Privacy Statement

1.0 Introduction
1.1 Privacy Statement

ESG is fully committed to maintaining the privacy of the personal information collected through ESG’s public Website, non-public web sites and any ESG software platforms including web application(s) and mobile application(s) (“ESG’s Application(s) and Services”). All Privacy Information is protected by ESG in accordance with the terms set forth in this Privacy Statement. This Privacy Statement explains what Personal Information we collect from You, how ESG uses it and to whom it is passed or provided. [In the event of any conflict or substantive translation changes in a non-English language of this Privacy Statement, the English version of this Privacy Statement shall govern.]

2.0 Scope and Purpose

This Privacy Statement applies to all information, inclusive of business information and Personal Information that registered users of the Application (“Users”) and Website visitor users provide to ESG when using ESG’s Application(s) and Services (including email notifications sent to and from the specific Application(s) and services) and/or information provided via ESG’s Website, and information that ESG’s clients provide to ESG personnel for importation into ESG’s Application(s) and Services.

ESG collects information, inclusive of any Personal Information, to provide You with industry information regarding procurement and sourcing and to provide ESG clients and their suppliers with a secure, efficient and customized venue for electronic sourcing of products and services. The Application may also enable ESG clients to create custom fields or documents for the collection of business and Personal Information.

Personal Information, such as individual names and email addresses, is collected to provide You with information such as white papers and industry specific data where You have provided consent to receive such information.

Personal Information provided by You may also be used by other ESG clients, and suppliers of ESG clients, for some features within ESG’s Application(s) and Services and to provide procurement and sourcing-related services. ESG clients may submit Personal Information to create registered Users of the solutions, to store transaction documents, and to store contact information associated with other entities.

We may collect, use and disclose qualitative and quantitative data derived from Your use of the Application for analysis including but not limited to industry analysis, analytics, and other business purposes. We will use such qualitative and quantitative data and Information only as part of the aggregated and anonymized transaction information ESG publishes at its sole discretion on the website(s) or in any other medium. All data collected, used and disclosed will be in aggregated form and will not identify You as an individual User. We may aggregate and publish User business information relating to activity within ESG’s non-public websites and software platforms including mobile application(s), but such aggregated User business information shall not include any User business information that could be used to personally identify You.

Access Provided by Your Organization-Notice to End Users

For Users, the Personal Information is generally related to Your role at Your respective organization and is not related to You as a private person or as an individual client or supplier.

For ESG client Users

When You access or use an Application(s) and Service, ESG’s processing of Your Personal Information in connection with that Application(s) and Service is governed by a contract between ESG and Your company. If you are in the EU or UK, Your company is the ‘controller’ and ESG is a ‘processor’ acting on behalf of Your company, each as defined in the EU General Data Protection Regulation or the UK Data Protection Act 2018. ESG processes Your Personal Information to provide the Application(s) and services (including improving, securing, and updating the service) to Your organization and You for ESG’s business operations related to providing the Application(s) and services. If You have questions about ESG’s processing of Your Personal Information in connection with providing services to Your company, please contact Your company.

For registered supplier Users

When You use an Application(s) and service on behalf of Your organization as a supplier User, ESG’s processing of Your Personal Information in connection with the specific Application(s) is governed by this Privacy Statement. ESG processes Your Personal Information to provide the Application(s) and Services (including improving, securing, and updating the service) to Your company and You, and for ESG’s legitimate business operations related to providing the Application(s) and Services. Certain features of Application(s) and Services may enable ESG’s clients to use or create custom fields or documents to gather various types of information about a supplier. If you object to the types of additional business or Personal Information being requested from an ESG client, please contact the ESG client directly.

Because ESG understands the importance of protecting the privacy of visitors to its Website, ESG clients and the suppliers to ESG clients, and maintaining the security of the business information and Personal Information, ESG pledges that no Personal Information will be disclosed, distributed, published, disseminated, sold, traded, or shared with any third party, including advertisers, business or governmental organizations, or other clients or members.

Provided, however, that ESG shall be entitled to disclose business information and/or Personal Information to third parties in the following situations:

  • When such disclosure is necessary to facilitate communications with Users or transactions between Users in accordance with the normal operation or services and transactions between Users and ESG clients;
  • When such disclosure is so ordered by any court, administrative body, governmental agency or regulatory agency, or when ESG in good faith determines that it is legally required to make such disclosure, or when such disclosure is requested by law enforcement authorities in connection with their investigations, or in the event of an emergency;
  • When enforcing the terms of the Agreement (including this Privacy Statement);
  • When communicating with a visitor user to the ESG Website, an ESG client or User outside of ESG’s non-public websites and software platforms including mobile application(s);
  • When ESG in good faith determines that such disclosure is necessary to correct what ESG believes to be false or misleading information or to address activities that ESG believes to be manipulative or deceptive;
  • When you designate your Personal Information to be publicly viewable within any Application(s) and service(s);
  • ESG may aggregate and publish User business information relating to activity within ESG’s non-public websites and software platforms including mobile application(s), but such aggregated User business information shall not include any User business information that could be used to personally identify you; and
  • ESG may share Personal Information with our global affiliates, parent, subsidiaries, agents and integrated service providers that cooperate to provide content to visitors of the Website, and/or to provide ESG’s Technology Solution (including ESG Application(s) and Services) to ESG clients. ESG affiliates follow practices no less protective than the practices described in this Privacy Statement and to the extent allowed by applicable law.

