Live· ·Issue N°
CO₂ ppm·Temp anomaly°C·CH₄ ppb

OneStop ESG Privacy Policy

This Privacy Policy explains how OneStop ESG ("OneStop ESG," "we," "us," or "our") collects, uses, shares, and protects personal data when you visit or use onestopesg.com (the "Site") and related services (the "Services"). It also describes your rights and choices.

By using the Site or the Services, you agree to this Privacy Policy.

1) Who we are and how to contact us

2) Scope

This Policy covers personal data we collect through:

  • The Site and any pages hosted under onestopesg.com
  • User accounts created and authenticated via Google or LinkedIn using NextAuth
  • Marketplace features, vendor dashboards, forms, newsletters, and analytics

This Policy does not cover third-party websites or services that link to or from our Site.

3) What data we collect

3.1 Data you provide

  • Account details from Google or LinkedIn sign-in: name, email, profile photo (basic profile data only; no extended permissions)
  • Content you submit on the marketplace: company profile, descriptions, media, links, tags, messages, and any information you enter in forms
  • Communication preferences and newsletter sign-ups
  • Requests sent to vendors or to us

We do not collect payment card data.

3.2 Data collected automatically

  • IP address, device identifiers, browser type, operating system, language, and time zone
  • Pages viewed, clicks, scrolls, referrers, session duration, and similar activity data
  • Approximate location inferred from IP address

3.3 Cookies and similar technologies

We use cookies, pixels, and local storage for:

  • Sign-in and session management
  • Analytics and performance
  • Personalization and remembering settings

Tools in use include: Google Analytics, Hotjar, Plausible, Microsoft Clarity.

You can control cookies in your browser settings. Some features may not work without certain cookies. Where required by law, we will seek consent before setting non-essential cookies.

3.4 Data from service providers

When you sign in with Google or LinkedIn via NextAuth, we receive the basic profile data you approve during sign-in. We do not request contacts, work history, or posting permissions.

3.5 Sensitive data

We do not seek to collect sensitive personal data (such as health data, precise geolocation, or government IDs). Do not submit such data through the Site.

4) Why we use your data (purposes and legal bases)

4.1 Service delivery and account management

  • Create and manage your account
  • Authenticate sessions via NextAuth
  • Enable marketplace features, including vendor pages and dashboards

Legal basis (GDPR): performance of a contract or steps prior to entering into a contract; legitimate interests to run and protect our Services.

4.2 Personalization and product improvement

  • Remember preferences and settings
  • Measure and improve Site performance
  • Develop new features and fix issues

Legal basis: legitimate interests to improve and secure our Services; consent where local law requires it for analytics cookies.

4.3 Communications

  • Send service messages (e.g., account notices, security alerts)
  • Send newsletters and promotional emails if you subscribe
  • Respond to inquiries

Legal basis: performance of a contract (service messages); consent or legitimate interests for marketing. You can unsubscribe at any time from marketing emails.

4.4 Vendor analytics and engagement

  • Provide vendors with analytics and engagement metrics for their own listings via vendor dashboards
  • Facilitate contact when you choose to reach out to a vendor

Legal basis: performance of a contract and legitimate interests to operate the marketplace.

4.5 Safety, security, and legal

  • Detect, prevent, and investigate fraud, abuse, or security incidents
  • Comply with laws, court orders, and enforce our terms

Legal basis: legal obligations and legitimate interests to protect our users and Services.

We do not conduct automated decision-making that produces legal or similarly significant effects.

5) How we share data

5.1 No sale of personal data

We do not sell or rent personal data. We do not share data with advertisers for their own marketing.

5.2 Service providers (processors)

We share data with trusted providers that support our operations, such as:

  • Hosting and infrastructure (AWS)
  • Database (MongoDB running on our AWS environment)
  • Authentication (NextAuth using Google and LinkedIn)
  • Analytics (Google Analytics, Hotjar, Plausible, Microsoft Clarity)
  • Email and customer support tools

These providers process data on our instructions and under contract.

