SUST

SUST

Privacy Policy

How SUST processes personal data on the website, in lead generation campaigns and on the SUST ESG platform.

Last updated: 3 July 2026

Important notice

This Privacy Policy is a base model prepared to provide transparency about how SUST processes personal data. The document is subject to later legal review and may be updated. This notice does not limit the rights of data subjects under the General Data Protection Regulation (GDPR) and other applicable laws.

1. Controller

The controller of personal data is SUST Sustainability & Technology, based in Paços de Ferreira, Portugal.

For any privacy or data protection question, you can contact us through:

2. Scope of this policy

This policy applies to personal data processing carried out in the context of:

  • use of the institutional website sust.pt;
  • contact, ESG diagnostic or demo requests;
  • lead generation campaigns and forms, including LinkedIn Lead Gen Forms;
  • account creation and use of the esg.sust.pt platform;
  • use of SUST ESG platform features, including questionnaires, evidence, reports, operational audit logs and controlled information sharing;
  • technical cookies and similar technologies used to provide the website and platform.

3. Personal data we may collect

The data collected depends on the channel used and on the relationship maintained with SUST.

3.1 Commercial contacts and demo requests

We may collect name, professional email address, company, role, phone number, country, submitted message, contact source and information related to the request.

When contact is made through third-party platforms such as LinkedIn, the data received corresponds to the fields completed or made available in the relevant form.

3.2 Institutional website

We may collect technical data necessary for the operation and security of the website, such as IP address, technical identifiers, device type, browser, access date and time, and pages viewed.

3.3 SUST ESG platform

In the context of the platform, we may process account data, professional identification, associated organisation, permissions, access logs, actions performed, ESG questionnaire answers, comments, evidence, submitted documents and information required for support, security, audit and traceability.

Customer organisations are responsible for ensuring that any personal data entered into the platform has an appropriate legal basis and is relevant for sustainability, reporting, evidence and ESG management purposes.

4. Purposes and legal bases

We process personal data for the following purposes:

PurposePossible legal basis
Responding to contact, ESG diagnostic or demo requestsPre-contractual measures or legitimate interests
Communicating about ESG products, services and content in a B2B contextLegitimate interests or consent, depending on the channel
Creating, managing and protecting user accountsContract performance or legitimate interests
Providing the SUST ESG platform and its featuresContract performance
Organising questionnaires, evidence, reports and audit recordsContract performance, legitimate interests or legal obligation applicable to the customer organisation
Ensuring security, abuse prevention, technical diagnostics and traceabilityLegitimate interests
Complying with legal, tax, accounting or regulatory obligationsLegal obligation

Where processing depends on consent, the data subject may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

5. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, unless the law requires or permits a longer period.

As a reference:

  • lead and commercial contact data may be retained while there is a potential commercial relationship or until the data subject objects;
  • account and platform usage data is retained while the account or contract is active and for the period required for contractual performance, audit, security and legal obligations;
  • technical and security logs are retained for periods proportionate to security, diagnostic and traceability needs;
  • data associated with legal obligations may be retained for the applicable statutory periods.

6. Recipients and processors

We may use service providers acting as processors, only to the extent necessary to provide, maintain and protect our services. These may include categories such as:

  • cloud hosting and technical infrastructure providers;
  • email, communications and support services;
  • commercial management or CRM tools, if adopted in the future;
  • security, technical monitoring and maintenance providers;
  • professional advisers where needed for legal, accounting, tax or technical support.

We do not sell personal data. Sharing data with third parties only occurs when necessary, authorised, contractually governed or required by law.

7. International transfers

Whenever personal data is processed outside the European Economic Area, we will adopt appropriate protection mechanisms, such as European Commission adequacy decisions, standard contractual clauses or other safeguards provided under the GDPR.

8. Cookies and similar technologies

The SUST institutional website currently does not use Google Analytics, Google Tag Manager or equivalent behavioural analytics tools identified in the website code.

We may use strictly necessary cookies or similar technologies to:

  • provide essential features;
  • maintain technical preferences;
  • improve security;
  • ensure the correct operation of the website and platform.

If we activate analytics, advertising or other non-essential cookies in the future, this policy will be updated and, where required, an appropriate consent mechanism will be made available.

9. Data subject rights

Under the GDPR, the data subject may exercise the following rights where applicable:

  • access to personal data;
  • rectification of incomplete or inaccurate data;
  • erasure of data;
  • restriction of processing;
  • data portability;
  • objection to processing;
  • withdrawal of consent, where processing is based on consent;
  • objection to commercial communications.

To exercise these rights, contact us at info@sust.pt. We may request additional information to confirm the identity of the requester before responding.

10. Complaints

The data subject has the right to lodge a complaint with the competent supervisory authority.

In Portugal, the supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD):

https://www.cnpd.pt

11. Security

We adopt technical and organisational measures designed to protect personal data against unauthorised access, loss, alteration, improper disclosure or destruction.

No system is completely risk-free. If you suspect misuse, unauthorised access or a security incident related to our services, contact us at info@sust.pt.

12. Changes to this policy

We may update this Privacy Policy to reflect legal, technical, operational or commercial changes. The version published on this page indicates the date of the last update.

Relevant changes may be communicated through appropriate means, including a notice on the website, on the platform or by direct contact where applicable.

13. Privacy contact

For any question about this Privacy Policy or about SUST's processing of personal data, contact:

info@sust.pt