Introduction
Substribe Ltd is committed to ensuring the privacy and security of personal data we process as part of our B2B subscription intelligence services. This policy outlines how we collect, use, store, and protect personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
About Us
Substribe Ltd provides specialised advisory services to B2B subscription businesses, focusing on optimising recurring revenue quality and customer sentiment. Our services include Sprint & Market Testing, Revenue Performance Transformation, Customer Sentiment Tracking, and strategic consultation.
Substribe Ltd is registered with the Information Commissioner’s Office (ICO) under registration reference ZB896431.
Data Protection Principles
We are committed to processing data in accordance with our responsibilities under the UK GDPR and follow these key principles:
- Processing lawfully, fairly and transparently
- Collecting data for specified, explicit and legitimate purposes
- Ensuring data is adequate, relevant and limited to what is necessary
- Keeping data accurate and up to date
- Storing data for no longer than necessary
- Processing data securely and protecting against unauthorised processing, accidental loss, or damage
Personal Data We Process
Client Business Data
- Company information including business contact details
- Service usage data
- Subscription performance metrics
- Strategic context and consulting work product
Client Customer Data (We Process as Data Processor)
When conducting research on behalf of clients, we process personal data of our clients’ customers:
- Names, email addresses, job titles, and employers of interview participants
- Interview recordings and transcripts
- Survey responses
- Customer sentiment and feedback
Important: For client customer data, our client is the data controller and we act as their data processor. This means the client determines the purposes and means of processing, and we process data solely on their instructions to deliver our services.
Website Users
- Information provided through contact forms
- Technical information (e.g., IP address, browser type) for website functionality
Lawful Basis for Processing
We process personal data on the following lawful bases:
Contractual necessity: To fulfil our contractual obligations to clients
Legitimate interests:
- For B2B business relationship management
- To deliver effective consulting services using our proprietary methodology
- For maintaining client project records and continuity across engagements
- For public information research supporting strategic analysis
We have conducted Legitimate Interests Assessments to ensure our processing is proportionate and respects individual rights.
Consent: For specific activities where required, such as interview recordings
Legal obligation: To comply with legal requirements (e.g., accounting records retention)
How We Use Personal Data
Client Consulting Services
We use AI-powered tools (Claude Projects by Anthropic) as our working environment for client engagements. This involves maintaining project records including:
- Client context and strategic discussions
- Methodology application and frameworks
- Work product and recommendations
- Business contacts in their professional capacity
This is necessary to deliver effective consulting that requires continuity and context. Claude Projects serves as the digital equivalent of a consultant’s project file, allowing us to:
- Maintain continuity across conversations
- Apply our methodology consistently
- Provide contextual, relevant advice
- Build on prior strategic work
Safeguards in place:
- Paid Pro account with model training disabled
- Single user access (confidential to Substribe)
- Client-specific workspaces (data segregation)
- Archived/deleted when engagement concludes
- Used for work product only, not personal matters
Client Customer Research
When conducting research on behalf of clients, we:
- Record and transcribe interviews using Fathom AI (with participant consent)
- Analyse interviews using CoLoop AI
- Share recordings and transcripts with client teams
- Anonymise findings in reports where required by client
- Use insights to inform strategic advice
Public Information Research
We may research publicly available information (websites, annual reports, public statements, press releases) to support strategic positioning and market analysis. This is legitimate business intelligence activity proportionate to our consulting purpose.
Business Relationship Management
We maintain records of our business relationships with clients for ongoing service delivery, invoicing, and business development purposes.
Consent Practices for Research Participants
For client customer research interviews, we obtain verbal consent at the start of each interview. We explain:
- The interview will be recorded using Fathom AI for transcription
- The recording and transcript will be shared with the client’s team
- Insights will be anonymised in written reports
- The client controls retention and use of their customer data
- Data is stored securely with appropriate access controls
Consent is documented through the recording itself and in our project records.
Participants understand they are providing feedback to help improve products or services they use, and that the client (who has the existing customer relationship) is the data controller.
Data Retention
We retain personal data according to different schedules depending on our role and the type of data:
Client Business Information (We are Controller)
Retention: Active relationship + 6 years
Rationale: UK accounting and legal obligations
Deletion: Deleted from all systems after retention period
Client Customer Data (We are Processor)
Client controls retention. We retain data per client instruction:
Interview recordings (Fathom):
- Default: Active engagement + 6 months, then review with client
- Client-directed: Client may instruct extended retention for ongoing strategic use
- Deletion: Per client instruction or within 90 days of relationship ending
Interview transcripts:
- With identifiers: Per client instruction, typically anonymised within 90 days
- Anonymised: During engagement as work product (no longer personal data once names/companies removed)
- Deletion: Per client instruction
Research participant contact details:
- Retention: Project duration + 6 years (to support legal/accounting obligations)
- Deletion: Deleted from all systems after retention period
Review process: We contact clients at regular intervals (minimum every 12 months) to confirm continued retention requirements for data held in our systems.
When relationships end: Data deleted within 90 days of relationship conclusion unless client has instructed otherwise or opted for ongoing service with context retention.
Claude Projects (Collaborative Workspace)
Active engagement clients: Projects maintained throughout active relationship. Context accumulation is part of service value for ongoing engagements.
Concluded relationships: Projects archived and client data removed when engagement concludes. Our methodology frameworks remain as our intellectual property.
