1. Controller
Borrowsignal is the data controller for (a) customer account data and (b) the UK director / company data we deliver to customers. The contact for any data protection enquiry is [email protected].
2. What we collect about customers
- Email address (provided by you on signup).
- Optional metadata supplied during onboarding: role, company name, company size.
- Filter preferences: cities, SIC codes, delivery channel, delivery target.
- IP address + user-agent at signup and login (security, fraud prevention).
- Payment data: handled by our payments processor — we never see your card details.
3. What we collect about UK directors / companies (the data we sell)
- Company name + Companies House number + incorporation date.
- Registered office address (public registry).
- SIC codes + company status + company type.
- Director names + officer roles (Companies House public officers data).
- Telephone numbers where publicly visible on Google Business Profile or company website.
- Outreach-hook text generated by AI from the above public data.
4. Legal basis
Customer data: contract performance (delivering the service you paid for) and legitimate interest (security, fraud prevention).
UK director / company data: legitimate interest under UK GDPR as amended by the Data (Use and Access) Act 2025, for B2B direct-marketing facilitation. Our full Legitimate Interest Assessment (LIA) — including purpose test, necessity test and balancing test — is available on request to [email protected]. We honour all opt-out requests within 72 hours.
5. Sub-processors
- Dodo Payments (Estonia, EU) — subscription billing.
- Resend (US, EU-US Data Privacy Framework certified) — transactional email delivery.
- Fly.io (US, with EU customers served from London region) — application hosting.
- Neon (US/EU) — managed Postgres database.
- Cloudflare (US, with UK edge) — DNS, static asset delivery.
We do not share data with marketing networks, analytics providers, or third-party data resellers.
6. Retention
- Customer account data: lifetime of subscription + 90 days post-cancellation.
- Audit logs: 7 years (UK accounting requirement).
- UK director / company data: delivered leads retained 90 days, then purged from the delivery history (the underlying public Companies House data remains separately published by the UK government).
7. Your rights (UK GDPR)
- Access: request a copy of your data via the dashboard.
- Rectification: edit your account details in the dashboard.
- Erasure: one-click delete in the dashboard (Account options → Delete).
- Objection (UK directors whose data we hold): email [email protected] with your company number — we add you to the suppression list within 24 hours and stop further inclusion in delivered cohorts.
8. Cookies
We use only essential cookies (session management). No tracking, no analytics, no advertising cookies. No cookie banner required under UK GDPR for essential-only cookie use.
9. International transfers
Our service providers may process data outside the UK/EEA under the EU-US Data Privacy Framework or Standard Contractual Clauses with adequacy assessments. We host application data in the London (lhr) region by default.
10. Complaints
You can complain to the UK Information Commissioner's Office at ico.org.uk.
11. Changes to this policy
We may update this policy; we will email the address on file 14 days in advance of any material change.
12. Contact
Data Protection contact: [email protected]