Privacy Policy

This Privacy Policy was last updated on 10/06/2024.

1. Welcome to!

This document describes the privacy policies in force on the website and the SuSy House and SuSy Business apps. “” and “SuSy” are trading names of Sustainable Systems Ltd, a company with registration number 13177191 which has its registered office at The Create Centre, Smeaton Rd, Bristol, BS1 6XN, UK and is referred to in this document as “SuSy”, “we” and “our”. The term “user” refers to those householders who use the website and apps to learn about energy upgrades for their homes. The term “contractor” refers to the contractors, installers and tradespeople who provide such upgrades to our users.

2. Introduction

At SuSy, we recognize your right to privacy. We process your personal data in accordance with the relevant UK and EU legislation which includes but is not limited to the provisions of the General Data Protection Regulation (EU-GDPR). 

SuSy is a data-driven business, and we need to collect your personal data in order to provide the services we advertise on our website and in our apps. If you refuse us access to your personal data, we may not be able to perform those services on your behalf. 

This privacy notice explains how we collect and process your personal data when you interact with our website and the SuSy House and SuSy Business apps. 

3. The roles of SuSy in relation to personal data

SuSy provides services directly to users, but we also act as an intermediary between users and contractors. Under UK and EU privacy law, we are regarded as combining two distinct roles, those of data controller and data processor.

  • In cases where you provide your personal data directly to us or we obtain it from a third-party source, we will be acting as “data controller”. This role makes us responsible for deciding how to hold and use your personal data.
  • In cases where we act as an intermediary, for example a contract under which we forward your personal data to a contractor who is then responsible for delivering the services you’ve requested, our role will normally be that of a “data processor”. In these circumstances, the contractor will act as the “data controller” and will be responsible for deciding how they/we will hold and use your personal data.

When acting as a data controller, we will use your personal data:

  • In order to perform the contract between us.
  • In pursuit of our legitimate interests or those of a third party (provided your interests and fundamental rights do not override those interests)
  • In order to comply with legal or regulatory obligations.

When acting as a data processor, we will process your data:

  • In accordance with the instructions of the company acting as data controller
  • In order to perform our obligations under our contract with them 
  • In accordance with applicable UK and EU data protection legislation. 

If we want to process your personal data for any other purpose, we will seek your specific consent. You have the right to withdraw your consent to our use of your personal data at any time. See section 9 for further details.

4. What types of personal data do we collect?

The term ‘personal data’ refers to any and all information which could be used to identify an individual. We strive to collect only that personal data which we need and to which we are legally permitted access. We process all the following personal data types:

  • Contact data which may include your billing address, delivery address, e-mail address and telephone numbers
  • Identity data which may include your first name, maiden name, last name, marital status, title, date of birth and gender
  • Profile data which may include your username and password along with details of previous purchases or orders, your interests, preferences, feedback and survey responses
  • Usage data which may include information about how you use our website, products and services
  • Energy usage data which may include information about your home energy consumption
  • Transaction data which may include details about your purchases (via the website and apps) and the payments you make for services
  • Financial data which may include your bank account and payment card details
  • Technical data which may include your login data, internet protocol addresses, browser type and version, browser plug-in types and versions, operating system and platform, timezone setting and location, and other details of the devices you use to access this site
  • Marketing and communications data which may include your preferences in receiving marketing communications from us and from any third parties involved in such communications along with your communication preferences.

In addition to these types, we may also process aggregated or anonymized data derived from your personal data. Normally, such data is not considered to be personal data. Should particular circumstances cause us to link aggregated or anonymized data with personal data in such a way that it might be used to identify you, then we will treat it as personal data.

5. What types of personal data don’t we collect?

  • Sensitive data is a special case. The term ‘sensitive data’ refers to details of religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, biometrics, health and genetic data and information about criminal convictions and offences. We will never seek to collect any sensitive data about you.

6. How we collect your personal data

We collect data about you by a variety of methods including direct interactions, automated interactions, and third party interactions.

