CYAAG places great importance on the security of your personal data and only partners with vendors that adhere to the strictest security and data protection standards.

CYAAG has implemented technical and organizational security measures to ensure the security of your personal data. Information is stored on secure networks and access is restricted to only those employees and partners who are entitled to access our systems.

This policy (the “Data Protection and Privacy Policy”) explains which personal data concerning you we collect when you visit our website (the “Website”), when and why we collect the personal data, how we use them, the conditions of our disclosure to third parties, as well as how we secure the stored personal data.

Please read the Data Protection and Privacy Policy thoroughly in order to understand how we process your personal data.

The Data Controller

If you have any questions or concerns about CYAAG’s personal data practices or your privacy rights, you may contact us at

Executive Summary

As a global organization, CYAAG complies with data protection legislation and guidelines in all countries where it has locations. CYAAG has therefore chosen to work only with IT vendors who participate in and have certified compliance with the EU–U.S. Privacy Shield Framework and are committed to subjecting all personal data received from EU member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles, or have taken other measures to comply with GDPR as mentioned below, under chapter VII. To learn more about the Privacy Shield Framework, you may visit the U.S. Department of Commerce’s Privacy Shield List.

CYAAG also complies with the EU ePrivacy Directive, including the requirement for website operators to obtain users’ consent prior to creating Cookies. 

How We Collect and Use Your Personal Data

CYAAG collects personally identifiable information in the following ways:

Member and Client Data

When a company or individual joins as a member of CYAAG or subscribes to our CYAAG mailing list, we collect the following contact data:

  • First and last name

  • Company (for clients)

  • Email address

  • Phone number

  • Area of interest (e.g. sustainability, climate etc.)

  • Town/city/state

  • Country

All personal data collected will only be used to process your membership application and send you product information and occasional special offers or announcements from selected CYAAG partners. Data collected from questionnaires from subscribers or individuals will be shared with accepted third parties to convey interest and opinion. We do not sell personal data to anyone and only share it with third parties who are facilitating the delivery of CYAAG services.

We rely on fulfilment of contract as the lawful basis under GDPR Article 6(1)(b) for the processing of member and client data.

Human Resources Data

CYAAG is always looking for new employees, and we are always pleased to receive solicited job applications. If you wish to apply for a position with us, please apply directly through our website. Email resume attachments will not be considered.

When you submit your application for employment with CYAAG, we process your personal data in accordance with applicable personal data regulations. This implies that:

  • Your personal data will be treated confidentially

  • We only use your personal data for recruitment purposes

  • We do not disclose your personal data, except for the data processors we use in our recruitment procedure.

CYAAG has ensured that applicants have expressly authorized personal information to be transmitted to CYAAG for position consideration. Access to this personal data is restricted to relevant employees within CYAAG only.

CYAAG stores employee details and performance data with security-cleared data processors, which are assisting us with these HR services. Your personal data are stored on secure servers in the United States.

Any personal data received from you with your application will only be used for the purpose of processing your application and will not be disclosed, except to CYAAG’s security-cleared data processors in connection with the recruitment procedure.

We rely on fulfillment of contract to which the applicant is party or in order to take steps at the request of the applicant prior to entering into a contract as the lawful basis under GDPR Article 6(1)(b) for the processing of Human Resources Data.

Events and CYAAG Conference Data

Individuals within companies provide their corporate information to register for an event. During Conference and event registration, where information is voluntarily provided during event signup, we collect the following information from you:

  • First and last name

  • Job title

  • Company

  • Work e-mail address

  • Phone number

  • Area of interest (e.g. sustainability, climate etc.)

  • Town/city/state

  • Country

CYAAG events may be photographed and/or video/audio recorded for the purpose of reflecting the events in CYAAG publications and on the CYAAG website. We focus our efforts solely on the keynote speakers and other voluntary participants from the audience, as well as the audience as a whole.

We rely on legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of Events and CYAAG Conference Data.

Website Visitors’ Data

In general, website visitors do not need to provide personalized information to CYAAG. We do collect "aggregate data," that is, group data with no personal identifiers. We use this aggregate data to help us understand how the site is being used and to improve its usability. We also use it to enhance the quality and availability of products and services we offer.

We also, with explicit permission, use aggregate data from online surveys you choose to fill out for research and publication purposes.

If personal data is provided, and retained, it is only name, business contact email, and business contact phone number, which allow CYAAG to contact the visitor at his or her organization. CYAAG solely holds the information and engages in no contact-sharing program with other organizations.

Many websites create Cookies (small text files) when a user visits a website, and these Cookies are used to analyze aggregate user behavior on a website. In compliance with the EU ePrivacy Directive, CYAAG websites ask permission of the visitor prior to setting Cookies. Should the visitor agree, CYAAG’s server will only collect the following information:

  • The visitor’s IP address (including the domain name associated with the IP address, i.e. using reverse look-up).

  • The date and time of the visit to the website.

  • The pages visited on the website.

  • The browser being used.

In addition, where this is available, CYAAG will also collect:

  • The country from which the visitor is accessing the website (only the ending is saved, e.g., de, since this indicates the relevant country).

