Privacy Policy
Last updated: 28 April 2026
This policy explains how Sustenra Advisory Limited ("Sustenra", "we", "us") collects, uses, and protects personal data when you visit sustenra.com, contact us directly, or engage with us as a prospective or current client.
We are the data controller for personal data processed via this website and through direct business enquiries. If you have any questions about this policy or how we handle your data, please contact us at info@sustenra.com.
1. What data we collect
Contact enquiries
When you submit an enquiry via our contact form, we collect your name, email address, organisation if provided, and the content of your message. This data is submitted through Fluent Forms and delivered to our inbox.
Prospective and client relationship data
Where you contact us, meet with us, request information, discuss a potential engagement, or become a client, we may process professional contact details, organisation details, correspondence, meeting notes, proposal information, contract information, and other information you choose to provide. Where enquiries lead to client engagements, additional personal data may be processed in the course of delivering advisory services, subject to contractual confidentiality obligations and applicable data protection law.
Website analytics
We use Google Analytics via MonsterInsights to collect aggregated and pseudonymised usage data about how visitors use this website. This may include pages visited, time on site, device type, and approximate geographic location. This data does not directly identify you.
Session recordings and heatmaps
We use Microsoft Clarity to generate session insights and heatmaps that help us understand how visitors interact with pages. Clarity may capture mouse movements, clicks, and scroll behaviour. Microsoft Clarity is configured to support masking of sensitive form fields. We do not intentionally use it to collect content entered into forms or other sensitive personal data.
Company-level visitor identification
We use Leadfeeder by Dealfront to infer the organisations that may be visiting our website at company level using aggregated IP intelligence. Leadfeeder does not provide us with personal identities of individual visitors. This helps us understand which types of organisations are engaging with our content. This data is processed by Dealfront and subject to their privacy policy. We do not use this information to make automated decisions about individuals.
Cookies
We use CookieYes to manage cookie consent on this site. Cookies are small text files placed on your device. Non-essential analytics, behavioural analytics, and tracking cookies are only deployed following your consent. We use the following categories of cookies:
- Strictly necessary: Required for the website to function. These cannot be disabled.
- Analytics: Google Analytics cookies used to understand site usage. These are only placed with your consent.
- Analytics / behavioural analytics: Microsoft Clarity cookies used for session insights and heatmaps. These are only placed with your consent.
- Marketing / tracking: Leadfeeder cookies used to infer visiting organisations at company level. These are only placed with your consent.
You can manage or withdraw your cookie consent at any time using the cookie settings link in the footer of this website.
Spam filtering
Contact form submissions are filtered through Akismet to prevent spam. Akismet processes the content of form submissions for this purpose. It is operated by Automattic Inc. and subject to their privacy policy.
Children
This website and our services are not directed to children, and we do not knowingly collect personal data from children.
2. How we use your data
We use personal data for the following purposes:
- To respond to enquiries you submit via the contact form or by contacting us directly
- To discuss potential advisory work, prepare proposals, and take steps before entering into a contract
- To manage client relationships and deliver advisory services
- To follow up with prospective clients or professional contacts where relevant to our services
- To understand how visitors use our website and improve its content and performance
- To infer which types of organisations are visiting our site for business development purposes
- To maintain the security and integrity of this website
- To comply with legal, regulatory, accounting, and professional obligations
We take reasonable technical and organisational measures to protect personal data and limit collection to what is necessary for the purposes described above.
3. Legal basis for processing
We process personal data on the following legal bases under UK GDPR:
- Legitimate interests (Article 6(1)(f)): Website analytics, session insights, company-level visitor identification, business development follow-up, relationship management, website security, and service improvement, where we have assessed that our legitimate interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): Analytics, Microsoft Clarity, and Leadfeeder cookies, which are only placed where you have given consent via our cookie banner.
- Contract / pre-contractual steps (Article 6(1)(b)): Processing your enquiry, preparing proposals, entering into agreements, and delivering services where you contact us with a view to engaging Sustenra.
- Legal obligation (Article 6(1)(c)): Processing required for legal, regulatory, accounting, or tax obligations.
Where processing is based on legitimate interests, we have assessed necessity, proportionality, and the impact on individuals’ rights.
4. How long we keep your data
- Contact form enquiries: Retained in our inbox for up to 3 years from the date of the enquiry, unless a professional relationship develops, in which case we retain relevant correspondence for 6 years.
- Prospective client and business development contacts: Retained for up to 3 years from the last meaningful interaction, unless you ask us to delete your details sooner and we have no lawful reason to retain them.
- Client records and engagement correspondence: Retained for 6 years after the end of the relevant client relationship or engagement, unless a longer period is required for legal, regulatory, accounting, or dispute-related reasons.
- Google Analytics data: Retained for 14 months in accordance with our Analytics account settings.
- Microsoft Clarity data: Retained for 13 months by default per Clarity's data retention settings.
- Leadfeeder data: Processed and retained by Dealfront in accordance with their privacy policy and our account settings.
5. Who we share data with
We do not sell or rent personal data to third parties. We use the following third-party services that process data on our behalf or as independent controllers:
- IONOS: Our website hosting provider. Personal data processed via this website is stored on IONOS infrastructure.
- Google Analytics / MonsterInsights: Aggregated and pseudonymised analytics data is processed by Google LLC. Data may be transferred to the United States under appropriate safeguards.
- Microsoft Clarity: Session insight and heatmap data is processed by Microsoft Corporation. Data may be transferred to the United States under appropriate safeguards.
- Dealfront / Leadfeeder: Company-level visitor intelligence is processed by Dealfront Group GmbH, based in Germany, under their own privacy policy.
- Automattic / Akismet: Form submission content is processed for spam detection. Automattic Inc. is based in the United States.
- CookieYes: Cookie consent management is handled by CookieYes Limited, based in the UK.
Where third parties process personal data on our behalf as processors, we have appropriate data processing agreements in place as required under UK GDPR. Our service providers process personal data only on documented instructions where acting as processors.
Where personal data is transferred outside the UK or European Economic Area, transfers are subject to appropriate safeguards, including Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms where required.
6. Your rights
Under UK GDPR, you have the following rights:
- Access: You can request a copy of the personal data we hold about you.
- Rectification: You can ask us to correct inaccurate or incomplete data.
- Erasure: You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Restriction: You can ask us to restrict processing of your data in certain circumstances.
- Objection: You can object to processing based on legitimate interests, including business development follow-up.
- Data portability: Where processing is based on consent or contract and carried out by automated means, you can request your data in a portable format.
- Withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at info@sustenra.com. We will normally respond within one month, as required under UK GDPR.
7. How to complain
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the UK's data protection supervisory authority:
We would appreciate the opportunity to address your concerns directly before you contact the ICO. Please email us first at info@sustenra.com.
8. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. The date at the top of this page indicates when the policy was last revised. We recommend checking this page periodically.