Provisional notice, under legal review. This document is a working draft and has not yet been reviewed by our data-protection counsel. If you are relying on the specific terms of this notice for a regulatory or contractual decision, please contact us at [email protected] before doing so.

Privacy Notice

Last updated: 1 June 2026. Effective from publication.

1. Who we are

Leadistry is operated by Cameron Clark, a sole trader, with correspondence address available on request. We are registered with the Information Commissioner's Office under registration number ZC149040. We act as the controller for the personal data described in this notice.

For privacy-related queries, contact [email protected].

2. What data we hold

We hold company-attached records on UK incorporated entities:

  • Company name, registered number, registered office address, SIC codes, incorporation date, status, and other fields from the Companies House register.
  • Names of company officers (directors, members) as recorded in the Companies House register.
  • Where available from the company's own publicly accessible business website: the website URL, a business email address, and the company's social profiles.

We do not collect or hold special-category data. We do not profile or score individuals; any scoring we apply (for example, our internal “website match” confidence score) describes the quality of a company-to-website match, not the individual.

3. Where the data comes from

Two sources only:

  • The open Companies House register, made available by Companies House under the Open Government Licence.
  • The company's own publicly accessible business website (we respect robots.txt and use a clearly identifiable user agent).

We do not purchase contact lists, scrape social media platforms, or obtain data from third-party data brokers.

4. What we use it for

We make these records available to our customers, who are UK businesses, for the sole purpose of identifying and contacting other UK corporate businesses for legitimate B2B marketing (for example: a UK accountant identifying other UK businesses that might wish to engage their services).

We do not use the data for credit decisions, fraud assessment, employment screening, insurance pricing, or any automated decision-making that produces legal or similarly significant effects on individuals.

5. Lawful basis

Our lawful basis for processing under UK GDPR Article 6(1)(f) is legitimate interests. The legitimate interest is enabling UK businesses to identify and contact other UK businesses for B2B marketing, which we believe is a recognised commercial interest. We have conducted a written Legitimate Interests Assessment (LIA) recording the purpose, necessity, and balancing tests.

Where personal data is delivered to a customer (for example, a named director email address), we additionally apply the following safeguards on top of Article 6(1)(f):

  • Named personal email addresses are only ever delivered for incorporated entities (private limited, public limited, LLP, and similar). They are never delivered for sole traders or general partnerships.
  • Named personal email addresses on freemail domains (gmail, outlook, proton, UK ISP webmail, and similar) are never delivered, regardless of the company type, because such addresses are individual subscriber addresses under PECR.
  • Email addresses are MX-validated before being classified for delivery. Addresses on domains that do not accept email are not delivered.
  • The public objection mechanism at /remove-company applies globally across every customer's subsequent searches.

We rely on the Article 14(5)(b) exemption (information not provided directly to data subjects because it would involve disproportionate effort), supported by this publicly accessible privacy notice and the global suppression mechanism. We are available to discuss the basis for this reliance with the ICO on request.

6. Who we share it with

We share the records with our paying customers, subject to contractual restrictions in our Terms of Service requiring them to (a) contact only corporate subscribers, (b) honour opt-out requests they receive, and (c) identify themselves clearly in any marketing they send. Customers act as independent controllers in respect of any marketing they send.

Our technical processors (Stripe for payments, Resend for transactional email, Vercel for hosting the website, Railway for hosting our backend, Cloudflare for content delivery, Sentry for error tracking, PostHog (US region) and Microsoft Clarity for product analytics, and Google Analytics 4 for traffic measurement) process limited operational data on our behalf under Article 28 controller-processor contracts. PostHog (US Cloud), Microsoft Clarity, and Google Analytics involve transfers of limited operational data outside the UK; those transfers are covered by the UK's International Data Transfer Addendum to the EU SCCs or equivalent transfer mechanisms published by each processor. Analytics tools only load after you accept the relevant cookie category in the consent banner.

We do not sell the data onward to third-party data brokers.

7. How long we keep it

Company-level records are retained for as long as the company remains active on the Companies House register or until you successfully exercise an objection right via the suppression mechanism described below. Suppression entries are kept indefinitely so that objections are honoured across all future data refreshes.

Account-level data we hold about you as a customer (sign-up email, billing records) is retained for the duration of your account plus a maximum of 7 years after account closure to meet UK statutory record-keeping requirements.

8. Your rights

Under UK GDPR you have the right to access the personal data we hold about you, to ask us to correct inaccurate data, to ask us to erase data in certain circumstances, to object to processing for direct marketing under Article 21, to restrict our processing, and to data portability where the data was provided by you directly. These are described in more detail at leadistry.co.uk/gdpr.

9. How to exercise your rights

The fastest route is the public form at leadistry.co.uk/remove-company. It accepts requests to remove a company, remove personal data, correct data, object to processing, exercise the right of access, or exercise the right of erasure. We aim to acknowledge requests within 72 hours and to action them within 30 days where applicable.

Alternatively, email [email protected]. We may need to verify your identity before responding to requests concerning personal data.

10. Complaints

If you are not satisfied with how we have handled your data, you have the right to complain to the Information Commissioner's Office. You can do so at ico.org.uk/make-a-complaint or by calling the ICO helpline on 0303 123 1113. We would, however, appreciate the opportunity to address your concerns directly first.

11. Changes to this notice

We may update this notice from time to time. Material changes will be communicated on this page with the “Last updated” date above. Previous versions are available on request.