Direct interactions take place when you:

  • create an account on the website or via our app
  • subscribe to our services, social media channels or publications
  • request resources or marketing
  • enter a competition, prize draw, promotion or survey
  • send us feedback.

Automated interactions take place when you: 

  • Interact with our website or apps

In the course of such interactions, we may collect technical data about your equipment, browsing actions and usage patterns by means of cookies, server logs and similar technologies. Please see our cookie policy at for further details.

Third party interactions take place when we receive personal data about you from third party sources including:

  • Analytics providers such as Google
  • Advertising networks such as Facebook
  • Search information providers such as Yahoo
  • Providers of payment and delivery services such as Worldpay
  • Data brokers or aggregators
  • Publicly available sources such as Companies House and the Electoral Register
  • We may also receive data from third party websites which use our cookies.

Some of these sources may be based outside the UK and EU. In such cases, we will process the personal data provided only in accordance with the relevant UK and EU legislation.

7. What are SuSy’s responsibilities in respect of your personal data?

SuSy’s principal responsibilities under UK and EU data protection legislation concern disclosure, data security and data retention.


We may need to share your personal data with third parties:

  • Partner companies
  • Service providers
  • Professional advisers including lawyers, bankers, auditors and insurers
  • HM Revenue & Customs, regulators and other authorities
  • Third parties to whom we may sell, transfer, or merge parts of our business or our assets.


In such cases, we will require third parties to respect the security of your personal data and to treat it in accordance with UK and EU law, and we will require them to process your personal data only for specified purposes and in accordance with our instructions.

Data security

We are responsible for the security of your personal data. We do this by:

  • Putting in place appropriate security measures to protect it against unauthorized access, alteration or disclosure and accidental loss
  • Limiting access to those employees, agents, contractors and other third parties who have a ‘need to know’. 

Despite best efforts, things sometimes go wrong. We have put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

In general we will retain your personal data only as long as it is needed for the performance of the contracted services, including the satisfaction of any legal, accounting, or reporting requirements.

Under some circumstances, you can request the erasure of your personal data. (See section 9 for details.) Note that we may be legally obliged to retain particular items of personal data. In such cases, we will retain your personal data only as long as required by UK and EU law.

We may anonymize your personal data so that it can no longer be used to identify you. We are then entitled to use this anonymized data indefinitely without further notice.

8. What are your responsibilities in respect of your personal data?

It is your responsibility to ensure that the personal data which SuSy holds is accurate and up-to-date. Please let us know of any changes by emailing us at By providing us with your personal data, you warrant to us that you are over 17 years of age. 

9. What are your rights in respect of your personal data?

UK and EU law grants you a number of rights under data protection laws, including the right to:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Request transfer of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Withdraw consent for processing your personal data.

More information about these rights is available at:

If you wish to make a request under data protection law, please email us at 

10. How will SuSy respond to a request under data protection law?

SuSy will normally respond to a request to exercise any of your rights under UK and EU data protection law within 28 working days. We may take longer if your request is particularly complex or you have made a series of requests. If this is so, we will notify you about the delay.  

Normally, we will not charge you for carrying out any requests you make under data protection legislation. However, we may impose a charge if we believe your request to be unfounded, repetitive or excessive. Alternatively, we may simply refuse to comply.

We may need to request specific information from you to enable us to confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to anyone who does not have the right to receive it. 

11. Marketing communications and your personal data

You will receive marketing communications from us after providing us with your contact data in the course of registering to use the website or app, unless you have opted out. We won’t share your contact data with any third parties for marketing purposes without your consent. You can opt out of marketing messages at any time by following the opt-out links on any marketing message or by emailing us at

12. Contact Details

Our full details are:
Sustainable Systems Ltd.
The Create Centre, Smeaton Rd, Bristol, BS1 6XN

To contact our Data Protection Officer, please email:

If you object to the ways we have handled your personal data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues ( Before making such a complaint, we’d like you to reach out to us so that we can do our best to resolve it for you.