PRIVACY POLICY


Effective date: December 5, 2025


This Privacy Policy explains how Evercity UG (haftungsbeschränkt) (“Evercity”, “we”, “us”, “our”) collects and processes personal data in connection with:

  • our websites (including evercity.io and any subdomains), and
  • our software-as-a-service platform for structuring, issuing and monitoring climate finance transactions (the “Platform”), including access via auth.evercity.io, carbon.evercity.io and related applications,
  • email and other communication channels used to contact us.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable local data protection laws.


By accessing the Platform or our websites, or by otherwise interacting with us, you acknowledge that you have read and understood this Privacy Policy.


1. Controller and Contact Details

Unless stated otherwise in this Privacy Policy or in a separate agreement, the data controller is:

Evercity UG (haftungsbeschränkt)

Neumannstraße 135

13189 Berlin Germany

Email: privacy@evercity.io


2. Scope of this Privacy Policy

This Privacy Policy applies to the processing of personal data of:

  • visitors to our websites;
  • users of the Platform (including Project Users, Service Providers, Investors and their Team Members, as defined in the Evercity Terms of Service);
  • individuals who communicate with us via email, contact forms, meetings or events;
  • participants in webinars, workshops and other events organised or hosted by Evercity;
  • individuals applying for positions with Evercity.

It does not apply to websites or services of third parties that we do not own or control, even if they are linked from our websites or integrated with the Platform. For those, please review the respective third-party privacy policies.


3. Categories of Personal Data We Process

The personal data we process depends on how you interact with us and the Platform.


3.1 Data collected when you visit our websites (log data)

When you use our websites for purely informational purposes (without logging in or actively providing data), we process the following information that your browser automatically transmits to our servers:

  • IP address of the requesting device;
  • date and time of access;
  • requested URL / page and HTTP status code;
  • amount of data transferred;
  • referrer URL (website from which you visited us);
  • browser type and version, operating system, device type;
  • other technical identifiers required to display the website.

This data is stored in server log files for a limited period.


3.2 Data collected when you register and use the Platform

When a Company Account is created and you use the Platform, we may process:

Account and profile data:

  • first name, last name;
  • business email address;
  • password (stored in hashed form);
  • role, company name, company address and other company details;
  • user type (Project User, Service Provider, Investor, Team Member, etc.).

Usage and technical data:

  • login timestamps, authentication and session identifiers;
  • actions performed on the Platform (e.g. project creation, document uploads, workflow steps);
  • device and browser information, IP address, log files related to Platform usage;
  • configuration of Company Accounts and Team Member permissions.

Project and transaction–related data:

  • contact data of project representatives, investors or other stakeholders uploaded by you;
  • information contained in User Content (see Terms of Service), such as project documentation, contracts, templates, and communications related to Transactions;
  • information related to climate projects, Climate Assets, financing structures and associated contacts, which may occasionally include personal data.

3.3 Communication and support

If you contact us by email, through a contact form, via in-app support or other channels, we process:

  • name, email address and other contact details you provide;
  • content of the message and our correspondence;
  • date and time of communication;
  • technical metadata (e.g. email headers, IP addresses) where needed for security and troubleshooting.

3.4 Marketing, newsletters and events

If you sign up for our newsletter, request marketing information or register for an event/webinar, we may process:

  • name, title, organisation, position;
  • business contact details (email, phone, address);
  • registration and participation details (e.g. which event, time, attendance status);
  • topics of interest, areas of focus, feedback and related interactions;
  • your marketing and communication preferences (e.g. opt-ins / opt-outs).

3.5 Job applicants

  • If you apply for a role at Evercity, we typically process:
  • identification and contact details (name, email, phone, address);
  • CV, cover letter and any documents you submit (including education, work history, qualifications, references);
  • information we generate during the recruitment process (e.g. interview notes, assessment results);
  • correspondence with you and scheduling details.