  • The language of the browser being used.

  • The website from which the visitor is accessing the CYAAG website.

  • The search word used (if the site is accessed via a search engine).

  • The type of connection and operating system.

We only use this data to improve the visitor’s website experience. Please review our Cookie Policy to learn more about how we use Cookies.

When it comes to Cookies, we rely on consent given as the lawful basis under GDPR Article 6(1)(a).


When you send an inquiry to us through our contact form, we use the personal data that you have stated in the contact form to answer you. Any personal data received from you will not be used for any other purpose without your prior consent and knowledge and will not be disclosed.

We rely on a legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of data in connection to inquiries.


In order to ensure that the services we offer meet your requirements, we may ask for your feedback in form of surveys and polls. Any feedback received from you will only be used for the purpose of improving our services and will not be disclosed.

We rely on your consent as the lawful basis under GDPR Article 6(1)(a) for the processing of data in connection with surveys.


If we contact you to perform stakeholder interviews, any personal data received from you will not be used for any other purpose without your prior consent.


CYAAG’s use of ecommerce is limited to registration for a limited number of events each year. Individuals within companies provide their corporate information to register for an event. We use the data collected in order to process billing and orders for products/services you choose to purchase on our website.

We rely on fulfillment of contract as the lawful basis under GDPR Article 6(1)(b) for the processing of eCommerce Data.

Personal Data Collected From Third Parties

In some cases, we collect your personal data from third parties:

We receive a limited amount of data via lead generation programs. Contacts can change email preferences at any time and opt-out by following the links included in CYAAG emails for this purpose.

Payment Information

When you purchase services from us, we request you to state your payment card details (name on card, billing address [street address/city/state/country], card type [e.g. Visa], card number, expiration date, security code). We are using a secure third party to manage transactions and ecommerce payment processing.

Your payment information will be stored as long as the third party is entitled or obliged to store it pursuant to legislation. Read more about this directly with the third party.

Duration of Storage

We will store your personal data until these are no longer necessary for us to process. In certain situations, it may be difficult to envisage an exact period, but the below paragraphs list our periods for the processing of your personal data.

Member and Client Data

  • We store member company data and contact information of member companies for the duration of the membership with us and for a period of time thereafter to allow members to recover accounts if they decide to renew, to analyze the data for our own operations, and for historical and archiving purposes associated with our history as a membership organization. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact our data protection officer at admin@CYAAG.COM

  • Client data, i.e. data collected due to your subscription to our mailing list, will be erased as soon as possible after your deregistration from the mailing list.


Human Resources

  • If you submit an application to us, your consent is required to store your application data longer than six months after receipt. The application will be stored in order for you to be taken into consideration for any future positions that have any relevance for your profile.


Events and CYAAG Conference Data

  • As a main rule, information about participation in events and the CYAAG Conference is deleted as soon as possible after the Conference or event is over, unless CYAAG has legitimate and exceptional reasons to store the data for a longer period.



  • Stored until six months after completion of processing of your inquiry.



  • Stored up to five years after receipt. To the extent possible, we will store your feedback in an anonymous form, and we have a long duration of storage in order to measure our own performance over time.

In general, if we have reason to store your personal data as part of the protection of our legitimate interests, including, for example, legal disputes, we reserve our right to store your personal data for an extended period and, at a minimum, until the legal dispute has been determined.

Transfer of Your Personal Data

We do not rent or sell personally identifiable information to other individuals or organizations.

However, we may transfer your personal data to third parties when it is necessary in order to provide you with our service. Third parties shall mean:

  • Undertakings in the CYAAG Group

  • Business partners

  • Security-cleared data processors/subcontractors, who are assisting us or the group with IT or other services

When we transfer your personal data to business partners, you should be aware that they might have stored personal data concerning you collected by other means, e.g. if you have been in contact with them in another context.

We also transfer your personal data to the above or other third parties if we are obliged to do so according to legislation or in order to protect our or the group’s interests in legal disputes.

For EU Citizens

File Storage and Security

CYAAG partners with a security-cleared data processor to store files and data on secure servers. This data processor has self-certified under the EU-U.S. Privacy Shield Framework and thereby guarantees an appropriate standard of data protection and operates to an appropriate standard of data security.

All data is accessed via secure connections in the United States.

In spite of our efforts to establish a secure environment for the website, you should be aware that no information is completely secure on the internet. Therefore, you should always take the necessary safeguards on your own equipment.

Your Rights

You have the right of access to the personal data we are processing concerning you, as well as to have your personal data updated, rectified, or erased, or to obtain a copy of your personal data. All requests shall be made in writing to

Transfer of Personal Data to Third Countries

CYAAG partners with various IT vendors, and from time to time this will result in a transfer of personal data to a third country or international organization.

In order to ensure a sufficient level of security for such transfer in accordance with the GDPR, CYAAG has chosen to work only with vendors that:

  • have certified compliance with the EU-U.S. Privacy Shield Framework, or

  • have entered into Standard Contractual Clauses with CYAAG.

