Assent & Website Privacy Policy

• Interact with or use our websites (e.g., browsing pages, downloading resources, or requesting a demo)
• Register for or attend one of our events, webinars, or conferences (collectively, “Events”)
• Use our web-based products or services such as the Supplier Portal, Assent Sustainability Manager, and Assent Sustainability Platform, including trials (collectively, “Assent Services”), which may involve completing assessments or responding to questionnaires on behalf of your organization 

Who This Policy Applies To 

Assent collects personal data directly from you and, in some cases, from third parties such as our customers, your employer, service providers, or publicly available sources. When we receive personal data from third parties, we handle it in line with this Policy.

The table below summarizes the types of personal data we may collect, the purposes for which we use it, and—where Assent acts as a data controller—the lawful bases we rely on under GDPR. The examples listed are illustrative and may vary depending on how you interact with Assent.

*Note: The lawful bases listed above reflect Assent’s understanding of the applicable processing purposes in our capacity as either a controller or a processor, and are provided for transparency only. Where Assent acts as a processor, our Customers act as the controller of your personal data and determine the applicable lawful basis for processing. In these cases, Assent processes personal data only on our Customers’ documented instructions. Please contact your organization directly for details on their lawful bases and how they exercise controller responsibilities. The information in this chart should not be relied upon as legal advice or as a definitive statement of legal obligations under any specific privacy law.

Employment-Related Data

For current and previous employees, job applicants, and third parties to employment relationships (references, etc.), please contact our Privacy Office at privacy@assent.com for information applicable to our handling of your personal data. 

Website Data Practices 

This section explains how we handle personal data in connection with your use of our website, including the use of cookies, voluntary submissions, third-party links, and children’s data.

Personal Data Collected via Cookies

Assent’s websites use cookies and similar technologies – including third-party cookies – to operate securely, understand visitor behavior, and improve your experience. Some cookies are essential for the site to function, while others (such as analytics or embedded media) are optional and require your consent where legally required.

You can manage optional cookies at any time using our cookie settings tool below. U.S. visitors may also use the “Do Not Sell or Share My Personal Data” link to opt out of certain uses. For details on cookie use and California-specific rights, please see our California Privacy Notice.

Cookie Settings

Third-Party Links

For your convenience, our website may include links to third-party sites or services. These sites are governed by their own privacy policies, which we encourage you to review before providing personal data. Assent does not control the privacy practices of these third parties, but we welcome feedback if you encounter issues with linked content (for example, if a link is broken).

Children

The Assent website is intended for a general audience and does not knowingly collect personal data from anyone under the age of 18.

Third-Party Disclosures & Subprocessors

Assent discloses personal data in limited circumstances, in compliance with applicable privacy laws and subject to appropriate safeguards:

• To fulfill a legal obligation or respond to lawful requests from public authorities
• To enforce our terms of service, investigate suspected violations, detect or prevent fraud, or protect the rights, safety, or property of Assent, our users, or the public
• With vetted subprocessors who support Assent Services, websites, Events, and other business operations, including: 
  • Hosting and infrastructure providers (e.g., cloud storage, data centers).
  • Analytics and monitoring providers (e.g., performance monitoring, product usage analytics).
  • Identity and access management providers.
  • User support and ticketing platforms.
  • Communication and webinar platforms.
  • AI/automation providers supporting analytics, data enrichment, and support triage.

All subprocessors operate under written agreements that include data protection obligations consistent with applicable laws. These parties act under Assent’s instructions and may only process personal data for specified purposes.

For international data transfers, Assent uses Standard Contractual Clauses (SCCs) and, where required, conducts Transfer Impact Assessments (TIAs) and implements supplementary measures such as encryption, access controls, and data minimization to better protect your personal data.

Requesting a Current Subprocessor List 

To request a current list of subprocessors applicable to your interaction with Assent, please contact our Privacy Office at privacy@assent.com. To help us respond efficiently, please specify one or more of the following:

• Your name, contact information, or account identifier; 
• The Assent Service(s) or platform component you are using (e.g., Supplier Portal, Assent Sustainability Manager, or Assent Sustainability Platform);
• The type of interaction you had with us (e.g., website visit, webinar attendance, resource download, or event registration); or
• The data subject category that best describes your role (e.g., Website Visitor, Declaration Signor, SUPO-User, etc.), as listed in the “Who This Policy Applies To” section above.

