Privacy Policy

Introduction

SUSTREAM Ltd ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website (sustream.com), access our secure website features, or engage with our services, features or documentation. We take a risk-based and governance-led approach to data protection, aligned with our broader cyber resilience, ESG, and governance advisory principles.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). This policy applies to all personal data processed by SUSTREAM Ltd, a company registered in England and Wales (Company Registration Number: 17164530).

What Data We Collect

We may collect the following types of data:

  • Personal Information: Name, email address, telephone number, job title, and other details you provide through contact forms, client enquiries, or during consulting engagements.

  • Technical Data: IP address, browser type, operating system, device details, and cookie data (see our separate Cookie Policy for details).

  • Usage Data: Information about your interactions with our website, including pages visited, time spent, and engagement with dashboards, toolkits, or other features.

  • Client Data: Business-related information provided during consulting engagements, such as project details or data submitted via our website. This may include personal data relating to individuals acting on behalf of client organisations.

We may process information provided by organisations and their representatives in connection with our Readiness Assessments, Six‑Step Methodology, and related advisory services. This may include operational, governance, cyber resilience, ESG and performance‑related information.

Where AI-enabled tools are used, this may include analysis of operational, organisational or user-provided data to generate insights, recommendations, or risk indicators. We implement human review processes to validate outputs and mitigate risks such as bias, inaccuracy, or inappropriate reliance. AI systems are not used to make decisions that produce legal or similarly significant effects on individuals. We apply governance and risk management controls aligned to emerging AI regulatory expectations and best practice frameworks. AI-generated outputs may be probabilistic in nature and should not be relied upon without appropriate human review and professional judgement and do not constitute advice or recommendations without appropriate contextual analysis. Client data is not used to train AI models (whether internal or third-party), unless expressly agreed in writing.

We do not collect special categories of personal data (e.g., health, religion, or political opinions) unless explicitly required for a specific service, with your consent, and only where a valid legal basis under UK GDPR applies (such as explicit consent or another permitted condition).

How We Use Your Data

We use your personal data to:

  • Provide and improve our services, including consulting, governance frameworks, audits, and other supporting business services.

  • Facilitate secure access to our website for toolkits, dashboards, and collaboration.

  • Analyse website performance to enhance user experience.

  • Communicate with you, including responding to enquiries and sending service-related updates.

  • Send marketing communications (with your explicit consent, where required under PECR).

  • Comply with legal and regulatory obligations.

Our Role in Data Processing

Depending on the context, SUSTREAM Ltd acts as either a data controller or a data processor:

  • We act as a data controller when processing personal data for our own purposes (e.g. website enquiries, marketing, and service delivery administration).

  • We act as a data processor when processing personal data on behalf of our clients as part of consulting, readiness assessments, or advisory services. In such cases, processing is governed by client agreements and documented instructions. We process personal data only on those documented instructions and implement appropriate security and confidentiality measures in accordance with UK GDPR requirements.

Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: For non-essential cookies, marketing communications, or processing special categories of data (where applicable). You can withdraw consent at any time by contacting us.

  • Contract: To fulfil agreements for consulting services or to provide access to our secure website features.

  • Legitimate Interests: To ensure website functionality, improve services, and deliver relevant content, provided your rights are not overridden.

  • Legal Obligation: To comply with UK laws, such as tax or regulatory requirements.

Data Sharing

We may share your personal data with:

  • Service Providers: Third-party providers (e.g., cloud hosting, analytics, or IT services) who act as data processors under UK GDPR-compliant agreements.

  • Professional Advisors: Lawyers, accountants, or auditors, where necessary, under strict confidentiality.

  • Authorities: Regulatory or law enforcement bodies, if required by law.

We do not sell your personal data. Client data shared during engagements is protected by confidentiality agreements and stored securely.

Data Storage and Security

Your personal data is stored on secure, UK GDPR-compliant cloud servers located in the UK or European Economic Area (EEA). We implement appropriate technical and organisational measures designed to protect personal data, including encryption, firewalls, and restricted access controls. Access to our online features is secured with authentication protocols to ensure only authorised users can view dashboards or toolkits.

Data is retained only for as long as necessary in line with UK legal requirements (including applicable statutory limitation periods) to fulfil the purposes outlined in this policy, meet legal obligations, or as specified in client contracts. For example:

  • Personal data from enquiries is retained for 12 months unless a contract is formed.

  • Client data is retained for the duration of the contract plus 6 years, in line with UK legal requirements.

  • Technical and usage data is retained for up to 24 months for analytics purposes.

When data is no longer needed, it is securely deleted or anonymised.

Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.

  • Rectification: Correct inaccurate or incomplete data.

  • Erasure: Request deletion of your data (subject to legal exemptions).

  • Restriction: Limit how we process your data in certain circumstances.

  • Objection: Object to processing based on legitimate interests, including marketing.

  • Data Portability: Receive your data in a structured, machine-readable format.

  • Withdraw Consent: Revoke consent for processing, where applicable.

To exercise these rights, contact us at engage@sustream.com. We will respond within one month, as required by law, though complex requests may take longer (we will inform you if an extension is needed).

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or via their helpline: 0303 123 1113.

Cookies and Tracking

We use cookies and similar technologies to enhance your experience, analyse performance, and deliver personalised content. For details, including how to manage cookie preferences, please refer to our Cookie Policy. You can opt out of non-essential cookies at any time via our website’s cookie settings.

Marketing Communications

We may send you marketing communications (e.g., newsletters or service updates) if you have given explicit consent or where permitted under PECR (e.g. where you are an existing client and have been given the opportunity to opt out). You can opt out at any time by clicking “unsubscribe” in our emails or contacting us at engage@sustream.com.

Automated Decision-Making

We do not carry out solely automated decision-making that produces legal or similarly significant effects on individuals. Some of our services may involve analytical assessments or scoring of organisational data to support decision-making; however, these outputs are always subject to human review and are not used to make automated decisions about individuals.

International Data Transfers

Your personal data is primarily stored on secure, UK GDPR-compliant cloud servers located in the UK or European Economic Area (EEA).

Updates to This Policy

We may update this Privacy Policy to reflect changes in law, regulation, or our operations. Any updates will be posted on this page, and significant changes will be communicated via email or a website notice. Please check this page regularly for the latest version.

Contact Us

For questions, concerns, or to exercise your rights, please contact us at:

Email: engage@sustream.com
Postal Address: SUSTREAM Ltd, DC Business Centre, 10 Charles Wood Road, Dereham, Norfolk, NR19 1SX

SUSTREAM is a trading name of SUSTREAM Ltd, registered in England and Wales (Company Registration Number: 17164530).

If you are not satisfied with our response, you may contact the Information Commissioner’s Office (ICO) at www.ico.org.uk.

Last Updated

April 2026
