Hello. We are Sustainably Ltd. We make giving easy, safe, transparent and fun. Here’s how we protect your data and respect your privacy.
Our role in your privacy
If you are a Sustainably customer, or just visiting our website, this notice applies to you.
If you are a Sustainably customer or a visitor to our website, we (Sustainably Ltd, company number SC521865) act as the “data controller” of your personal data. This means we collect, use and share information about you in accordance with this Notice. Unless we are relying on your explicit consent, your continued use of our services, whether through our website, our app or otherwise, indicates you acknowledge the use of your personal data by us and other parties as set out below.
Our registered address is Bright Red Triangle, 10 Colinton Road, Edinburgh, EH10 5DT. We are registered as a data controller at the UK Information Commissioner’s Office under number ZA438705. You can write to us there or email us at firstname.lastname@example.org.
In relation to our regulated account information services, Sustainably is an agent of the ID Co Limited (IDCo). IDCo is responsible for determining the means by which you connect to your bank and works with Sustainably to implement the technical and organisational measures to protect any personal data that passes between Sustainably and IDCo. Otherwise, Sustainably has agreed with IDCo that Sustainably will be responsible for providing you with this Notice; for ensuring that the collection and processing of personal data is in accordance with the law; and for dealing with you in relation to any privacy requests you make.
Read this Privacy Notice carefully. If you do not agree with it then you should stop using Sustainably and delete your account.
We collect, use and share information about you in accordance with this Notice. Read this notice carefully in conjunction with our Terms & Conditions.
By sharing your personal data with us, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Notice. We may make changes to this Notice from time to time and you should regularly review this page.
The data we collect
From the first moment you interact with Sustainably, we are collecting data. Sometimes you provide us with data, sometimes the data is about you and collected automatically.
The types of data we collect are:
- Details about you
- Details about the services we provide to you
- Details about your employer
- Details about who you bank with
- Details about your spending
- Other data related to you
- Data on how you use Sustainably
Details about you
Your full name, email address and postcode.
If you choose to add gift aid to your donations, then we are also required by HMRC to capture your full home address and title.
Details about the services we provide to you
Your giving preferences including your selected charities, donation types and donation dates.
Your account preferences, including permission to send you marketing emails.
Your impact history.
Your customer services interactions and outcomes.
Details about your employer
Your employer name and an identifying number your employer recognises, to enable your employer to match your donations.
Details about who you bank with
Your bank or credit card provider, sort code and account number, account name and payment information. These types of information are obtained, stored and processed securely by regulated payment service providers.
We only store the name and last four digits of the credit/debit card you use for payments.
Your Round Ups and donation history.
Details about your spending
Your financial transaction data, expenditure, the merchants you purchase goods or services from when Round Ups take place.
Other data that relates to you
Your device, browser type, IP address and operating system.
With your permission we may collect location information about where you are, to enable you to make location-based donations.
Data on how you use Sustainably
Your usage times, login information and system interactions.
Where we collect your data:
- You browse our website
- You sign up to Sustainably
- You connect your bank account and card
- You use the Sustainably website or app
- You receive emails from us
- You chat with our Customer Support team
- You update your details or personal preferences
From information you give to us
We receive and collect data from you when you fill in forms on the website or through our mobile site, such as when you register for an account or if you contact us through phone, email or otherwise. The information you give to us is necessary to enter into our contract. Without any information about you, we cannot provide you with our services.
From information we collect about you
From information third parties give to us
We may get information about you from our charitable, corporate and merchant partners or through other third parties such as advertising networks, search engine providers, analytics providers, and social networking sites.
If you have accessed Sustainably through another service, that service may provide us with personal information to allow us to integrate our offering and your user journey.
Financial transaction data
You can explicitly choose to securely share financial transaction data with us, in which case we will obtain this from your bank or card provider. We do this as an agent of a registered account information service provider and this means we access financial transaction data safely and securely.
Your financial transaction data is used to power the Sustainably Round Ups and to enable us to collect merchant contributions to supercharge your giving. You are not obliged to provide this data to us, but if you do not then you will not be able to use all of Sustainably’s features. You can withdraw your consent to our use of financial transaction data at any time.
How do we use your personal data in providing our services?
The grounds on which we process your data are:
To allow us to perform the contract we have with you
To provide you with the services you request from us, customised to your preferences.
