DealBrief Privacy Policy
Who we are (Data Controller)
ICO source: UK GDPR Article 13(1)(a) — the controller must identify itself and provide contact details in any privacy notice.
Scale It Up Media Ltd (trading as DealBrief) provides a daily property acquisition intelligence service to commercial property professionals in England and Wales.
| Company name | Scale It Up Media Ltd (trading as DealBrief) |
| Company number | 15538327 |
| Registered address | 10a High Street, Chislehurst, Kent, United Kingdom, BR7 5AN |
| Privacy contact | privacy@dealbrief.co.uk |
| ICO Registration number | C1943414 (application reference; formal certificate pending issuance) |
Scale It Up Media Ltd (trading as DealBrief) is the data controller for the personal data described in this notice.
What personal data we process and why
ICO source: UK GDPR Articles 13(1)(c) and 13(1)(d) — the purposes and legal basis for processing must be stated for each category of data.
2a. Subscriber account data
Data collected: Name, email address, company name, job title, investment thesis preferences.
Purpose: To create and operate your DealBrief account and to deliver daily property acquisition briefings tailored to your investment criteria.
Legal basis: Contract performance — UK GDPR Article 6(1)(b). Processing is necessary to perform the contract between you and Scale It Up Media Ltd (trading as DealBrief).
Source: Collected directly from you at sign-up (UK GDPR Article 13 applies — data collected directly from the data subject).
2b. Director contact data (included in briefings)
Data processed: Director first name, last name, job title, appointment date, professional email address, LinkedIn profile URL.
Purpose: To identify company directors associated with UK properties matching a subscriber's investment thesis, enabling targeted B2B outreach by the subscriber.
Legal basis: Legitimate interests — UK GDPR Article 6(1)(f). DealBrief has conducted a Legitimate Interest Assessment (LIA); see docs/legal/apollo-legitimate-interest-assessment.md. Summary:
- Directors of registered UK companies hold a public-facing commercial role.
- The processing purpose is B2B commercial outreach, not personal profiling.
- Data is limited to professional contact details sourced from public registers and professional B2B databases.
- The intrusion is proportionate; directors retain the right to object at any time (see §6 — Right to object).
ICO guidance notes that Article 6(1)(f) requires a three-part test: legitimate interest exists; processing is necessary; the interests of the controller do not override the rights of the data subject. The LIA document records this assessment.
Source of data (Article 14 disclosure): This data is not collected directly from the director. Sources are:
- Director names and appointment dates: Companies House (UK public statutory register, publicly accessible)
- Professional email address and LinkedIn URL: Apollo.io, Inc. (B2B contact enrichment sub-processor — see §4)
ICO source: UK GDPR Article 14(1)(f) and 14(2)(f) — where data is not obtained directly from the data subject, the controller must name the source and, where applicable, state whether it came from publicly accessible sources.
Every briefing entry where director contact data was sourced via Apollo.io will include the footnote: "Director contact data: source Apollo.io (sub-processor)".
DealBrief processes director data only in their capacity as company officers, sourced from public statutory registers and B2B contact databases. We do not process directors' home addresses, family information, personal financial data, or any data relating to their life outside their commercial role.
2c. Billing and payment data
Data processed: Payment card details, billing address, transaction records.
Purpose: To process subscription payments and comply with financial record-keeping obligations.
Legal basis (dual):
- Payment processing: Contract performance — UK GDPR Article 6(1)(b).
- Financial record retention: Legal obligation — UK GDPR Article 6(1)(c) (UK HMRC requirements).
Important: Scale It Up Media Ltd (trading as DealBrief) does not store payment card data directly. Card data is collected and held by Stripe, Inc. as payment processor. DealBrief receives only a tokenised reference and basic billing metadata.
Source of data (Article 14 disclosure)
ICO source: UK GDPR Article 14(1)(f) and 14(2)(f) — when personal data has not been obtained directly from the data subject, the controller must provide information about the source, including whether data originates from publicly accessible sources.
