Book a call
Last updated 14 April 2026

Privacy Notice.

How we collect, use and protect personal data. Written in plain English. Compliant with UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).

v3.0 · Effective 14 April 2026

Privacy Notice

This notice explains what personal data Bold Bookings Ltd collects, why we collect it, who we share it with, and what rights you have under UK data protection law. If anything is unclear, email [email protected] and a real person will reply.

01Who we are

Bold Bookings Ltd is the data controller for the personal data described in this notice (except where we are processing data on behalf of a client — see section 5).

Registered office: 4th Floor, 86–90 Paul Street, London EC2A 4NE, United Kingdom. Registered in England and Wales.

Data protection contact: [email protected]

We are not currently required to register a Data Protection Officer (DPO) under Article 37 of UK GDPR, but our data protection lead is contactable at the address above.

02Data we collect

The personal data we collect depends on how you interact with us.

Website visitors
IP address, browser type, pages visited, referrer, anonymised analytics events.
Enquiries via the contact form
Name, work email, company, role, deal-size band, TAM band, message content, consent record.
Newsletter subscribers
Email address, consent record, opens and clicks (where you allow tracking pixels).
Playbook downloads
Email address, consent record. We do not enrol downloaders in marketing automation.
Active clients
Names and contact details of stakeholders, billing contact details, signed contracts, call recordings (with explicit consent).
Cold outreach prospects
Business name, business email address, job title, employer, publicly available role information. We do not collect special category data.

03How we use your data

We use the data we collect to:

  • Respond to enquiries and proposals.
  • Deliver our services to clients (campaign delivery, reporting, invoicing, support).
  • Send newsletters and resource downloads where you have asked us to.
  • Run cold outbound campaigns on behalf of clients to business prospects who match agreed ICP criteria, in compliance with PECR's "soft opt-in" and legitimate-interests rules for B2B.
  • Maintain the security and integrity of our website and systems.
  • Comply with our legal and accounting obligations.

We do not sell personal data to third parties. We do not engage in profiling that produces legal or similarly significant effects on you.

04Lawful basis for processing

Under UK GDPR, we rely on the following lawful bases:

  • Consent (Article 6(1)(a)) — for newsletter subscriptions and any optional cookies.
  • Contract (Article 6(1)(b)) — to perform our services for clients and to take pre-contract steps at your request.
  • Legitimate interests (Article 6(1)(f)) — to operate our website, prevent fraud, secure our systems, and conduct B2B outreach to relevant business contacts at suitable companies. We have completed a Legitimate Interests Assessment (LIA) for our outreach activity, which is available on request.
  • Legal obligation (Article 6(1)(c)) — for tax, accounting and statutory record-keeping.

05Who we share data with

We share personal data only with the categories of recipient set out below, and only as necessary:

  • Sub-processors and infrastructure providers — including email-sending platforms, CRM platforms, analytics providers, hosting providers and payment processors. A current list of sub-processors is available on request.
  • Our clients — prospect contact details for the engagement they have hired us to run. In this scenario the client is the data controller and we are the processor.
  • Professional advisers — accountants, lawyers and auditors, where required.
  • Regulators or law enforcement — where required by law.

We sign data processing agreements with all sub-processors, requiring UK GDPR-equivalent protections.

06International transfers

Some of our sub-processors are based outside the United Kingdom or the European Economic Area. Where personal data is transferred outside the UK, we rely on:

  • UK adequacy regulations, where the destination country has been assessed by the UK government as providing adequate protection;
  • The UK International Data Transfer Agreement (IDTA), or the European Commission's Standard Contractual Clauses with the UK Addendum, for transfers to countries without adequacy status; and
  • Supplementary measures, including encryption in transit and at rest, where a transfer impact assessment indicates they are appropriate.

07How long we keep your data

We retain personal data only for as long as we need it.

  • Enquiries that don't lead to an engagement: 12 months, unless you ask us to delete sooner.
  • Active client records: for the duration of the engagement plus 7 years for accounting and statutory purposes.
  • Newsletter subscriptions: until you unsubscribe, plus a short suppression period to honour the unsubscribe.
  • Playbook download records: 24 months.
  • Website analytics: aggregated and anonymised after 26 months.
  • Cold outreach prospect records: until the prospect opts out, the engagement ends, or 24 months after last activity, whichever is earliest.

08Your rights under UK GDPR

You have the following rights in respect of your personal data:

  • Right of access — to request a copy of the data we hold about you (Article 15).
  • Right to rectification — to ask us to correct inaccurate or incomplete data (Article 16).
  • Right to erasure — to ask us to delete your data, subject to legal exceptions (Article 17).
  • Right to restrict processing — to limit how we use your data in certain circumstances (Article 18).
  • Right to data portability — to receive your data in a structured, machine-readable format (Article 20).
  • Right to object — including the absolute right to object to direct marketing (Article 21).
  • Rights related to automated decision-making — though we do not engage in solely automated decision-making with legal effects (Article 22).
  • Right to withdraw consent — at any time, where we are relying on consent.

To exercise any of these rights, email [email protected]. We will respond within one calendar month, in line with Article 12(3).

09Cookies and tracking

This website uses a small number of cookies and similar technologies, governed by PECR.

Strictly necessary cookies

Set automatically. These are required for the site to function (for example, remembering whether you've dismissed a banner). No consent is required under PECR.

Analytics cookies

Set only with your consent. We use a privacy-respecting analytics provider that does not use third-party cookies, does not collect personally identifying data, and does not share data with advertising networks.

Marketing cookies

We do not currently use marketing or advertising cookies on this site.

You can change your cookie preferences at any time via the cookie banner.

10Security

We take security seriously. Measures include encryption in transit (TLS 1.2+), encryption at rest for production data stores, role-based access control on internal tooling, multi-factor authentication on all employee accounts, and a documented incident response plan. We will notify the Information Commissioner's Office and affected individuals of any qualifying personal data breach within the timeframes required by Articles 33–34 of UK GDPR.

11A note on cold outreach

We are an outbound agency, so we have to be clear about how we treat the prospects we contact on behalf of our clients. Under PECR, business-to-business email marketing to a corporate subscriber (a body corporate, partnership or LLP) is permitted on the basis of legitimate interests, provided that:

  • The recipient's role is genuinely relevant to the offer being made.
  • The sender is identified clearly in the email.
  • An easy and free way to opt out is provided in every email, and opt-outs are honoured promptly.
  • No special category data is processed.

If you are a recipient of one of our emails and you would like to opt out — either of all messages from us, or from a specific client campaign — reply with "STOP" or "UNSUBSCRIBE" or email [email protected]. We will action it within five working days and add you to a permanent suppression list.

12Complaints

If you are unhappy with how we have handled your personal data, please email us first at [email protected] so we have a chance to put it right.

You also have the right to complain directly to the UK supervisory authority, the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113
Online: ico.org.uk

13Changes to this notice

We may update this notice from time to time. The current version is always published at boldbookings.com/privacy. Where we make material changes, we will notify active clients and active newsletter subscribers in advance.

14Contact us

For any privacy-related question, or to exercise your rights under UK GDPR:

Bold Bookings Ltd
4th Floor, 86–90 Paul Street
London EC2A 4NE
United Kingdom

Email: [email protected]