Your explicit consent
Where you agree to share access to your financial transaction data or connect us to your employer or corporate social responsibility sponsor. You can withdraw consent at any time. We use your financial transaction data to calculate Round Ups and to identify qualifying expenditure at merchants. We use your details to administer match donation programmes operated by your employer or corporate social responsibility sponsor.
You can change your mind by either unsubscribing, emailing us at email@example.com or updating your preferences.
To comply with our legal obligations
We are required to keep proper records about the use of the GiftAid scheme; we have duties to prevent financial crime, including money laundering and fraud.
To pursue a legitimate interest
To identify you and administer your account and for our internal purposes, examples of which are set out below:
Information about the services you use
We will use some of your personal data to track the services you use through our website or app and to validate the data provided to us by our partners. This statistical and behavioural analysis assists us in improving our website and the services offered to you or other individuals in the future.
We will use your information to keep you informed (subject to your expressed preferences) by email or other electronic means such as via social and digital media about current and new products, services, offers, promotions, and your charitable impact which may be of interest to you.
We may utilise a third-party software and storage solution to analyse the personal data that you have provided to us in order to ensure that the marketing that you receive is as relevant and beneficial to you as possible. We retain full ownership of your personal data and ensure that it is secure at all times.
If you are not happy for your personal data to be used in this way, you can manage your preferences through your account or unsubscribe at any time to remove your details from our contact list. If you have further queries with regards to your personal data, please feel free to contact us at firstname.lastname@example.org.
Market and statistical analysis
We use your personal data to carry out market research on a personalised or aggregated basis. We produce insights from aggregated information which does not identify you and is no longer classed as personal data. These insights may have value to third parties, such as our charitable or merchant partners.
Audit and insurance
Our services will be subject to internal, external or partner audit, using your personal data, to ensure that the donations that you make, any matching donations from other sources and any revenue due to us are accurate. We will also use data about our customers in the arrangement and administration of insurance.
Improvements to profiling
We use automated tagging of transactions. To improve our profiling and the quality of the service that we give to our customers, we may use de-identified financial data or profiles to train our algorithms. We do not consider that our profiling of customers gives rise to a legal or significant effect.
Third party processing
We use generic service providers, who control or process personal data on our behalf to enable the efficient technical and logistical provision of our services. These service providers supply us with cloud data storage, data security services, customer relationship management software, and support ticketing services. We may substitute a technical or logistical service provider from time to time. Such parties are generally not permitted to use your personal data for any purposes other than those for which your personal data was collected, and we require them to act consistently with applicable laws and this Notice as well as to use appropriate security measures to protect your personal data.
Prevention of fraud and financial crime
We may carry out analysis and research using your personal data to prevent or detect fraud or other financial crime.
In the event of an interruption or cessation of our business, we need to ensure that we can implement our business continuity procedures (for example, we may need to rebuild our IT systems). This may involve the processing of your personal data, including a transfer to an alternative service provider.
How do our partners use your personal data?
We work with some carefully selected partners who use your personal data to enable us to deliver our services to you, and to meet their own legal and regulatory requirements. In particular, we would draw your attention to the following:
We are an agent of The ID Co Limited which is the registered account information service provider that helps you to share your financial transaction data with Sustainably in a safe and secure manner. This means that IDCo are ultimately responsible for ensuring our services to you comply with the regulatory requirements of the Financial Conduct Authority and accordingly we are obliged to share your personal data with them.
Stripe Payments UK Limited acts as our payment processor. They store payment credentials to allow us to collect your donations and transfer these to your chosen charities. Sustainably never has access to your payment information.
Sustainably partners with charities, employers and retailers to make the world a better place. We only pass non-identifiable aggregated data to them as part of our service.
You may discover and access Sustainably through a third-party site, marketplace or application, such as your bank, into which our service is integrated or through which it is supplied. To improve your use and enjoyment of those other services, you may choose to allow us to share some of your data with that third party.
We offer GiftAid through Sustainably. This means that we must capture and retain information necessary for our charitable partners to claim the tax benefit from HMRC. Ultimately HMRC will receive personal data to verify the eligibility of your GiftAid donations.
Our partners may use the personal data you provide for purposes such as fraud prevention or for internal analysis (such as monitoring customer demographics, market trends or pricing analysis).
We are not responsible for the privacy policies or practices of our partners (or other websites you may click through to from our website). You should ensure you read and are fully aware of the terms and conditions and the privacy policies of third-party websites.
