Introduction
This policy describes:
• How EthiFinance SAS1 and its subsidiaries, clearly identified hereunder, collect, use and disclose your personal information when you interact with us or this website and other sites we operate, and in connection with the services we provide.
• Your rights with respect to your personal information, and how to contact us regarding our privacy practices. If you are a client of EthiFinance, you can also refer to your contract with us for additional information about the information we collect and use.
EthiFinance attaches great importance to the respect for privacy and undertakes to process your data in accordance with the provisions of:
• The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the “GDPR”
• The French Act No. 78-17 of 6 January 1978 as amended relating to data processing
• The Data Protection Act (Bundesdatenschutzgesetz)
• The German Telecommunications and Telemedia Data Protection Act (TelekommunikationTelemedien-Datenschutzgesetz), which define the conditions under which Personal Data may be processed.
Definitions
Cookies are small files that are placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses.
Company (referred to as either “EthiFinance”, “the Company”, “We”, “Us” or “Our” in this policy) refers to EthiFinance SAS, EthiFinance GmbH, Spread Research LTD, and EthiFinance SL. For the purposes of the GDPR (General Data Protection Regulation), the Company is the Data Controller.
Data Controller, for the purposes of the GDPR refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
Personal Data is any information that relates to an identified or identifiable individual. For the purposes for GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. Any information collected on the Websites that directly or indirectly identifies You is considered to be Personal Data and will be processed in accordance with this policy.
Websites refer to the websites managed by EthiFinance, accessible from the following hyperlinks:
https://www.label-fntr.ethifinance.com
https://www.report-for-issuers.ethifinance.com
https://www.esg-ratings.ethifinance.com
https://www.app.esg-ratings.ethifinance.com
https://www.publications.spreadresearch.com
Users (referred to as either “You”, “Your”, “Data Subject” in this policy) means the individual accessing or using the Websites, or the company, or other legal entity on behalf of which such individual is accessing or using the Websites, as applicable.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Privacy Policy
Type of Personal Data Collected
By using our Websites, you provide us with a certain amount of information about yourself, some of which may identify you (“Personal Data”). This is the case for example when you browse our site, or when you fill in online collection forms.
The nature and quality of the Personal Data collected about you may include the following:
• Identification data: This includes all the information that would allow us to identify you, such as your last name, first name, telephone number. We may also collect your e-mail address, as well as your postal address, professional and/or personal.
• Authentication data: This is all the information we need to access your personal account, such as your log or password, log connection, log actions, and other information necessary to authenticate and access an account. We also collect your IP address for maintenance and statistical purposes.
• Browsing information: By browsing and interacting with our Websites, some information is collected as a result.
As a User, you guarantee that the Personal Data you provide is true. You are the only person responsible for any damage or loss, direct or indirect, that could be caused to EthiFinance as responsible for these Websites or third party, if you fill in any form with false information. Please inform us of any changes that may occur in the data that you provided by sending an email to dpo@ethifinance.com.
Use of Personal Data
We collect and process your Personal Data only when we have a valid reason to do so. This can be for either mandatory or optional purposes, depending on the context.
For contractual purposes, we process your data as it is necessary to carry out any process related to the management of our contractual relation. This includes managing our relationship, responding to your requests, and delivering our services.
For mandatory purposes, we also process your data when required to meet legal and regulatory obligations, such as preventing or investigating illegal or prohibited activities, ensuring compliance with our terms of use, or exercising legal rights. In these situations, the processing of your data is essential and not optional.
For other purposes, we rely either on your consent or our legitimate interest. When we process your data based on consent, it means you have explicitly agreed to it. For example, when we use your data for statistical analysis, to respond to contact requests or to send you marketing communications. When we rely on legitimate interest, it’s because we have a reason to use your data that benefits our business and does not override your rights. For instance, to improve your experience on our Websites and with our services.
Disclosure of Personal Data
Your Personal Data use? is solely intended for authorized EthiFinance employees in charge of the management and the execution of the contracts and legal obligations, as well as employees in charge of prospection and marketing operations, within the limits of their respective roles.
