Privacy policy
This page explains what personal data Business Leads holds, why we hold it, and how to make us stop. It is written in plain English because you should not need a lawyer to understand what happens to your details.
Last updated 11 July 2026
This policy covers two groups of people. Part A is for customers and anyone who starts our signup form. Part B is for prospects: the people who receive the emails we send on our customers’ behalf. If one of our emails reached you and you want it to stop, go straight to Part B, or simply use the unsubscribe link in the email. It works immediately.
Who we are
Business Leads is run by Felix Clarke and operates from Eastham Hall, Eastham, Cheshire, CH62 0AF. For the purposes of UK data protection law, Business Leads is the controller of the personal data described on this page.
One address covers everything in this policy: hello@business-leads.co.uk. You can also write to Business Leads, Eastham Hall, Eastham, Cheshire, CH62 0AF.
Part A: customers and signups
This part applies if you are a customer, or if you started our signup form, whether or not you finished it.
What we collect, step by step
Our signup form asks only for what each step needs:
- Step one: your name and your work email address.
- Step two: your company name, your website address, a line on what you sell, and whether you sell to businesses, consumers or both.
- If you choose to book a call instead of continuing, we record that choice alongside the details you have already given.
- While we draft your campaign: the public text of your website (see the Claude section below), the audience you choose, and the email you approve.
- At checkout: Stripe collects your payment details. We receive confirmation that a payment succeeded or failed, never your card number.
- Once you are running: the reports we send you and normal account records.
Why we use it, and the lawful bases
We use your details to provide the service you signed up for. The lawful basis for that is contract. We also use funnel records to run and improve the signup process, keep proper business records and prevent abuse. The lawful basis for that is legitimate interests. We do not sell your data and we do not share it with advertisers.
Sending infrastructure (the bit most people care about)
Every campaign email we send for you goes from our own email addresses. Never from yours. You add no DNS records, you connect no mailbox, and we never ask for access to your email account. If cold outreach ever upsets anyone, the sending reputation at stake is ours, not yours.
The tracking that powers your morning report is first party. Links in campaign emails pass through our own domain, and each email carries a small open pixel hosted on our own domain. No third-party tracking company ever sees that data.
Claude, and what the AI sees
We use Claude, an AI service from Anthropic, to draft your ideal customer profile and your campaign email. To do that, we send Claude your signup details and the public text of your website. Nothing else.
Anthropic processes this data under its data processing agreement with us. Anthropic is based in the United States, so transfers are covered by the safeguard UK law requires: the UK International Data Transfer Addendum incorporated into that agreement. Your campaign data is not used to train any third-party AI model.
Payments
Card payments are handled by Stripe. Your card details go straight to Stripe and never touch our servers. We never see your card number. We see that a payment succeeded or failed, nothing more.
How long we keep it
- Customers: we keep your account records while your account is open. After it closes, we keep what tax and accounting law requires us to keep, for six years, then delete it.
- Incomplete signups: kept so you can pick up where you left off, and so we can see where the form loses people. Deleted after no more than 12 months.
- Declined signups: if you tell us you sell only to consumers, we decline the signup, and we do it properly. Your name and email address are removed immediately, on the spot. An anonymous record of the visit, with no personal details in it, is kept for 30 days for funnel statistics, then deleted too. We also keep a hashed fingerprint of your email address, which cannot be turned back into the address, on our do-not-market list, so we never send you marketing again.
Backups
We take an encrypted backup of our database every night. Each backup is kept for 30 days and then destroyed. If we ever restore from a backup, we re-apply every erasure made since that backup was taken, so data you asked us to delete stays deleted.
Cookies and analytics
We set only strictly necessary cookies: a session cookie that keeps your place in the signup form, and a sign-in cookie for our own staff console. That is the lot. No advertising pixels, no third-party analytics, no cookie banner, because there is nothing to ask consent for. If we measure how the site is used, we do it with a first-party, cookieless tool running on our own server.
Your rights as a customer
You have the full set of rights: access, correction, erasure, restriction, portability and objection. The Your rights section below explains how to use them. The same single email address covers everything.
Part B: prospects, the people our customers’ emails reach
If an email sent by Business Leads landed in your work inbox, this part is about you.
Where your details came from
You did not fill in a form, and we did not scrape your details. Our database of UK business contacts is built from two sources: licensed business data providers, and public Companies House records. Every record is deduplicated and checked before it is used, and records that go stale or cannot be verified are removed, not hoarded.
What we hold about you
Business contact data only: your name, your business email address, your job title, your company, its city and its industry. We work with business contact details, not personal ones.
Our lawful basis, and the PECR position
Our lawful basis for holding and using your details is legitimate interests: our customers’ interest in reaching businesses that may genuinely want what they sell, balanced against your rights. We have completed a legitimate interests assessment, and you can have a copy on request.
UK email marketing law, PECR, allows unsolicited marketing email to corporate subscribers: people contacted in their work role at a company. We take that boundary seriously. Every contact is matched against Companies House records, and sole traders, who count as individual subscribers under PECR, are excluded by default.
How we measure opens and clicks
When a customer’s email reaches you, links in it pass through our own domain before reaching their destination, and the email contains a small image hosted on our domain that records when it is opened. We log the time, the browser type and the IP address, and we filter out openings caused by security scanners rather than people. All of this stays on our own systems. No third-party tracking company is involved.
Who sees your details
If you show interest in a customer’s email, by opening it or clicking a link in it, we pass your business contact details to that one customer so they can follow up. Our terms require customers to use those details lawfully, honour your objections and never resell them. We do not sell your details to anyone.
One opt-out covers everything
We keep a single permanent suppression list that applies across all our customers. Unsubscribe once, from any email, and no campaign we run for any customer will ever email you again. The list is never cleared.
Your rights
You do not need a form, a lawyer or a reason. One email to hello@business-leads.co.uk does all of this. We act promptly, and always within one calendar month:
- Object. For direct marketing this right is absolute: tell us to stop and we stop. No questions, no balancing test.
- Erasure. We delete your record. We also keep a hashed fingerprint of your email address on the suppression list, so that even if the same address appears in a future data import, it can never be re-added or emailed.
- Access. Ask, and we will send you a copy of everything we hold about you.
The unsubscribe link in any of our emails handles the objection part instantly, with no email needed.
Complaints and the ICO
If you think we have got something wrong, please email hello@business-leads.co.uk first. This is a small operation and problems get looked at quickly. You also have the right to complain to the Information Commissioner’s Office, the UK data protection regulator, at ico.org.uk.
Changes to this policy
When this policy changes, we update this page and the date at the top. If a change genuinely matters, customers hear about it by email as well.