensuring security, provided those interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c)): Processing required to comply with applicable law, including tax, financial, and regulatory requirements.
- Consent (Article 6(1)(a)): Where we rely on your consent (for example, for non-essential cookies or marketing communications), you may withdraw that consent at any time by contacting us at [email protected].
6. Data Sharing and Third Parties
We do not sell your personal data to third parties. We share data only in the following circumstances:
6.1 Service Providers (Data Processors)
We engage the following categories of sub-processors to operate our Service. Each is bound by data processing agreements that restrict use of data to providing services to Nossa Data:
- Amazon Web Services, Inc. (AWS): Cloud infrastructure provider. Customer data and platform data are hosted on AWS servers. AWS processes data in accordance with our data processing addendum. AWS certifications include ISO 27001, SOC 2 Type II, and PCI-DSS.
- Stripe, Inc.: Payment processing. Stripe handles all payment card data under its own PCI-DSS Level 1 certification.
- Intercom, Inc.: In-platform chat and customer support ticketing. Contact and account data is shared with Intercom to provide support functionality.
- Mixpanel, Inc.: Product analytics. Pseudonymized usage data is processed by Mixpanel to generate product analytics reports.
- SendGrid (Twilio Inc.): Transactional email delivery for account notifications, reports, and system alerts.
6.2 Legal Requirements
We may disclose personal data if required to do so by law, court order, or valid legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud.
6.3 Business Transfers
If Nossa Data undergoes a merger, acquisition, sale of assets, or other business combination, personal data may be transferred to the successor entity as part of that transaction, subject to the same privacy protections described in this policy.
7. Data Retention
We retain personal data for the periods set out below, or as otherwise required by applicable law:
- Account and registration data: For the duration of your active account, plus three years after account closure to support legal and regulatory obligations.
- ESG reporting data: For the duration of your active subscription. Upon subscription termination, we retain ESG data for 90 days during which you may export your data. After 90 days, data is deleted from production systems. Backup copies are purged within 180 days.
- Billing records: Seven years from the date of the transaction, in accordance with US financial recordkeeping requirements.
- Support and communications records: Three years from the date of last contact.
- Log and usage data: 13 months from collection, after which logs are aggregated and anonymized.
- Marketing consent records: Until consent is withdrawn, plus five years to document compliance.
8. Your Rights Under GDPR
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how it is processed.
- Right to rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data we hold about you.
- Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful.
- Right to restriction of processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest its accuracy or object to its processing.
- Right to data portability (Article 20): You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
- Right to object (Article 21): You have the right to object to processing of your personal data based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Article 22): You have the right not to be subject to decisions made solely by automated processing that produce significant legal or similarly significant effects on you. Nossa Data does not currently use automated decision-making of this nature.
- Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the purposes for which we use it, and the categories of third parties with whom we share it.
- Right to delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: You have the right to request correction of inaccurate personal information.
- Right to opt-out of sale or sharing: We do not sell personal information as defined under the CCPA, nor do we share it for cross-context behavioral advertising. No opt-out mechanism is required, but you may contact us to confirm our practices.
- Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes other than those permitted under the CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising any of your California privacy rights.
To exercise your California privacy rights, submit a verifiable consumer request to [email protected] or call +1 (617) 429-8100. We will respond within 45 calendar days.
10. ESG Data — Special Provisions
The ESG reporting data that you submit to the Nossa Data platform is treated as confidential business information. We implement the following specific protections for this data category:
- Data isolation: Each customer's ESG data is stored in logically isolated tenant partitions on AWS. Your data is never merged with, compared against, or made accessible to other customers' data.
- No benchmarking without consent: We do not use your proprietary ESG data to generate industry benchmarks or comparative analyses for third parties without your explicit written consent.
- Export control: You retain full ownership of your ESG data. You may export it in CSV or JSON format at any time from the platform settings, or request a full data export from our support team.
- Regulatory disclosure requests: If we receive a subpoena or regulatory request for your ESG data, we will notify you promptly (to the extent legally permitted) so you may seek a protective order.
- Assurance provider access: We support your ability to grant read-only access to third-party assurance providers. Such access is governed by the roles and permissions you configure in the platform and ceases when you revoke it.
11. Cookies and Tracking Technologies
We use cookies and similar technologies on nossadata.org and within the platform. A cookie is a small text file stored on your device that helps us recognize you and remember your preferences.
- Essential cookies: Required for the platform to function, including session authentication, security tokens, and load balancing. These cannot be disabled.
- Analytics cookies: We use Mixpanel to understand how users interact with our website and platform. These cookies collect anonymized data about pages visited and features used.
- Functional cookies: Remember your preferences such as language, time zone, and dashboard layout.
- Third-party cookies: Stripe may set cookies in connection with payment flows. Intercom sets cookies to support the in-platform chat widget.
You can control non-essential cookies through our Cookie Preference Center (accessible via the cookie banner on first visit) or through your browser settings. For detailed information, see our Cookie Policy.
12. Security
Nossa Data maintains a comprehensive information security program designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. Key measures include:
- SOC 2 Type II certification: Nossa Data is certified under the AICPA SOC 2 Trust Services Criteria. Our annual SOC 2 Type II report is available to enterprise customers under NDA upon request.
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher. API communications require HTTPS.
- Encryption at rest: All customer data stored in AWS is encrypted at rest using AES-256 encryption.
- Access controls: Platform access is enforced through role-based access control (RBAC). Administrative access to production systems is restricted to named personnel and requires multi-factor authentication.
- Vulnerability management: We conduct regular penetration testing by accredited third-party security firms and maintain a responsible disclosure program.
- Incident response: We maintain a documented incident response procedure. In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, in accordance with GDPR Article 33 requirements.
13. International Data Transfers
Nossa Data is headquartered in the United States. If you are accessing our Service from the European Economic Area, United Kingdom, Switzerland, or other jurisdictions with data transfer restrictions, your personal data will be transferred to and processed in the United States.
We ensure that such transfers comply with applicable data protection law through the following mechanisms:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses for data transfers from the EEA to third countries. These are incorporated by reference into our Data Processing Agreement, available upon request.
- UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom, we use the UK IDTA or the UK Addendum to the EU SCCs where applicable.
- Transfer Impact Assessment: We conduct Transfer Impact Assessments for EEA-to-US data transfers in accordance with the requirements of the Schrems II decision and applicable supervisory authority guidance.
14. Children's Privacy
Our Service is intended for use by business professionals and is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email to the address associated with your account and/or by posting a prominent notice on our website at least 30 days before the changes take effect. The updated policy will be effective as of the date indicated at the top of this page.
Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the revised terms.
16. Contact Us
For questions, concerns, or requests related to this Privacy Policy or the exercise of your data protection rights, please contact our Privacy Team:
Privacy Team
Nossa Data, Inc.
47 Finsbury Square, London EC2A 1PX
Boston, MA 02210
Email: [email protected]
Phone: +1 (617) 429-8100
For EEA residents: You may also contact your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.