Your Personal Data may be transmitted for certain tasks related to that purpose, and within the limits of their respective missions and authorizations, to the following recipients:
• Subsidiaries of EthiFinance.
• Service providers and data processors that we use to carry out a range of operations and tasks on our behalf, including Data hosting centers and commercial partners, only when you have expressly consented to this through a checkbox on our Data collection forms.
• Duly authorized public authorities (judicial, control…), in the framework of our legal and regulatory obligations.
• Regulated professions (lawyers, bailiffs, etc…) who may intervene in the context of the implementation of guarantees, collection, or litigation.
When your data is provided to our service providers and data processors, they are also required not to use the data for purposes other than those originally intended.
EthiFinance expects all its data processors and service providers to implement all necessary technical and organizational measures, on an ongoing basis, to keep your Personal Data secure and to ensure the same high level of protection of Personal Data as that provided by EthiFinance. In addition, Its subcontractors and partners undertake to comply with all applicable legislation and any future new provisions.
In this respect, when the entity concerned is located outside the European Union, or in a country that does not have equivalent regulations within the meaning of the GDPR, EthiFinance will establish its contractual relationship with this entity by requiring compensating mechanisms.
In all cases, only necessary data is provided. We make every effort to ensure secure communication and transmission of your data.
We do not sell your data.
Retention of Personal Data
We retain your Personal Data only for as long as necessary to fulfill the purpose for which we hold the Data and to meet your needs or our legal obligations. Retention times vary depending on several factors, such as:
• EthiFinance business needs
• Contractual requirements
• Legal and regulatory requirements
The retention periods for your Data are as follows:
| PURPOSES | RETENTION PERIODS |
| Customer relation management | Five years from the contract termination |
| Statistical | 6 months |
| Prospecting and marketing | Three years from the last contact |
| Data coming from Cookies | 1 year or session |
| Answer to the request | The time required for the business relationship |
Exercise of Data Protection Rights
EthiFinance has appointed a Data Protection Officer (DPO), who can be contacted at the following e-mail address for any questions relating to the processing of Personal Data: dpo@ethifinance.com or at the following postal address:
EthiFinance SAS
20 Boulevard Eugène Deruelle
69003 Lyon
FRANCE
The regulations provide Data Subjects with the following rights:
• Right to information: the right to have clear, precise and complete information on the use of Personal Data by EthiFinance
• Right of access: the right to obtain a copy of the Personal Data that the Data Controller holds on the applicant
• Right to rectification: the right to have Personal Data rectified if the data is inaccurate or obsolete and/or to complete them if they are incomplete
• Right to erasure / Right to be forgotten: the right, under certain conditions, to have the data erased or deleted, unless EthiFinance has a legitimate interest in keeping it
• Right to opposition: the right to object to the Processing of Personal Data by EthiFinance for reasons related to the particular situation of the applicant (under conditions)
• Right to restriction of processing: the right, under certain conditions, to request that the Processing of Personal Data be temporarily suspended
• Right to data portability: the right to request that Personal Data be transmitted in a reusable format that allows it to be used in another database
• Right to withdraw consent: the right at any time to withdraw Consent where Processing is based on Consent
• Right to define post-mortem directives: the right to define directives relating to your Personal Data (retention, deletion, communication) after your death
Additional rights may be granted by the local regulations to Data Subjects.
EthiFinance is committed to ensure that your rights are managed in accordance with the requirements of the applicable legislations.
When you send us a request to exercise a right, please specify as far as possible the scope of the request, the type of right being exercised, the Personal Data Processing concerned, and any other useful information, to facilitate the examination of your request. In addition, in case of reasonable doubt, we may ask you to prove your identity. You can also make use of the processes and forms to exercise these rights made available by the supervisory authorities.
You also have the right to file a complaint with your local supervisory authority:
In France
Commission Nationale de l’Informatique et des Libertés (« CNIL »)
3 place de Fontenoy
TSA 80175
75334 Paris Cedex 07 FRANCE
In Germany, each federal state has its own supervisory authority, you will find below a hyperlink that will direct you to a list with the contact details and websites of most of the supervisory authorities:
https://www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html
In Spain
Agencia Española de Protección de Datos (“AEPD”)
C/Jorge Juan, 6
28001 Madrid
Regional Data Protection Commissioners exist to supervise personal data processing by regional public authorities and other entities controlled by regional public authorities.
