Last updated: 10/14/2025

SUSTEA ENERGY d.o.o., having business seat at Croatia, Zagreb, Prisavlje 10, Tax No (OIB) : 58303042879, registered in company register held by Commercial Court in Zagreb under Company Number (MBS): 081660176, with registered share capital in the amount of EUR 2,500. (“we,” “us,” or “our”, “company”) respects your privacy and is committed to protecting your personal information.

This Privacy Policy explains how we collect, use, and protect your information through our website https://www.sustea.eu.

The personal data controller is: SUSTEA ENERGY d.o.o., having business seat at Croatia, Zagreb, Prisavlje 10

Contact details of the controller: Tea Žakula

Contact email address: info@sustea.eu

Contact of the personal data Protection Officer: info@sustea.eu

Personal data processor: SUSTEA ENERGY d.o.o., having business seat at Croatia, Zagreb, Prisavlje 10

If we use the services of external providers for the processing of your personal data, it is processing (personal data) on order, and we are certainly responsible for the protection of your personal data in that case. We will be happy to answer all your questions regarding the protection and processing of your personal data.

1. Collection of personal data

Your personal data is collected exclusively in contact with you and on your consent. Please note that some of your personal information is also available from publicly available online sources (e.g. social networks like Facebook, LinkedIn, Instagram, etc.). The company is aware of their existence, however, it does not collect and/or process such data without your consent (whether given explicitly to us or to third-party social media service providers).

In general, we process your personal data only for the purposes we have informed you about, for which you have given us explicit personal consent or the processing of personal data is a legal obligation of the company.

Unless you inform us otherwise (withdraw consent), we will process your personal data for a specific purpose. In case of termination or expiry of the legal basis, i.e. the possibility of processing your personal data, we will immediately cease the processing in question.

We reserve the right to the protection of its interests as controller, as well as the protection of data subjects, may therefore: (i) carry out activities to determine the identity of the user, (II) we will only take into account your requests if they are submitted through prescribed and predefined channels of communication, (III) we will determine the merits of your request and send you a reply, (IV) we can reject your request and/or initiate appropriate procedures if we consider it to be a manifestly

2. Purpose of the collection of personal data

We point out that different types of personal data can be collected in different situations, namely:

I-Via our website contact form. You can contact us using our website contact form and leave your name, email address and message to us.

II- Doing business with the company. As a business customer, supplier or business partner, we will ask you to share your personal information with us for the following purposes: (i) ensuring access to information, (II) answering questions or resolving requests for service and/or general enquiries concerning the business relationship with the company, (III) in order to comply with legal obligations, (IV) any other purpose for which we requested express written consent from you at that time.

3. Types of personal data that the company collects or may collect

Our website does not automatically collect any personal data through cookies or tracking technologies while all visits to our Website use tracking of visits analysis via WP Statistics (https://wp-statistics.com/) that collects no cookies from the users only anonymized data on website visits.

The only personal data we collect is the information you voluntarily provide us by filling out the contact form, such as your name, email address, and message.

When sending your message via our contact form the server will also record:

a. IP address of the device that sent message

b. Time of message being stored

c. User-Agent data containing data on device, operating system and web browser of the user (e.g. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36)

All above listed is collected in order to prevent misuse.

The company collects and processes your personal data based on your explicit, written and voluntary consent, which you have given by accessing our official website or by accessing our official profiles on social networks (LinkedIn), by requesting contact, by requesting information about the operations of the controller, by expressing comments or praise, and by entering into a business relationship with us.

Personal data collected when interacting with the company via mail, email, personal data delivery, telephone, SMS message and/or apps, web or social networks (e.g. if you indicate that you like the company on LinkedIn, etc.), we can request or obtain personal data such as: (i) first and last name, (ii) e-mail address, (iii) and any other personal information that you have provided to us on your own initiative.

As part of the business relationship, you should make available personal data necessary for the establishment and realization of the business relationship, and the fulfilment of related contractual obligations or for the collection of which there is an obligation. Without this information, we can refuse to conclude the contract, execute the order or terminate the execution as well as terminate the existing contract. Of course, you are not obliged to give your consent to the processing of data that are not relevant or prescribed by law for the performance of the contract.

