Privacy Notice

Last updated: 16 July 2026. Effective from publication.

1. Who we are

Leadistry is operated by Leadistry Ltd, a company registered in England and Wales (company number 17340225), whose registered office is Suite RA01, 195-197 Wood Street, London, E17 3NU, United Kingdom. We are registered with the Information Commissioner's Office under registration number ZC149040. We act as the controller for the personal data described in this notice.

For privacy-related queries, contact hello@leadistry.co.uk.

2. What data we hold

We hold company-attached records on UK incorporated entities:

  • Company name, registered number, registered office address, SIC codes, incorporation date, status, and other fields from the Companies House register.
  • Details of company officers (directors, members) as recorded in the Companies House register: name, role, appointment date, nationality, and stated occupation.
  • Where available from the company's own publicly accessible business website: the website URL, a business email address, and the company's social profiles.
  • Where available from public search engines and public professional profiles (for example a LinkedIn profile): a director's public LinkedIn profile URL, and, where a company publishes a named business contact, that person's name and business email address.

We do not collect or hold special-category data. We do not profile or score individuals; any scoring we apply (for example, our internal “website match” confidence score) describes the quality of a company-to-website match, not the individual.

3. Where the data comes from

We build each record from publicly accessible sources:

  • The open Companies House register, made available by Companies House under the Open Government Licence (company details and officer information).
  • The company's own publicly accessible business website (we respect robots.txt and use a clearly identifiable user agent).
  • Public search engines and public professional or social profiles (for example a LinkedIn profile). We use these to locate a company's website, to identify the correct named business contact, and to record a director's public LinkedIn profile where one is publicly available.

We do not purchase marketing contact lists, and we do not buy personal data from third-party data brokers. Our enrichment uses only sources that are already publicly accessible. If you would rather not appear, you can object or ask us to remove a record at any time (see “Your rights” below).

4. The browser extension

The optional Leadistry browser extension is a companion to your account. It matches UK company websites you choose to visit against the Companies House register and your Leadistry account, and lets you save a matched company to that account in one click. That is its single purpose.

While you browse, the extension looks for UK company signals in the visible text of the page you are on (a Companies House number, a UK postcode, a VAT number, or a “Registered in” mention). This detection happens inside your browser. If no UK signal is found, nothing about the page leaves your browser: non-UK browsing is never sent to us.

When a UK signal is found, the extension sends only the page hostname, the page title, and the extracted signals to leadistry.co.uk over HTTPS, solely to check the company against the register and tell you whether it is already in your account. The full page content and full URL path are never transmitted or stored.

  • Saving is always an explicit click.If you click “Save to Leadistry”, we record the company's Companies House number and the source URL against your account and queue a server-side enrichment job (website, business email, phone, director LinkedIn) using the same pipeline as platform searches. Enrichment runs from our servers, never from your browser session.
  • Authentication. The extension stores a scoped, revocable session token locally (the Chrome storage permission) so you do not have to sign in repeatedly. Your full website session is never stored in the extension, and you can sign out from the popup at any time.
  • Manual scan.The optional “Scan this site” button checks the current page only when you click it. If the page is not a UK company, you can still save it to your own account as a basic capture.
  • What it never does. It does not read passwords or payment fields, does not scrape LinkedIn or other sites from your logged-in sessions, does not sell or share browsing data with anyone, and does not collect anything beyond the detection and explicit actions described here. Fresh server-side lookups are limited by a daily quota shown in the popup.

You can remove the extension at any time from your browser's extensions page. Removing it does not delete companies you already saved to your Leadistry account; you can manage or delete those from the “From extension” view inside your account, or by contacting us at hello@leadistry.co.uk.

5. What we use it for

We make these records available to our customers, who are UK businesses, for the sole purpose of identifying and contacting other UK corporate businesses for legitimate B2B marketing (for example: a UK accountant identifying other UK businesses that might wish to engage their services).

Where a customer sends email through our outreach feature, each message includes a small open-tracking pixel and measured (redirected) links, so that opens and clicks are recorded against that message. We record only the fact and time of the open or click; no recipient IP address or device identifiers are stored from these events. If you would rather not be contacted through the platform at all, you can ask us to remove your company's record at /remove-company (see “Your rights” below).

We also use a limited set of business contact details (a company name, its business email address, and SIC sector) to contact relevant UK businesses about Leadistry itself, our own B2B service. We only do this for incorporated entities at their business email address, never consumer webmail or individual subscribers, and every message identifies us and carries a one-click unsubscribe. You can opt out at any time (see “Your rights” below, or the unsubscribe link in any message); we then add you to a permanent suppression list and will not contact you again.

If you hold a Leadistry account, we may send you product updates and prospecting tips by email. When you sign up with an email and password we offer an optional checkbox for this; where you sign up another way (for example with Google) we rely on the PECR “soft opt-in”, because you are an existing customer and the messages are about our own similar B2B service. Either way you can switch these marketing emails off at any time in Settings → Email preferences, and every marketing email includes a one-click unsubscribe (RFC 8058) that takes effect immediately. Service emails about your account (receipts, security notices, search results) are not marketing and are sent regardless of this preference.

