ESG Lift: Professional Sustainability Reporting for SMEs in Compliance with the VSME Standard

Privacy Policy

As of: 20 March 2026

1. General Information and Mandatory Disclosures
Protecting your personal data is a matter of paramount importance to us. We process your personal data confidentially and in strict compliance with statutory data protection regulations, in particular the EU General Data Protection Regulation (GDPR), and this Privacy Policy.

This policy explains what data we collect, how we process it, and for what purposes.

2. Name and Address of the Data Controller
The controller within the meaning of the GDPR is:

mAIaNext UG (haftungsbeschränkt)
George Adamov
Altensteinstraße 40
14195 Berlin
Germany

Email: hello@esglift.com
Represented by: George Adamov

3. Definitions
Our privacy policy is based on the terms used by the European legislator when enacting the General Data Protection Regulation (GDPR). To ensure readability and clarity, we explain some key terms beforehand:

Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, or disclosure.
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

4. Rights of the Data Subject
In accordance with statutory provisions, you retain the following rights at any time:

Right of access under Art. 15 GDPR
Right to rectification under Art. 16 GDPR
Right to erasure ('Right to be forgotten') under Art. 17 GDPR
Right to restriction of processing under Art. 18 GDPR
Right to data portability under Art. 20 GDPR
Right to object under Art. 21 GDPR
Furthermore, you have the right to withdraw any consent granted at any time with future effect (Art. 7(3) GDPR) and to file a complaint with a data protection supervisory authority concerning our processing of your personal data (Art. 77 GDPR).

5. Provision of the Website and Contact Inquiries
a) Website Hosting with Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands.

  • Purpose: Hosting and rendering of the website

  • Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in the reliable delivery and presentation of the website)

  • Data Transfer to the USA: Framer may process data in the USA under certain circumstances. To safeguard this, Framer utilizes EU Standard Contractual Clauses pursuant to Art. 46(2) and (3) GDPR, which bind Framer to comply with EU data protection standards.

  • Link to Framer Privacy Policy: https://www.framer.com/legal/privacy-statement/

  • Link to Data Processing Addendum (DPA): https://www.framer.com/legal/data-processing-addendum/

Types of Data: IP address, browser type and browser version, operating system used, referrer URL, host name of the accessing computer, time of the server request.
Purpose: Storage in server log files is carried out to secure the functionality of the website and ensure the security of our information technology systems.
Legal Basis: Processing is carried out based on our legitimate interest in providing our online services securely and efficiently in accordance with Art. 6(1)(f) GDPR.
Contractual Basis: We have concluded a Data Processing Agreement (DPA) with Hostinger pursuant to Art. 28 GDPR.
b) Contacting Us via Email
When contacting us by email, the information provided by you (your email address and any other details provided) will be stored by us to handle your inquiry.

Purpose: Handling of your inquiry.
Legal Basis: Processing is conducted to carry out pre-contractual measures or for contract performance (Art. 6(1)(b) GDPR) or based on our legitimate interest in responding to your inquiry (Art. 6(1)(f) GDPR).
Storage Period: Data will be deleted as soon as the purpose of its collection is completed and no statutory storage obligations prevent its deletion.