4. Legal basis and purposes for the processing of personal data

All types of your personal data are processed by the controller for the following purposes and based on:

1. Fulfilment of legal obligations – we process your personal data in accordance with applicable regulations as well as for informing and reporting that we are obliged to perform in accordance with applicable regulations, all with the purpose of fulfilling legal obligations;
2. Fulfilment of the contract – we process personal data for the purpose of fulfilling the contract and fulfilling the contractual obligations that are the subject of the contract (e.g. the Civil obligations Act), based on the fact that the processing is necessary for fulfilling the contractual obligations;
3. With the purpose of contacting us for the efficient execution of business contracts, requests for information, application to a newsletter etc., based on the consent you gave us or on the legitimate interest of the controller;
4. Another purpose, provided that you have been previously informed and given your consent.

All your personal data are processed on the basis of law, contract, legitimate interest and your explicit, voluntary and written consent.

5. Retention period of personal data

The controller shall keep the personal data of natural persons for as long as is necessary for the purposes for which the data are processed. The controller is guided by the criterion that the minimum retention period is also the maximum period and is guided by legal obligations regulating the retention of personal data. For each data processing purpose for which the law does not prescribe a mandatory retention period, the controller has set a deadline for deletion or anonymization of the data.

Below we provide you with a brief overview of the type of personal data and purpose as well as the time of their retention:

Personal information	Obtained from	Purpose	Legal basis	Storage time
Publicly available user profile on social media	Directly from user	Marketing	Legitimate interest	Until withdrawn
Digital data: geolocation, IP address, type of device, OS version	Directly from user	Prevention of misuse	Legitimate interest	Until withdrawn
Name, email address	Directly from user	Message sent by the user	Consent	Until withdrawn

For reasons of understanding, if, for example, a procedure is initiated, personal data will be kept until the procedure is finalized in accordance with the applicable regulations.

6. Management of personal data processing consent

You can change your consent (supplement, complete or partial revocation) at any time by contacting us by e-mail or by post.

If you revoke the given consent, we will no longer use your data for the stated purposes, but this may result in the possibility of using some additional benefits related to them.

Withdrawal of consent shall not affect the lawfulness of the processing which was based on consent before it was withdrawn.

If you want to give your consent again, you can do so in the same way as when you revoke it.

If you do not provide us with your personal data for which consent is not required, which is necessary for concluding the contract with us, fulfilling the concluded contract or due to obligations we have under the law, we will not be able to fulfil our contractual obligations towards you nor will we be able to conclude and/or possibly fulfil the contract with you.

7. Rights of data subjects

The company takes care of your rights at all times and none of the provisions of this Privacy Policy, as well as any action by the company and/or its employees, is aimed at diminishing and/or violating your rights, but on the contrary the company is making significant efforts to preserve your rights.

Therefore, your rights are exhaustively listed below:

1. Right of access and information on the processing of personal data – each data subject has the right to request confirmation as to whether your personal data are being processed, and the purpose of processing if such personal data are processed, the groups of your personal data that we keep, third parties or groups of third parties with whom your personal data are shared, the period during which we retain the data as well as the source of your personal data that we did not collect directly from you
2. Right to rectification – at any time you may request us to rectify or supplement your personal data that we process in case it is incomplete or inaccurate
3. Right to erasure – you can request us to erase your personal data
4. Right to restriction of processing – you can request restriction of processing of your data:
   • if you challenge the accuracy of the data over a period of time that allows us to verify the accuracy of these data,
   • if the processing of the data has been unlawful but you refuse to delete it and instead request a restriction on the use of the data; and
   • if we no longer need the data for the intended purposes, but you still need it to fulfil legal requirements or if an objection has been raised as a result of the processing of those data.
5. Right to object to the processing of personal data
6. Right to the possibility of data transmission – You can ask us to deliver the data you have entrusted to you in a structured format, in a customary machine-readable format:
   • if we process this data on the basis of the consent given to us and which you can revoke; and
   • where processing is carried out using automated processes.
7. Right to file a complaint with the supervisory authority – if you are of the opinion that we have breached Croatian or European data protection regulations when processing your data, please contact us to clarify any questions

In order to exercise the aforementioned rights or in case of suspected personal data breaches, it is possible to contact our personal data Protection Officer at: info@sustea.eu . You have the right to lodge a complaint with the Croatian personal data Protection Agency Selska cesta 136, HR – 10 000 Zagreb, e-mail: azop@azop.hr , Tel. 00385 (0)1 4609-000, Fax. 00385 (0)1 4609-099, web: www.azop.hr .