We do not use the data for credit decisions, fraud assessment, employment screening, insurance pricing, or any automated decision-making that produces legal or similarly significant effects on individuals.

6. Lawful basis

Our lawful basis for processing under UK GDPR Article 6(1)(f) is legitimate interests. The legitimate interest is enabling UK businesses to identify and contact other UK businesses for B2B marketing, which we believe is a recognised commercial interest. We have conducted a written Legitimate Interests Assessment (LIA) recording the purpose, necessity, and balancing tests.

We rely on the same basis, Article 6(1)(f) legitimate interests, for our own direct marketing of Leadistry to UK businesses, together with the business-to-business exemption in PECR Regulation 22(3) for marketing email to corporate subscribers. A separate Legitimate Interests Assessment records that purpose, necessity, and balancing test. We send only to business email addresses of incorporated entities, never to individual subscribers, and we honour opt-outs immediately and permanently.

Where personal data is delivered to a customer (for example, a named director email address), we additionally apply the following safeguards on top of Article 6(1)(f):

  • Named personal email addresses are only ever delivered for incorporated entities (private limited, public limited, LLP, and similar). They are never delivered for sole traders or general partnerships.
  • Named personal email addresses on freemail domains (gmail, outlook, proton, UK ISP webmail, and similar) are never delivered, regardless of the company type, because such addresses are individual subscriber addresses under PECR.
  • Email addresses are MX-validated before being classified for delivery. Addresses on domains that do not accept email are not delivered.
  • The public objection mechanism at /remove-company applies globally across every customer's subsequent searches.

We rely on the Article 14(5)(b) exemption (information not provided directly to data subjects because it would involve disproportionate effort), supported by this publicly accessible privacy notice and the global suppression mechanism. We are available to discuss the basis for this reliance with the ICO on request.

7. Who we share it with

We share the records with our paying customers, subject to contractual restrictions in our Terms of Service requiring them to (a) contact only corporate subscribers, (b) honour opt-out requests they receive, and (c) identify themselves clearly in any marketing they send. Customers act as independent controllers in respect of any marketing they send.

Our technical processors (Stripe for payments, Resend for transactional email, Vercel for hosting the website, Railway for hosting our backend, Cloudflare for content delivery and email open/click measurement infrastructure, Microsoft 365 for operating the hello@leadistry.co.uk mailbox (UK/EU region), Sentry for error tracking, PostHog (US region) and Microsoft Clarity for product analytics, and Google Analytics 4 for traffic measurement) process limited operational data on our behalf under Article 28 controller-processor contracts. OpenAI (US) processes the text you type into our AI-assisted features (the flow builder, outreach drafting suggestions, and location search interpretation) together with the minimum context needed to answer; under OpenAI's API terms this data is not used to train their models. PostHog (US Cloud), Microsoft Clarity, Google Analytics, and OpenAI involve transfers of limited operational data outside the UK; those transfers are covered by the UK's International Data Transfer Addendum to the EU SCCs or equivalent transfer mechanisms published by each processor. Analytics tools only load after you accept the relevant cookie category in the consent banner.

We do not sell the data onward to third-party data brokers.

8. How long we keep it

Company-level records are retained for as long as the company remains active on the Companies House register or until you successfully exercise an objection right via the suppression mechanism described below. Suppression entries are kept indefinitely so that objections are honoured across all future data refreshes.

Account-level data we hold about you as a customer (sign-up email, billing records) is retained for the duration of your account plus a maximum of 7 years after account closure to meet UK statutory record-keeping requirements.

9. Your rights

Under UK GDPR you have the right to access the personal data we hold about you, to ask us to correct inaccurate data, to ask us to erase data in certain circumstances, to object to processing for direct marketing under Article 21, to restrict our processing, and to data portability where the data was provided by you directly. These are described in more detail at leadistry.co.uk/gdpr.

10. How to exercise your rights

The fastest route for whole-company removal is the public form at leadistry.co.uk/remove-company: no account is needed and suppression is applied automatically within seconds. For director-level removal and other requests (access, correction, objection to processing, erasure), use the form at leadistry.co.uk/data-removal; those requests are reviewed manually. We aim to acknowledge them within 72 hours and to action them within 30 days where applicable.

Alternatively, email hello@leadistry.co.uk. We may need to verify your identity before responding to requests concerning personal data.

11. Complaints

If you are not satisfied with how we have handled your data, you have the right to complain to the Information Commissioner's Office. You can do so at ico.org.uk/make-a-complaint or by calling the ICO helpline on 0303 123 1113. We would, however, appreciate the opportunity to address your concerns directly first.

12. Changes to this notice

We may update this notice from time to time. Material changes will be communicated on this page with the “Last updated” date above. Previous versions are available on request.