The following data is obtained from third-party sources rather than directly from the individuals concerned:
| Data | Source | Publicly accessible? |
| --- | --- | --- |
| Director names, appointment dates, company roles | Companies House (UK public statutory register) | Yes — statutory public record |
| Professional email address, LinkedIn profile URL | Apollo.io, Inc. (B2B enrichment sub-processor) | Professional public/semi-public records |
| Property title data, registered ownership | HM Land Registry (HMLR) — public title register | Yes — statutory public record |
Directors whose data appears in a DealBrief briefing are data subjects under Article 14. DealBrief provides this privacy notice as the Article 14 transparency mechanism. Individual notification to each director is assessed as disproportionate under Article 14(5)(b) given the volume of public-register data processed; this notice is published at dealbrief.co.uk/privacy and linked from every subscriber briefing.
Sub-processors
ICO source: UK GDPR Article 13(1)(e) and 14(1)(e) — recipients or categories of recipients of personal data must be disclosed. Article 46 — transfer safeguards must be stated for international transfers.
DealBrief uses the following third-party sub-processors. All are subject to data processing agreements (DPAs).
| Sub-processor | Location | Purpose | Transfer safeguard |
| --- | --- | --- | --- |
| Apollo.io, Inc. | United States | B2B contact enrichment — director professional email and LinkedIn | EU Standard Contractual Clauses (SCCs); UK adequacy decision where applicable |
| Stripe, Inc. | United States | Payment processing and billing | EU SCCs; UK adequacy decision where applicable |
| Supabase, Inc. | United States (data stored EU West — AWS eu-west-1) | PostgreSQL database hosting | EU SCCs |
| Resend, Inc. | United States | Transactional email delivery (briefings, account notifications) | EU SCCs |
| OpenRouter, Inc. | United States | AI model routing for briefing generation | EU SCCs |
| Anthropic, PBC | United States | AI briefing narrative generation via Claude API | EU SCCs — Note: director name, email, and LinkedIn URL are redacted before prompts are sent; Anthropic receives pseudonymised references only (job title, appointment date, and signal presence indicators) |
| Google LLC | United States | Google Street View imagery embedded in property briefings | EU SCCs; UK adequacy decision where applicable |
| Companies House | United Kingdom | Source of director and company public register data | No transfer — UK domestic public authority |
| HM Land Registry (HMLR) | United Kingdom | Source of property title and ownership data | No transfer — UK domestic public authority |
All US sub-processors rely on EU Standard Contractual Clauses (SCCs) as the transfer safeguard under UK GDPR Article 46(2)(c), supplemented by UK International Data Transfer Agreements (IDTAs) or UK addenda as applicable. Where the UK-US Data Bridge applies, this is noted above.
Retention periods
ICO source: UK GDPR Article 13(2)(a) and 14(2)(a) — the period for which personal data will be stored, or the criteria used to determine that period, must be disclosed.
| Data category | Retention period | Basis |
| --- | --- | --- |
| Subscriber account data (name, email, preferences) | Duration of active subscription + 6 months | Contract; legitimate interest in handling post-cancellation queries |
| Director contact data (email, LinkedIn, title) | 90 days from briefing generation date, then automatically purged | Minimum necessary for legitimate interests processing; enforced by automated weekly purge job |
| Billing records and transaction metadata | Per Stripe's legal retention (minimum 7 years) | UK HMRC legal obligation for financial records |
| Briefing content — company and property data | Retained indefinitely | Public registry data; no personal data; legitimate interest in maintaining historical briefing record |
Director contact data is hard-deleted from the DealBrief database 90 days after the briefing was generated. This is enforced by an automated scheduled process (dealbrief-data-purge.timer, running weekly), not a manual review.