c) Online Appointment Booking via Calendly
To provide an efficient online booking system, we use the service Calendly provided by Calendly LLC, 271 17th St NW, 10th Floor, Atlanta, Georgia 30363, USA.
If you book an appointment with us via Calendly, the data you enter will be transmitted to Calendly and processed there. This primarily includes your name, email address, the requested appointment slot, and any other voluntary info you provide in the booking form.
Purpose of Processing:
To facilitate swift and efficient booking, orchestration, and execution of meetings.
Legal Basis:
Data processing is conducted for pre-contractual measures or for contract performance pursuant to Art. 6(1)(b) GDPR. If additional voluntary information is added, processing is based on our legitimate interest in seamless communication pursuant to Art. 6(1)(f) GDPR.
Contractual Basis:
We have concluded a Data Processing Agreement (DPA) with Calendly pursuant to Art. 28 GDPR.
Data Transfer to Third Countries:
Calendly also processes personal data in the USA. Data transfers are secured by appropriate guarantees under Art. 44 et seq. GDPR, based in particular on Standard Contractual Clauses (SCCs) approved by the EU Commission. In addition, Calendly is certified under the EU-U.S. Data Privacy Framework.
Storage Period:
Data is stored for as long as required to conduct the scheduled meeting and subsequent follow-ups, provided no statutory retention duties prevent its erasure.
d) Content Delivery Network and Security Services by Cloudflare
We use the Content Delivery Network (CDN) and security services provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter "Cloudflare"). Cloudflare is represented in the European Union by Cloudflare Germany GmbH, Rosental 7, 80331 Munich, Germany.
When you visit our website, your traffic is routed through Cloudflare's global server network. This ensures high-speed delivery of our website content and protects our infrastructure from malicious activities (e.g., DDoS attacks).
Types of Data: IP address, browser type and version, operating system used, accessed URLs, time of server request, and device identifiers if applicable.
Purpose: Secure and high-performance delivery of our website, mitigation of cyber threats, and ensuring uptime of our online systems.
Legal Basis: Processing is based on our legitimate interest in securing a stable and efficient web presence in accordance with Art. 6(1)(f) GDPR.
Contractual Basis: We have concluded a Data Processing Agreement (DPA) with Cloudflare in accordance with Art. 28 GDPR.
Data Transfer to Third Countries: Cloudflare also processes personal data on servers outside the European Union, specifically in the USA. Cloudflare is certified under the EU-U.S. Data Privacy Framework, meaning data transfers are based on the adequacy decision of the European Commission pursuant to Art. 45 GDPR. In addition, Cloudflare utilizes Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
Storage Period: Cloudflare generally stores log data for up to 24 hours. For detailed information regarding data processing by Cloudflare, please consult their Privacy Policy at: https://www.cloudflare.com/en-gb/privacypolicy/

6. Cookies and Consent Tools
a) Cookies and Consent Management with Usercentrics
Our website uses cookies. In order to collect, manage and document your explicit consent for non-essential cookies and tracking technologies in a legally compliant manner, we utilize the consent management platform of Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn, Germany.

Purpose: Fulfilment of the legal obligation to demonstrate consent compliant with data protection standards.
Legal Basis: The deployment of Usercentrics is carried out to comply with a legal obligation pursuant to Art. 6(1)(c) GDPR.
b) Google Analytics
Subject to your consent, this website utilizes functionalities of the web analytics service Google Analytics. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Types of Data: IP address (anonymised), usage data (e.g., pages visited, session duration), technical configurations (e.g., browser).
Purpose: Analysis of user behaviour to optimise our website and digital marketing efforts. IP anonymisation is activated on this website.
Legal Basis: Processing is carried out solely on the basis of your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time via our Usercentrics consent banner.
Data Transfer to Third Countries: Data transfers to Google servers in the USA cannot be entirely ruled out. Transatlantic data transfers are covered by the EU-U.S. Data Privacy Framework adequacy decision. Google is certified under the Data Privacy Framework.
Contractual Basis: We have concluded a Data Processing Agreement (DPA) with Google.
c) Google Search Console
We use Google Search Console to monitor and optimise our online presence in Google search results. This is an analytical tool providing aggregated search query data. No personal data of website visitors is processed.

Purpose: Enhancing our search engine rankings as part of our SEO and digital marketing strategy.
Legal Basis: Our legitimate interest in website optimisation in accordance with Art. 6(1)(f) GDPR.

7. SaaS Tool for Sustainability and ESG Data Collection
We provide an online software application enabling users to collect, track, and manage company-specific data related to their sustainability performance and ESG reporting practices.

a) Scope and Purpose of Data Processing
Within this tool, we process the data provided by you and your company. This includes register data (e.g., email address) and the ESG data and metrics entered by you.

Purpose: Provision of tool functionalities and features in accordance with our terms of use.
Legal Basis: Processing is necessary for the performance of a contract to which the user is party (Art. 6(1)(b) GDPR).

b) Hosting with Amazon Web Services (AWS)

Our web application is hosted with Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg ("AWS"). Personal data is processed exclusively on servers within the European Union, specifically in the AWS Frankfurt Region (eu-central-1). A Data Processing Agreement in accordance with Art. 28 GDPR has been concluded with AWS. Processing of data occurs solely on our instructions, accompanied by advanced technical and organisational measures to ensure an appropriate level of data security. When hosting, AWS processes IP addresses, connection data, and SaaS input data. Transatlantic or third-country data transfers do not generally take place. To the extent that intra-group transfers to Amazon entities outside the EU might occur in exceptional support or maintenance cases, suitable safeguards under Art. 44 et seq. GDPR are implemented (e.g., Standard Contractual Clauses). Processing is based on Art. 6(1)(f) GDPR (legitimate interest in stable, secure, and efficient cloud infrastructure) and Art. 6(1)(b) GDPR for contract performance.