5.3 Vendors on the marketplace

  • Vendors can access analytics and engagement metrics for their own listings through vendor dashboards.
  • Vendors may receive your personal data only when you choose to contact them, submit a form, or otherwise share details with them.
  • Vendors do not receive our full user lists.

5.4 Compliance and safety

We may share data when the law requires it or to protect rights, safety, or the integrity of the Services.

6) International data transfers

We serve users globally. Your data may be stored or processed in countries that may have different data protection laws than your country.

When we transfer personal data from the EEA/UK/Switzerland to countries that are not covered by an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, where required by law.

7) Data retention

We keep personal data for as long as needed for the purposes described in this Policy. If you delete your account or request deletion, we will delete your personal data unless we need to keep it to meet legal, accounting, or security needs. Usage logs and backups may persist for a limited period.

You can request deletion at any time by emailing [email protected].

8) Security

We apply access controls, account-level restrictions, monitoring, and other administrative safeguards to protect data. Our databases run on AWS.

Data is not encrypted at rest in our systems. We do not provide end-to-end encryption. Do not share confidential or sensitive information through free-text fields.

No method of transmission or storage is fully secure. We work to detect and respond to incidents and will notify users and authorities when required.

9) Your rights

9.1 EEA/UK/Swiss users (GDPR/UK GDPR)

You may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data
  • Restrict or object to processing
  • Port your data
  • Withdraw consent where we rely on consent

To exercise these rights, email [email protected]. We will respond within one month, or as local law requires. You can lodge a complaint with your local supervisory authority.

9.2 California residents (CCPA/CPRA)

You may have the right to:

  • Know the categories and specific pieces of personal information we collect
  • Delete personal information
  • Correct inaccurate information
  • Opt out of sale or sharing (as those terms are defined in the CPRA)

We do not sell or share personal information as those terms are defined in the CPRA. To exercise rights, email [email protected]. We will respond within 45 days, or as the law allows.

9.3 India and other regions

We honor requests to access, correct, or delete personal data, and we follow local laws that apply. Contact [email protected].

10) Your choices

10.1 Email marketing

You can unsubscribe using the link in our emails or by emailing [email protected].

10.2 Cookies and analytics

Use your browser settings to block or delete cookies. You can also use built-in tools from some analytics providers to reduce tracking. Where required, we will ask for consent before setting analytics cookies.

10.3 Account

You can request access, correction, or deletion of your account by emailing [email protected].

11) Children's privacy

Our Services are not directed to children. We do not knowingly collect personal data from children under 13 (or a higher age where local law sets it). If you believe a child provided data to us, email [email protected] and we will act.

12) Third-party links

The Site may include links to third-party websites or services. Their privacy policies govern those services. We are not responsible for their practices.

13) Changes to this Policy

We may update this Policy from time to time. We will post the new version on this page and change the "Last updated" date. If changes meaningfully affect your rights, we will provide a clear notice.

14) How to contact us

15) Summary of categories collected and used (California format)

Identifiers:

name, email, IP address, device and browser identifiers

  • Sources: you; your device; Google/LinkedIn (NextAuth)
  • Business purposes: account, security, analytics, communications, vendor dashboards
  • Sharing: service providers; vendors only when you choose to contact them
  • Sale/Share: none

Internet or network activity:

pages viewed, clicks, session duration, referrers

  • Sources: your device; cookies/analytics
  • Business purposes: analytics, security, product improvement
  • Sharing: service providers (analytics)
  • Sale/Share: none

Geolocation (approximate):

inferred from IP

  • Sources: your device
  • Business purposes: analytics, fraud prevention
  • Sharing: service providers
  • Sale/Share: none

Profile inferences:

usage patterns used to improve Services

  • Sources: analytics
  • Business purposes: product improvement and personalization
  • Sharing: service providers
  • Sale/Share: none

We do not collect payment information through the Site.

16) Requests and verification

To exercise your rights, email [email protected]. We may ask for information to verify your identity and to protect your account. If an agent submits a request for you, we may ask for proof of authorization.