Privacy Policy — METRIQOm Platform

Effective Date: April 2026
Applies to: METRIQOm ESG Intelligence Platform (the “Platform”)

This Privacy Policy applies to organizations and users who access the METRIQOm Platform and is separate from the privacy policy governing our marketing website. It explains what data we process, how it is stored and protected, which third-party processors we engage, and the rights available to you.

  1. Who We Are

METRIQOm operates as a Software-as-a-Service (SaaS) platform providing ESG data management, reporting, and intelligence capabilities. Each client organization (“Tenant”) operates within a fully isolated environment. METRIQOm acts as a data processor on behalf of Tenant organizations, who remain the data controllers for the information they input into the Platform.

  2. Data We Collect and Process

The Platform processes the following categories of data entered by or on behalf of Tenant organizations:

Account and User Data

Full name, email address, phone number
Job title, role, and organization affiliation
Encrypted credentials (passwords stored as PBKDF2-SHA256 hashes — plaintext passwords are never stored)

ESG Operational Data

Greenhouse gas (GHG) emissions records — Scope 1, 2, and 3 — including fuel types, quantities, emission factors, and calculated CO₂e values
Energy consumption data — site-level records, baseline data, energy uses, tariffs, and conservation measures
Water intake and discharge volumes, footprint breakdown (blue/green/grey water), and quality parameters
Waste records — waste streams, disposal methods, material flows, and production units
Climate risk assessments — physical and transition risks, scenario analyses, and financial exposure estimates
Life Cycle Assessment (LCA) data — material inputs, energy, water, transport, and waste across defined system boundaries
Environmental Impact Assessment (EIA) and Environmental Impact Monitoring (EIM) records
Green building assessment data — certification schemes, energy performance, and compliance records
Health, Safety and Environment (HSE) data — incident records, hazard registers, compliance checklists, and safety audits

Workforce Records

Employee names, gender, nationality, department, job title, employment type, work location, and date of joining (as entered for HSE workforce management)

Supplier and Supply Chain Data

Supplier and contractor company names, representative names, email addresses, phone numbers
Trade license numbers and issuing authorities
Pre-qualification questionnaire responses and ESG compliance scoring data

Uploaded Evidence Files

Documents, images, and attachments uploaded as evidence for assessments, audits, and monitoring records
Files are stored with system-generated unique identifiers and are not publicly accessible

Session and Technical Data

Authentication tokens (valid for 24 hours, bound to your organization’s environment)
Access timestamps and audit log entries

  3. How We Use This Data

We use the data entered into the Platform exclusively to:

Deliver the services and modules you have subscribed to
Generate reports, calculations, and analytics within your organization’s environment
Power AI-assisted features (see Section 6)
Maintain platform security, performance, and operational reliability
Respond to support requests
Fulfil legal or regulatory obligations

We do not use your data for advertising, profiling outside of Platform functionality, or any purpose beyond service delivery.

  4. Data Storage and Infrastructure

Databases
All Platform data is stored in dedicated, isolated MySQL 8.0 databases — one per Tenant organization. Databases are hosted on AWS RDS (Amazon Relational Database Service) in a private Virtual Private Cloud (VPC) with no public internet endpoints. All data is encrypted at rest using AWS-managed encryption keys.

File Storage
Uploaded evidence files are stored on AWS Elastic File System (EFS) volumes, encrypted at rest. Files are referenced by system-generated identifiers and are not accessible without authenticated session credentials.

Data in Transit
All data transmitted between your browser and the Platform is encrypted using TLS (Transport Layer Security).

Geographic Location
Primary infrastructure is hosted in the AWS us-west-2 (Oregon) region.

  5. Tenant Isolation

Each client organization’s data is completely isolated from all other Tenant environments. Isolation is enforced at the hardware level using the AWS Nitro System, which ensures that no Tenant can access, read, or interfere with another Tenant’s data under any circumstances. METRIQOm platform staff do not have access to Tenant ESG data during normal operations — administrative access is restricted to infrastructure-level functions and is subject to immutable audit logging.

  6. AI-Assisted Features and Data Minimization

Certain features within the Platform use external AI services to generate reports, insights, and recommendations. These include:

GHG inventory and pre-feasibility reports
Energy efficiency and ISO 50001 reports
Water footprint and waste management insights
Supply chain ESG analysis
Life Cycle Assessment interpretation
Climate risk narrative generation
In-platform Q&A assistance

Data Minimization Commitment: When AI-assisted features are used, only anonymized and aggregated analytical data (metrics, quantities, scores, calculated values) is transmitted to AI service providers. No personal data, employee records, supplier contact information, or directly identifying information is ever transmitted to AI services.

  7. Third-Party Sub-Processors

METRIQOm engages the following third-party processors in the delivery of Platform services:

| Sub-Processor | Purpose | Data Transmitted |
|---|---|---|
| Anthropic (USA) | AI-generated reports, insights, and chatbot | Anonymized analytical data only |
| OpenAI (USA) | AI-assisted reports and analysis (fallback) | Anonymized analytical data only |
| Meteosource (EU) | Weather and climate data for risk modeling | No personal data |

All sub-processors are bound by data processing agreements and are required to maintain confidentiality and appropriate security standards. No personal data is transferred to sub-processors.

  8. Data Retention and Deletion

Active Service: Your data is retained for the duration of your active service agreement with METRIQOm.
Post-Termination: Upon termination of your agreement, a 30-day data export window is provided during which you may retrieve your data in structured formats (Excel, PDF, Word).
Permanent Deletion: At the close of the export window, your Tenant database and all associated files are permanently and irreversibly deleted. No residual copies are retained in active systems.
Audit Logs: Platform administrative audit logs are retained for 12 months in an immutable, append-only format for security and compliance purposes.

  9. Data Portability and Export

You may export your data at any time during your active subscription. The Platform supports export in the following formats:

Excel (.xlsx) — structured data records for all modules
Word (.docx) — generated reports (GHG, energy, water, waste, climate, HSE, LCA, and more)
PDF — formatted versions of generated reports

Time-limited, passcode-protected access links may be created to share specific platform views with external stakeholders (e.g., auditors or regulators). These links do not expose personal data.

  10. Security Measures

We implement the following technical and organizational measures to protect your data:

All passwords are hashed using PBKDF2-SHA256 with a unique per-user salt — plaintext passwords are never stored or recoverable
Session tokens expire automatically (24 hours for standard users)
Platform infrastructure operates within a private VPC with no publicly accessible database endpoints
All data is encrypted at rest and in transit
Role-based access controls restrict what each user can view and modify within their organization
Immutable administrative audit logs capture all access and configuration events
In the event of a confirmed data breach, we are committed to notifying affected Tenants within 72 hours of becoming aware of the incident

  11. Your Rights

Depending on your jurisdiction, you or your organization may have the right to:

Request access to the personal data we hold about you
Request correction of inaccurate or incomplete information
Request deletion of your personal data
Request a copy of your data in a portable format
Object to or restrict certain types of processing

To exercise any of these rights, please contact us using the details below. We will respond within a reasonable timeframe and in accordance with applicable law.

  12. Contact Us

For privacy-related inquiries, data requests, or to report a concern:

General Inquiries: info@metriqom.ae
Support & Data Requests: support@metriqom.ae

  13. Updates to This Policy

This Privacy Policy may be updated to reflect changes in Platform functionality, applicable regulations, or our data practices. Material changes will be communicated to Tenant administrators. Continued use of the Platform following an update constitutes acknowledgment of the revised policy.