Pilot Stage Disclaimer
ESG Change Room is currently operating in a proof-of-concept phase.
During this phase, when a brand deems that its data is sensitive, we recommend de-identifying that information prior to upload or use within the platform.
The platform does not require personally identifiable or sensitive data to operate effectively during this stage.
The following policy represents our intended framework for responsible AI use, data security, and privacy management as we move toward full production.
Privacy Policy
Effective Date: 1 November 2025
AI & Data Integrity Policy
How the ESG Change Room uses AI responsibly, securely, and transparently.
1. Introduction
Why We Have This Policy
At the ESG Change Room, we are committed to maintaining the highest standards of data security, privacy, and responsible AI use.
Our infrastructure and processes are designed to protect client information at every stage of our workflow—while ensuring AI is used ethically, transparently, and with human oversight.
Artificial Intelligence (AI) is a powerful tool that can streamline ESG compliance, reduce administrative burden, and free up time for work that makes a measurable difference.
We use AI responsibly and with expert supervision—never as a replacement for human judgment, creativity, or integrity.
We recognise that AI consumes energy and contributes to carbon emissions. However, when applied responsibly, AI can deliver far greater positive impact by accelerating the pace of compliance, reducing wasteful processes, and enabling brands to focus on meaningful ESG outcomes.
Scope of Application
This policy applies to:
• All AI assistants, bots, and tools provided within the ESG Change Room platform.
• All employees, contractors, and members using AI through our systems.
• External partners engaging with our AI tools as part of client services.
It does not cover personal or non-work AI use by our staff or members.
2. Our Commitments
a) Expert-Led and Third-Party Approved
Every AI assistant is trained, tested, and validated by ESG experts.
All tools undergo independent third-party review before release.
We continually monitor tools to ensure accuracy, relevance, and compliance with global standards.
b) Responsible Use
AI is used to reduce repetitive admin and improve efficiency—not to replace human engagement, critical thinking, or empathy.
Outputs are decision-ready drafts that require user review, not final answers.
We avoid unnecessary generation of unused content to minimise digital energy use.
c) Transparency
We are open about where and how AI is used within our platform.
AI involvement in reports, policies, or analyses will be disclosed where material.
We never use AI to mislead, fabricate, or conceal information.
d) Data Security
No confidential client data is entered into AI tools without secure hosting and explicit approval.
Sensitive and personal information is protected by strict data-handling standards.
All AI tools are reviewed for security risks before deployment.
e) Continuous Improvement
We regularly review the environmental impact of AI and adapt our usage as new research emerges.
We commit to ongoing training for our team and members on safe, ethical, and effective AI use.
3. Security & Data Protection
We take the confidentiality and protection of client data seriously. Every layer of the ESG Change Room platform is designed to uphold enterprise-grade standards of information security and privacy.
a) Hosting & Data Storage
Our systems are hosted on a private Hostinger VPS located in the EU region, providing a secure and isolated environment for all client data.
All AI automations (via n8n) operate within this private environment.
Data is securely stored in Supabase, a platform built on SOC 2 Type II and ISO 27001-certified cloud infrastructure.
No data is stored or processed on shared or public automation servers.
b) Encryption
All data transmitted between systems is encrypted using TLS 1.3.
Data at rest—including databases and backups—is encrypted using AES-256 or an equivalent industry-standard algorithm.
Temporary files and logs remain confined within our private environment and are automatically cleared at regular intervals.
c) AI Model Integrations
Where AI models are used (via OpenRouter and OpenAI APIs), all requests are transmitted over HTTPS.
Model inputs and outputs are processed in real time and are not stored for model training or reuse.
OpenRouter may retain minimal metadata (such as timestamps and request size) for up to 30 days for performance and abuse-monitoring purposes.
d) Access Controls
Each end user accesses the system through our website using a unique username and password.
Authentication controls ensure users can only interact with their own bot interface and associated data.
The underlying automation workflows (n8n) are hosted on a private VPS and accessible only to two authorised accounts — the ESG Change Room administrator and the technical developer.
Both accounts are protected by strong passwords and multi-factor authentication.
Each user session triggers an independent n8n workflow execution, ensuring users cannot access another user’s data or session context.
The system is designed to support multiple concurrent sessions securely.
e) Backups & Monitoring
Encrypted backups are performed daily.
