Privacy Policy
Sustance is operated by WhyWay AB, org. no. 559379-1428, Birger Jarlsgatan 57C, 113 56 Stockholm, Sweden (“we”, “us”, “our”). We are the controller of personal data described in this Privacy Policy for the purposes of the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, where applicable.
Effective date: 22 April 2026
This Privacy Policy describes how we collect, use, store, and share personal data when you use the Sustance online sustainability platform, related websites, and communications (together, the “Service”). It should be read together with our Terms of Service.
For privacy questions or requests, contact legal@sustance.com.
1. Who this policy covers
This policy applies to:
- Users of Sustance (including account owners and members).
- Representatives of organisations that register for or use Company, Agency, or Enterprise plans.
- Visitors to our marketing site and public pages (such as published sustainability showcases), where we collect limited technical data.
The Service is intended for business (B2B) use. We do not market Sustance to children, and it is not intended for individuals under 16.
2. Personal data we collect
Depending on how you use the Service, we may process:
Account and authentication
- Name, email address, and similar contact details.
- Marketing preferences — if you opt in to optional marketing communications in the product (for example at acceptance), we process your choice and contact details to send that category of email.
- Credentials and security data processed through our authentication provider (for example password hashes and session information; we do not store plaintext passwords in our application layer).
- Multi-factor or verification data where we offer it (for example one-time codes for sign-in).
Organisation and workspace data
- Company or organisation name, identifiers, billing workspace identifiers, and role (for example owner or member).
- Business profile information you provide (such as country, industry, size, registration numbers where applicable).
- Content you create in the Service (strategies, reports, policies, uploads, showcase text and media, collaboration inputs).
Relationships between organisations
- Where an Agency and Company workspace connect (including invitations and sponsorship arrangements), we process data needed to manage that relationship, including which users may see or collaborate on connected workspaces. Email addresses and minimal related data may be processed for invitations, including for sponsored access before a full paid subscription exists.
Payments
- Payment-related data is handled primarily by Stripe. We receive limited billing identifiers, subscription status, and related metadata as needed to provide the Service. We do not store full card numbers on our own infrastructure; card data is processed by Stripe according to its terms and this policy.
Service usage and technical data
- Logs, diagnostics, performance, and security information (such as IP address, device/browser type, timestamps, error reports).
- Activity and product analytics at account or workspace level (for example feature usage) to operate and improve the Service.
- Cookies and similar technologies on our sites (see Section 9 and your browser settings).
AI features
- Inputs you provide to AI-assisted features (for example prompts and context derived from your workspace data) are processed to generate outputs for you. Details of our AI subprocessors are in Section 6.
Optional public content
- If you publish a sustainability showcase or similar public page, we process the content you choose to make visible, in line with your settings.
Third-party company lookups (Sweden)
- If you use Swedish company registry lookup (Bolagsverket, Värdefulla datamängder), we process identifiers you submit and receive data from that authority as described on Bolagsverket’s information pages.
We aim to collect only what we need for the purposes in Section 4.
3. Aggregated and research use
We may use aggregated or de-identified information to understand usage patterns, improve Sustance, and support research and development (including improving product features and AI-assisted experiences). We do not sell aggregated personal data to third parties for their own marketing. Where we use aggregated information, we take steps to reduce the risk of re-identification consistent with our role and applicable law.
4. Why we process personal data (purposes) and legal bases
Under the GDPR, we rely on one or more of the following legal bases, depending on the processing:
Performance of a contract — Providing the Service, accounts, billing, support, security, and connection features you request.
Legitimate interests — Operating, securing, and improving the Service; fraud prevention; product analytics; internal reporting; and aggregated analytics and R&D, where we balance our interests against your rights.
Consent — Where we ask for consent (for example certain cookies or optional marketing emails when we offer a separate opt-in in the product), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Essential service-related emails (for example security and important account or Service notices) may be sent as described in our Terms of Service and do not depend on marketing consent.
Legal obligation — Where we must retain or disclose information to comply with law or competent authorities.
Vital interests — Rarely, if needed to protect life or physical safety.
5. Sharing between Agency and Company workspaces
Sustance allows Agency workspaces and Company workspaces to connect for advisory or sponsorship scenarios. When a connection exists, personal data in shared or visible content may be accessible to permitted users in the connected workspace, in line with roles and product settings. You should review who can see what before you connect workspaces or publish content. Disconnecting a relationship may limit further sharing going forward, subject to retention in Section 10.
