Introduction
Substribe Ltd is committed to ensuring the privacy and security of personal data we process as part of our B2B subscription intelligence services. This policy outlines how we collect, use, store, and protect personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
About Us
Substribe Ltd provides specialised advisory services to B2B subscription businesses, focusing on optimising recurring revenue quality and customer sentiment. Our services include Sprint & Market Testing, Revenue Performance Transformation, Customer Sentiment Tracking, and strategic consultation.
Substribe Ltd is registered with the Information Commissioner’s Office (ICO) under application number C1682084.
Data Protection Principles
We are committed to processing data in accordance with our responsibilities under the UK GDPR and follow these key principles:
- Processing lawfully, fairly and transparently
- Collecting data for specified, explicit and legitimate purposes
- Ensuring data is adequate, relevant and limited to what is necessary
- Keeping data accurate and up to date
- Storing data for no longer than necessary
- Processing data securely and protecting against unauthorised processing, accidental loss, or damage
Personal Data We Collect
Client Business Data
- Company information including business contact details
- Service usage data
- Subscription performance metrics
Client Customer Data
- When analysing client data, we generally use anonymised datasets with unique identifiers rather than personally identifiable information
Research Participant Data
- For interview projects: Name, email address, job title, and employer of interview participants
- Interview recordings and transcripts (with consent)
- Survey responses
Website Users
- Information provided through contact forms
- Technical information (e.g., IP address, browser type)
Lawful Basis for Processing
We process personal data on the following lawful bases:
- Contractual necessity: To fulfill our contractual obligations to clients
- Legitimate interests: For B2B communications and service improvements where the processing is proportionate and respects individual rights
- Consent: For specific activities, such as interview recordings or marketing communications
- Legal obligation: To comply with legal requirements
Consent Practices
For research participants and interviewees, we:
- Obtain verbal consent prior to interviews and data collection
- Explain that collected data will be used for internal product development purposes
- Clarify that insights derived from interviews contribute to our knowledge base
- Ensure participants understand the business context of their participation
We recognise that product strategy development and innovation require access to historical data and insights as reference points. Interview data forms an essential part of our organisational knowledge base, particularly as AI and machine learning technologies evolve toward creating more sophisticated analytical capabilities. This necessitates the retention of valuable interview insights for ongoing business purposes.
How We Use Personal Data
We use personal data to:
- Deliver our subscription intelligence services
- Analyse subscription business performance
- Conduct customer research and market testing
- Provide strategic advice based on data insights
- Manage our client relationships
- Improve our services
Data Retention
We retain personal data for the following periods:
- Client business information: 3 years after the end of our business relationship, or longer if required for legal or accounting purposes
- Research participant data: May be retained indefinitely to support ongoing product strategy and development
- Interview recordings and transcripts: May be retained indefinitely as part of our organisational knowledge base
- Client customer data: Deleted or returned to the client upon project completion unless otherwise agreed
We recognise that product strategy development and innovation require access to historical data and insights. As AI technologies continue to evolve, historical interview data becomes increasingly valuable for creating “living” personas and knowledge systems that support our business mission.
Sharing Personal Data
We may share personal data with:
- Service providers who support our business operations (e.g., cloud storage providers)
- Other parties with client consent
- Regulatory authorities where legally required
We do not sell personal data or share it with third parties for marketing purposes.
International Transfers
Some of our trusted service providers (such as Google, Fathom AI, and other cloud-based tools) may process data on servers located outside the UK or European Economic Area (EEA). When this occurs, we ensure that appropriate safeguards are in place to protect your personal data, such as:
- Using providers certified under approved transfer mechanisms (such as UK GDPR adequacy decisions or standard contractual clauses)
- Selecting providers with robust data protection practices
- Limiting the personal data transferred to what is necessary
We regularly review our providers’ compliance with data protection standards.
Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Password protection of electronic documents and systems
- Secure cloud storage with appropriate access controls
- Limited personnel access (sole access by the data protection contact)
- Data encryption for stored files
- Regular security reviews of our processing activities
We use several trusted service providers to process data securely:
- Google Workspace Business Account for business communications and file storage
- Fathom AI Notetaker for interviews and client discussions
- CoLoop AI for research interview analysis
- SurveyMonkey and Google Forms for data collection
Client data is securely provided to the respective client only, with no cross-sharing between clients.
Individual Rights
Under data protection law, individuals have rights regarding their personal data, including:
- The right to be informed about how their data is used
- The right of access to their data
- The right to rectification of inaccurate data
- The right to erasure in certain circumstances
- The right to restrict processing in certain circumstances
- The right to data portability
- The right to object to processing based on legitimate interests
- Rights related to automated decision making and profiling
To exercise these rights, individuals can contact us at andy@substribe.co.
Data Breaches
In the event of a data breach that poses a risk to individual rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the affected individuals, we will also inform those individuals without undue delay.
Policy Updates
We may update this policy periodically to reflect changes in our practices or regulatory requirements. The latest version will be available on our website.
Contact Information
For any questions about this policy or our data protection practices, please contact:
Andy Burden
Substribe Ltd
Email: andy@substribe.co
If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
Last updated: May 2025