Privacy Policy — METRIQOm® Platform
Effective Date: 1 May 2026
This Privacy Policy applies to organisations and authorised users of the METRIQOm® ESG Intelligence Platform (the “Platform”), accessible at app.metriqom.ae and related domains. It is separate from the privacy policy governing our marketing website (metriqom.com) and explains what data is processed, how it is stored and protected, which third-party processors are engaged, and the rights available to data subjects under EU GDPR, UAE Federal Decree-Law No. 45 of 2021 (PDPL), and equivalent international frameworks.
1. Who We Are
The METRIQOm® Platform is delivered jointly by two affiliated UAE entities under common ownership, operating the same Platform on shared technical and security architecture. Each entity contracts with customers based on the customer’s selected deployment region:
Barz Solutions FZE — a free-zone establishment in Ajman Free Zone, UAE. Owner of the METRIQOm® trade mark and primary platform operator. Contracts with customers selecting AWS-hosted deployment (default region: us-west-2, Oregon). EU regional deployment (Frankfurt or Ireland) available under specific service agreements.
Future Sustain AI Solutions Limited — a free-zone entity in Masdar City, Abu Dhabi, UAE (License No. MC14406). Authorised licensee of the METRIQOm® trade mark. Contracts with customers selecting Alibaba Cloud UAE-hosted deployment, serving customers requiring UAE data residency or alignment with regional procurement preferences across the GCC, MENA, and CIS markets.
References in this Policy to “METRIQOm®,” “we,” “our,” or “us” mean the contracting entity for the relevant Tenant — Barz or Future Sustain — as applicable.
2. Data Protection Roles and Contact
The customer (Tenant) is the data controller. The contracting METRIQOm® entity is the data processor, acting under documented Tenant instructions set out in the Data Processing Agreement (DPA). Sub-processors are listed in Section 7.
For privacy inquiries, data subject requests, or to report a concern: Info@metriqom.ae. Postal address: registered address of the contracting entity, as applicable.
3. Data We Process
The Platform processes the following categories of data entered by or on behalf of Tenant organisations:
• Account and User Data — name, email, phone, role, organisation, and encrypted credentials (passwords stored as PBKDF2-SHA256 hashes; never stored in plaintext)
• ESG Operational Data — GHG emissions (Scope 1, 2, 3), energy consumption, water and waste records, climate risk assessments, life cycle assessments, environmental impact assessments, green building data, and HSE records
• Workforce Records — employee names, gender, nationality, department, role, work location, and date of joining (for HSE workforce management)
• Supplier and Supply Chain Data — supplier and contractor company names, representative contacts, trade licence numbers, pre-qualification responses, and ESG compliance scores
• Uploaded Evidence Files — documents, images, and attachments uploaded for assessments, audits, and monitoring
• Session and Technical Data — authentication tokens (24 hours for standard users; separate lifetimes for administrative and service tokens), access timestamps, and audit log entries
4. Legal Basis and How We Use This Data
As data processor, we process personal data based on the Tenant’s documented instructions. The lawful bases under GDPR Article 6, UAE PDPL, and equivalent frameworks are determined by the Tenant as data controller, typically including contract performance, legitimate interest, legal obligation, and consent.
We use Platform data exclusively to deliver subscribed services, generate reports and analytics, power AI-assisted features (see Section 5), maintain Platform security and reliability, respond to support requests, and meet legal obligations. Tenant data is not used for advertising, marketing analytics, behavioural profiling, or training third-party AI models.
5. AI-Assisted Features and Data Minimisation
Certain features use external AI services to generate reports, insights, and recommendations — including GHG inventory and pre-feasibility reports, energy efficiency reports, water and waste insights, supply chain ESG analysis, life cycle assessment interpretation, climate risk narratives, and in-platform Q&A assistance.
Data Minimisation Commitment. Only anonymised and aggregated analytical data (metrics, quantities, scores, calculated values) is transmitted to AI service providers. No personal data, employee records, supplier contact information, or directly identifying information is transmitted. Tenant data is not used to train any third-party AI model.
6. Data Storage, Infrastructure, and Tenant Isolation
All Platform data is stored in dedicated, isolated MySQL 8.0 databases — one per Tenant — hosted in private Virtual Private Clouds with no public internet endpoints. All data is encrypted at rest using cloud-provider-managed keys and in transit using TLS. Barz-contracted Tenants are hosted on AWS RDS in the selected AWS region (default: us-west-2). Future Sustain-contracted Tenants are hosted on equivalent Alibaba Cloud infrastructure in the UAE region. Uploaded files are stored on encrypted file system volumes (AWS EFS or Alibaba Cloud equivalent), referenced by system-generated identifiers, and inaccessible without authenticated session credentials.