A copy of the Standard Contractual Clauses can be obtained by contacting email—


If you want to lodge a complaint over our processing of your personal data, please contact us directly. If we cannot help you, you can lodge a complaint with the national Data Protection Authority.



We recognize that data protection and privacy is an ongoing responsibility, so we reserve our right to make changes to this Data Protection and Privacy Policy from time to time as we undertake new personal data practices or adopt new privacy policies, etc. If such changes are substantial, we will notify you via email, provided that we have your email address.

Cookie Policy

General Information

We use Cookies and other tracking mechanisms (collectively “Cookies”) on the platform in order to improve our services, for targeting of advertisements, and to better understand and improve our communications efforts.

On your first visit to the website, you will be asked to accept that we place one or more Cookies on your device. Your continued use of the platform constitutes acceptance hereof. You can delete Cookies by following the instructions near the bottom of this page.


What are Cookies?

A Cookie is a small text file that is stored on your computer. Cookies allow us to:

  • Recognize you when you visit the platform for the purpose of giving you a more personal experience.

  • Observe your habits on the website. The better we understand which products you are interested in, the better our ability to tailor solutions to meet your requirements.

  • Obtain information about the number of visitors and their behavior.

  • Improve the performance of our websites.

  • Determine interest in the topics and services we provide.

  • Measure the effectiveness of our communications.


Our Types of Cookies

Strictly Necessary Cookies

These Cookies are required in order for the website to work properly. If you do not allow these Cookies, some parts of the website may not work properly, such as logging in, submitting forms, and other standard website behavior. The only way to disable these Cookies is via your browser.

Cookie Name: exp_csrf_token

Purpose: If you log in to our website, this is a security Cookie used to identify the user and prevent Cross Site Request Forgery attacks.

Storage Period: Session (expires after quitting your browser)

Cookie Name: exp_last_activity

Purpose: Records the time of the last page load. Used in conjunction with the exp_last_visit Cookie.

Storage Period: One year

Cookie Name: exp_last_visit

Purpose: Date of the user’s last visit. Can be shown as a statistic for logged in visitors.

Storage Period: One year

Cookie Name: exp_remember

Purpose: Determines whether a user is automatically logged in upon visiting the website.

Storage Period: Session (expires after quitting your browser)

Cookie Name: PHPSESSID

Purpose: PHP's session cookie.

Storage Period: Session (expires after quitting your browser)

Functionality Cookies

These Cookies help personalize content and functionality, including remembering changes a user has made to parts of the website that they can customize, for example. These Cookies are optional and simply make the website more user friendly and add functionality without requiring registration.

Cookie Name: exp_tracker

Purpose: Contains the last five pages viewed, encrypted for security. This is used for form or website error messages that can return you to the previous page.

Storage Period: Session (expires after quitting your browser)

Performance Cookies

These Cookies allow us to measure how visitors use our website, which pages are popular, and what our traffic sources are. This helps us improve how our websites work and make it easier for all visitors to find what they are looking for. Some of this information is aggregated and anonymous and cannot be used to identify you, and some of these Cookies will contain a unique identifier to track "click-through" activity. The information we use through click-through activity helps us determine interest in specific sustainability topics or BSR services and to measure the effectiveness of our communications.

We also use these types of Cookies to save your information if you fill out a form, such as when you register for an event. This is more of a convenience feature so that you don’t have to fill in your information again the next time you submit a form.

Cookie Name: _ga, _gat, _gid

Purpose: Website metrics reporting by Google Analytics.

Storage Period: Two years

Cookie Name: pi_opt_in

Purpose: Tracks whether the visitor opts in or out of Cookie tracking.

Storage Period: Two years

Cookie Name: visitor_

Purpose: Contains a unique identifier.

Storage Period: Ten years


Remarketing Services

From time to time, our website may use a remarketing advertising service. We use remarketing services provided by Google, Twitter, and LinkedIn to show our ads on websites across the internet. With remarketing, you may see ads for our products, services, or events based on your past activity, such as visiting our websites or clicking on a marketing email.

Here’s an example of how remarketing works: Suppose you visit a website that sells watches, but you do not buy a watch on your first visit to that website. The website owner might like to encourage you to revisit its website and buy a watch by showing you its ads again on other websites you visit.

We use remarketing for similar purposes, so you may see advertisements for our products, services, or events like the annual SDG Conference as you search the internet. For this to happen, the advertising platform will read a Cookie that is already in your browser, or it will place a Cookie in your browser when you visit one of our websites or other sites using remarketing.

This can only happen if your browser is set to let it happen. You can set preferences for how Google, Twitter, and LinkedIn advertise to you by updating your privacy settings:

And if you would like, you can opt out of interest-based advertising permanently by changing your privacy options in your web browser.


Reject or Delete Cookies

You can disable Cookies in your browser, including by deleting your browser history. See how at

You can always reject Cookies by changing the settings of your browser.

If you choose to block or delete our Cookies, you might not be able to access certain features on the platform, which may affect how the platform works.

Contact Information

In case you have questions about our Privacy Policy, please contact us