1. The Types of Personal Data We Collect About You

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data: Name, or similar identifier.
• Contact Data: Email address, telephone number, billing address, etc.
• Financial Data: Payment information (e.g., debit/credit card details).
• Usage Data: Information about how you use our website, products, and services.
• Authentication data: Username
• Children's Data: Our services are not intended for children under 16 years of age. We do not knowingly collect or process personal data from children under 16. If you become aware that a child has provided us with personal data without appropriate parental consent, please contact us immediately so that we can take appropriate steps.

We collect personal information when you:

• Register for our services
• Express interest in our products
• Participate in activities or contact us directly

2. How Is Your Personal Data Collected?

We collect personal data from the following sources:

• Direct interactions. You may provide us with personal data when you complete forms, communicate with us, or use our services.
• Automated technologies or interactions: We collect technical data about your equipment, browsing actions, and patterns.

Our website uses cookies and similar technologies to enhance your browsing experience. For detailed information about the cookies we use and how you can manage them, please refer to our separate Cookie Policy, which can be found on our website.

3. How We Use Your Personal Data

We process your data based on the following legal basis:

• Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose.
• Performance of a contract with you: Where we need to perform the contract, we are about to enter or have entered with you.
• Vital Interests: To protect your vital interests or those of another person.
• Legal obligations: For compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
• Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided your fundamental rights do not override those interests. When we rely on legitimate interests, we will conduct and document a balancing test to ensure your rights are protected.
• Automated Decision Making and Profiling: We do not currently make decisions about you based solely on automated processing, including profiling, which produces legal or similarly significant effects. Should this change, we will notify you and provide meaningful information about the logic involved, the significance, and the envisaged consequences of such processing for you.
• Data Portability: Where applicable, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance.

We use your personal data for the following purposes:

• To provide, improve, and administer our services.
• To communicate with you about our products and services.
• To process transactions and manage your account.
• To respond to your inquiries and provide support.
• For security and fraud prevention.
• To comply with legal obligations.

4. Disclosures of Your Personal Data

We may share your personal data with trusted third parties, including:

• Service providers: Third-party service providers that help us operate our business (e.g., payment processors, cloud storage).
• Regulatory and legal authorities: If required by law or to protect our rights, we may disclose your data to relevant authorities.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

5. International Transfers

We do not transfer your personal data outside the UK

6. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for legal, regulatory, and reporting requirements. Specific retention periods are based on the type of data and applicable laws. In some cases, we may retain your data for longer in the event of a dispute or potential litigation.

If you wish for us to delete or anonymize your personal data, you may request this by contacting us, and we will comply where feasible.

8. Your Legal Rights

Under data protection laws, you have several rights regarding your personal data, including:

• Access: The right to request a copy of the data we hold about you.
• Correction: The right to correct any inaccuracies in your data.
• Erasure: The right to ask us to delete your data in certain circumstances.
• Object to Processing: The right to object to the processing of your data for specific purposes, including marketing.
• Withdraw Consent: The right to withdraw your consent to data processing at any time.
• Restriction: The right to restrict processing of your data in specific situations.

If you wish to exercise any of the rights set out above, please contact us impact@sustaingrc.com

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

9. Contact Details

Data Protection Contact: For matters specifically related to data protection, you may contact our designated Data Protection contact at the below contacts. This individual is responsible for overseeing compliance with data protection legislation and can address your specific data protection concerns.

• Email: impact@sustaingrc.com or ahmed.Laithy@sustaingrc.com
• Post: SustainGRC™ , 128 City Road, London, UK, EC1V 2NX

10. Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

11. Changes to the Privacy Policy and Your Duty to Inform Us of Changes

We may update this Privacy Notice occasionally to reflect changes in our practices or for other operational, legal, or regulatory reasons.

You are encouraged to regularly review this Privacy Notice to stay informed about how we are protecting your information.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address

12. Third-Party Links

Our website may contain links to third-party sites. These websites have their own privacy policies, and we are not responsible for their content or practices. We encourage you to read their privacy notices before providing any personal data to them.