What we do with what you send
This page explains how SustainBit Pty Ltd handles information from this website: the contact form, optional updates, analytics, bot protection, and security logs. There is no account and no login. If you choose to ask for updates, that is handled as described below.
Who runs this site
This site is run by SustainBit Pty Ltd, a company registered in New South Wales, Australia. If you want to reach us about anything on this page, write to [email protected].
What the contact form collects
When you send a brief through the form, we store the email address you type, the message you write, and the page you sent it from. We also record whether you ticked the box to get updates, and the country your request appears to come from, which we use to apply the right consent rules.
We do not store your raw IP address or full browser user-agent in our database. We process them briefly to run the form, apply the right country and rate-limit rules, and create salted fingerprints for abuse prevention and the audit record. Those fingerprints are pseudonymous; where a law treats them as personal information, we treat them that way too. Note that Cloudflare, which runs the bot check, may process your IP and device details before our own hashing happens.
What not to send
Please do not include sensitive information, confidential material, client data, or other people's personal information in a first-contact brief unless it is necessary. If you do include it, we use it only to assess and answer your enquiry, and we may delete or minimise it if we do not need it.
What happens when you submit
Every submission is checked by a Cloudflare Turnstile challenge first, to keep bots out. Each submission is then rate-limited per visitor: up to five per minute and twenty per hour. A submission must also pass a compliance check before anything is stored; if that check cannot run, the submission is refused rather than saved.
Once a brief is accepted, it is written to our database and queued so a person on our team can read and answer it. We write a record of each submission, allowed or denied, to an append-only audit log. That log can be added to but not edited or deleted, so the trail of what happened stays honest.
If you ask for updates
Ticking the updates box is optional and it is not pre-ticked. You can send a brief without it, and we never add you to updates just because you sent a brief. If you do tick it, what happens next depends on where you are.
From the EU/EEA and the United Kingdom, we use double opt-in: we record your request as pending and only mark you as subscribed once it is confirmed. Everywhere else, your opt-in is recorded when you submit. Either way, every consent step is written to an append-only consent history we keep but never rewrite, and you can unsubscribe at any time.
Analytics
We measure how the site is used with PostHog. We do not use cookies for analytics, but we do use browser local storage as described below. We keep a random visitor id, under the key sb-visitor-id, with a matching session id that resets after thirty minutes of inactivity. This id is not tied to your name or email.
The events we record cover things like page views, which device type you are on, whether you have reduced motion turned on, and where you arrived from. On the server side we also record whether a submission succeeded, failed, was rate-limited, or was a subscription confirmation. When a subscription is confirmed, the analytics event is keyed by a salted hash of your email, never the address itself.
How long we keep it
We keep a brief while we assess and answer it, and then for up to twenty-four months for our business records and in case of a dispute, unless the law requires longer. Analytics records are kept for up to twelve months. Security and audit logs are kept for up to twelve months. Consent and unsubscribe records are kept for as long as we need them to prove consent and honour unsubscribe requests. When we no longer need personal information, we delete or de-identify it where practicable.
Who else sees this
The site runs on Cloudflare, which serves the pages, runs the Turnstile bot check, and holds the database. Analytics events go to PostHog, and the pages load web fonts from Google Fonts. These providers may process information outside Australia, including in the United States. We do not sell your information. We do not give your brief to external advisers, advertisers, or unrelated third parties to read or respond to it. We do use the service providers above to host, secure, analyse, and operate the site for us.
If we become aware of a data incident involving personal information, we assess it and notify the people affected or the regulator where the law requires.
Your choices
You can ask to access, correct, or delete the personal information we hold about you, or complain about how we handled it, by writing to [email protected]. We may need to verify your identity, and we aim to respond within thirty days. If you are in Australia and remain unhappy after we respond, you can complain to the Office of the Australian Information Commissioner.
Some records, such as minimal audit, security, and consent entries, are append-only and may be kept where reasonably needed for security, legal compliance, and to honour unsubscribe requests. Where we cannot erase an earlier entry without breaking the integrity of the log, we record the deletion request and stop actively using the earlier information where appropriate.
Last updated June 2026. This page describes the site as built today and changes as the product changes.