Tracking and other similar technologies

Depending on whether you visit the ESG Website, are an ESG client, or supplier User visiting a non-public website and/or any software platform including Application(s) and Services, web application(s) and/or mobile application(s), the information gathered through technologies like cookies, web beacons, web links and other such tools may include Your Internet Protocol (IP) address (or the proxy server You use to access the World Wide Web), device and application identification numbers, Your location, Your browser type, Your Internet service provider and/or mobile carrier, the pages and files You viewed, Your searches, Your operating system and system configuration information, and date/time stamps associated with Your usage. For example, due to Internet communications standards, when You visit or use the ESG Website and services, ESG automatically receives the URL of the website from which You came and the website to which you go when you leave our Website. Similar technologies may be part of your use of the ESG mobile application platforms. The business information gathered by such technologies is used to analyze overall trends, to help us improve our Website, Application(s) and services, software platform(s) including web application(s) and mobile application(s) and services, to track and aggregate non-personal information, and to provide the Website and Application services. The business information obtained through tracking tools may be subject to data analytics only for the purpose of enhancing the software features or services provided through the software without compromising confidentiality.

3.0 Privacy Principles

ESG adheres to the privacy principles relating to the processing of Personal Information:

  • Personal Information is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  • Personal Information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘Purpose Limitation’).
  • Personal Information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘Data Minimization’).
  • Information is accurate and, where necessary, kept up to date; every reasonable step is taken to provide that Personal Information which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘Accuracy’).
  • Information is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Information is processed (‘Storage Limitation’).
  • Information is processed in a manner that ensures appropriate security of the Personal Information, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
  • When ESG collects Your Personal Information, ESG will give You timely and appropriate notice describing what Personal Information ESG is collecting, how ESG will use it, and the types of third parties with whom ESG may share it. ESG will give You the right to access Your Personal Information and a method to communicate any change.
  • ESG will give You choices about the ways ESG uses and shares Your Personal Information, and ESG will respect the choices you make.
  • To transfer Personal Information to a third party acting as a controller, ESG will comply with the Notice and Choice Principles as set out in the EU-U.S./Swiss-U.S. Privacy Shield Framework. ESG will enter into a contract with the third-party controller to provide the same level of protection as the Notice and Choice Principles.
  • ESG will take reasonable and appropriate measures to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information.
  • ESG will not process Personal Information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, ESG will take reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current.
  • ESG will provide ways for You to access Your Personal Information, as required by law, so You can correct inaccuracies.
  • ESG will provide an independent recourse mechanism by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual.

Privacy Shield

  • ESG complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union and Switzerland to the United States. ESG has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view ESG’s certification, please visit https://www.privacyshield.gov/

4.0 Individual Rights/User Rights

Please note the following rights which apply to an individual under the General Data Protection Regulation where ESG is acting in its capacity as a controller. In most circumstances, ESG is not considered a controller and is operating as a processor.

  • An individual has the right to receive the Personal Information concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller without hindrance from the controller to which the Personal Information has been provided.
  • An individual has the right to object, on grounds relating to his or her particular situation, at any time, to the processing of Personal Information concerning him or her, including profiling based on those provisions. The controller shall no longer process the Personal Information unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims.
  • An individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  • An individual has the right to obtain from the controller confirmation as to whether or not Personal Information concerning him or her is being processed, and, where that is the case, access to the Personal Information and the following information:
    • The purposes of the processing.
    • The categories of Personal Information concerned.
    • The recipients or categories of recipient to whom the Personal Information has been or will be disclosed, in particular recipients in third countries or international organizations.
    • Where possible, the envisaged period for which the Personal Information will be stored, or, if not possible, the criteria used to determine that period.
    • The existence of the right to request from the controller rectification or erasure of Personal Information or restriction of processing of Personal Information concerning the data subject or to object to such processing.
    • The right to lodge a complaint with a supervisory authority.
    • Where the Personal Information is not collected from the data subject, any available information as to their source.
  • An individual has the right to deny or withdraw consent at any time, where relevant.
  • An individual has the right to obtain from the controller without undue delay the rectification of inaccurate Personal Information concerning him or her.
  • An individual has the right to obtain from the controller the erasure of Personal Information concerning him or her without undue delay in certain circumstances.
  • An individual has the right to obtain from the controller restriction of processing in a situation where accuracy of the Personal Information is contested by the data subject, the processing is unlawful, and the data subject opposes the erasure of the Personal Information and requests the restriction of their use instead.
  • An individual has the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

5.0 Security of Personal Information

ESG’s internal security policy governs the processing of data collected through the Application and Services and the Website. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ESG has implemented appropriate technical and organizational measures to provide a level of security appropriate to the risk.

  • The pseudonymization and encryption of sensitive or special category sensitive data.
  • The ability to provide the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  • ESG has implemented technical controls to prevent unauthorized access to or unauthorized alteration, disclosure or destruction of information ESG holds.
    • ESG has encrypted many of ESG’s services using the latest strong encryption technologies.
    • ESG provides secure authentication to access non-public information.
    • ESG restricts access to Personal Information to employees, contractors and agents who need to know that information in order to process it for ESG, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

6.0 Compliance and Cooperation with Regulatory Authorities

ESG regularly reviews our compliance with ESG’s Privacy Statement. ESG also adheres to regulatory frameworks, including the EU-US and Swiss-US Privacy Shield Frameworks. When ESG receives formal written complaints, ESG will contact the person who made the complaint to follow up. ESG will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of Personal Information that ESG cannot resolve with our users directly.

ESG Contact

Attn: privacy@esgconsultingllc.com
1591 Winchester Rd, Ste 125
Lexington, KY 40405
Office: (800) 215-0175

To raise a request or complaint about how ESG has handled your Personal Information, please mail or email the above contact. Please be aware that if you complain to ESG directly and it is the processor of your Personal Information, it will promptly refer your enquiry to the controller.

Please allow at least 10 business days for ESG to respond to Your request or complaint.

In compliance with the Privacy Shield Principles at https://www.privacyshield.gov, ESG commits to resolve complaints about ESG’s collection or use of Your Personal Information.
