SUST
Privacy Policy
How SUST processes personal data on the website, in lead generation campaigns and on the SUST ESG platform.
Last updated: 3 July 2026
Important notice
This Privacy Policy is a base model prepared to provide transparency about how SUST processes personal data. The document is subject to later legal review and may be updated. This notice does not limit the rights of data subjects under the General Data Protection Regulation (GDPR) and other applicable laws.
1. Controller
The controller of personal data is SUST Sustainability & Technology, based in Paços de Ferreira, Portugal.
For any privacy or data protection question, you can contact us through:
- Email: info@sust.pt
- Website: https://sust.pt
2. Scope of this policy
This policy applies to personal data processing carried out in the context of:
- use of the institutional website
sust.pt; - contact, ESG diagnostic or demo requests;
- lead generation campaigns and forms, including LinkedIn Lead Gen Forms;
- account creation and use of the
esg.sust.ptplatform; - use of SUST ESG platform features, including questionnaires, evidence, reports, operational audit logs and controlled information sharing;
- technical cookies and similar technologies used to provide the website and platform.
3. Personal data we may collect
The data collected depends on the channel used and on the relationship maintained with SUST.
3.1 Commercial contacts and demo requests
We may collect name, professional email address, company, role, phone number, country, submitted message, contact source and information related to the request.
When contact is made through third-party platforms such as LinkedIn, the data received corresponds to the fields completed or made available in the relevant form.
3.2 Institutional website
We may collect technical data necessary for the operation and security of the website, such as IP address, technical identifiers, device type, browser, access date and time, and pages viewed.
3.3 SUST ESG platform
In the context of the platform, we may process account data, professional identification, associated organisation, permissions, access logs, actions performed, ESG questionnaire answers, comments, evidence, submitted documents and information required for support, security, audit and traceability.
Customer organisations are responsible for ensuring that any personal data entered into the platform has an appropriate legal basis and is relevant for sustainability, reporting, evidence and ESG management purposes.
4. Purposes and legal bases
We process personal data for the following purposes:
| Purpose | Possible legal basis |
|---|---|
| Responding to contact, ESG diagnostic or demo requests | Pre-contractual measures or legitimate interests |
| Communicating about ESG products, services and content in a B2B context | Legitimate interests or consent, depending on the channel |
| Creating, managing and protecting user accounts | Contract performance or legitimate interests |
| Providing the SUST ESG platform and its features | Contract performance |
| Organising questionnaires, evidence, reports and audit records | Contract performance, legitimate interests or legal obligation applicable to the customer organisation |
| Ensuring security, abuse prevention, technical diagnostics and traceability | Legitimate interests |
| Complying with legal, tax, accounting or regulatory obligations | Legal obligation |
Where processing depends on consent, the data subject may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
5. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, unless the law requires or permits a longer period.
As a reference:
- lead and commercial contact data may be retained while there is a potential commercial relationship or until the data subject objects;
- account and platform usage data is retained while the account or contract is active and for the period required for contractual performance, audit, security and legal obligations;
- technical and security logs are retained for periods proportionate to security, diagnostic and traceability needs;
- data associated with legal obligations may be retained for the applicable statutory periods.
6. Recipients and processors
We may use service providers acting as processors, only to the extent necessary to provide, maintain and protect our services. These may include categories such as:
- cloud hosting and technical infrastructure providers;
- email, communications and support services;
- commercial management or CRM tools, if adopted in the future;
- security, technical monitoring and maintenance providers;
- professional advisers where needed for legal, accounting, tax or technical support.
We do not sell personal data. Sharing data with third parties only occurs when necessary, authorised, contractually governed or required by law.
7. International transfers
Whenever personal data is processed outside the European Economic Area, we will adopt appropriate protection mechanisms, such as European Commission adequacy decisions, standard contractual clauses or other safeguards provided under the GDPR.
8. Cookies and similar technologies
The SUST institutional website currently does not use Google Analytics, Google Tag Manager or equivalent behavioural analytics tools identified in the website code.
We may use strictly necessary cookies or similar technologies to:
- provide essential features;
- maintain technical preferences;
- improve security;
- ensure the correct operation of the website and platform.
If we activate analytics, advertising or other non-essential cookies in the future, this policy will be updated and, where required, an appropriate consent mechanism will be made available.
9. Data subject rights
Under the GDPR, the data subject may exercise the following rights where applicable:
- access to personal data;
- rectification of incomplete or inaccurate data;
- erasure of data;
- restriction of processing;
- data portability;
- objection to processing;
- withdrawal of consent, where processing is based on consent;
- objection to commercial communications.
To exercise these rights, contact us at info@sust.pt. We may request additional information to confirm the identity of the requester before responding.
10. Complaints
The data subject has the right to lodge a complaint with the competent supervisory authority.
In Portugal, the supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD):
11. Security
We adopt technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration, improper disclosure or destruction.
No system is completely risk-free. If you suspect misuse, unauthorised access or a security incident related to our services, contact us at info@sust.pt.
12. Changes to this policy
We may update this Privacy Policy to reflect legal, technical, operational or commercial changes. The version published on this page indicates the date of the last update.
Relevant changes may be communicated through appropriate means, including a notice on the website, on the platform or by direct contact where applicable.
13. Privacy contact
For any question about this Privacy Policy or about SUST's processing of personal data, contact: