Growth for purposeful organisations using AI and open data.

Data Protection Policy 

1. Introduction

At Ziptrix, we are committed to safeguarding the personal data of our clients, partners, and employees. This Data Protection Policy outlines how we collect, use, store, and protect personal information in compliance with the UK General Data Protection Regulation (UK GDPR). Our goal is to handle data responsibly and transparently, ensuring the privacy and rights of individuals within a business context are respected.

We collect, process and maintain personally identifiable data records for three purposes: 

1. data about our clients in order to contract and deliver our services (under the lawful purpose of contracting); 

2. data about our personnel for HR purposes (under the lawful purpose of contracting); 

3. data (names, roles, any available contact information) about professional individuals related to the businesses and charities we research and deliver in the course of providing our services to clients (under the lawful purpose of legitimate interest).

Regarding item 3: We specialise in identifying business-to-business sales prospects for companies and sourcing grant and corporate funders for charities. Additionally, we conduct research on marketing and social media reach to determine effective content strategies. In the course of these activities, we collect and process personal data that pertains to individuals in their professional capacity, such as business contact details and publicly available professional information. 

2. Data Protection Principles

There are seven key principles that must be followed:

  • Lawfulness, fairness, and transparency
      • Lawfulness: We only process personal data where we have a clear legal basis to do so, such as legitimate interest, contractual necessity, or legal obligation. We ensure that our processing does not contravene data protection laws.
      • Fairness: We process personal data in ways that individuals would reasonably expect, ensuring that our use of data does not have unjustified adverse effects on their rights or freedoms.
      • Transparency: We are open about how we collect, use, and share personal data. We provide clear and accessible information to individuals regarding their data rights and how we handle their data. We offer guidance to our clients on how they should provide transparency information to individuals and abide by GDPR and PECR rules under their data protection policies.
  • Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes. Further processing must fall in line with the original purpose for which it was collected.
  • Data minimisation: Personal data collected must be relevant and minimal, limited only to what is necessary for the purposes for which it was collected.
  • Accuracy: Personal data must be accurate, and where possible, kept up to date. Inaccurate or out-of-date information should be deleted.
  • Storage limitation: Once its purpose has been fulfilled, the data should be deleted and not stored for longer than needed.
  • Integrity and confidentiality (security): Data should be stored securely, and access should only be given to specific authorised individuals.
  • Accountability: The data controller is responsible for compliance with GDPR law.

3. Data Collection

We collect business-related personal data through various means, including:

  • Information provided directly by clients and partners.
  • Publicly available sources, such as company websites and social media platforms.
  • Third-party data providers in limited circumstances and only where due diligence has been undertaken.

4. Purpose of Data Processing

The business-related personal data we collect is used for the following purposes:

  • Identifying and connecting with potential business prospects and partners.
  • Conducting research to enhance marketing strategies and social media outreach.
  • Providing tailored services to our clients based on their specific needs.

For most of our processing activities, the legal basis is legitimate interest. We have undertaken a comprehensive Legitimate Interest Assessment (LIA) on each of our services (Ingrid, Percy and Nancy) to ensure our data processing activities are necessary and balanced against individuals' rights. The processing of our employee and client data is conducted under the legal basis of contract to fulfil employment and customer contracting obligations.

Please contact us to review our DPIA and LIAs for our services, which we are happy to share and discuss. 

We do not collect sensitive personal data, nor do we collect data in ways that introduce unfair bias. If we process the data of individuals (for example, social media influencers or individual role-holders within companies), we take care to ensure that the data we collect relates strictly to their professional lives. Furthermore, we process their data and contact them only in ways that we believe they will reasonably expect.

We do not process personal data for purposes unrelated to business interactions, and our services are strictly limited to professional contexts.

5. Data Storage and Security

We implement appropriate technical and organisational measures to protect Ziptrix's own and business-related personal data against unauthorised access, alteration, disclosure, or destruction.

We use various software solutions to find, store, and share data securely. Where possible we use providers who use servers that are based in the EU. Some providers that we share data with use servers that are based outside of the EU (for example, OpenAI, LinkedIn, and other platforms).

Access to stored data is restricted to authorised personnel only, and we regularly review our security practices to maintain a high level of data protection.

6. Data Sharing

We only share business-related personal data with our clients under a contractual agreement that includes data protection clauses (acting in place of a Data Sharing Agreement). This agreement ensures that:

  • Clients use the data solely for the agreed business purposes.
  • Clients uphold GDPR and PECR compliance when processing the data.
  • Clients undertake data processing under their own policies, including, for example, providing appropriate security measures to prevent unauthorised access or misuse of the data.

We do not share business-related personal data with third parties unless it is necessary for our services or required by law. In such cases, we ensure that appropriate safeguards are in place to protect the data.

7. Automated Decision-Making and AI

We do not employ fully automated decision-making processes that have a significant impact on individuals. While we utilise AI tools to assist in data analysis and research, all final decisions involve human oversight to ensure fairness and accuracy.

We use AI and automation to enhance the efficiency and effectiveness of our services in the following areas:

  • Content Creation: Assisting with the generation of reports, summaries, and insights based on collected data.
  • Web Scraping: Identifying and collecting publicly available business-related information to support research activities.
  • Data Enrichment: Cross-referencing datasets to provide more comprehensive insights while ensuring accuracy, including finding contact details from public platforms like LinkedIn.
  • Prioritising Matching Partnerships: Identifying potential business connections based on shared values, location, or industry relevance.
  • Engagement Activities: Using AI-assisted tools to analyse social media interactions and website engagement trends to inform marketing strategies.

All AI-driven processes are used solely to support human decision-making, and we ensure that appropriate safeguards are in place to maintain accuracy and fairness.

8. Data Retention

Business-related personal data is retained only for as long as necessary to fulfil the purposes for which it was collected or as required by law. Once data is no longer needed, we securely delete or anonymise it.

9. Individual Rights

Individuals whose business-related personal data we process have the following rights:

  • Access: The right to request a copy of the personal data we hold about them and understand how we process it.
  • Rectification: The right to ask us to correct inaccurate or incomplete data.
  • Erasure: Also known as the "right to be forgotten," this allows individuals to request deletion of their personal data where it is no longer needed or if they withdraw consent.
  • Restriction: The right to ask us to limit processing if there are concerns about accuracy, legality, or the necessity of processing.
  • Objection: The right to object to data processing in certain circumstances, such as direct marketing.

To exercise these rights, individuals can contact us at Tom@ziptrix.co.uk.

10. Data Protection Officer

We are registered with the Information Commissioner's Office (ICO) under UK data protection regulations. Our ICO registration number is ZB690849.

For certain services, we act as a data processor on behalf of our clients, who are the data controllers. Where we determine the purposes and means of processing personal data, we act as the data controller.

11. Policy Updates 

This policy was updated and published in May 2025 and will be under frequent review.

12. PECR and Direct Marketing Compliance

We comply with the Privacy and Electronic Communications Regulations (PECR) in all aspects of our direct marketing activities, including ensuring that individuals are told who we are, how we obtained their data, what it is used for and how they can object to the use of their data.


By adhering to this policy, we aim to maintain the trust of our clients, partners, and business contacts, ensuring that personal data in a professional context is handled with care and respect.


Tom Brushwood, Director and Co-Founder

Chloe Dickinson, Director and Co-Founder