Effective date: 1 March 2026. | Jiskta B.V., Netherlands
1. Who We Are
Jiskta B.V. ("Jiskta", "we", "us") operates the Jiskta ESG site assessment
platform at esg.jiskta.com.
We are the data controller for the personal data processed through this service.
Contact: privacy@jiskta.com.
2. Data We Collect
We collect only what is necessary to deliver the service:
- Account data: Email address and password hash (stored by Supabase Auth, EU-hosted).
- Site addresses: Facility addresses and/or GPS coordinates you submit for assessment. These are stored in your report history so you can re-download past reports.
- Payment data: Processed entirely by Paddle (our Merchant of Record). We receive only a transaction ID and credit amount — no card numbers or billing addresses are stored by Jiskta.
- Usage data: Report generation timestamps and credit balance. No behavioural tracking, no cookies beyond those required for authentication.
3. How We Use Your Data
- To generate site assessment reports and store them in your account history.
- To manage your account, authenticate you, and process your credit balance.
- To send transactional emails (confirmation, password reset) via our email provider.
- We do not use your data for marketing, profiling, or machine-learning model training.
- We do not sell your data to any third party.
4. Legal Basis (GDPR)
We process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Account data and site addresses are necessary to provide the service you contracted.
- Legitimate interests (Art. 6(1)(f)): Usage logs for service reliability and fraud prevention.
5. Data Retention
- Account data: Retained for the duration of your account and deleted within 30 days of account deletion.
- Report data (addresses, coordinates, raw JSON): Retained for 3 years from generation date, then deleted. You can delete individual reports at any time from your dashboard.
- Payment records: Retained for 7 years as required by EU accounting law (VAT records).
6. Sub-processors & Data Transfers
We rely on the following sub-processors, all operating under GDPR-compliant data processing agreements:
| Processor | Purpose | Location |
| --- | --- | --- |
| Supabase | Authentication, database (account + report storage) | EU (Frankfurt) |
| Paddle | Payment processing (Merchant of Record) | UK/EU |
| Cloudflare | CDN, static hosting, DDoS protection | EU PoPs |
| Scaleway / dedicated server (Jiskta API) | Climate data query processing | EU (Paris) |
No personal data is transferred to countries outside the EU/EEA or UK without adequate safeguards.
7. Cookies
We use only technically necessary cookies and browser localStorage for authentication
(Supabase session token). We do not use analytics cookies, advertising cookies, or
third-party trackers. No cookie consent banner is required as no non-essential cookies
are set.
8. Your Rights (GDPR)
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten") — submit a request to privacy@jiskta.com; we will act on it within 30 days.
- Portability — export your report data as JSON or CSV from the dashboard.
- Object to processing based on legitimate interests.
- Lodge a complaint with your national Data Protection Authority (in the Netherlands: Autoriteit Persoonsgegevens).
9. Security
All data is transmitted over TLS 1.3. Passwords are hashed by Supabase Auth (bcrypt).
The API server only accepts authenticated requests. We conduct periodic security reviews
and apply security patches within 48 hours of disclosure for critical vulnerabilities.
10. Changes to This Policy
We will notify registered users by email at least 14 days before any material change to
this policy. The current version is always available at
esg.jiskta.com/privacy.
11. Contact
For any privacy-related questions or to exercise your rights:
privacy@jiskta.com
Jiskta B.V., Netherlands