Your data, for impact.
This policy explains what XG collects, why, the legal basis for it, how the matching engine (“the Brain”) uses it, and the rights you can exercise at any time. It applies to XG Atlas and the wider XG environmental-intelligence platform operated by XG Energy (“XG”, “we”).
§1 Who we are, and what this covers
XG is an environmental-intelligence platform. We connect the people who face environmental and ESG challenges (“Seekers”) with the regulations that bind them, the vendors who can help, and the moves that matter. This policy covers personal data we process across XG Atlas and XG Hub for our ten stakeholder types: Seekers, Providers, Consultants, Investors, Academics, Implementors, Regulators, Insurers, Communities, and Data Partners.
If you use XG — or your details flow through it because you’re part of a match — this is how we treat your information.
§2 What we collect — every category, named
We don’t hide behind “we collect information to improve our services.” Here is the actual map: each category, the data in it, and what it is used for. (Retention is in §8; legal basis in §4.)
| Category | What’s in it | What it’s for |
|---|---|---|
| Account | Name, work email, password (hashed), organisation | Sign you in; secure your account |
| Organisation | Company name, domain, industry, jurisdiction | Detect your stakeholder type; route the right regulations |
| Challenge data | The company/URL and context you submit to scan | Generate your Strategic Brief; match solutions |
| Brief & edits | Generated briefs, your edits, plans you build | Deliver, improve and learn from matching quality |
| Usage | Scans run, pages viewed, timestamps | Operate the service; security; product analytics |
| Device & log | IP, browser, security events | Security, fraud prevention, debugging |
| Communications | Support messages, feedback | Help you; improve the product |
| Marketing (opt-in) | Email, preferences | Send updates you asked for |
We list exactly what we hold and why — no vague catch-alls. If it’s not here, we don’t collect it.
§3 Why we collect it — impact, not exploitation
Every data point exists to do one job: match you to the regulations, vendors and moves that reduce environmental harm and risk. We charge a platform fee for making that connection. We do not sell your data, and we do not build advertising profiles. The connection is the product — your data is the input, not the inventory.
We make money when we connect the right people to the right environmental solution — not by selling your information to anyone.
§4 Our legal basis — named per use
For business-to-business matching, our basis is legitimate interest (connecting organisations to relevant environmental solutions), balanced against your rights and documented in an internal Legitimate Interest Assessment. For optional marketing, our basis is your consent, which you can withdraw at any time. Where the law requires consent for a specific processing activity, we ask for it separately and specifically.
For the core service we rely on “legitimate interest”; for marketing we only act on a yes you can take back anytime.
§5 The Brain — automated matching, and your right to a human
XG’s matching engine (“the Brain”) performs automated profiling under GDPR Article 22: it classifies your organisation, routes jurisdictions, and ranks regulations and vendors. We disclose the logic — your industry and jurisdiction drive which regulations are retrieved; relevance and applicability drive the ranking; nothing is hidden behind a black box. You can request human review of any automated output, contest it, and get an explanation. No automated decision produces a legal effect on you without that route available.
A computer does the matching. We tell you how, and you can always ask a person to check or overturn it.
§6 Your rights — because Impactors respect autonomy
You can, at any time and free of charge:
- Know what we hold about you and get a copy (access & portability).
- Correct anything wrong (rectification).
- Delete your data (erasure), subject to legal retention duties.
- Object to processing based on legitimate interest, and opt out of automated decisions.
- Withdraw consent for marketing with one click.
- Complain to your data protection authority (e.g. the ICO, your EU DPA, or the California Privacy Protection Agency).
It’s your data. See it, fix it, take it, or tell us to delete it — and we won’t treat you worse for asking.
§7 We don’t sell your data — and here’s what “sharing” means
We do not sell personal data. Under California’s CPRA, “sharing” is broader than “selling” — and connecting one stakeholder to another could be read that way. So we say it plainly: we share your details with another party only to make a match you are seeking, and you can opt out. To exercise a “Do Not Sell or Share My Personal Information” request, email privacy@xge.ai — and we honour it globally, not just in California.
We never sell you. We only pass your details to someone when it’s the match you came for — and you can switch that off.
§8 How long we keep it
We keep each category only as long as it serves its purpose, then delete or anonymise it. As a guide: account data for the life of your account plus 12 months; challenge and brief data for up to 24 months; security and access logs for up to 12 months; marketing data until you opt out. We review these periods regularly and shorten them wherever we can.
We don’t hoard. Each type of data has an expiry, and when it’s done its job it goes.
§9 Where your data lives, and when it travels
XG’s data is hosted with our cloud infrastructure providers (Supabase and Vercel). Where data moves across borders, we rely on appropriate safeguards (e.g. Standard Contractual Clauses, the UK addendum, and equivalent mechanisms) so your protections travel with it.
If your data crosses a border, the legal protections come with it.
§10 How we protect it
Encryption in transit and at rest, role-based access, row-level security, audited admin access, and an incident process with breach notification within the legally required window (72 hours under GDPR). No system is perfectly secure, but security is treated as foundational — XG is built to help run the energy sector, and we hold ourselves to that standard.
We lock your data down with real controls, and if something ever goes wrong we tell the right people fast.
§11 When this policy changes
If we make a material change, we’ll tell you before it takes effect and update the date at the top. We won’t quietly weaken your rights.
If the rules change in a way that matters, you’ll hear it from us first — not discover it later.
§12 Talk to a human
Questions, requests, or a rights claim? Email our privacy team at privacy@xge.ai and a person will respond. This policy is governed by the laws of the jurisdiction in which XG Energy is established, and you can also complain to your local data protection authority.
A real person answers privacy questions here — not a void.