Privacy Notice
Last updated: June 2026
1. Introduction
TRUST-ESG is an AI-powered ESG (Environmental, Social and Governance) reporting platform designed to help small and medium-sized enterprises (SMEs) assess and improve their sustainability performance. The platform is funded by the Research and Innovation Foundation (RIF) under the THALIA 2021–2027 programme (Project No. EXCELLENCE/0524/0586), co-funded by the European Union.
The TRUST-ESG ESG Assessment questionnaire is designed to collect non-personal, company-level ESG information for research and assessment purposes only. It is not intended to, and does not, systematically collect personal data.
Notwithstanding the above, the website does process limited personal data in specific, defined circumstances: through the automatic transmission of technical information by your web browser, and through the collection of an email address for the purpose of delivering a Certificate of Completion upon submission of the ESG questionnaire.
This Privacy Notice explains what information is processed, on what legal basis, for what purposes, and for how long. It also sets out the rights available to data subjects and the contact details for exercising those rights.
TRUST-ESG is committed to protecting your privacy and handling all information in accordance with applicable data protection law, including Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Cyprus Law 125(I)/2018 on the Protection of Natural Persons with regard to the Processing of Personal Data.
If you have any questions regarding this Notice, please contact us using the details provided in Section 11 below.
2. Scope
This Privacy Notice applies to all visitors and users of the TRUST-ESG website (https://trustesg.com.cy), including users who access or complete the ESG Assessment questionnaire.
Where the website contains links to third-party websites or services, those websites operate independently and are governed by their own privacy policies. We are not responsible for the content or data practices of such third-party sites.
3. Data Controllers
The TRUST-ESG website is operated jointly by the three consortium partners, who act as Joint Data Controllers in respect of personal data processed through the website:
- Frederick Research Center (FRC)
- Infocredit Group (ICG)
- Cyprus University of Technology (CUT)
4. Information Processed
4.1 Technical Information (Server Logs)
When you visit this website, your web browser automatically transmits certain technical information to our web server. This may include:
- your Internet Protocol (IP) address;
- the date and time of your visit;
- the pages or resources requested;
- the type and version of your browser and operating system;
- the referring URL (the page from which you arrived).
This information is recorded in server logs and is processed solely for the purposes of maintaining the security, stability, and technical operation of the website. It is not used to identify individual visitors and is not combined with other data for profiling purposes.
Legal basis: Article 6(1)(f) GDPR
4.2 Email Address (Certificate of Completion)
Upon successful submission of the ESG Assessment questionnaire, the website collects the respondent's email address for the sole purpose of delivering a Certificate of Completion. The email address is used exclusively for this delivery and is not used for any other purpose, including marketing or profiling.
Legal basis: Article 6(1)(b) GDPR
4.3 ESG Questionnaire Responses
The ESG Assessment questionnaire is designed to collect company-level ESG information only. It is not intended to collect personal data, and all questions are structured to elicit organisation-level responses.
Users are expressly requested to refrain from submitting personal data through the questionnaire. Please ensure that your responses do not contain names, contact details, identification numbers, or any other information that could directly or indirectly identify a natural person.
Questionnaire responses are processed for the following purposes:
- assessing the ESG maturity of the participating organisation;
- supporting research activities conducted under the TRUST-ESG project;
- improving AI-powered ESG assessment methodologies;
- generating aggregated statistical outputs;
- producing anonymised or pseudonymised research results.
Note on GDPR applicability: As questionnaire responses do not constitute personal data, the GDPR does not apply to their processing. The purposes listed above are provided for transparency only. In the event that personal data is inadvertently submitted, it will be processed in accordance with this Privacy Notice.
5. Cookies
This website may use cookies and similar technologies. Cookies are small text files placed on your device to enable certain functionality and to improve the performance and usability of the website.
A separate Cookie Policy, available at https://trustesg.com.cy/cookie-policy, provides full details of the cookies used, their purpose, duration, and the choices available to you.
We recommend that you review the Cookie Policy carefully. Where cookies require your consent, such consent is obtained separately through the cookie consent mechanism on the website.
6. Data Sharing and Transfers
We do not sell, rent, or trade personal data to any third party.
Personal data processed through the website may be shared in the following limited circumstances:
- Between the three Joint Controllers (Frederick Research Center, Infocredit Group, and Cyprus University of Technology) for purposes consistent with this Privacy Notice;
- Where required by law, regulation, court order, or the lawful request of a competent authority.
All personal data is processed and stored within the European Union / European Economic Area. No transfers of personal data to third countries are made. Should this position change, appropriate safeguards, such as Standard Contractual Clauses approved under Article 46 GDPR, will be put in place and this Notice will be updated accordingly.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Server log data is retained for a limited period required for security monitoring purposes, after which it is deleted or anonymised. The specific retention period is determined by server configuration policies.
- Email addresses collected for the delivery of Certificates of Completion are retained for the period strictly necessary to deliver the certificate and resolve any related queries, after which they are deleted.
- Company-level ESG questionnaire response data (non-personal) is retained for the duration of the TRUST-ESG project and any subsequent archiving period required under applicable research data management obligations or RIF grant conditions.
8. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures are reviewed and updated periodically in light of evolving threats and best practice.
While we take all reasonable precautions to protect personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
9. Your Rights
Where personal data about you is processed, you have the following rights under the GDPR and applicable Cyprus data protection law:
- Right of access (Article 15 GDPR): to obtain confirmation of whether your personal data is processed and to receive a copy of that data, along with supplementary information.
- Right to rectification (Article 16 GDPR): to have inaccurate personal data corrected or incomplete data completed.
- Right to erasure (Article 17 GDPR): to request deletion of your personal data in certain circumstances, for example where the data is no longer necessary for the purposes for which it was collected.
- Right to restriction of processing (Article 18 GDPR): to request that processing is restricted in certain circumstances, for example while the accuracy of data is contested.
- Right to object (Article 21 GDPR): to object to processing based on legitimate interests, on grounds relating to your particular situation.
- Right to data portability (Article 20 GDPR): to receive your personal data in a structured, commonly used, machine-readable format, where processing is based on consent or contract and carried out by automated means.
- Right not to be subject to automated decision-making (Article 22 GDPR): we do not make decisions based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, please contact us using the details set out in Section 11. We will respond to your request within one month of receipt, in accordance with Article 12 GDPR. This period may be extended by a further two months where requests are complex or numerous, in which case we will notify you.
Please note that given the limited nature of personal data processing through this website, some of the above rights may have limited or no practical application in your case.
10. Right to Lodge a Complaint
If you believe that your personal data has been processed in a manner that is inconsistent with your rights or with applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. The supervisory authority in Cyprus is:
Office of the Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia, Cyprus
Website: www.dataprotection.gov.cy
You may also contact the supervisory authority in your country of residence or establishment.
We would, however, appreciate the opportunity to address your concerns directly before you approach the supervisory authority. Please contact us in the first instance using the details in Section 11.
11. Contact Details
For any questions, concerns, or requests relating to this Privacy Notice or to the processing of your personal data, please contact the TRUST-ESG data protection contact point:
Email: dpo@infocreditgroup.com
12. Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in our data processing activities, legal requirements, or the services we provide. Any updated version will be published on this page with a revised date at the top of the Notice.
Where changes are material, we will take reasonable steps to draw them to your attention. We encourage you to review this Notice periodically.