LoomReach is a London-based digital studio, and we take your privacy as seriously as we take our craft. This policy explains how LoomReach Limited collects, uses and protects personal data — both for our own website and business, and when we handle information on behalf of our clients.
Who we are
This policy is issued by LoomReach Limited (trading as “LoomReach” and “LoomReach.ai”), a private limited company registered in England & Wales under company number 16839451. Our registered office is at 411 Oxford Street, Office 1.01, London, W1C 2PE, United Kingdom.
For most of the activities described in this policy, LoomReach is the controller of your personal data — that is, we decide why and how it is processed. Where instead we process personal data on behalf of a client, we act as a processor; this is explained in the section “When we act as a data processor for clients” below.
You can reach us about anything in this policy, or to exercise your rights, using the details below:
- Email: loomreach@loomreach.ai
- Phone: +44 7939 304 897
- Post: LoomReach Limited, 411 Oxford Street, Office 1.01, London, W1C 2PE, United Kingdom
- Website: https://loomreach.ai
LoomReach is registered with the Information Commissioner’s Office (ICO) under data protection reference ZC133362.
Data protection officer
Given our size and the nature of our processing, we are not required to appoint a statutory Data Protection Officer, and we have not appointed one. All data-protection matters are handled by our team and can be raised with us at loomreach@loomreach.ai.
Categories of personal data
Depending on how you interact with us, we may process the following categories of personal data:
- Enquiry, identity and contact data — your name, email address, optional phone number, and the content of the message you send us through our contact form or by email;
- Technical and usage data — your IP address, device and browser information, analytics identifiers, cookie data, and server and security log data generated when you use our website;
- Business-contact data of third parties — where relevant to our service delivery and B2B prospecting, professional details such as a person’s name, job title, employer, business email address, business phone number, and LinkedIn or other publicly available professional details.
We do not process any special-category data (such as data revealing health, racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, genetic or biometric data, or data concerning sex life or sexual orientation).
How we use your information: purposes and legal bases
We only process personal data where we have a lawful basis to do so under the UK GDPR. The table below sets out, for each purpose, the personal data involved, the legal basis we rely on, and how long we keep the data. Our retention periods are explained more fully in “How long we keep your information”.
| Purpose | Personal data | Legal basis | Retention |
|---|---|---|---|
| Responding to and handling website enquiries, and taking steps prior to entering a contract (our contact form is provided by Contact Form 7; messages are delivered by email via our SMTP provider using WP Mail SMTP) | Name, email address, optional phone number, and the content of your message | Legitimate interests (responding to your enquiry) (Art. 6(1)(f)); and, where your enquiry leads towards an engagement, taking steps at your request prior to entering a contract (Art. 6(1)(b)) | While we are in contact and for up to 24 months after our last interaction, unless a contract requires longer |
| Protecting our contact forms from spam and automated abuse (Google reCAPTCHA) | IP address, device/browser information and interaction data | Legitimate interests (preventing spam, fraud and abuse) (Art. 6(1)(f)) | Short rolling period |
| Website analytics and understanding how our site is used (Google Analytics 4, measurement ID G-4P5LGEP4WZ, and Google Tag GT-WRFMZR4D, via Google Site Kit) — loaded only after you consent | Analytics identifiers, cookie data, IP address (truncated), pages viewed and usage data | Consent (Art. 6(1)(a)), given via our cookie banner | Google Analytics data retention is set to 14 months |
| Website security, fraud prevention and operating the site (hosting by Hostinger; security logging by Wordfence; server logs) | IP address, device/browser information, server and security log data | Legitimate interests (securing and running the website, preventing abuse) (Art. 6(1)(f)) | Short rolling period |
| Delivering services to our clients (website design and build, branding, growth systems, marketing/sales automation, custom CRM builds, AI workflows and consulting, lead generation, and LinkedIn outreach automation) | Client contact and project data; and, where relevant, business-contact data of third parties (see “Categories of personal data”) | Performance of a contract with our client (Art. 6(1)(b)); where we act on a client’s behalf we do so as a processor (see below) | Duration of the engagement and up to 6 years afterwards |
| Our own B2B prospecting and marketing (promoting LoomReach’s services to relevant businesses) | Business-contact data such as name, job title, employer, business email, business phone and LinkedIn/publicly available professional details (see “Categories of personal data”) | Legitimate interests (B2B marketing) (Art. 6(1)(f)); where we send marketing emails, consent where required (Art. 6(1)(a)) | While the contact remains a relevant prospect; suppression/opt-out records kept as long as needed to honour opt-outs |
| Meeting our legal, tax and accounting obligations, and responding to lawful requests | Relevant transaction, contact and records data | Legal obligation (Art. 6(1)(c)) | 6 years for accounting records (Companies Act 2006 / HMRC) |
We do not use advertising or remarketing cookies, we are not linked to Google Ads or AdSense, and we do not sell personal data. We do not process special-category data, and our services are aimed at businesses and professionals rather than children.
