Privacy Policy
Effective date: April 27, 2026
Last updated:April27, 2026
Sustainable Projects Group Inc. ("**SPG**", "we", "our", "us") respects your privacy. This Privacy Policy explains what personal information we collect from visitors to suspg.com and our clients, how we use it, who we share it with, how long we keep it, and the rights you have.
This policy is written to comply with Canada's **Personal Information Protection and Electronic Documents Act (PIPEDA)**, Alberta's **Personal Information Protection Act (PIPA)**, Québec's **Law 25**, and — for EU/UK visitors — the **General Data Protection Regulation (GDPR)** and **UK GDPR**.
If you have questions or want to exercise any right described below, email **privacy@suspg.com** or write to the address in §12.
---
1. Who we are
SPG is a Canadian energy and decarbonization firm headquartered in Calgary, Alberta. We help commercial and residential building owners, property managers, municipalities, and Indigenous communities make defensible capital decisions for their buildings. Our head office address is:
Yastremski Associates Inc.
DBA Sustainable Projects Group
3122 114 Ave SE
Calgary, AB T2Z 3V6
Canada
We are the data controller for personal information collected through suspg.com and our client relationships.
2. What personal information we collect
We collect only what we need to deliver our services, operate our website, and communicate with you.
2.1 Information you give us directly
- **Contact details** when you fill out a form, book a consult, or email us: name, work email, phone number (if provided), company, job title, province, building count, project type, and the content of the message you send.
- **Newsletter subscription data**: email address and any preference fields.
- **Client engagement data** when you become a client: project scope, building information, energy data, utility bills, building drawings, condition-assessment outputs, and other technical data required to deliver the work under contract.
- **Event, webinar, or gated-asset registration data** when you register for an SPG webinar, download a guide, or attend a training.
2.2 Information we collect automatically
When you visit suspg.com, our technology partners automatically collect:
**Device and browser data**: IP address, device type, browser type and version, operating system, screen size, referring URL, language, and timezone.
**Usage data**: pages visited, time on page, scroll depth, clicks, form interactions, downloads.
**Cookies and similar technologies**: see our [Cookie Policy](/cookies) for the full list and purpose of each cookie.
**Session-replay data** (Microsoft Clarity): anonymized recordings of how visitors interact with our pages, used to improve usability. Clarity is configured with content masking so typed form content and personal identifiers are not captured.
**Anonymous company-level visitor identification** (HappierLeads): company-level firmographic data derived from IP address for B2B site-analytics purposes. **We do not identify individual visitors by name** through this tool; only company-level aggregation.
2.3 Information we receive from third parties
- Publicly available firmographic data from enrichment partners (e.g., company size, industry) when you submit a work-email form.
- LinkedIn profile data when you interact with SPG's LinkedIn advertising.
- Data from program bodies (BOMA, utility incentive administrators) when SPG is listed as your authorized provider on a funded project.
3. Why we collect it — and our legal basis
We process personal information for the following purposes:
| Purpose | Legal basis |
| Respond to your inquiry or consult request | Your request / consent; contract preparation |
| Deliver contracted services to a client | Contract performance |
| Send you SPG's newsletter or webinar invitations (opt-in only) | Consent |
| Operate, secure, and improve suspg.com | Legitimate interest |
| Understand website performance and fix usability issues | Legitimate interest |
| Manage SPG's sales pipeline, forecasting, and CRM hygiene | Legitimate interest |
| Meet legal obligations (accounting, program reporting, tax) | Legal obligation |
| Send marketing emails to existing clients about related services | Legitimate interest, with opt-out on every email per Canada's Anti-Spam Legislation (CASL) |
Under GDPR, **"legitimate interest"** means a balancing test between your rights and ours. You have the right to object to any processing based on legitimate interest — see §8.