Do we pass personal data to other third parties?
Except as set out in this Notice, we will not disclose any of your personal data to other parties without your explicit and freely given consent, unless we are legally required to do so (for example, by a court order, for the purposes of prevention of fraud or other crime, or by a competent regulator).
Transferring your personal data outside of the European Economic Area (“EEA”)
Some processing of your personal data may be undertaken by nominated processors outside of the EEA. In these circumstances, the processing will only be undertaken where it is in accordance with the provisions of the General Data Protection Regulation to ensure an adequate level of protection for your personal data.
Privacy and Confidentiality
We will treat all your personal data as private and confidential. We comply with and are registered under the data protection laws in the United Kingdom and take all reasonable care to prevent any unauthorised access to your personal data. Other than under the terms of this Notice, we will not disclose any personal data about you. Please be aware however that under certain circumstances we may be subject to a legal obligation to disclose personal data about you, or there may be a public duty to disclose that personal data.
Should you decide to complain about the service we have provided to you, we may be obliged to forward details about your complaint, including your personal data, to the relevant ombudsman. You can be assured that they are similarly obliged to adhere to data protection legislation and to keep your personal data strictly confidential.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office (ICO), as follows:
Serious breaches should be reported to the ICO using its security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff, who will record the breach and give you advice about what to do next.
If you would like to report a breach in writing you can send it by post to the office address Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Under the terms of the data protection legislation you have a number of rights.
You have the right to access information we hold about you
Ask for a copy of the information, or some of the information, that we hold about you (rights of access and portability);
You have the right to correct any inaccuracies in the personal data we hold about you
Ask us to correct or remove any information about you that we hold (rights to rectification and erasure);
You can object to us using your data for profiling you or making automated decisions
Ask us to stop processing or restrict the processing of information that we hold about you (rights to restrict and object to processing, including profiling).
If you cannot do any of these things through ‘My Account’, you may ask us to do so by writing to the Privacy Officer, by email (email@example.com) or to the correspondence address above, and we will do this free of charge. We will respond to your request within 30 days.
Changing your information and deleting your account
If you need to change any of your personal information you should log in to your account to make the necessary changes.
If you want to stop Sustainably accessing your financial transaction data, you may revoke consent within Sustainably. You may also revoke authorisation directly with your account provider.
If you want to stop using Sustainably, please email firstname.lastname@example.org using your registered email address and we will cancel your account.
How long do we keep your data for?
We have procedures in place to ensure that information is not kept for longer than is necessary. The maximum time that we envisage retaining any information is six years following account cancellation.
We will retain personal data about you for as long as your account is active.
We only keep financial transaction data for so long as is necessary to ensure that all your Round Ups and match donations are accurately captured and will not retain this information longer than a year.
After account cancellation, we will retain only that information required for so long as it is necessary to comply with our legal or regulatory obligations, to resolve any dispute or to enforce our agreements. If we do need to retain information after termination, we will ensure that your data is archived in a way that restricts access.
Subject to our legal or regulatory obligations, if you ask us to delete any data, it is promptly deleted or otherwise rendered unusable from within our systems and we will no longer have any access to that data.
How we keep your data secure
We have physical, electronic and managerial procedures in place to safeguard and secure the information we collect.
Sustainably operates on EU-based AWS servers that comply with strict international standards. All data is encrypted both at rest and in transit. We have continuous resource and infrastructure monitoring in operation 24/7, 365 days a year, with alerts actioned immediately by senior team members.
- You provide personal data at your own risk: unfortunately, no data transmission is guaranteed to be 100% secure
- You are responsible for keeping your password secret and safe!
- If you believe your privacy has been breached, please contact us immediately on email@example.com
How can I block cookies?
Which types of cookies do we use?
Strictly necessary cookies
These cookies are required for the operation of Sustainably. They include, for example, cookies that enable you to log in to the secure areas of our website.
These allow us to recognise and follow visitors moving around on our website. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
These are used to recognise when you return to our website. This enables us to personalise content for you and remember your preferences.
Targeted advertising cookies
These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
Help us become even more transparent
This privacy notice was last updated on the 1st June 2019.
Thank you for reading it.
We aim to be as transparent as possible. If you have any feedback on how we could make our privacy notice clearer, please engage with us at firstname.lastname@example.org to let us know how we can be even better.