Taking into account the above, the company has developed a system of physical, technical and organizational and other measures aimed at protecting your personal data. Security maintenance and testing shall be carried out on a permanent basis and partners contracted with appropriate security measures shall be engaged.

The company does not transfer personal data to third countries (countries outside the borders of the European Union and the European Economic area) or international organisations. If external service providers appear to the company during the company’s operations and there is a need for such transfer, the company will do the same only if the same is permitted and in accordance with the positive regulations governing the area.

The company has the right to the protection of its interests, as well as the protection of its users, and the company will accordingly:

• carry out the identification activities of the applicant, including requesting additional information for that purpose, before responding to the request;
• valid requests will only be accepted through defined channels of communication and forms;
• carry out an assessment of the merits of the application and provide a response to the application;
• carry out an assessment of the excessive nature of the application and if any of these rights are used excessively and with a manifest intention of abuse;
• The company has the right to collect the administrative fee or refuse to comply with the request.

Taking into account the above, the company has developed a system of technical and other measures aimed at protecting your personal data.

Understanding for the sake of, as already pointed out, some of those rights are not absolute, and the controller has the right to restrict the exercise of certain rights, under the conditions and in the manner prescribed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EZ (General data Protection Regulation) and any applicable regulations. The reasons and grounds for rejecting each individual application will be communicated to the beneficiary. The controller shall provide the necessary information within one month of receiving the request for appropriate rights. That period may be extended, where appropriate, by an additional two months, taking into account the complexity and number of applications.

8. Transmission of data to third parties

We commit to keep your personal data and we will not communicate it or make it available to third parties except in the following cases:

• if you explicitly agree in writing to communicate certain confidential information for a particular purpose or to a particular person,
• by order of the competent national authorities (courts, ministries, etc.),
• where the information is required by a court, or other public authorities for the proceedings they are conducting and the production of that information is requested in writing,
• if these data are needed by the tax Administration, the Institute for pension and Health Insurance, all based on the legal obligations of the controller towards them,
• such information is required by the Ministry of Finance or the tax authority in the proceedings which it carries out within its competence; and
• if we have to provide information in the context of a contractual relationship with you to third parties, data transmitted automatically to digital service providers – Microsoft, Google, using standard personal data protection clauses.

Please note that when using third-party digital services such as Google and their Google Analytics4, Microsoft, etc. (hereinafter: “large IT companies”) the company has agreed to the standard operating conditions offered by these large IT companies, but the company does not have the possibility of additional verification and/or influence over any transfer of your personal data by large IT companies outside the framework guaranteed by these large IT companies. The company shall use technical methods, in particular pseudo-anonymization, to mitigate any potential risks. More about the methods of protection can be found in point 12 of this privacy policy.

9. Use of digital services (Internet site, apps)

We collect only personal data that visitors to our official website voluntarily make available to us when submitting contact requests and business information, requests for entry into a business relationship, job competitions, callback services, and other electronic forms. These personal data shall be used in a confidential manner and only for a specific purpose included in each form. The transfer of personal data to third parties shall be carried out if there is a legal obligation or an order from an official body, where those personal data may be transmitted to the competent authority and only those data which are necessary for that purpose. Access to the website shall be prototyped and technical data such as site visit, operating system used, screen resolution, visiting time and the size of data transmitted shall be recorded on that occasion.

10. Other provisions

All issues not regulated by this policy are governed by the law of the Republic of Croatia.

In the event of an infringement or suspected infringement of personal data by a company and/or its employees, an individual who considers that his rights have been infringed should first contact the company for an attempt at conciliation, by e-mail or to a physical address. The company shall reply to any such request within one month of receipt thereof. In the event that the company receives an individual’s request, the individual is obliged to initiate an out-of-court conciliation procedure before the initiation of litigation proceedings, and only after a possible non-successful conciliation will he initiate litigation proceedings before the competent court in Zagreb.