3.6 Cookies and similar technologies

We use cookies and similar technologies on our websites and the Platform for technical operation, security, analytics and, where applicable, marketing. Further details are provided in Section 6 (Cookies and Analytics).


4. Purposes and Legal Bases of Processing

We process personal data only when we have a valid legal basis under Article 6 GDPR. Depending on the situation, we rely on one or more of the following bases:


4.1 Performance of a contract (Art. 6(1)(b) GDPR)

We process personal data where necessary to:

  • create and manage your Account and Company Account;
  • provide, operate and support the Platform and related services;
  • respond to your requests as a (prospective) customer or partner;
  • perform our obligations under the Evercity Terms of Service and any applicable Client Agreement.

4.2 Legitimate interests (Art. 6(1)(f) GDPR)

We process personal data where necessary for our legitimate interests, provided these are not overridden by your interests or fundamental rights. This includes:

  • ensuring IT security, fraud prevention and abuse detection;
  • maintaining and improving the functionality, performance and usability of the Platform and websites;
  • performing usage analytics to improve features and user experience;
  • maintaining business relationships with customers, partners, investors and prospects;
  • enforcing our rights, defending against legal claims and managing business operations;
  • limited direct B2B marketing, where permitted by law and subject to your right to object.

Where we rely on legitimate interests, we have carefully balanced those interests against your privacy rights.


4.3 Consent (Art. 6(1)(a) GDPR)

In specific cases, we process personal data based on your consent, for example:

  • sending certain types of newsletters or marketing communications to the extent required by law;
  • storing or accessing non-essential cookies and performing analytics/marketing tracking where this is not strictly necessary for the operation of the website or Platform;
  • other processing activities that we clearly present to you as requiring consent.

You may withdraw your consent at any time with effect for the future (see Section 11).


4.4 Legal obligations (Art. 6(1)(c) GDPR)

We may process personal data where necessary to:

  • comply with obligations under commercial, tax, financial, sanctions, anti-money laundering (AML) or other regulations;
  • respond to lawful requests from courts, regulators or law enforcement authorities;
  • maintain required records and documentation.

4.5 Recruitment (Art. 6(1)(b) and (f) GDPR)

For job applicants, processing is primarily based on steps taken at your request prior to entering into an employment or contractor agreement and on our legitimate interest in managing an efficient recruitment process.


5. Data Controller and Data Processor Roles


5.1 Evercity as Data Controller

For most processing activities described in this Privacy Policy, Evercity acts as an independent data controller. This includes, in particular, processing of personal data for:

  • registration and management of user and Company Accounts;
  • provision, operation, security and improvement of the Platform;
  • communication with Users and prospective Users;
  • analytics, product development and marketing (within legal limits);
  • compliance with legal obligations and enforcement or defence of legal claims.

In these cases, Evercity determines the purposes and means of processing and is responsible for compliance with applicable data protection law.


5.2 Evercity as Data Processor

In certain cases, Evercity processes personal data on behalf of business customers (Company Account holders) who use the Platform to manage their own projects, stakeholders and workflows. In such situations, the customer acts as data controller and Evercity acts as data processor.


This may include, for example, when a customer uploads or connects to the Platform:

  • personal data of its employees, contractors or team members;
  • personal data of project stakeholders, beneficiaries, suppliers, offtakers or partners;
  • contact details of investors, buyers or other third parties involved in specific Transactions.

Where Evercity acts as a processor, we:

  • process personal data only for the purposes of providing, operating and supporting the Platform and related services to the customer;
  • act strictly on the customer’s documented instructions (except where otherwise required by law);
  • implement appropriate technical and organisational measures to protect personal data.

Where required by law, these arrangements are further governed by a separate Data Processing Addendum (DPA) between Evercity and the respective customer.


5.3 Responsibilities of Customers as Controllers

Where customers use the Platform in a business capacity as controllers, they are responsible for:

  • determining the purposes and legal bases for collecting and uploading personal data to the Platform;
  • providing appropriate information and notices to data subjects in accordance with the GDPR (e.g. employees, project participants, beneficiaries);
  • ensuring that instructions given to Evercity comply with applicable law;
  • handling data subject requests addressed to them (access, rectification, erasure, etc.).