4. Who we share it with
SPG does **not** sell personal information. We share personal information only with service providers who help us run the business, under written agreements that require them to protect your data:
- **HubSpot** (CRM, website, forms, email marketing) — data stored in HubSpot's managed infrastructure
- **Microsoft** (Microsoft 365 email, SharePoint document storage, Clarity analytics)
- **Google** (Google Analytics 4, Google Ads conversion signals, Google Workspace reporting)
- **HappierLeads** (anonymous company-level website visitor identification)
- **Apollo.io** (outbound sales prospecting and enrichment)
- **LinkedIn** (advertising and lead-gen forms, when you opt in via LinkedIn)
- **Zoom** (for webinars and video consults)
We may also share information when required by law (e.g., subpoena, regulator request), to protect SPG's legal rights, or in the context of a corporate transaction (merger, acquisition, financing). If such a transaction occurs, you will be notified before your data is transferred to a new controller.
5. Where your data is stored (cross-border transfers)
Most of our providers host data in **Canada** or the **United States**. If you are located in the EU or UK, transferring your personal information to Canada or the US is covered by one of: the EU adequacy decision for Canada (for commercial data covered by PIPEDA), Standard Contractual Clauses, or your explicit consent.
We do not transfer personal information to jurisdictions without adequate safeguards.
6. How long we keep it
- **Website visitor analytics**: 14 months (GA4 default retention), longer only in anonymized aggregate form.
- **Session recordings** (Clarity): 30 days.
- **Contact-form and consult-request data**: 3 years from last meaningful engagement, then we delete or anonymize.
- **Client project data**: retained for the life of the client relationship plus 7 years after final invoice, for tax, audit, and program-reporting compliance.
- **Newsletter subscription data**: until you unsubscribe, plus a short suppression record to ensure we don't email you after you opt out.
- **Financial records**: 7 years per Canadian tax law.
After the retention period, we delete or irreversibly anonymize the data.
7. How we protect it
We use a mix of technical, organizational, and contractual safeguards — encryption in transit (TLS 1.2+), role-based access controls on CRM and file storage, MFA on all administrator accounts, regular access reviews, vendor due diligence, and confidentiality clauses in every employee and contractor contract.
No online system is perfectly secure. If a breach affects your personal information in a way that creates a real risk of significant harm, we will notify you and the Office of the Privacy Commissioner of Canada as required by PIPEDA.
8. Your rights
You have the right to:
- **Access** the personal information we hold about you.
- **Correct** inaccurate or incomplete information.
- **Delete** your information, subject to our legal retention obligations.
- **Withdraw consent** at any time (this does not make past processing unlawful).
- **Object** to processing based on legitimate interest.
- **Restrict** processing while a dispute is resolved.
- **Data portability** — receive your data in a structured, commonly used format.
- **Opt out of marketing** — every SPG marketing email includes an unsubscribe link. You can also email privacy@suspg.com.
- **Complain** to a regulator. In Canada: the Office of the Privacy Commissioner (priv.gc.ca). In Alberta: Office of the Information and Privacy Commissioner (oipc.ab.ca). In the EU: your national data protection authority. In the UK: the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email **privacy@suspg.com**. We'll respond within 30 days (sometimes faster). We may need to verify your identity before acting on a request.
9. Cookies & tracking technologies
See our dedicated **[Cookie Policy](/cookies)** for the full list of cookies, their purpose, how long they live, and how to opt out. In summary: we use strictly necessary cookies (for the site to work), analytics cookies (to measure performance), functional cookies (to remember preferences), and marketing cookies (for advertising). You can accept, reject, or manage cookies via our consent banner.
10. Children
suspg.com is a B2B website aimed at building owners, operators, and public-sector facility managers. We do not knowingly collect personal information from anyone under 18. If you believe we have, please email privacy@suspg.com and we will delete it.
11. Changes to this policy
We may update this policy as our practices, vendors, or the law change. Material changes will be posted here with an updated "Effective date" at the top, and — for material changes that affect how we use your existing data — we will notify you by email if you're on our list.
12. Contact
Email: **privacy@suspg.com**
Mail: Privacy Officer, Sustainable Projects Group Inc., 3122 114 Ave SE, Calgary, AB T2Z 3V6, Canada
We answer every privacy inquiry. If we're slow, email again — we'd rather hear from you twice than miss your request.