Sustainably Ltd (Sustainably, we, us or our) are committed to protecting and respecting your privacy and understand how important that is for you. We collect, use and share information about you in accordance with this Notice. This Notice is important, and you should read it carefully in conjunction with our Terms of Service.
Unless we are relying upon your explicit consent, your continued use of our services, whether through our website, our app or otherwise, indicates that you acknowledge the use of your personal data by us and other parties as set out below. We may make changes to this Notice from time to time and you should regularly review this page. If you do not agree with this Notice, then you should stop using the website and contact us to delete your account.
The data controller is Sustainably Ltd. We are a company registered in Scotland (company number SC521865) and our registered address is Bright Red Triangle, 10 Colinton Road, EDINBURGH, EH10 5DT. You can write to us there or email us at firstname.lastname@example.org
What data do we expect to hold about you?
In the normal course of our relationship we expect to collect the following information about you:
- Details about you: your name, address, postcode and email address;
- Details about who you bank with: your bank or credit card provider.
- Details about your spending: financial transaction data, expenditure, and the merchants you purchase goods or services from.
- Details from the services we provide to you: the profile we create about you, the charities that you support, your employer or other corporate social responsibility sponsor.
Where do we get the data we hold about you?
From information you give to us
We receive and collect data from you when you fill in forms on the website or through our mobile site, such as when you register for an account or if you contact us through phone, email or otherwise. The information you give to us is necessary to enter into our contract. Without any information about you, we cannot provide you with our services.
From information we collect about you
From information third parties give to us
We may get information about you from our corporate and merchant partners or through other third parties such as advertising networks, search engine providers, analytics providers, and social networking sites.
If you have accessed Sustainably through another service, that service may provide us with personal information to allow us to integrate our offering and your user journey.
How do we use your personal data in providing our services?
The grounds on which we process your data are:
- To allow us to perform the contract we have with you: to provide you with the services you request from us, customised to your preferences.
- Your explicit consent: where we ask for your agreement to share access to certain data or to connect us to your employer or corporate social responsibility sponsor. You can withdraw consent at any time. We use your details to administer match donation programmes operated by your employer or corporate social responsibility sponsor.
- To comply with our legal obligations: we are required to keep proper records about the use of the GiftAid scheme; we have duties to prevent financial crime, including money laundering and fraud.
- To pursue a legitimate interest: to identify you and administer your account(s) and for our internal purposes, examples of which are set out below.
Information about the services you use
We will use some of your personal data to track the services you use through our website or app and to validate the data provided to us by our partners. This statistical and behavioural analysis assists us in improving our website and the services offered to you or other individuals in the future.
We will use your information to keep you informed (subject to your expressed preferences) by email or other electronic means such as via social and digital media about current and new products, services, offers, promotions, and your charitable impact which may be of interest to you.
We may utilise a third-party software and storage solution to analyse the personal data that you have provided to us in order to ensure that the marketing that you receive is as relevant and beneficial to you as possible. We retain full ownership of your personal data and ensure that it is secure at all times.
If you are not happy for your personal data to be used in this way, you can manage your preferences through your account or unsubscribe at any time to remove your details from our contact list. If you have further queries with regards to your personal data, please feel free to contact us at email@example.com.
Market and statistical analysis
We use your personal data to carry out market research on a personalised or aggregated basis. We produce insights from aggregated information which does not identify you and in no longer classed as personal data which may have value to third parties, such as our charitable or merchant partners.
Audit and insurance
Our services will be subject to internal, external or partner audit to ensure that the donations that you make and any matching donations from other sources are, and any revenue due to us is accurate using your personal data. We also will use data about our customers in the arrangement and administration of insurance.
Improvements to profiling
To improve our profiling and the quality of the service that we give to our customers, we may use deidentified profiles to train our algorithms. We do not consider that our profiling of customers gives rise to a legal or significant effect.
Third party processing
We use generic service providers, who control or process personal data on our behalf to enable the efficient technical and logistical provision of our services. These service providers supply us with cloud data storage, data security services, customer relationship management software, and support ticketing services. We may substitute a technical or logistical service provider from time to time. Such parties are generally not permitted to use your personal data for any other purposes than for what your personal data was collected, and we require them to act consistently with applicable laws and this Notice as well as to use appropriate security measures to protect your personal data
Prevention of fraud and financial crime
We may carry out analysis and research using your personal data to prevent or detect fraud or other financial crime.
In the event of an interruption or cessation of our business, we need to ensure that we can implement our business continuity procedures (for example, we may need to rebuild our IT systems). This may involve the processing of your personal data, including a transfer to an alternative service provider.
How do our partners use your personal data?
