SustBridge — Privacy Policy
1. Introduction
This Privacy Policy describes how SustBridge Szolgáltató Korlátolt Felelősségű Társaság ("SustBridge," "we," "us," "our") collects, uses, shares, and protects personal data when you use the SustBridge platform and related services (the "Service").
We are committed to protecting your personal data and being transparent about our data practices. This Privacy Policy is intended to comply with the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and Hungarian data protection law (Act CXII of 2011).
Data controller: SustBridge Szolgáltató Korlátolt Felelősségű Társaság, registered in Hungary, with Hungarian VAT number [VAT_NUMBER_PLACEHOLDER], registered office at [REGISTERED_OFFICE_PLACEHOLDER].
Contact for data protection matters: barnabas@sustbridge.com.
We have not appointed a Data Protection Officer (DPO) as we are not legally required to do so under GDPR Article 37. Should our processing operations require a DPO in the future, we will appoint one and update this Privacy Policy.
2. Personal data we collect
2.1 Data you provide directly
When you register for and use the Service, we collect:
- Account information: name, email address, password (stored as hash), professional role (senior consultant, junior analyst, company representative), professional sector, and similar profile data.
- Billing and tax information: billing address, country, tax identification number (VAT number where applicable), payment method details (handled by our payment processor; we do not store full card details).
- Communication content: messages you send through direct messaging features, content of AI chat sessions, queries, and inputs you provide to AI tools.
- Uploaded content: documents, images, files, and other materials you upload to the Service, including knowledge base contributions, regulation documents, and use case materials.
- Profile and platform contributions: use cases you create, briefs you complete, sector expertise you indicate, peer endorsements, and similar platform activity.
2.2 Data we collect automatically
When you use the Service, we collect:
- Usage data: features accessed, pages viewed, actions taken, time spent on the platform, search queries, and similar interaction data.
- Device and connection data: IP address, browser type and version, operating system, device identifiers, language settings, and referring URL.
- Cookies and similar technologies: see our Cookie Policy for details.
- Performance and error data: technical information about how the Service performs, including error logs, response times, and system metrics.
2.3 Data from third parties
We may receive data about you from:
- Payment processors (Stripe): transaction status, payment failures, dispute information, validated billing information.
- Tax validation services (via Stripe Tax, including VIES for EU VAT validation): validation status of VAT numbers you provide.
- Authentication providers (if you sign in via a third-party identity provider): basic profile information necessary for account creation.
- Public sources: in limited cases, professional background information for verification purposes.
3. Lawful basis for processing
We process personal data on the following lawful bases under GDPR Article 6:
Performance of a contract (Article 6(1)(b)): processing necessary to provide the Service to you, including account management, subscription billing, AI feature delivery, and direct messaging. Most account-related processing falls under this basis.
Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate business interests, including:
- Service security, fraud prevention, and abuse detection;
- Service improvement and platform development;
- Aggregated analytics and benchmarking (using anonymized or aggregated data);
- Direct communications about your account and the Service (transactional emails);
- Defending legal claims.
We have assessed that these interests are not overridden by your rights and freedoms.
Consent (Article 6(1)(a)): for marketing communications, certain optional cookies, and any processing where we explicitly request your consent. You may withdraw consent at any time without affecting prior processing.
Legal obligation (Article 6(1)(c)): for processing necessary to comply with legal obligations, including tax, accounting, anti-money-laundering, and consumer protection requirements.
4. Purposes of processing
We process personal data for the following purposes:
(a) Providing, maintaining, and improving the Service;
(b) Managing your account, processing subscriptions, and billing;
(c) Delivering AI-powered features in response to your inputs;
(d) Communicating with you about your account, the Service, transactional matters, and renewal reminders;
(e) Operating the marketplace matching, discovery, and engagement features;
(f) Generating Platform-Aggregated Insights (anonymized, aggregated analytics) for platform improvement and benchmarking;
(g) Preventing fraud, abuse, and security incidents;
(h) Complying with legal obligations, including tax reporting (NAV Online Számla in Hungary, OSS, UK VAT where applicable);
(i) Defending legal claims;
(j) With your consent, marketing communications about new features and offers.
5. AI processing — specific transparency
The Service uses artificial intelligence (AI) models to provide certain features, including chat, content generation, summarization, and analysis. We want to be transparent about how AI processes your data:
(a) What goes to AI models: when you use AI features, the content of your prompts, retrieved knowledge base context, and conversation history may be sent to AI processing services to generate responses.
(b) Who provides AI services: we use third-party AI service providers, including Anthropic (Claude API) and OpenAI (embeddings), under data processing agreements that prohibit them from training their models on your data and that require deletion of customer data after processing.
(c) Data not used for AI training: your conversations and uploaded content are not used to train our AI providers' general models. They are used solely to generate responses for you.
(d) AI-generated outputs: outputs from AI features may contain inaccuracies and should be independently verified. See Terms section 10 for full disclaimer.
(e) Aggregated analysis: we may analyze aggregate AI usage patterns (anonymized) to improve the Service.