System uptime and error-monitoring tools are continuously active to ensure reliability and early issue detection.
f) Incident Response
In the unlikely event of a security incident, we maintain detailed logs and rapid-response procedures aligned with OAIC Notifiable Data Breach requirements.
This includes immediate containment, investigation, and prompt notification to affected clients.
4. Accuracy & Responsible AI Use
a) How Bots Are Built and Tested
Each ESG Change Room bot is custom-engineered by software developers and built on structured, rule-based logic within n8n.
Every bot’s system prompt reflects ESG best practice and is restricted to defined tasks—such as reviewing audits, assessing living wages, or validating sustainability claims.
Before release, bots undergo:
• Internal testing by ESG specialists for factual accuracy and consistency.
• Independent third-party validation by auditors or compliance professionals.
• Continuous refinement based on user feedback.
b) Human-in-the-Loop & Pilot Supervision
All AI outputs are reviewed or overseen by human experts during pilot phases and ongoing use.
Nicole Bennett personally monitors pilot interactions to identify edge cases, adjust prompts, and ensure context-appropriate results.
This combination of automation and expert oversight ensures AI enhances—rather than replaces—professional ESG judgment.
c) Responsible AI Disclaimer
While each ESG bot has been built, tested, and validated for accuracy, all AI-generated content should be reviewed by users before publication or implementation.
As with any AI system, results may vary depending on input quality, scope, and context.
Ongoing human review and expert supervision remain essential to maintain the highest standards of accuracy, compliance, and brand alignment.
5. Data Safety Summary
Our approach aligns with the ISO 27001 Information Security Standard and the Australian OAIC Privacy Principles.
This means:
• All information is encrypted in storage and transit.
• Access is limited, traceable, and monitored.
• Breach response procedures are established and reviewed regularly.
We are committed to never using client data to train AI models or share information with third parties for commercial or analytical purposes.
Every data point processed through the ESG Change Room remains confidential, anonymised where necessary, and under the control of the client.
These measures ensure our platform delivers the benefits of AI—speed, consistency, and clarity—while maintaining trust, privacy, and ethical integrity.
6. Frequently Asked Questions
1. Is my data safe?
Yes. All information transmitted and stored through the ESG Change Room is protected by encryption in transit (TLS 1.3) and at rest (AES-256).
Data is hosted on secure private servers within our Hostinger VPS environment and stored in Supabase databases that meet ISO 27001 and SOC 2 Type II standards.
Each client’s data is isolated in its own workspace, and administrative accounts use multi-factor authentication and role-based permissions.
Systems are monitored continuously, with daily encrypted backups for recovery and resilience.
2. Can other people access my data?
No. Each brand operates within its own workspace. Only authorised ESG Change Room administrators—bound by confidentiality—can access data for maintenance or support.
3. Is my data used to train the bots or AI models?
Never. AI tools do not learn from or retain client information.
All processing happens through encrypted, transient API calls to OpenRouter and OpenAI within our self-hosted n8n environment.
OpenRouter may store minimal metadata (e.g., timestamps, request size) for up to 30 days for performance and abuse monitoring.
4. Where is my data hosted?
Data resides on a private Hostinger VPS (EU region) with structured databases managed by Supabase (SOC 2 / ISO 27001).
This setup complies with Australian OAIC privacy requirements and international best practice.
5. What happens if there is a data breach?
We follow the OAIC Notifiable Data Breach protocol: immediate containment, investigation, and prompt notification to affected clients.
All incidents are logged, reviewed, and used to strengthen future safeguards.
6. Who owns the content and IP created by the bots?
You do. All documents, assessments, and reports generated through your account remain your intellectual property.
The ESG Change Room retains ownership of its underlying tools, templates, and workflows.
7. Can I export or delete my data?
Yes. Clients may request a full export or permanent deletion of their data at any time.
Deletion is verified and logged for audit purposes.
8. Who tests and monitors the accuracy of the bots?
Bots are custom-built by software engineers and validated by independent ESG specialists.
During pilot programs, Nicole Bennett supervises testing and refinement to maintain accuracy and regulatory alignment.
9. Do the bots replace human ESG experts?
No. They support—not replace—professional judgment.
All AI outputs should be reviewed and approved by users before use.
10. What standards guide your security and privacy approach?
Our framework aligns with ISO 27001 (Information Security Management) and the Australian Privacy Principles under the OAIC.
These measures are reviewed regularly to ensure ongoing compliance and resilience.
Contact
For questions or data-related requests, contact: nicole@esgchangeroom.com