Providing this context allows us to share a subprocessors list that is tailored to the specific services or activities relevant to your relationship with Assent. 

For a listing of Subprocessors applicable to Assent’s processing activities under our Data Processing Addendum (DPA) with papered customers, please click here.

Protecting Your Personal Data

The security of the personal data in Assent’s custody is ensured through the use of advanced technology and practices. We regularly review our security procedures to ensure this high level of protection is continuously maintained. We have implemented state-of-the-art administrative, technical, and physical safeguards in an effort to protect against unauthorized access, use, modification, and disclosure of personal data in our custody and control. To learn more about current practices and policies regarding security and confidentiality, see our Security Practices.

Personal Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes outlined in this policy or as required by applicable law. Assent follows internal data retention schedules to ensure data is reviewed, archived, or deleted in a timely manner.

Use of AI & Automated Decision-Making

We do not use automated decision-making or AI systems to make legal or significant decisions about individuals. Any AI-based features used in our Services are for analytics or product enhancement purposes only and are not used to evaluate individuals or make determinations that could significantly affect them. Should this change, we will update this policy and employ appropriate notice and consent mechanisms. Any AI-driven features used in Assent’s services are reviewed and monitored by human operators to ensure accuracy, fairness, and appropriate use. 

GDPR Compliance

Assent is committed to complying with the EU’s General Data Protection Regulation (GDPR) wherever it applies. When processing personal data subject to the GDPR, Assent does so lawfully, fairly, and transparently, in accordance with our contractual obligations and applicable legal requirements. We limit data collection to what is necessary, implement appropriate safeguards, and respect individuals’ rights under the GDPR.

EU & UK Representative Information

For individuals located in the European Union (EU), European Economic Area (EEA), United Kingdom (UK), or Switzerland, Assent Inc. has appointed DataRep as its local data protection representative, as required under the GDPR, the UK GDPR, and Switzerland’s Federal Act on Data Protection (revFADP).

If Assent processes your personal data in one of these jurisdictions, you may exercise your rights under applicable data protection laws by contacting DataRep using one of the following methods:

• Email: assent@datarep.com 
• Online form: www.datarep.com/assent 
• Mail: Send your inquiry to DataRep at the address listed for your location (list available at the link above). Please be sure to address your letter to “DataRep” and not “Assent Inc.” to ensure proper delivery.

For more information about your data protection rights you may also contact your national data protection authority. 

Your Rights 

Depending on your location, you may have the following rights under applicable data protection laws:

• Access – to request confirmation of whether we process your personal data and to obtain a copy.
• Correction (Rectification) – to request correction of inaccurate or incomplete personal data.
• Deletion (Erasure) – to request deletion of your personal data, subject to certain legal or contractual exceptions.
• Objection – to object to processing of your personal data where we rely on legitimate interests as the lawful basis. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests (including your data protection rights), or the processing is required for legal claims.
• Restriction – to request that we limit how we process your personal data in certain circumstances.
• Portability – to request your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another organization where technically feasible.
• Withdrawal of Consent – where we rely on consent, to withdraw it at any time without affecting the lawfulness of processing before withdrawal.
• Appeal – in certain jurisdictions (such as Quebec and some U.S. states), to appeal our response to your rights request.
• De-Indexing or Anonymization – in certain jurisdictions (such as Quebec), to request de-indexing or anonymization of your personal data.

To exercise these rights, please contact us at privacy@assent.com. We may ask for information necessary to verify your identity before responding, to protect your privacy and the security of your data.

We will respond to your request within the timeframes required by law (typically within one month under GDPR and Canadian law or 45 days under US law, with possible extensions where permitted). Please note that these rights are not absolute and may be restricted in certain circumstances — for example, where fulfilling the request would adversely affect the rights and freedoms of others, conflict with legal obligations, or where the request is manifestly unfounded, repetitive, or excessive. In such cases, we will explain the reason for denial or limitation and may charge a reasonable fee if permitted by law.

