Privacy Policy
Last updated: 21 June 2026
This Privacy Policy explains how Esteem (“we”, “us”, or “our”) collects, uses, shares, and protects personal data when you communicate with us, visit our websites at esteem.team and app.esteem.team, or use the Esteem platform and related services (together, the “Services”).
We care about your privacy and about protecting the personal data we handle. This Policy describes what personal data we process, why and on what legal basis we process it, who we share it with, how long we keep it, the measures we take to protect it, and the rights you have. It is incorporated into our Terms of Service (https://esteem.team/legal/terms).
By using the Services, you confirm that you have read and understood this Policy. If you do not agree with it, please do not use the Services.
1. Who this Policy is for
The information in this Policy is intended for:
- visitors to our websites;
- prospective customers and the employees or representatives of prospective customers (for example, people who request a demo or contact us);
- Authorised Users of the Services;
- the clients and contacts of our customers, where their data is processed in connection with our customers’ use of the Services; and
- people who apply for a job with us.
This Policy describes the personal data for which Esteem is the controller — that is, where we determine the purposes and means of processing. Where we process personal data on behalf of our customers (for example, the data our customers and their Authorised Users put into the Services about their own clients, deals, projects, and finances), we act as a processor, and that processing is governed by our Data Processing Agreement (https://esteem.team/legal/dpa), not by this Policy.
2. Definitions
“Applicable Law” means all data-protection and privacy laws that apply to the processing, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, the EU General Data Protection Regulation (“EU GDPR”), and, where relevant, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), together with related guidance from supervisory authorities.
“Controller” means the organisation that decides the purposes and means of processing personal data.
“Data Subject” means the living individual whose personal data is processed.
“Personal Data” (or “personal information”) means any information relating to an identified or identifiable individual.
“Processing” means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
“Processor” means the organisation that processes personal data on behalf of a controller.
“Services” has the meaning given above and in our Terms of Service.
The definitions apply whether or not the term is capitalised.
3. Our role as controller
We are the controller of the personal data described in this Policy. As controller we are responsible for deciding the purpose of the processing (“the why”) and the means of the processing (“the how” — what methods we use, what personal data we process, and for how long we keep it).
We provide a growth and operating platform for service businesses. We need to process personal data in order to create and manage Accounts, to provide and support the Services, to communicate with you, to handle demo requests and enquiries, to process payments, to keep the Services secure, and to comply with our legal obligations. We may also process personal data from usage of the Services to operate, secure, and improve them, and to send product updates and information.
4. Personal data we collect
We collect personal data in several ways: when you provide it to us, when your employer or our customer provides it, automatically through your use of the Services, and from certain third parties.
4.1 Information you provide to us
- Demo and contact requests. When you submit our contact or “book a demo” form, we collect your full name, work email address, company name, team size, and the contents of your message.
- Account and profile data. When you or your organisation create an Account, we collect your name, email address, job title, organisation, and account credentials, and any profile details you provide.
- Billing data. If you purchase a paid plan, we (or our payment processor) collect billing contact details, billing address, tax identifiers, and limited payment information. We do not store full card numbers; card payments are handled by our payment processor.
- Support and correspondence. When you contact support or otherwise communicate with us (for example, by email), we collect the information in those communications and records of the correspondence.
- Job applications. If you apply for a role with us, we collect the information in your application, such as your CV, contact details, and work history.
4.2 Information collected automatically
When you use the Services, we (and our service providers) may automatically collect:
- Device and technical data, such as IP address, browser type and version, operating system, device identifiers, language, and time zone.
- Usage data, such as the pages and features you view, the actions you take, dates and times of access, and referring and exit pages.
- Log data, such as server logs, error reports, and diagnostic data.
- Cookies and similar technologies, as described in our Cookie Policy (https://esteem.team/legal/cookies). We do not run advertising or analytics tracking cookies on our marketing website.
4.3 Information from third parties
We may receive personal data from: your employer or the customer organisation that authorises you to use the Services; our subprocessors and service providers (for example, hosting and security logs); and integrations that you choose to connect to the Services.
We do not process special categories of personal data (such as data revealing health, ethnicity, or political opinions) for our own purposes, and we ask that you do not submit such data through our contact forms.