Evercity does not monitor which personal data customers choose to upload or manage in their Company Accounts and cannot assume responsibility for the lawfulness of such processing by customers.


5.4 Sub-Processors and Service Providers

Where Evercity acts as controller, we may engage third-party service providers (e.g. hosting, email delivery, analytics, CRM, monitoring and security tools) as processors.


Where Evercity acts as processor for a customer, we may engage sub-processors to support the provision of the Platform. In both cases, we:

  • ensure that such providers are bound by contractual data protection obligations;
  • only use providers that offer adequate data protection and security measures;
  • remain responsible for the performance of our processors and sub-processors.

Information on key categories of processors and sub-processors can be provided on request or in the relevant DPA.


6. Cookies and Analytics6.1 What are cookies?

Cookies are small text files stored on your device by your browser when you visit a website. They can be used for various purposes, such as enabling core functionality, saving preferences, providing security features and performing analytics. We may also use similar technologies such as local storage, pixels or tags for comparable purposes.


6.2 Types of cookies we use

We generally distinguish between:

  • Strictly necessary cookies - Required for the operation of our websites and the Platform (e.g. authentication cookies, security tokens, load balancing). These are typically set based on our legitimate interests and/or the performance of a contract.
  • Functional and preference cookies - Used to remember your preferences (e.g. language, region, interface settings). Depending on the jurisdiction, these may be based on legitimate interests or consent.
  • Analytics and performance cookies - Used to understand how our websites and Platform are used, to identify issues and improve functionality (e.g. page views, navigation paths, usage frequencies). We typically rely on your consent for such cookies where required by law.
  • Marketing / tracking cookies (if used) - Used to track usage across websites and tailor marketing campaigns. These are only used with your prior consent, where required.

6.3 Cookie consent and management

Where legally required, we display a cookie banner or consent management tool when you first visit our websites or Platform. This allows you to:

  • accept or reject non-essential cookies;
  • obtain information about each category of cookies;
  • change your preferences at any time.

You can also configure your browser to refuse cookies or to delete existing ones. Please note that blocking cookies may affect the functionality of the websites and the Platform.


7. Recipients of Personal Data

We may share personal data with the following categories of recipients, to the extent necessary for the purposes described in this Policy:

  • Service providers / processors (e.g. hosting providers, infrastructure partners, CRM and email service providers, analytics tools, support and monitoring tools);
  • Professional advisers (e.g. lawyers, tax advisers, auditors), subject to confidentiality obligations;
  • Business partners and counterparties where necessary in the context of Platform usage or Transactions and only where consistent with our Terms of Service and this Policy;
  • Public authorities, regulators, courts and law enforcement agencies where required by law or to protect our rights;
  • Successors in title (e.g. in connection with a merger, acquisition, restructuring, or sale of all or part of our business), subject to appropriate safeguards.

We do not sell personal data in the sense of “data brokering”.


8. International Data Transfers

Our primary infrastructure and many of our service providers are located within the European Economic Area (EEA). However, in some cases, personal data may be transferred to countries outside the EEA, including countries that may not provide the same level of data protection as the EU.


Where such transfers occur, we ensure that appropriate safeguards are in place, such as:

  • an adequacy decision of the European Commission;
  • standard contractual clauses approved by the European Commission;
  • other legally recognised mechanisms, including, where applicable, certification under the EU–U.S. Data Privacy Framework or equivalent frameworks.

You may contact us for more information about international transfers and the safeguards applied.


