Cold outreach privacy notice.

This notice explains how LaunchKit handles personal data of UK businesses receiving cold business-to-business email outreach. It is required by UK GDPR Article 14, which applies when a controller holds personal data not collected from the data subject directly.

For LaunchKit’s separate website / orders / support privacy notice, see /privacy.

1. Who we are (Data Controller)

LaunchKit is a trading name of Kevin McCulloch, sole trader, based in the United Kingdom.
hello@yourlaunchkit.co.uk

A geographic service address can be provided on request — contact hello@yourlaunchkit.co.uk. The full address is supplied within one working day of an emailed request and is provided directly to the ICO or other regulators on request without precondition.

For data-protection enquiries, please use the subject line beginning “GDPR — ” so we can route your message correctly.

2. What personal data we hold about you

If you have received a cold outreach email from LaunchKit, we may hold one or more of the following:

• Director or sole-trader name (from the Companies House public register)
• Business name (from the Companies House public register)
• Business correspondence address (from the Companies House public register)
• Business email address (from the Companies House public register where given; otherwise sourced from your business website’s publicly visible contact page)
• Business sector / SIC code (from the Companies House public register)
• Date of incorporation, limited companies only (from the Companies House public register)

We do not hold personal phone numbers, residential addresses (unless they are the same as the registered business address), payment data, sensitive personal data, special-category data (health, race, religion, political opinion, trade-union membership, biometric, genetic, sexual orientation), or data about persons under 16.

3. Where we got your data

• Companies House — the free public register at find-and-update.company-information.service.gov.uk. This is a UK statutory public register; data on it is publicly accessible by design.
• Your business’s own publicly accessible website — where Companies House did not include an email and your business website lists a contact email on a public page (e.g. “Contact” or footer), we may have recorded that email.

We do not purchase lists from third-party data brokers. We do not scrape private social media. We do not extract data from privately-shared sources (LinkedIn private connections, paid databases, etc.).

4. Why we hold your data and how we use it (Lawful Basis)

Lawful basis: UK GDPR Article 6(1)(f) — Legitimate Interests, in conjunction with the Privacy and Electronic Communications Regulations 2003 (PECR) Reg 22 (corporate-subscriber direct marketing).

Specific purposes:

• Direct marketing to UK business contacts — sending up to three emails over twenty-one days promoting LaunchKit’s UK-niche-specific business documents and tools.
• Ensuring relevance — matching the message to your recorded business niche so you receive only relevant offers.
• Honouring opt-out — maintaining a suppression list of businesses that have asked us to stop.
• Audit and accountability — retaining a record of what we sent, when, and to whom for ICO accountability.

We have completed and documented a Legitimate Interests Assessment (LIA) under the ICO 3-part test (Purpose / Necessity / Balancing). The LIA is reviewed annually and produced on request to the ICO or to you.

5. How long we keep your data

• Active prospect record (you have not been contacted yet) — until first contact, then moved to the active campaign stage.
• Active campaign record — twenty-one days from first contact, then moved to the post-campaign stage.
• Post-campaign record (no engagement) — twelve months from last contact, then permanently deleted.
• Engaged record (you replied, clicked or opted in) — per the relationship; moves to standard customer-data retention if you become a customer (see the website privacy notice for customer data retention).
• Suppression list (you opted out) — indefinite. We keep your address on a one-way suppression list to ensure we never contact you again. Only your email address (hashed) and the date suppressed are held.
• Audit log of past sends — twenty-four months, for ICO accountability under UK GDPR Article 5(2).

6. Who we share your data with

We share your data with the following processors, all bound by data-processing agreements:

• Resend Inc — email transmission (EU + United States; UK ↔ US Data Bridge under the Data Protection (Adequacy) (United States of America) Regulations 2024)
• Companies House — source of public-register data (read-only; no data flows back; United Kingdom)

We do not share your data with advertisers, brokers, social-media platforms, retargeting networks, or anyone for monetary consideration. We do not “sell” your data in any sense.

7. Your rights under UK GDPR

You have the following rights with respect to your data:

• Right to be informed — this notice
• Right of access — request a copy of your data
• Right to rectification — correct inaccurate data
• Right to erasure — have your data deleted; or click unsubscribe in any email
• Right to restrict processing — pause processing pending dispute
• Right to object — object to processing on legitimate-interests basis; clicking unsubscribe in any email is automatic and unconditional, no reason needed
• Right to data portability — receive your data in machine-readable form (JSON or CSV)

To exercise any right, email hello@yourlaunchkit.co.uk with the subject line “GDPR — [your enquiry]”. We will respond within the UK GDPR statutory window of thirty days. No fee.

You have the absolute right to object to direct marketing at any time.

8. Right to complain

If you believe we have mishandled your data, you have the right to complain to the UK Information Commissioner’s Office (ICO):

ICO
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Online: ico.org.uk/concerns

We would prefer the chance to address your concern first — please email us at hello@yourlaunchkit.co.uk — but you are not required to.

9. International transfers

Email is delivered via Resend Inc, which has servers in the EU and US. UK ↔ US data flow is permitted under the UK Extension to the EU–US Data Privacy Framework (Data Protection (Adequacy) (United States of America) Regulations 2024). Resend is certified under this framework.

We do not transfer data to any other jurisdiction.

10. Cookies

This privacy notice covers cold outreach email only. Cold outreach emails contain a small open-tracking pixel (a one-by-one transparent gif) that records whether the email was opened. They contain trackable links that record click-throughs. No cookies are placed on your device by the email itself.

If you visit yourlaunchkit.co.uk after clicking, see the website’s separate privacy notice.

11. Children

We do not knowingly process data of persons under 16. Companies House director records exclude under-16s by registration rules.

12. Changes to this notice

We may update this notice. The “Last updated” date below shows when it was most recently revised. Material changes will be flagged in the next email you receive (if any) and on this page.

13. Contact

For any data-protection question: hello@yourlaunchkit.co.uk — subject line “GDPR — [your enquiry]”.