We work with some carefully selected partners who use your personal data to enable us to deliver our services to you, and to meet their own legal and regulatory requirements. In particular, we would draw your attention to the following:
- Stripe acts as our payment processor. They store payment credentials to allow us to collect your donations and transfer these to your chosen charities. Sustainably never has access to your payment information.
- Sustainably partners with charities, businesses and merchants to make the world a better place. We will pass personal data to them as part of our service, but we do not disclose personal contact details to them.
- You may discover and access Sustainably through a third-party site, marketplace or application, such as your bank, into which our service is integrated or supplied through. To improve your use and enjoyment of those other services, you may choose to share to allow us to share some of your data with that third-party.
- We offer GiftAid through Sustainably. This means that we must capture and retain information necessary for our charitable partners to claim the tax benefit from HMRC. Ultimately HMRC will receive personal data to verify the eligibility of your GiftAid donations.
Our partners may use the personal data you provide for purposes such as fraud prevention or for internal analysis (such as monitoring customer demographics, market trends or pricing analysis).
We are not responsible for the privacy policies or practices of our partners (or other websites you may click through to from our website). You should ensure you read and are fully aware of the terms and conditions and the privacy policies of third party websites.
Do we pass personal data to other third parties?
Except as set out in this Notice, we will not disclose any of your personal data to other parties without your explicit and freely given consent, unless we are legally required to do so by (for example, a court order, for the purposes of prevention of fraud or other crime, or by a competent regulator).
Transferring your personal data outside of the European Economic Area ("EEA")
Some processing of your personal data may be undertaken by nominated processors outside of the EEA. In these circumstances, the processing will only be undertaken where it is in accordance with the provisions of the General Data Protection Regulation to ensure an adequate level of protection for your personal data.
Privacy and Confidentiality
We will treat all your personal data as private and confidential. We comply with and are registered under the data protection laws in the United Kingdom and take all reasonable care to prevent any unauthorised access to your personal data. Other than under the terms of this Notice, we will not disclose any personal data about you. Please be aware however that under certain circumstances we may be subject to a legal obligation to disclose personal data about you, or there may be a public duty to disclose that personal data.
Should you decide to complain about the service we have provided to you, we may be obliged to forward details about your complaint, including your personal data, to the relevant ombudsman. You can be assured that they are similarly obliged to adhere to data protection legislation and to keep your personal data strictly confidential.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO), contact details below: Serious breaches should be reported to the ICO using its security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff, who will record the breach and give you advice about what to do next.
- If you would like to report a breach in writing you can send it by post to the office address Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Under the terms of the data protection legislation you have a number of rights. You may:
- ask for a copy of the information, or some of the information, that we hold about you (rights of access and portability);
- ask us to correct or remove any information about you that we hold (rights to rectification and erasure);
- ask us to stop processing or restrict the processing of information that we hold about you (rights to restrict and object to processing, including profiling).
If you cannot do any of these things this through ‘My Account’, you may ask us to do so by writing to the Privacy Officer, by email (firstname.lastname@example.org) or to the correspondence address above, and we will do this free of charge. We will respond to your request within 30 days.
Changing your information and deleting your account
If you need to change any of your personal information you should log in to your account to make the necessary changes.
If you want to stop Sustainably accessing to your financial transaction data, you may revoke consent within ‘My Account’. You may also revoke authorisation directly with your account provider.
If you want to stop using Sustainably, please email email@example.com using your registered email address and we will close your account.
How long we keep your data for?
We have procedures in place to ensure that information is not kept for longer than is necessary but in summary:
- we will retain personal data about you for as long as your account is active;
- after termination, we will retain only that information required for so long as it is necessary to comply with our legal or regulatory obligations, to resolve any dispute or to enforce our agreements. If we do need to retain information after termination, we will ensure that your data is archived in a way that access is restricted; and
- the maximum time that we envisage retaining any information is six years following termination.
Subject to our legal or regulatory obligations, if you ask us to delete any data, it is promptly deleted or otherwise rendered unusable from within our systems and we will no longer have any access to that data.
A cookie is a small piece of code, sent from a website to a user's internet browser, which allows that website to track the user's previous activity when they return to that website. This allows us to provide you with the experience that you expect from us and lets us continually improve our servic
You can block cookies by changing the settings on your browser, but if you do you will not be able to access all or parts of our website.
The types of cookies we use are:
Strictly necessary cookies
These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
If you want more information about how cookies operate, or how to manage them, please visit AboutCookies
This Data & Privacy Notice is subject to the laws of Scotland and the exclusive jurisdiction of the Scottish Courts.
This Data & Privacy Notice was last updated on 31 September 2018.