Last updated: 18 July 2026
1. Parties and roles
For marketing data captured through our UK portals, Finance Leads acts as data controller up to introduction. On receipt of a lead the broker or lender partner becomes an independent controller. Where Finance Leads runs a campaign solely for a partner, the partner is controller and Finance Leads acts as processor under this DPA.
Finance Leads is registered at 145 City Road, London, EC1V 1AZ, United Kingdom.
2. Subject matter and duration
Processing is limited to activities required to deliver agreed lead supply or campaign services and continues for the term of the order form or service agreement.
3. Nature and purpose of processing
Collection, validation, vetting, suppression, enrichment and delivery of UK B2B finance enquiries for introduction to authorised brokers and lenders.
4. Categories of data subjects and personal data
- Data subjects: UK business owners, directors and decision-makers
- Data categories: business contact details, company information, finance requirement, consent metadata, and call recordings where applicable
- No UK GDPR special category data is processed
5. Sub-processors
We use a limited set of sub-processors for hosting, telephony, CRM and email delivery. A current list is available on request; material changes are notified with a reasonable opportunity to object.
6. Security measures (Article 32)
- Encryption in transit (TLS 1.2+) and at rest
- Role-based access controls and least privilege
- Multi-factor authentication on administrative accounts
- Audit logging and monitoring
- Regular backups and tested restore procedures
- Staff training on UK data protection
7. Data subject rights
We provide reasonable assistance to partners in responding to data subject requests received through our portals.
8. Breach notification
Where Finance Leads acts as processor, we will notify the partner without undue delay and within 48 hours of becoming aware of a personal data breach affecting their data, with the information needed to meet their own ICO obligations under Articles 33–34.
9. Audit
Partners may request a written audit response once per twelve-month period. On-site audits require reasonable scope, notice and confidentiality terms.
10. Return or deletion
On termination, Finance Leads will return or securely delete personal data processed on a partner's behalf, except where retention is required by law or to evidence consent and suppression.
11. International transfers
Where any transfer falls outside the UK or EEA, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, applies together with a transfer risk assessment.
12. Contact
To request a counter-signed DPA, contact us via the UK contact page. See also our UK Privacy Policy and UK Terms.