Data Processing & GDPR

How we handle prospect data in our outbound campaigns

Last updated: April 2026

Why this page exists

As a B2B lead generation agency, we process business contact data on behalf of our clients. Enterprise buyers and compliance teams regularly ask how we handle this data. This page answers those questions transparently.

Our role in data processing

When we run outbound campaigns for a client, we act in two capacities:

  • Data Controller — for prospect data we source independently (e.g. from public business directories, LinkedIn, company websites, and licensed B2B databases) for the purpose of legitimate B2B outreach.
  • Data Processor — when a client provides us with their own contact lists to reach on their behalf. In this case, we process data strictly according to the client's instructions.

What data we process

The business contact data we handle typically includes:

  • Full name and job title
  • Business email address
  • Business phone number
  • Company name, industry, and size
  • Country and region
  • LinkedIn profile URL

We do not process personal (non-business) contact data, sensitive personal data, or data relating to individuals acting in a purely private capacity.

Legal basis for processing

Our B2B outreach activities rely on legitimate interest (Article 6(1)(f) UK GDPR) as the lawful basis. This is based on the following:

  • The data subjects are business professionals being contacted in their professional capacity
  • The outreach is relevant to their role and industry
  • We provide a clear and easy opt-out mechanism in every communication
  • We maintain suppression lists and honour all opt-out requests immediately
  • The processing is proportionate — we target specific ICPs rather than mass-mailing

We conduct Legitimate Interest Assessments (LIAs) and can provide documentation upon request.

Data sources

We source B2B contact data from:

  • Licensed B2B data providers (e.g. Apollo, ZoomInfo)
  • Publicly available business information (company websites, press releases, industry directories)
  • LinkedIn (professional profiles in a business context)
  • Client-provided lists (processed under a Data Processing Agreement)

We verify email addresses before sending to maintain deliverability and reduce unnecessary processing.

Data security

We implement appropriate technical and organisational measures to protect prospect data:

  • Data is stored in encrypted, access-controlled systems
  • Access is limited to team members who need it for campaign execution
  • We use enterprise-grade email platforms with security certifications
  • Client data is logically separated — one client's data is never accessible to another
  • We conduct regular reviews of our data handling practices

Opt-out and suppression

Every email we send includes a clear unsubscribe mechanism. When a prospect opts out:

  • They are added to a permanent suppression list within 24 hours
  • They are removed from all active campaigns immediately
  • Their domain may be added to a client-specific block list if requested
  • Suppression lists are maintained indefinitely and checked before every campaign launch

Prospects can also opt out by replying to any email or contacting us directly.

Data retention

We retain prospect data for the duration of the client engagement plus 12 months for reporting and suppression list maintenance. After this period, data is either deleted or anonymised unless there is a legal or contractual reason to retain it.

Suppression lists (opt-outs and do-not-contact records) are retained indefinitely to ensure we never re-contact someone who has opted out.

International transfers

We are a UK-based company. Where data is processed using tools or sub-processors based outside the UK, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses, UK adequacy decisions) in compliance with UK GDPR requirements.

Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with clients who require them. Our standard DPA covers:

  • Scope and purpose of processing
  • Categories of data processed
  • Security measures
  • Sub-processor obligations
  • Data breach notification procedures
  • Data return and deletion upon termination

If your organisation requires a DPA, contact us and we will provide one promptly.

Prospect rights

If you have been contacted as part of one of our campaigns, you have the right to:

  • Opt out — Reply to any email or click unsubscribe. We will remove you immediately.
  • Access — Request a copy of the data we hold about you.
  • Rectification — Request correction of any inaccurate data.
  • Erasure — Request deletion of your data from our systems.
  • Object — Object to processing of your data for outreach purposes.
  • Complain — Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email privacy@lynnleadgen.com. We aim to respond within 30 days.

For clients and prospective clients

If you are evaluating Lynn as a vendor and have questions about our data handling practices or compliance posture, or need documentation for your procurement process, we are happy to provide:

  • Our standard Data Processing Agreement
  • Details of our sub-processors
  • Our Legitimate Interest Assessment methodology
  • Information about our technical security measures

Contact privacy@lynnleadgen.com and we will respond within 48 hours.