Website Contact Forms
Retention: Response + 3 years if no relationship formed
Deletion: Deleted from systems after retention period
Business Records
Email correspondence: Relationship + 6 years
Contracts and invoices: 6 years (legal requirement)
Anonymised market insights: No limit (no longer personal data)
Sharing Personal Data
We share personal data with:
- AI service providers who support our business operations (see International Transfers section below)
- Clients, who receive their customer research data (as they are the data controller)
- Other parties with client consent where required
- Regulatory authorities where legally required
We do not sell personal data or share it with third parties for marketing purposes.
International Transfers
Some of our trusted service providers process data on servers located outside the UK or European Economic Area (EEA). We have implemented appropriate safeguards:
| Service Provider | Purpose | Processing Location | Transfer Mechanism | DPA/Security Info |
|---|---|---|---|---|
| Google Workspace | Business communications and file storage | Multi-region (includes US) | Google UK GDPR-compliant framework with Standard Contractual Clauses | DPA |
| Anthropic (Claude Pro) | AI-powered consulting methodology and analysis | United States | Consumer account with training disabled; 30-day data retention | Privacy Policy |
| Fathom AI | Interview recording and transcription | United States | Standard Contractual Clauses per Fathom DPA; SOC2 Type II compliant | DPA |
| CoLoop AI | Interview analysis | User-selectable: UK, EU, or US (we use UK region for raw files; derived outputs in US) | AWS-based infrastructure; GDPR compliant with regional storage options | Compliance Info |
Additional safeguards implemented:
- Encryption in transit and at rest
- Access controls limiting data access
- Paid accounts with enhanced data protection features
- Training disabled where available (Claude Pro)
- Contractual data protection obligations
- Regular review of provider compliance
- Data Processing Agreements in place with service providers
We have completed Transfer Impact Assessments for our service providers and implemented supplementary measures to protect data transferred internationally.
We regularly review our providers’ compliance with data protection standards, particularly as processing locations or practices change.
Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
Technical measures:
- Password protection of electronic documents and systems
- Secure cloud storage with appropriate access controls
- Data encryption for stored files
- Multi-factor authentication where available
- Regular security updates and patches
Organisational measures:
- Limited personnel access (sole access by data protection contact)
- Confidentiality obligations
- Regular security reviews of processing activities
- Data Processing Agreements with service providers
- Incident response procedures
Service provider security:
We use trusted service providers with robust security practices:
- Google Workspace Business Account: Enterprise-grade security for communications and file storage
- Anthropic Claude Pro: Paid consumer account with training disabled; 30-day data retention
- Fathom AI: Interview recording and transcription; SOC2 Type II certified; does not train on user data
- CoLoop AI: Secure interview analysis platform with regional storage options; does not train on user data
- SurveyMonkey and Google Forms: Secure data collection
Client data is securely provided to the respective client only, with no cross-sharing between clients.
AI Tools and Data Processing
We use AI-powered tools to improve the efficiency and quality of our services. We configure these tools to maximise data protection:
Claude Projects (Anthropic):
- Paid Pro consumer account with model training disabled
- Used for methodology application and strategic analysis
- Client-specific workspaces maintained during engagement
- Anonymised data used where practical (initials, role descriptors)
- Data retained for 30 days when training disabled
- Processed in United States
- Privacy Policy
Fathom AI:
- Interview recording and transcription service
- Data stored in United States; SOC2 Type II certified
- Does not use data for AI model training
- Access shared with clients as data controllers
- Data Processing Agreement
CoLoop AI:
- Interview analysis and insight generation
- Raw files stored in UK region (user-selectable)
- Does not use data for AI model training
- Access maintained per client instruction
- GDPR compliant with regional data storage options
- Compliance & Security Information
General AI usage practices:
- We prioritise anonymisation where practical (using initials and role descriptors)
- We use paid accounts with enhanced data protection features
- Training on client data is disabled where available
- We maintain Data Processing Agreements or documented arrangements with all AI providers
- We regularly review provider terms and security practices
Individual Rights
Under data protection law, individuals have rights regarding their personal data, including:
- The right to be informed about how their data is used
- The right of access to their data
- The right to rectification of inaccurate data
- The right to erasure in certain circumstances
- The right to restrict processing in certain circumstances
- The right to data portability
- The right to object to processing based on legitimate interests
- Rights related to automated decision making and profiling
For client customer data (research participants):
Since our client is the data controller for their customer data, data subject requests should be directed to the client. We will assist clients in responding to requests where needed.
For our business contacts and other data where we are controller:
Requests should be directed to andy@substribe.co.
Response timeframe: We respond to data subject requests within one month of receipt.
To exercise these rights, individuals can contact us at andy@substribe.co.
Data Breaches
In the event of a data breach that poses a risk to individual rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the affected individuals, we will also inform those individuals without undue delay.
For breaches involving client customer data, we will immediately notify the client (as data controller) to enable them to fulfil their notification obligations.
Controller and Processor Relationships
When we are the data controller:
- Our business client contacts and relationship records
- Website contact form submissions
- Our own business records and correspondence
- Anonymised research insights (our intellectual property)
When we are a data processor:
- Client customer interview data (recordings, transcripts)
- Research participant personal data collected for client projects
- Any personal data we process solely on client instructions
When acting as processor, we:
- Process data only on documented client instructions
- Maintain confidentiality and security measures
- Assist clients with data subject rights requests
- Delete or return data per client instruction
- Notify clients immediately of any data breaches
Policy Updates
We may update this policy periodically to reflect changes in our practices or regulatory requirements. The latest version will be available on our website.
Last updated: October 2025
Contact Information
For any questions about this policy or our data protection practices, please contact:
Andy Burden
Substribe Ltd
Email: andy@substribe.co
If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
This policy reflects our commitment to transparent and lawful data processing in accordance with UK GDPR. We regularly review our practices to ensure ongoing compliance and protection of personal data.