Our legitimate interests
Where we rely on legitimate interests, we have carried out a balancing assessment — identifying the interest, confirming the processing is necessary to achieve it, and weighing it against your rights and freedoms. The specific interests we pursue are:
- operating, maintaining and securing our website, and preventing fraud, spam and abuse;
- responding to and managing business enquiries we receive;
- promoting LoomReach’s services to relevant businesses through B2B prospecting; and
- analysing and improving our services and how our website performs.
For B2B prospecting, we take into account that a business contact’s reasonable expectations differ in a professional context, and we limit our processing to business-contact information used to make a relevant, professional approach. You can object to processing based on our legitimate interests at any time — see “Your right to object” below.
Cookies and analytics
We use a small number of cookies to operate the site securely and, with your consent, to understand how it is used. Strictly necessary cookies (including those that remember your cookie choice, keep logged-in administrators signed in, and support Wordfence security and reCAPTCHA) are set without consent because the site cannot function properly without them. Analytics cookies (Google Analytics) are set only after you accept them: on your first visit a banner lets you “Accept all” or choose “Necessary only”, and non-essential cookies and tags are blocked until you accept, using Google Consent Mode v2 (consent defaults to “denied”).
You can change your choice at any time via the “Cookie settings” link in our website footer, or by clearing cookies or using your browser controls. For the full list of cookies, their purposes and durations, and how consent works, please see our Cookies Policy. We do not use advertising or targeting cookies.
When we act as a data processor for clients
When we deliver lead-generation, LinkedIn-automation, CRM and AI-automation services, we sometimes process personal data of third-party individuals (for example, business contacts on an outreach list) on behalf of a client. In those cases the client is the controller and LoomReach acts only as a processor.
As a processor, we act only on the client’s documented instructions and under a written data processing agreement (DPA) that sets out the security and confidentiality obligations we must meet. We do not decide the purposes of that processing, and we do not use that data for our own purposes.
If you have been contacted as part of a client’s campaign and want to understand or exercise your rights over that processing, the client (as controller) is responsible for the primary privacy notice and is usually the right organisation to contact. If you reach out to us at loomreach@loomreach.ai, we will, where appropriate, direct your request to the relevant client.
B2B prospecting and marketing
Where LoomReach carries out its own B2B prospecting, we act as a controller and rely on legitimate interests, supported by a balancing assessment. We use business-contact data to make relevant, professional approaches to organisations that may benefit from our services.
Under the Privacy and Electronic Communications Regulations (PECR), the electronic-mail consent rule does not apply to corporate subscribers (such as limited companies and LLPs), so we do not need consent to email a corporate body. Even so, we never conceal our identity, we include a valid opt-out in every marketing message, and we honour opt-outs by keeping a suppression / “do not contact” list. Where a contact is an individual subscriber (for example, a sole trader or certain partnerships), we rely on consent or the soft opt-in as required.
Regardless of PECR, because we are processing an individual’s personal data you have the absolute right to object to direct marketing at any time — see “Your right to object” below.
Where this data comes from
Some of the business-contact data we use for prospecting and service delivery is not collected directly from you. It comes from publicly available and professional sources — such as company websites, Companies House, professional networking platforms (for example, LinkedIn) and press coverage — and, for client work, from details provided by our clients (for example, outreach lists). Data obtained from a public source remains personal data and is protected under the UK GDPR, and we provide the relevant privacy information within a reasonable period and no later than one month. Our use of LinkedIn and similar platforms is also subject to those platforms’ own terms (see our Terms & Conditions).