6. Sharing personal data
We share personal data with the following categories of recipients:
6.1 Subprocessors
We engage third-party service providers to operate the Service. These subprocessors process personal data on our behalf under data processing agreements:
| Subprocessor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database hosting and authentication | EU (eu-central-1, Frankfurt) | Within EU/EEA |
| Vercel (Vercel Inc.) | Application hosting and content delivery | Global edge network | Standard Contractual Clauses (SCCs) |
| Stripe (Stripe Payments Europe Ltd.) | Payment processing and tax handling | EU (Ireland) | Within EU/EEA |
| Anthropic (Anthropic, PBC) | AI model service (Claude) | United States | Standard Contractual Clauses (SCCs) + Anthropic's data protection commitments |
| OpenAI (OpenAI, L.L.C.) | Embedding generation | United States | Standard Contractual Clauses (SCCs) + OpenAI's data protection commitments |
| Számlázz.hu | Invoice generation and NAV reporting | EU (Hungary) | Within EU/EEA |
| SzámlaBridge | Stripe-Számlázz.hu integration | EU (Hungary) | Within EU/EEA |
| Resend (or equivalent SMTP provider) | Transactional email delivery | EU/US (depending on configuration) | Standard Contractual Clauses where applicable |
We update this list when we add or change subprocessors. Material changes are communicated through the Service or via email.
6.2 Other recipients
We may share personal data with:
- Other users of the Service: in the context of the marketplace functionality, your professional profile, contributions, expertise areas, and similar information may be visible to other users (consultants, juniors, companies) for matching and discovery purposes.
- Legal and regulatory authorities: where required by law, court order, or legal process.
- Professional advisors: lawyers, accountants, auditors under confidentiality obligations.
- Successor entities: in the event of a corporate restructure, merger, acquisition, or asset sale, we may transfer personal data to the successor entity, which will be bound by privacy commitments substantially equivalent to those in this Policy.
We do not sell personal data.
7. International data transfers
Some of our subprocessors are located outside the EU/EEA, including in the United States. Where personal data is transferred to such jurisdictions, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Additional safeguards as required following the Schrems II decision, including encryption in transit and at rest;
- The subprocessors' own certifications and data protection commitments.
You may request a copy of the SCCs in place by contacting us at barnabas@sustbridge.com.
8. Data retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:
- Account data: retained for the duration of your account plus a reasonable period (typically 30-90 days) after account deletion to allow for account recovery and to handle related obligations.
- Billing and tax data: retained for periods required by Hungarian tax law (typically 8 years for invoicing records).
- Communication content (DMs): retained for the duration of your account; deleted upon account deletion subject to legal obligations.
- AI conversation history: retained according to your account settings; you may delete individual conversations at any time.
- Usage logs: retained for analytical purposes for up to 24 months in identifiable form, then anonymized.
- Legal hold: in cases of legal claims or regulatory inquiries, data may be retained for the duration of the matter plus relevant limitation periods.
9. Your rights
Under GDPR and applicable data protection law, you have the following rights:
Right of access (Article 15): you may request a copy of the personal data we hold about you.
Right to rectification (Article 16): you may request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten") (Article 17): you may request deletion of your personal data in certain circumstances, subject to our legal obligations.
Right to restriction of processing (Article 18): you may request that we limit our processing in certain circumstances.
Right to data portability (Article 20): you may request to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to object (Article 21): you may object to processing based on legitimate interests, including profiling, on grounds relating to your particular situation.
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint: you may lodge a complaint with a supervisory authority, particularly the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, https://naih.hu), or the supervisory authority of your habitual residence.
To exercise any of these rights, contact us at barnabas@sustbridge.com. We will respond within one month, extendable by up to two further months for complex requests, in accordance with GDPR Article 12.
10. Security
We implement technical and organizational measures designed to protect personal data, including:
- Encryption of data in transit (TLS) and at rest;
- Access controls and authentication requirements;
- Logging and monitoring of access to systems containing personal data;
- Regular security reviews and updates;
- Subprocessor due diligence and contractual safeguards;
- Incident response procedures.
No system is perfectly secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authorities as required by GDPR.
11. Children's data
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.
12. Marketing communications
We may send you marketing communications about new features, offers, or related services where you have consented or where we are permitted to do so under applicable law (such as similar products to ones you have already purchased, where you have not objected).
You may opt out of marketing communications at any time using the unsubscribe link in our emails or by contacting us. Opting out of marketing does not affect transactional communications about your account.
13. Cookies and similar technologies
The Service uses cookies and similar technologies to provide functionality, remember your preferences, analyze usage, and (with your consent) provide personalized features.
For details, see our Cookie Policy, which is incorporated by reference into this Privacy Policy.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service at least 30 days in advance. The "Effective Date" at the bottom of this Policy indicates when it was last updated.
15. Successor entity and corporate restructure
In the event of a corporate restructure, merger, acquisition, sale of substantially all of our assets, or similar transaction, we may transfer personal data to the successor entity. The successor entity will be bound by privacy commitments substantially equivalent to those in this Privacy Policy at the time of transfer, and you will be notified of any material changes resulting from the transfer.
This provision is included to enable future corporate developments while preserving your privacy rights. It does not constitute a present intention to undertake any specific transaction.
16. Contact
For any questions, requests, or concerns regarding this Privacy Policy or our data practices, contact:
SustBridge Szolgáltató Korlátolt Felelősségű Társaság
Email: barnabas@sustbridge.com
Registered office: [REGISTERED_OFFICE_PLACEHOLDER]
You may also contact the Hungarian supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
1055 Budapest, Falk Miksa utca 9-11.
Web: https://naih.hu
Email: ugyfelszolgalat@naih.hu
Effective date: [TO BE FILLED IN UPON LAUNCH]
Last updated: [DATE OF LATEST REVISION]