If your request relates to personal data that Assent processes on behalf of a customer (in our role as processor), we will redirect your request to that customer, who acts as the controller and is responsible for responding.

Additional rights may apply to residents of specific jurisdictions, such as California, which are described in the California Privacy Notice below.

California Privacy Notice 

The California Consumer Privacy Act (CCPA) provides certain legal rights for California residents. This section generally describes these rights and how you may exercise them in connection with Assent’s personal data practices.

Under the CCPA, some sharing of personal data for marketing and advertising purposes may be considered a “sale” of that data. This may apply in two contexts at Assent, namely when you visit our website or interact with our marketing team in another way.  

Cookie-Based “Sales” of Personal Data

Cookies are small text files placed on your device that enable us and our partners to recognize your browser and collect data as you navigate our website. This helps us: 

• Measure and improve website performance 
• Personalize your experience 
• Deliver more relevant ads 

We may “sell” the following categories of personal data through our site’s use of cookies:

• Identifiers such as IP address and unique cookie identifiers
• Behavioral information such as browsing and search history, and your interactions with our site and advertisements 

These cookies may be placed by third-party partners, including advertising networks, analytics providers, and social media platforms, who may use this data to build profiles of your interests and display targeted ads across the internet. 

You have the right to opt out of any sale or share of your personal data. You can opt out of cookie-based sales by adjusting your browser settings or by clicking “Do Not Sell or Share My Personal Information” on our site to manage your choices.  

Other “Sales” of Personal Data 

If you have signed up to receive promotional messages from Assent or attended one of our Events, your business email address may also be shared with partners such as 6Sense or Google Ads in order to display our ads to you across the internet. 

You have the right to opt out of any sale or share of your personal data. You can opt out of all non-cookie based sales by emailing our Privacy Office at privacy@assent.com.  

Your Rights Under California Law

In addition to your right to opt out of sales/shares of your personal data, all California residents also hold the right to: 

• Request to Know: You may request the specific pieces or categories of personal data we have collected about you in the past 12 months, the sources from which we collected it, the purposes for collecting it, and the identities of any third parties with whom we’ve shared it. 

• Request Deletion: You may request that we delete any personal data we have collected about you, subject to certain exceptions. 

• Request Correction: You have the right to request that we correct any inaccurate personal data we maintain about you. 

We will not discriminate against you for exercising your rights. To exercise any of the rights listed above, please contact us at privacy@assent.com. 

In order to protect your privacy, we will need to verify your identity before processing an access, deletion, or correction request. This may require you to provide additional information, which will only be used for the verification process.  

Authorized Agent

You may designate an authorized individual to make requests on your behalf. To do so, please provide written permission for the agent and verify your identity by contacting us at privacy@assent.com.

Changes

Assent’s Website & Privacy Policy is updated as necessary to reflect Assent activities that may entail collection and use of personal data, as well as the measures developed to protect it. We post updates to this page and encourage you to review regularly to stay informed.

Addressing Questions & Feedback

Assent is committed to handling privacy-related inquiries in a timely, transparent, and accountable manner. We have appointed a Data Protection Officer (DPO) to oversee compliance with the GDPR and other applicable privacy laws, including those in Canada, the United Kingdom, the United States, and the EEA.

If you wish to exercise your rights or raise a privacy concern, please contact us using the details below. See the “Your Rights” section above for a summary of the rights you may exercise under applicable laws.

If you are not satisfied with our response, you also have the right to raise concerns with your local data protection authority. Assent is subject to the oversight of several regulators, including:

• The Federal Trade Commission (FTC) in the United States
• The Office of the Privacy Commissioner of Canada
• European and UK data protection authorities
• Other supervisory authorities in jurisdictions where we operate

Contact Details

• Email: privacy@assent.com
• Postal Mail:  Assent Inc., Attn: Data Protection Officer, 525 Coventry Road, Ottawa, ON, K1K 2C5, Canada

We make every effort to respond promptly and fully to all privacy inquiries.