Security of Personal Data
EthiFinance has put in place technical and organizational measures for adequate protection, confidentiality, integrity, resilience and security under the provisions of the applicable legislation, including but not limited to regular monitoring of EthiFinance’ systems to detect and alert on possible vulnerabilities and attacks
EthiFinance will not be responsible for inconsistencies in Personal Data when it is derived from an attack or unauthorized access to the systems in such a way that it is impossible to detect by the security measures implemented or when it is due to a lack of diligence of the user in terms of the guard and custody of their access passwords or their own Personal Data.
Transfer of Personal Data
As of now, EthiFinance confirms, to the best of our knowledge, that no Personal Data is being transferred outside the European Union.
In the event that the data we collect when you use our platform were to be transferred to non-UE countries; for instance, if some of our service providers are located outside the EU, EthiFinance agrees to use its best efforts to reach an adequate level of protection in line with the GDPR.
Transfer of Personal Data to Third Parties
EthiFinance informs the users that their Personal Data will not be transferred to third parties or organizations, with the exception that said transfer of data is covered by a legal obligation or when the provision of the service implies the need for a contractual relationship with service providers responsible for the processing. In the latter case, the transfer of Personal Data to the third party will only take place when EthiFinance has the consent of the user and maintains a contractual relationship with the third-party in charge of the processing that guarantees its confidentiality and compliance.
If EthiFinance is approached by the relevant authorities, it may communicate personal information to respond to legal requirements, criminal investigations of possible illegal activity. In such cases, EthiFinance may communicate to the competent authorities Personal Data such as name and surname, city or province, postal code, telephone number, email address, user history and address IP.
If EthiFinance is transferred, absorbed or merged with another entity, we undertake to agree on the subrogation and commitment of the new managing entity responsible for the processing of Personal Data for the continuation of this privacy policy. Warning of the commitment that if the Personal Data is going to be used contrary to this policy, then the user must be previously notified. In any case, and as a result of the operation, the user will also be transferred so that the user can renew or, if applicable, revoke the consent previously granted.
Tracking of Technologies and Cookies
Please refer to our Cookies Policy for more information https://www.ethifinance.com/fr/cookies-policy/
Third Parties Sites and Social Networks
We may use Web services from third parties on our Websites to present content, e.g., to display videos and social content, to conduct surveys, etc. EthiFinance cannot prevent these Web services from collecting information on your usage of this embedded content and recommend that you review their respective terms May 2025 10 of use and privacy policies. EthiFinance will not be responsible for any information sent to or collected by these third parties.
EthiFinance does not give any guarantee concerning, in particular, the Personal Data protection practices of the indexed websites and may under no circumstances be held liable in the event of a dispute arising between a website indexed on the website and one of the Users, in particular as a result of losses or damage suffered, the operators of the indexed websites being solely responsible for their Personal Data protection practices.
EthiFinance actively works with social networks with the main purpose of publishing and disseminating information about the services provided by EthiFinance, interacting with users and serving as a channel of attention and social interaction. If you access the Websites using an application that connects a social network with this Website, you are authorizing the social network to share some data with EthiFinance.
It is important to know that, if you have geolocated your accounts in social networks, the information of your location will be visible to EthiFinance.
For more information about the method by which data is shared with social networks, we recommend that you check the privacy policies of each social network in question, as well as responsibly configure your profile in social media accounts and email applications to guarantee your privacy and security.
Below we link the privacy policies of social networks where we have an open profile at this time:
• X
Privacy Policy Changes and Contacts
Privacy Policy Changes
EthiFinance reserves the right to modify this privacy policy at any time to comply with any changes in applicable legislation, EthiFinance’s data protection strategy or internal risk exposure. By continuing to use any of our sites, you agree that the terms of the privacy policy as of the effective date will apply to the information collected.
This privacy policy is available in several languages but only the English version is legally binding.
Contact Information
Questions or comments about this privacy policy or our data collection and processing practices can be emailed to dpo@ethifinance.com.