6. AI processing (Cleura LLM-as-a-Service)
Certain features send inputs to Cleura AB LLM-as-a-Service for inference using large language models. According to Cleura’s service description:
- Inference for this service is run in Cleura’s Stockholm (STOCOM) region within the EU.
- Cleura states that prompt and completion content is not stored by Cleura for inference in the manner described in their documentation, while metadata (such as timestamps, token counts, source IP address, and API key identifier) may be logged for billing and security audit trails.
- Cleura states that customer data is not used to train the underlying models for model improvement in the manner described in their documentation.
Sustance may still process inputs and outputs in our own systems as part of providing the Service (for example to show you results and to maintain security). Cleura’s specifications may evolve; we will update this policy for material changes to subprocessors or regions where required.
We do not use your personal data to train third-party foundation models except as stated in this policy and our agreements with providers.
7. Subprocessors and categories of recipients
We use service providers (“subprocessors”) who process personal data on our instructions. These include:
| Provider (examples) | Role |
|---|---|
| Cleura AB | Cloud hosting and LLM inference (see Section 6). |
| Supabase | Authentication, database, storage, and related infrastructure for the product (hosted in line with our deployment configuration). |
| Stripe | Payment processing and billing data. |
| Vercel Inc. | Hosting and delivery of web properties, CDN, and security features (for example WAF/edge). |
| Email / transactional messaging providers | Delivering account, security, and transactional emails. |
| Brevo | When you opt in to marketing communications, we may sync your contact details to Brevo to send marketing emails and manage related lists. Essential service emails may use other providers as described above. |
We may also share data with professional advisers (lawyers, auditors) where necessary, and with authorities when required by law.
We do not sell your personal information as “sale” is commonly understood in privacy laws.
8. International transfers
Our primary product processing is designed around EU/EEA hosting (including Cleura in Sweden for LLM inference as described above). Some providers (such as Stripe or Vercel) may process or transfer data outside the EU/EEA (for example the United States). Where we do this, we use appropriate safeguards such as the EU Commission Standard Contractual Clauses and vendor data processing agreements, supplemented where required by transfer impact assessments and vendor measures. You may contact us for more information on such transfers.
9. Cookies and similar technologies
We use cookies and similar technologies for essential operation of our sites (for example security, session, load balancing), and where applicable for analytics or preferences. You can control many cookies through your browser settings; essential cookies may be required for the Service to function. We may update a separate cookie notice or settings where required by law.
10. Retention
We retain personal data as long as necessary for the purposes in this policy, including:
- Account and workspace data while your account or organisation is active and for a reasonable period afterwards to resolve disputes, enforce terms, and comply with law.
- Billing and tax records as required by accounting and tax rules.
- Security and audit logs for a limited period consistent with security needs.
Team and personal workspaces may be treated differently for closure and inactivity; detailed retention schedules may be described in product communications or separate policies as we publish them. You may request erasure subject to Section 11 and legal exceptions.
11. Your rights
Depending on your location and subject to applicable law, you may have the right to:
- Access a copy of your personal data.
- Rectify inaccurate data.
- Erase data in certain cases.
- Restrict processing in certain cases.
- Object to processing based on legitimate interests (including direct marketing, if applicable).
- Data portability for data you provided, where processing is automated and based on contract or consent.
- Withdraw consent where processing is consent-based.
To exercise these rights, contact legal@sustance.com. We may need to verify your request. You may also lodge a complaint with a supervisory authority. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection (IMY) (imy.se).
12. Automated decision-making
We do not use solely automated decision-making that produces legal or similarly significant effects concerning you, as described in GDPR Article 22. AI-assisted features provide suggestions; you decide what to rely on or publish.
13. Security
We implement technical and organisational measures appropriate to the risk, including access controls, encryption in transit, separation between customer workspaces, monitoring, and vendor security practices. No method of transmission or storage is completely secure; we encourage strong passwords and safeguarding credentials.
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on our website and update the effective date. Material changes may require additional steps (for example in-product notice or, where required, renewed consent). The version that applies is the one linked from the Service at the time of use. Continued use after changes may constitute acceptance where permitted by law.
Use of the Service is also subject to acceptance of our terms and policies as implemented in the product (including versioned acceptance where we offer it).
15. Contact
WhyWay AB
Birger Jarlsgatan 57C, 113 56 Stockholm, Sweden
Org. no. 559379-1428
Email: legal@sustance.com