Effective Date: 17 March 2026
Last Updated: 17 March 2026
This Privacy Policy explains how Vellum ESG Pty Ltd (“Vellum,” “Company,” “we,” “us,” or “our”), located at Level 36, 1 Macquarie Place, Sydney NSW 2000, Australia, collects, uses, discloses, and safeguards your personal information when you use the VellumESG platform and associated services (collectively, “Services”).
The Services include the ESG Ranking Engine, AI-Powered Pre-population (RAG pipeline), Report Generation, Community Portal, Impact Valuation tools, real-time Firestore tracking, and all related features.
This Privacy Policy is incorporated into and forms part of our End User License Agreement (EULA). By checking the box and clicking “I Agree and Continue” during onboarding, or by accessing or continuing to use the Services, you acknowledge that you have read, understood, and consent to the practices described in this Privacy Policy. If you do not agree, you must not use the Services.
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (as amended 2024–2026), the Notifiable Data Breaches scheme, and the General Data Protection Regulation (GDPR) where applicable.
1. Information We Collect
We collect the following categories of information:
a. Business and Account Information
Organisation details (name, ABN/ACN, address)
Authorised user details (email, phone)
Account credentials and company switcher preferences
Payment and billing information (processed via Stripe)
b. ESG Performance and Report Data
Questionnaire responses and assessment data
KPI calculations, normalised scores, and peer benchmarking results
Uploaded source documents (stored in private GCS buckets)
Generated reports (PDF/HTML) and rich-text editor content
Impact Valuation and SDG-aligned metrics
c. AI Processing Data
Document chunks, embeddings (768-dimensional vectors), and hybrid retrieval results
Inference outputs (pre-population suggestions) produced by Gemini 2.5 Flash Lite or later versions
d. Platform Usage and Real-Time Data
Feature usage, report generation history, and seat assignment activity
Firestore job progress (AI pre-population progress bars)
Community Portal publishing activity
e. Technical and Security Information
Device identifiers, IP address, user agent
Access timestamps, Cloud Run logs, and authentication events
Signed URLs generated for private GCS access
We collect personal information primarily directly from you, but may also receive it from authorised third-party integrations or your designated Data Owner.
2. How We Use Your Information
We use your information for the following purposes (all permitted by law):
a. Core Service Delivery
Provide ESG ranking, AI pre-population (via Vertex AI), report generation, and Impact Valuation
Enable real-time collaboration and progress tracking
Manage multi-tenancy, seats, and Data Owner visibility controls
b. Platform Operations and Security
Authenticate users
Generate and validate signed URLs for private GCS documents
Maintain audit logs and Row-Level Security enforcement
c. Service Improvement
Analyse anonymised and aggregated data for benchmarking and insights
Improve the RAG pipeline and AI methodologies
d. Communication and Support
Send service notifications and support responses
We do not use your information for unrelated secondary purposes without your consent unless required or permitted by law.
3. Automated Decision-Making
The AI-Powered Pre-population and KPI scoring involve automated processing. These outputs are assistive only. You may request human review of any automated decision by contacting support.
4. Data Owner & Visibility Controls
The designated Data Owner within your organisation (a role restricted to Editor and Admin users within the Vellum Platform) has sole control over data visibility in reports. Viewers (internal or external) receive access only as granted by the Data Owner and must comply with privacy obligations. You remain responsible for ensuring appropriate consents and handling of any shared personal information.
5. Data Sharing and Disclosure
We may share personal information only in the following limited circumstances, under strict confidentiality:
With authorised users and the Data Owner within your organisation.
With service providers (hosting, payment processors, Vertex AI) bound by data processing agreements.
For legal and regulatory compliance (including mandatory climate disclosures).
In the event of a business transition (merger, acquisition, or asset sale) — we will notify you in advance where required by law.
We never sell personal information.
6. International Data Transfers
Your data may be processed in the United States (us-central1 region) and other jurisdictions. All transfers comply with Australian privacy laws and are protected by:
Standard contractual clauses
Binding corporate rules (where applicable)
Regular security and privacy assessments
7. Data Retention and Security
We retain personal information only as long as necessary to fulfil the purposes outlined in this Policy or as required by law. We implement:
Encryption at rest and in transit
Role-based access control and Row-Level Security
Signed URLs with short expiry for private GCS files
Regular security assessments and staff training
8. User Rights and Controls
You have the right to:
Access, correct, or delete your personal information
Withdraw consent (subject to legal obligations)
Export your data
Request human review of automated decisions
Manage notification preferences
To exercise these rights, contact our privacy team (details below). We respond within 30 days.
9. Children’s Privacy
The Services are intended for users aged 18 and over. We do not knowingly collect data from children under 18. If we discover such data, we will delete it immediately.
10. Cookies and Tracking Technologies
We use essential cookies for functionality and security. You can manage preferences via your browser settings.
11. Updates and Modifications
We may update this Privacy Policy. Material changes will be notified via the Services or email. Continued use constitutes acceptance. Historical versions are available on request.
12. Business Transitions
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. Any successor will be bound by this Privacy Policy.
13. Contact Information and Complaints
Vellum ESG Pty Ltd
Level 36, 1 Macquarie Place, Sydney NSW 2000, Australia
Email: hello@vellum.com.au