5. How we use personal data
We process personal data for the following purposes:
- to provide, operate, maintain, and support the Services and your Account;
- to respond to demo requests, enquiries, and support requests, and to communicate with you about them;
- to process transactions, send invoices, and collect payment;
- to administer, personalise, and improve the Services, and to develop new features;
- to monitor, secure, and protect the Services, prevent fraud and abuse, and ensure the integrity and availability of the Services;
- to send service and administrative communications, such as security alerts, changes to our terms, and important notices;
- to send product updates, newsletters, and marketing communications where permitted, from which you can opt out at any time;
- to understand how the Services are used and to generate aggregated, de-identified statistics;
- to comply with our legal obligations, respond to lawful requests, and establish, exercise, or defend legal claims; and
- to evaluate job applications and manage recruitment.
We do not sell your personal data, and we do not use Customer Data submitted into the Services to train or improve any generative-AI models.
6. Legal bases for processing
Where the UK GDPR or EU GDPR applies, we rely on one or more of the following legal bases:
- Performance of a contract — to provide the Services, administer your Account, and take steps at your request before entering into a contract (for example, handling a demo request).
- Legitimate interests — to operate, secure, and improve the Services, to communicate with business contacts, to prevent fraud and abuse, and for direct marketing to existing business customers. Where we rely on legitimate interests, we balance those interests against your rights and freedoms; you may object as described in Section 9.
- Consent — where required, for example for certain marketing communications or non-essential cookies. You may withdraw consent at any time, without affecting processing that has already taken place.
- Legal obligation — to comply with applicable laws, such as tax, accounting, and reporting obligations and lawful requests from authorities.
Where we ask for your consent, we provide information about the processing at the time we request it.
7. Esteem AI and personal data
The Services include AI features (“Esteem AI”) that may process personal data contained in content you provide (for example, a call transcript) to generate output for you. Where these features rely on third-party AI providers, we share the minimum data necessary to deliver the feature, and we contractually require those providers not to use the data to train or improve their models. Our AI subprocessors are listed at https://esteem.team/legal/subprocessors.
8. How we share personal data
We do not sell personal data, and we do not share it with just anyone. We may share personal data with the following categories of recipients:
- Service providers and subprocessors that help us operate the Services — for example, cloud hosting, content delivery and security, business email, payment processing, and AI providers. These providers process personal data on our behalf under written contracts that require appropriate safeguards. Our current subprocessors are listed at https://esteem.team/legal/subprocessors.
- Professional advisers, such as lawyers, auditors, and accountants, where necessary for our legitimate interests or legal obligations.
- Authorities and other parties where we are required to do so by law, court order, or lawful request, or where necessary to establish, exercise, or defend legal claims, or to protect the rights, property, or safety of Esteem, our customers, or others.
- Successors in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to appropriate confidentiality protections.
We have entered into data-processing agreements with our processors that set out how they may process personal data and the security measures required.
9. Your rights
Subject to Applicable Law, you have the following rights in relation to your personal data. We always strive to let you exercise your rights as efficiently as possible.
- Right of access — to obtain confirmation of whether we process your personal data and to receive a copy of it.
- Right to rectification — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure — to have your personal data deleted where it is no longer necessary, where you withdraw consent, or where you object and there is no overriding ground for processing. Where we are required to keep information by law or contract, we will retain only what is necessary for that purpose.
- Right to restriction — to ask us to limit our processing in certain circumstances, for example while we consider another request from you.
- Right to object — to object to processing based on our legitimate interests, and to object at any time to processing for direct marketing, in which case we will stop using your personal data for that purpose.
- Right to data portability — to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
- Right to withdraw consent — where we rely on consent, to withdraw it at any time (this does not affect prior processing).
How to exercise your rights
To exercise any of these rights, contact us at privacy@esteem.team. We may need to verify your identity before responding. We will respond within the time required by Applicable Law (generally within one month under the UK/EU GDPR, which may be extended for complex requests). There is normally no charge, but we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.
If your personal data is processed by us as a processor on behalf of one of our customers, please direct your request to that customer; we will assist them as required.