Sharing your information
We share personal data only with trusted providers and recipients who help us run our business, and only as far as necessary. These include:
- Google LLC — Google Analytics, Google Site Kit and reCAPTCHA;
- Hostinger — website hosting (servers in the EU/UK);
- our SMTP / email delivery provider — for delivering contact-form messages (WP Mail SMTP);
- CRM and marketing-automation platforms — which we use to manage enquiries and projects;
- professional advisers, such as accountants and lawyers, where necessary; and
- competent authorities and regulators, where we are legally required to disclose information.
A full list of our current providers is available on request. We do not sell personal data.
International transfers
Some of our providers (for example, Google) may process personal data outside the United Kingdom, including in the USA. Where this happens, we make sure appropriate safeguards are in place — such as the UK “adequacy regulations” / the UK Extension to the EU–US Data Privacy Framework, or the ICO’s International Data Transfer Agreement (IDTA) / the UK Addendum to the EU Standard Contractual Clauses, together with additional safeguards as appropriate. You can obtain a copy of the relevant safeguards by contacting us at loomreach@loomreach.ai.
How long we keep your information
We keep personal data only for as long as we need it for the purposes set out in this policy, after which we delete or anonymise it. Our main retention periods are:
- Enquiry and contact data: kept while we are in contact and for up to 24 months after our last interaction, unless a contract requires us to keep it longer;
- Client project records: kept for the duration of the engagement and up to 6 years afterwards, to meet legal and accounting obligations;
- Accounting records: 6 years (Companies Act 2006 / HMRC);
- Analytics data: Google Analytics data retention is set to 14 months;
- Security and server logs: a short rolling period.
Providing your information
Where you contact us through our enquiry form, you do not have to provide more than you choose to, but we do need at least your name, email address and message to be able to respond — without them we cannot reply to your enquiry. If we go on to work together, we will need certain information to deliver the service and to meet our legal and accounting obligations; if that information is not provided, we may be unable to deliver the service. This requirement does not apply to business-contact data we obtain from public or third-party sources for prospecting.
Automated decision-making
We do not carry out solely-automated decision-making that produces legal effects, or similarly significant effects, on individuals. Any prioritisation or sorting we apply during prospecting is not solely automated and has no legal or similarly significant effect on you.
Your rights
Under the UK GDPR you have a number of rights over your personal data. The rights available to you in a given situation depend on the lawful basis we are relying on:
- Access — to be told whether we hold your data and to receive a copy;
- Rectification — to have inaccurate or incomplete data corrected;
- Erasure — to have your data deleted in certain circumstances;
- Restriction — to limit how we use your data in certain circumstances;
- Data portability — to receive certain data in a portable format, where processing is based on consent or contract and carried out by automated means.
Your right to object
You have the right to object to our processing of your personal data where we rely on legitimate interests, including our B2B prospecting. You also have an absolute right to object to direct marketing at any time; if you object to direct marketing, we will stop using your data for that purpose. To object, email us at loomreach@loomreach.ai or use the unsubscribe link in any marketing message.
Your right to withdraw consent
Where we rely on your consent — for analytics cookies and tags, and for any marketing emails — you can withdraw it at any time, and it is as easy to withdraw as it was to give. You can change your cookie choices via the “Cookie settings” link in our website footer (or by clearing cookies or using your browser controls), and you can opt out of marketing using the unsubscribe link in any message or by emailing loomreach@loomreach.ai. Withdrawing consent does not affect the lawfulness of any processing we carried out before you withdrew it.
How to exercise your rights and complaints
To exercise any of your rights, please email us at loomreach@loomreach.ai. We will respond within one month, which we may extend by up to two further months for complex or numerous requests (we will tell you if so). There is normally no charge.
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). We would appreciate the chance to resolve matters first via loomreach@loomreach.ai, but this is not a barrier to complaining. You can contact the ICO at:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Changes to this policy
We may update this policy from time to time to reflect changes in our practices or the law. When we do, we will revise the “Last updated” date shown with this policy and, where changes are significant, take reasonable steps to bring them to your attention. This policy should be read together with our Cookies Policy and our Terms & Conditions.