c) Payment Processing with Stripe
To manage subscriptions and process billing for paid plans of our tool, we use Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

Types of Data: Master data (e.g., name, address), payment data (e.g., credit card details, bank information), contract details.
Purpose: Secure, compliant, and efficient payment processing.
Legal Basis: Data transfer to Stripe is strictly for contract execution and billing purposes under Art. 6(1)(b) GDPR.
Data Transfer to Third Countries: Stripe may transfer data to Stripe, Inc. in the USA. This transfer is secured by the EU-U.S. Data Privacy Framework, under which Stripe is certified.
d) Integration of OpenAI (AI-powered Content & ESG Writing Assistance)

To provide AI-driven text compilation and editing within our application, we integrate the API of OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland ("OpenAI"). This processing activity is backed by a DPA in accordance with Art. 28 GDPR and is executed solely on our instructions.

When using the AI features, entered text prompts are sent directly to OpenAI for immediate real-time generation. We do not permanently store prompts or output text on behalf of OpenAI. The data sent to OpenAI is not used to train or improve their semantic models. In the course of processing, parent-group transfers to OpenAI entities in the US may occur. These transfers are governed by the EU-US Data Privacy Framework under Art. 45 GDPR. The underlying legal basis is Art. 6(1)(a) GDPR (consent), obtained during system onboarding.

e) Anonymisation and Use of Data for Sustainability Benchmarking and Product Innovation
We reserve the right to process the non-personal, company-specific ESG reporting data entered into our tool in a completely anonymised form. Anonymisation ensures that all direct identifiers are deleted, making backtracking to your business impossible.

Purpose: Using anonymised ESG datasets to train and improve our software, analyze ESG reporting trends, and compile anonymous industry benchmarks.
Legal Basis: The processing of anonymous data falls outside the scope of the GDPR. The preliminary anonymisation is supported by our legitimate interest in business model innovation and product development under Art. 6(1)(f) GDPR.
f) Data Retention in the ESG Platform
Your personal data in our application is generally stored for the lifetime of your active customer account. Data subject to tax or commercial preservation laws (e.g., billing invoices) is kept for the mandatory legally prescribed durations (e.g., 10 years).

8. Processing for Accounting, Corporate Governance and General Business Operations
During regular business activities, we process personal data of client representatives, suppliers, and contacts (e.g., names, email addresses, order history, and billing info).

Purpose: Financial bookkeeping, corporate administration, and statutory filing compliance.
Legal Basis: Contractual completion (Art. 6(1)(b) GDPR) and legal compliance (Art. 6(1)(c) GDPR).

9. Email and Newsletter Campaigns via Brevo
For distributing company newsletters, system announcements, transaction emails, and marketing campaigns, we utilize Brevo (formerly Sendinblue), operating under Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.

Brevo is a platform designed to map, automate, and evaluate mailing outputs. We have executed a Data Processing Agreement with Brevo according to Art. 28 GDPR. This mandates Brevo to process customer data solely inside our predefined scope and in compliance with EU regulations.

a) Newsletter Distribution
When subscribing to our sustainability newsletters, the input fields (e.g., email address, name) are transmitted and hosted on Brevo database systems inside Germany.

Legal Basis: This processing is based entirely on your consent pursuant to Art. 6(1)(a) GDPR.
Opt-out: You can unsubscribe or withdraw consent at any time via the opt-out hyperlink provided in every footer, or by contacting us using our imprint details.
b) Campaign Tracking & Audience Insights
Campaigns delivered via Brevo carry a 1x1 "Web Beacon" element. Upon opening the message, technical browser metrics, IP sequences, and access times are evaluated.

This tracking is designed to improve campaign content structure and match regional user demands. Analytics highlight click-through rates, open ratios, and link interactions. This feedback helps us tailor our sustainability and ESG content to matching subscriber segments.

Legal Basis: Analytical campaign tracking is integrated within your newsletter consent under Art. 6(1)(a) GDPR.
c) System and Transactional Notifications
We also employ Brevo to dispatch mandatory contractual notices, including purchase receipts, password recovery info, or product updates.

Legal Basis: Performance of a contract or implementation of pre-contractual steps under Art. 6(1)(b) GDPR.
For deeper insights into Brevo data security, please access their direct statements here: https://www.brevo.com/en/legal/privacypolicy/

10. Amendments to our Privacy Policy
We reserve the right to modify this policy, ensuring it continually mirrors the latest regulatory requirements, ESG standards, or structural shifts in our product portfolio (e.g., launching new features or services). The newly updated privacy statement will apply from your next visit.