10. International transfers
We use service providers located in various countries, including outside the UK and the European Economic Area (EEA). Where we transfer personal data outside the UK or EEA to a country that has not been recognised as providing an adequate level of protection, we put in place appropriate safeguards, such as:
- an adequacy decision or adequacy regulations recognising the destination country; or
- the European Commission’s Standard Contractual Clauses (SCCs) and/or the UK’s International Data Transfer Agreement or Addendum; together with
- supplementary technical and organisational measures where necessary.
You may contact us at privacy@esteem.team to request more information about these safeguards or a copy of the relevant transfer mechanism.
11. Data retention
We keep personal data only for as long as necessary for the purposes for which it was collected, after which we delete or anonymise it. The retention period depends on the type of data and the basis for processing:
- Demo and contact-request data is kept for as long as needed to handle your request and any resulting relationship, after which it is deleted or anonymised.
- Account data is kept for the duration of the Account and for a reasonable period afterwards.
- Billing and transaction records are kept for as long as required to comply with tax, accounting, and legal obligations (typically up to seven years).
- Support correspondence and logs are kept for as long as needed for support, security, and dispute-resolution purposes.
We regularly review the personal data we hold and delete or anonymise data that is no longer needed. Where we are required by law to retain certain data, we will retain it only for the period and purpose required.
12. Security
We take appropriate technical and organisational measures to protect personal data against loss, misuse, and unauthorised access, disclosure, alteration, or destruction. These measures include:
Organisational measures
- internal policies, procedures, and access governance;
- confidentiality obligations for personnel;
- secure credential and access management; and
- staff awareness and training on privacy and security.
Technical measures
- encryption of data in transit using TLS, and encryption of data at rest;
- access controls, role-based permissions, and the principle of least privilege;
- multi-factor authentication for administrative access;
- a hardened, monitored network with security headers and protections against common web threats;
- logging and traceability of access to systems; and
- regular security reviews, patching, and vulnerability management.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We will notify the relevant supervisory authority and, where required, affected individuals of a personal-data breach in accordance with Applicable Law (under the UK/EU GDPR, generally within 72 hours of becoming aware of a notifiable breach).
13. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie Policy (https://esteem.team/legal/cookies). Our marketing website uses only strictly necessary cookies and does not run advertising or analytics tracking cookies. The Esteem application uses cookies that are necessary for authentication and security. You can manage cookies through your browser settings and, where applicable, our consent controls.
14. California privacy rights
If you are a California resident, the CCPA/CPRA gives you additional rights regarding your personal information.
Categories and purposes
In the preceding 12 months we may have collected the categories of personal information described in Section 4 (such as identifiers, contact and professional information, commercial information, and internet activity information), for the business and commercial purposes described in Section 5, and from the sources described in Section 4. We may disclose these categories to the categories of recipients described in Section 8.
Your California rights
- Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties to whom we disclose it.
- Right to delete personal information we have collected, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding 12 months.
- Right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes that require an opt-out.
- Right to non-discrimination for exercising your rights.
To exercise these rights, contact us at privacy@esteem.team. We will verify your request as required, and you may use an authorised agent. We will acknowledge and respond within the timeframes required by the CCPA/CPRA.
15. Children
The Services are intended for businesses and are not directed at children. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.
16. Complaints
If you believe we have not processed your personal data in accordance with Applicable Law, please contact us first at privacy@esteem.team so we can try to resolve the matter. You also have the right to lodge a complaint with a supervisory authority:
- In the UK, the Information Commissioner’s Office (ICO) — https://ico.org.uk.
- In the EEA, your local data-protection authority. A list is available at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
17. Changes to this Policy
We may update this Policy from time to time. The “last updated” date at the top shows when it was last revised. Where a change materially affects your rights or how we use your personal data, we will provide notice (for example, by email or through the Services) before it takes effect. Your continued use of the Services after a change takes effect constitutes acceptance of the updated Policy.
18. Contact us
If you have any questions about this Policy or about how we process your personal data, or if you wish to exercise your rights, please contact us:
Esteem
Privacy enquiries: privacy@esteem.team
General enquiries: stasy@esteem.team
We have not appointed a Data Protection Officer; privacy matters are handled by our team at privacy@esteem.team.
This Privacy Policy was last updated on 21 June 2026.