9. Retention Periods

We store personal data only for as long as necessary to fulfil the purposes for which it was collected, or as long as required or permitted by law. In particular:

  • Account and Platform data: stored for the duration of your Company Account and a reasonable period thereafter (e.g. limitation periods for legal claims), unless a longer retention is required by law.
  • Log data and technical records: stored for a short period (typically up to a few months) for security, troubleshooting and audit purposes, unless a longer retention is necessary in specific cases (e.g. investigation of security incidents).
  • Communication and support records: stored for as long as necessary to answer your requests and, where relevant, for the duration of a business relationship, plus any applicable legal retention periods.
  • Marketing data: stored until you withdraw your consent or object to processing, or until the data is no longer needed for the relevant campaign, plus a short technical period to implement your preferences.
  • Job applicant data: typically stored for the duration of the recruitment process and a limited period afterwards (e.g. up to 6–12 months), unless you consent to a longer retention in our talent pool or a longer period is required by law.

When personal data is no longer required, we will delete it or anonymise it in accordance with our data retention and deletion policies.


10. Data Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. 


These measures include, in particular:

  • access controls and role-based permissions within the Platform;
  • encryption in transit (e.g. TLS) and, where appropriate, at rest;
  • secure development and deployment practices;
  • logging and monitoring of security-relevant events;
  • regular backups and recovery mechanisms;
  • internal policies and training for staff with access to personal data.

No system can be completely secure, but we continuously work to improve our security posture in line with industry standards.


11. Your Rights under the GDPR

Subject to the conditions and limitations set out in the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) - You can request confirmation of whether we process personal data about you and obtain a copy of such data and related information.
  • Right to rectification (Art. 16 GDPR) - You can request that inaccurate or incomplete personal data be corrected.
  • Right to erasure (Art. 17 GDPR) - You can request the deletion of your personal data, for example where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR) - You can request that we restrict processing in certain cases, e.g. while we assess a contested accuracy or a legitimate interest.
  • Right to data portability (Art. 20 GDPR) - Where processing is based on consent or contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used and machine-readable format and transmit it to another controller.
  • Right to object (Art. 21 GDPR) - You may object at any time, on grounds relating to your particular situation, to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
  • You also have an unconditional right to object at any time to processing of your personal data for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3) GDPR) - Where processing is based on your consent, you may withdraw it at any time with effect for the future.

To exercise your rights, please contact us at info@evercity.io or using the contact details in Section 1. We may need to verify your identity before responding.


You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. For Evercity, the competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.


12. Social Media and External Platforms

We may maintain pages or profiles on social media platforms (e.g. LinkedIn, X/Twitter, YouTube or similar) to communicate with users and share information about Evercity. When you visit or interact with our presence on such platforms, the respective platform operator is responsible for processing your data in accordance with its own privacy policy. In some cases, we may be joint controllers with the platform operator in relation to aggregated statistics (“Insights”). In these cases:

  • we receive only aggregated, anonymised statistics from the platform;
  • we do not control the underlying individual data processed by the platform;
  • our use of such statistics is based on our legitimate interest in understanding how our content is used and improving our communication.

For more information on data processing by a given platform, please refer to the respective platform’s privacy policy.


13. Children’s Data

The Platform is intended solely for professional and business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that personal data has been collected from a child under 18 without appropriate authorisation, we will take reasonable steps to delete such data. If you believe that a child has provided us with personal data, please contact us at info@evercity.io.


14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our services or our internal processes.


The most current version will always be available on the Platform and our websites.


We will indicate the effective date at the top of this document.


For significant changes that materially affect your rights or how we process your data, we will take additional steps to inform you (for example, via email or an in-app notification), where appropriate.


If you continue to use the Platform or our websites after changes become effective, you will be deemed to have accepted the updated Privacy Policy. If you do not agree, you should discontinue use and, where applicable, request closure of your Account.


15. How to Contact Us

If you have any questions, concerns or requests relating to this Privacy Policy or to our processing of personal data, you can contact us at info@evercity.io.

© 2025 Evercity UG
Privacy Policy
Terms of Service
Cookie Policy
COMPANY
Services
Contacts
Evercity UG (haftungsbeschränkt)
Neumannstraße 135
13189 Berlin, Germany

info@evercity.io