GDPR Compliance
How LimeProspect helps your business stay compliant with UK data protection law.
Our Commitment to Data Protection
At LimeProspect, data protection is not an afterthought. It is embedded in how we design, build, and operate our platform. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
We understand that as a B2B prospecting platform, trust is paramount. Our customers need to know that the data they access through LimeProspect is sourced legally, processed lawfully, and protected rigorously.
How LimeProspect Helps with GDPR Compliance
LimeProspect provides several features to support your compliance obligations:
- Publicly sourced data only. All prospect data on our platform is sourced from publicly available registers, including Companies House, Contracts Finder, Find a Tender, and the Charity Commission. We do not scrape private data or purchase lists from third-party data brokers.
- Compliance scoring. Every prospect is assigned a compliance score that factors in data freshness, source reliability, and contactability risk. This helps you make informed decisions about which prospects to engage.
- Lawful basis documentation. For B2B prospecting under UK GDPR, legitimate interests is the most common lawful basis. LimeProspect provides tools to document your legitimate interest assessments and maintain processing records.
- PECR-aware outreach tools. Our outreach features distinguish between corporate subscribers and sole traders, helping you apply the correct consent requirements under PECR. Marketing emails to corporate subscribers may rely on the soft opt-in or legitimate interests exemption, while sole traders require prior consent.
- Opt-out management. LimeProspect automatically tracks unsubscribe requests and ensures opted-out contacts are excluded from future sequences.
- Data export and deletion. You can export all data associated with your account at any time and request deletion in accordance with data subject rights.
- Audit trails. The platform maintains logs of data access, outreach activity, and consent records to support your accountability obligations.
Data Processing Agreement
Where Limelai Limited processes personal data on your behalf (as a data processor), we offer a Data Processing Agreement (DPA) that meets the requirements of Article 28 of UK GDPR. The DPA covers:
- The subject matter, duration, nature, and purpose of processing
- The categories of personal data and data subjects
- Obligations and rights of the data controller and processor
- Sub-processor engagement, security measures, and breach notification procedures
- Data return and deletion upon termination
- International transfer safeguards
To request a copy of our DPA, please email privacy@limeprospect.com with the subject line "DPA Request". We will provide a signed copy within 5 business days. Customers on our Growth and Enterprise plans can access the DPA directly from their account settings.
Sub-Processors
We use the following sub-processors to deliver the LimeProspect service. All sub-processors are bound by data processing agreements and are required to maintain appropriate technical and organisational security measures.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Supabase | Database hosting and storage | EU (Frankfurt) |
| Vercel | Application hosting and edge functions | EU (London) |
| Clerk | User authentication and identity management | US (with EU SCCs) |
| Stripe | Payment processing and subscription management | US / EU |
| Resend | Transactional email delivery | US (with EU SCCs) |
| Google (Gmail API) | Email integration (user-initiated) | US / EU |
| Microsoft (Graph API) | Email and calendar integration (user-initiated) | Per user's Microsoft tenant |
We will notify customers of any changes to our sub-processor list at least 30 days in advance. If you object to a new sub-processor, you may terminate your subscription without penalty.
Data Location
LimeProspect stores primary application data within the UK and EU:
- Database: Our primary database is hosted on Supabase in the EU (Frankfurt, Germany), ensuring data remains within an adequate jurisdiction under UK GDPR.
- Application hosting: Our application infrastructure is hosted on Vercel with the primary region set to London, UK.
- Edge functions: Serverless functions execute in the nearest Vercel edge location, with the London region prioritised for UK users.
- Authentication data: Authentication data processed by Clerk may be stored in the US. Standard Contractual Clauses (SCCs) are in place to ensure adequate data protection.
Where data is transferred outside the UK, we ensure appropriate safeguards are in place as required by Chapter V of UK GDPR, including Standard Contractual Clauses approved by the ICO and transfers to countries with adequacy decisions.
Request a Data Processing Agreement
Need a signed DPA for your records? We are happy to provide one. Send us an email and we will return a signed copy within 5 business days.
Your Rights Under UK GDPR
For full details of your data protection rights, including how to exercise them and how to contact the ICO if you are not satisfied with our response, please see our Privacy Policy.