GDPR-Compliant
Cold Outreach.
Cold outreach to professional B2B contacts is lawful in the UK and EU when it's done properly. Properly means a documented basis under Art. 6(1)(f) legitimate interest, a balancing test, UK/EU-only hosting, a 24-hour opt-out SLA, an auditable record, and a real person you can contact.
The full pack — LIA, processing record, sub-processor list and DPA — is shared during onboarding for your legal review.
Request the compliance packThis page is informational only. It is not legal advice. Your obligations may vary; consult your own counsel.
Six Things We Get
Right.
Compliance is not a checkbox at the end of onboarding — it is the operating posture that runs every campaign, every day.
Lawful basis: legitimate interest (UK/EU GDPR Art. 6(1)(f))
B2B outreach to professional contacts in their role-relevant capacity is operated under legitimate interest, with a documented Legitimate Interest Assessment (LIA) and balancing test recorded for each campaign segment. Purpose, necessity and safeguards are written down before any sends.
Documentation pack
Every engagement receives the full pack: the LIA, processing record (Art. 30), data sources, retention windows, the DPA, and the procedural flow for handling subject requests — ready for your DPO or legal team to review.
UK/EU-only hosting, no material sub-processors
Personal data is processed and stored only on UK or EU infrastructure. Fortitude Labs does not introduce material sub-processors that move personal data outside the UK/EU. Where any technical sub-processor is used, it is named in the engagement pack with its role and location.
24-hour opt-out SLA
Opt-outs are honoured within 24 hours of receipt. Suppression is global across all current and future campaigns, persists indefinitely, and is matched on email, normalised email, and contact identifier so it survives data refreshes and re-imports.
Audit trail and access control
We keep a full audit trail of outreach activity, suppressions and access events. Workspaces are isolated per client, access is least-privilege, and credentials are rotated. Data in transit and at rest uses industry-standard encryption.
Named Data Protection contact
A named Data Protection contact is assigned to your engagement and listed in the pack. Contact details are also published below for subjects exercising rights under UK GDPR / EU GDPR.
How the Posture
Stays Live.
Purpose limitation
Contact data sourced for cold outreach is used only for that purpose. It is not sold, shared, or repurposed for unrelated activities.
Data minimisation
Only role-relevant fields are collected: name, role, employer, work email, and public profile data. Special category data is never processed.
Storage and retention
Active campaign data is retained for the duration of the engagement plus a defined wind-down. Suppression records are retained indefinitely so past opt-outs are honoured forever.
Transfers and processors
Sub-processors are listed in the engagement pack with their roles and locations. Personal data stays in the UK/EU; no material international transfers are introduced by Fortitude Labs.
Subject rights
Access, rectification, erasure, restriction and objection requests are routed via a documented intake. Standard requests are completed within statutory timelines.
Security
Workspaces are isolated per client, access is least-privilege, credentials are rotated, and encryption is applied to data in transit and at rest.
How to Reach Us.
Subject access & erasure
Individuals can exercise their UK / EU GDPR rights at any time by writing to privacy@fortitudelabs.co.uk. We acknowledge within one working day and complete standard requests within statutory timelines.
Erasure and opt-out requests are propagated to the global suppression list within 24 hours so the contact is excluded from any current and future outreach.
Data Protection contact
A named Data Protection contact is assigned to every engagement. The contact details below are the public route into our compliance function:
- Name: Data Protection Lead, Fortitude Labs (named individual provided in your engagement pack)
- Email: privacy@fortitudelabs.co.uk
- Postal: Fortitude Labs, United Kingdom (full registered address in the DPA)
Sub-processors and any technical processing locations are documented in the engagement pack and updated as the stack changes.
How compliance ties to operations
Compliance posture only works if the operating model behind it lines up. The pages below show how the lanes are kept apart, how deliverability is run safely, and how the cold and LinkedIn services are scoped.
Want the full compliance pack?
Book a discovery call and we'll share the LIA template, processing record, sub-processor list and DPA for your team to review.
Book a Discovery Call