Each Tenant’s data is logically and cryptographically isolated from all other Tenant environments, with hardware-level isolation enforced through the AWS Nitro System or equivalent infrastructure on Alibaba Cloud. METRIQOm® personnel do not access Tenant ESG data during routine operations. Access for support or incident response occurs only with documented Tenant authorisation or under specifically defined exceptional circumstances, and all such access is logged in immutable audit records.
7. Third-Party Sub-Processors
| Sub-Processor | Legal Entity | Purpose | Data Transmitted |
| Amazon Web Services | Amazon Web Services, Inc. (USA) | Cloud infrastructure (AWS deployment) | Tenant data, encrypted |
| Alibaba Cloud | Alibaba Cloud (Singapore) Pte. Ltd. | Cloud infrastructure (UAE deployment) | Tenant data, encrypted |
| Anthropic | Anthropic, PBC (USA) | AI-generated reports and chatbot | Anonymised analytical data only |
| OpenAI | OpenAI, OpCo, LLC (USA) | AI-assisted reports (fallback | Anonymized analytical data only |
| Meteosource | Meteosource s.r.o. (EU) | Weather and climate data | No personal data |
All sub-processors are bound by written data processing agreements requiring confidentiality, GDPR-compliant terms, and security measures consistent with this Policy. Tenant administrators are notified at least 30 days before any new sub-processor is added or replaced; Tenants may object on reasonable grounds.
8. International Transfers
Where personal data is transferred outside the European Economic Area (e.g., to AWS us-west-2 or US-based AI service providers), transfers are governed by the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914), incorporated by reference into the Data Processing Agreement. For Tenants selecting Alibaba Cloud UAE deployment, personal data remains within the UAE and is subject to the UAE PDPL.
9. Security, Compliance, and Breach Notification
The Platform is architected in alignment with ISO/IEC 27001:2022, the AICPA Trust Services Criteria, GDPR Articles 25 and 32, the UAE PDPL, and the UAE Information Assurance Standards. The underlying AWS and Alibaba Cloud infrastructure providers are independently certified to ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1/2/3, PCI DSS, and equivalent global frameworks; cloud-provider certification documentation is published at aws.amazon.com/compliance and trust.alibabacloud.com.
Technical and organisational measures include PBKDF2-SHA256 password hashing with per-user salt, time-limited authentication tokens, private-VPC infrastructure with no public database endpoints, encryption at rest and in transit, role-based access controls, immutable administrative audit logs, and periodic independent security reviews. In the event of a personal data breach, METRIQOm® will notify affected Tenants without undue delay and in any event within 72 hours of becoming aware of the incident, in accordance with applicable law.
10. Data Retention, Portability, and Deletion
Tenant data is retained for the duration of the active service agreement. Upon termination, Tenants have a 30-day export window to retrieve data in Excel, PDF, or Word formats. After the export window, the Tenant database and associated files are permanently and irreversibly deleted from active systems. Encrypted backups are retained for up to 30 days on a rolling basis. Audit logs are retained for 12 months in immutable, append-only format. Tenants may also export data at any time during the active subscription, and may create time-limited, passcode-protected access links to share specific Platform views with external stakeholders; Tenants are responsible for the data scope of shared views.
11. Tenant Audit Rights and Children’s Data
Enterprise Tenants may exercise audit rights as defined in the Data Processing Agreement, including review of independent third-party assessments and reasonable on-site or remote audits with prior written notice.
The Platform is not intended for children under 16. We do not knowingly process personal data of children. If a Tenant inadvertently submits such data, the Tenant should contact Info@metriqom.ae and the data will be deleted.
12. Your Rights
Depending on jurisdiction, data subjects may have the right to: request access to their personal data; request correction; request deletion; receive a copy in portable format; object to or restrict processing; and lodge a complaint with the relevant supervisory authority (e.g., UAE Data Office, or the relevant EU Member State Data Protection Authority). Because the Platform operates as a data processor, requests should generally be directed to the Tenant (data controller). Where received directly by METRIQOm®, we will forward the request to the Tenant and respond as instructed.
To exercise rights, contact Info@metriqom.ae
13. Updates to This Policy
This Policy may be updated to reflect changes in Platform functionality, regulations, or data practices. Material changes are communicated to Tenant administrators at least 30 days in advance. The current version is always available at app.metriqom.ae. Continued use following an update constitutes acknowledgment of the revised Policy.