CleanIndex Privacy Policy
Last updated: 21 November 2025
CleanIndex respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you interact with our sustainability ratings platform, website (www.cleanindex.com), client portal, or any related services (collectively, the “Services”).
We are the data controller for personal data processed in connection with the use of our Services (except where we act as a data processor on behalf of our customers – see section 7).
1. Who we are
CleanIndex is part of Diogenes B.V., registered in the Netherlands under number 98287354 with its registered office in Amsterdam.
Data Protection Officer (DPO): dpo@cleanindex.com
2. What personal data we collect and why
| Category of data | Examples | Legal basis (GDPR Art. 6) | Purpose |
| --- | --- | --- | --- |
| Account & contact data | Name, job title, business email, phone, company, department | Contract (performance of our services agreement) or Legitimate interests (business relationship management) | Create and manage your CleanIndex account, provide access to the platform, communicate about your assessment |
| Assessment-related data | Responses to questionnaires, evidence documents containing names, roles, signatures of employees/suppliers | Legitimate interests (providing sustainability ratings) or Contract (with the requesting customer) | Conduct sustainability assessments and generate ratings/reports |
| Communication data | Emails, meeting notes, support tickets | Legitimate interests (customer support & service improvement) | Respond to inquiries, provide support |
| Technical & usage data | IP address, browser type, device info, cookies, log files, pages visited | Consent (for non-essential cookies) or Legitimate interests (security & service improvement) | Ensure security, improve the platform, analytics |
| Supplier/employee data processed on behalf of our customers | Names, contact details, roles of your suppliers’ or your own employees contained in uploaded evidence | We act as processor – processing governed by Data Processing Agreement (Art. 28 GDPR) | Enable our customer (the controller) to complete their sustainability assessment |
3. How we collect personal data
– Directly from you (account registration, questionnaire responses, uploads)
– From our customers (when they invite you to complete an assessment)
– Automatically via cookies and similar technologies (see our Cookie Policy)
– From publicly available sources (e.g., corporate websites, registries) only when strictly necessary and proportionate
4. Who we share your personal data with
– Our customer (the company that requested your sustainability assessment) – they receive the final report and evidence
– Authorized subprocessors (IT providers, cloud hosting, analytics)
– Professional advisors (lawyers, auditors)
– Competent authorities when legally obliged (e.g., law enforcement, courts)
– In the context of a merger, acquisition, or sale of assets (with notice where required)
All subprocessors are bound by GDPR-compliant Data Processing Agreements.
5. International data transfers
CleanIndex operates globally. We transfer personal data outside the EEA only when:
– The country is subject to an EU adequacy decision (e.g., UK, Canada (commercial organizations), Japan), or
– We have implemented appropriate safeguards: EU Standard Contractual Clauses (SCCs) + Transfer Impact Assessment where required, or Binding Corporate Rules.
Our main subprocessors primarily process data inside the EEA.
6. Data retention
– Account data: for the duration of the contractual relationship + 5 years (statutory limitation)
– Assessment data and evidence: maximum 10 years after the last assessment (business need & audit requirements)
– Technical logs: maximum 12 months
– When we act as processor: according to the controller’s (our customer’s) instructions
After these periods, data is securely deleted or anonymized.
7. When CleanIndex acts as data processor
When a rated company or supplier submits evidence containing personal data through our platform at the request of our customer, our customer is the data controller and CleanIndex acts only as data processor. In such cases, please refer to the privacy policy of the requesting customer.
8. Your rights under GDPR
You have the right to:
– Access your personal data
– Rectify inaccurate data
– Erase your data (“right to be forgotten”) – subject to legal obligations
– Restrict processing
– Data portability
– Object to processing based on legitimate interests
– Withdraw consent (where applicable)
– Lodge a complaint with a supervisory authority (in particular in your EU country of residence)
To exercise your rights, contact us at privacy@cleanindex.com or our DPO. We will respond within one month (extendable in complex cases).
9. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or alteration.
10. Cookies and tracking technologies
Please see our separate Cookie Policy for detailed information and your consent management options.
11. Children
Our Services are not directed to individuals under 16. We do not knowingly collect personal data from children.
12. Changes to this Privacy Policy
We may update this policy from time to time. Material changes will be notified via email or a prominent notice on our platform.
13. Contact us
CleanIndex
Email: privacy@cleanindex.com
DPO: dpo@cleanindex.com