DELETE /users/me) or by Mo manually. An automated inactive-account sweep that deletes subscriber accounts 6 months after cancellation is required before this retention period can be considered operationally accurate. This is scheduled as a Sprint 2 backend task.
Your rights as a data subject
ICO source: UK GDPR Articles 13(2)(b) and 14(2)(c) — the controller must inform data subjects of their rights. Articles 15–22 define the individual rights. The ICO privacy notice checklist requires all applicable rights to be listed with how to exercise them.
Under UK GDPR you have the following rights. To exercise any right, email privacy@dealbrief.co.uk with your name, the nature of your request, and sufficient information to identify you. We will respond within one calendar month (30 days) of receiving your request (UK GDPR Article 12(3)).
Right of access — Article 15
You may request a copy of the personal data DealBrief holds about you, together with supplementary information about how we process it (purposes, categories, recipients, retention, source).
Right to rectification — Article 16
You may request that inaccurate personal data be corrected. If data is incomplete you may request it be completed.
Right to erasure ("right to be forgotten") — Article 17
You may request deletion of your personal data where: it is no longer necessary for the purpose it was collected; you withdraw consent (where consent was the basis); you object and we have no overriding legitimate grounds; it was unlawfully processed; or deletion is required by law.
Right to restrict processing — Article 18
You may request that we limit processing (for example, while the accuracy of data is contested, or while an objection is being considered).
Right to data portability — Article 20
Where processing is based on contract performance (Article 6(1)(b)) and is carried out by automated means, you may request your personal data in a structured, commonly used, machine-readable format. This right applies to subscriber account data only (not to director contact data processed under legitimate interests).
Right to object — Article 21
You have the right to object at any time to processing based on legitimate interests (Article 6(1)(f)). This is particularly important for directors whose contact data appears in a DealBrief briefing.
If you are a company director and you wish to object to your professional contact data being included in DealBrief briefings, email privacy@dealbrief.co.uk. We will cease processing your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need the data for the establishment, exercise or defence of legal claims.
Rights in relation to automated decision-making — Article 22
DealBrief does not make automated decisions that produce legal effects or similarly significantly affect any individual. Briefings surface property acquisition opportunities for human subscribers, who make all outreach and investment decisions independently. No profiling with legal or significant effect is carried out on directors or subscribers.
Right to complain to the ICO
ICO source: UK GDPR Articles 13(2)(d) and 14(2)(e) — data subjects must be informed of their right to lodge a complaint with a supervisory authority.
If you are not satisfied with how DealBrief has handled your personal data or a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
Please contact us first at privacy@dealbrief.co.uk — we will do our best to resolve your concern directly.
If you wish to escalate to the ICO:
- Website: https://ico.org.uk/make-a-complaint/
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
International transfers
ICO source: UK GDPR Articles 13(1)(f) and 14(1)(f) — where personal data is transferred to a third country, the controller must inform data subjects of the safeguards in place (Article 46) or the derogations applied (Article 49).
Several DealBrief sub-processors are based in the United States. When personal data is transferred to these processors, DealBrief relies on the following safeguards:
- EU Standard Contractual Clauses (SCCs) — adopted under Article 46(2)(c) of UK GDPR, incorporating UK-specific terms (UK IDTA addenda) as required following Brexit.
- UK-US Data Bridge — where applicable and where the US recipient participates in the UK Extension to the EU-US Data Privacy Framework.
- UK adequacy regulations — where the UK Government has made a formal adequacy determination for the relevant country or framework.
Sub-processors subject to international transfer:
| Sub-processor | Country | Transfer safeguard |
| --- | --- | --- |
| Apollo.io, Inc. | US | EU SCCs + UK IDTA addendum |
| Stripe, Inc. | US | EU SCCs + UK IDTA addendum |
| Supabase, Inc. | US (data EU West) | EU SCCs + UK IDTA addendum |
| Resend, Inc. | US | EU SCCs + UK IDTA addendum |
| OpenRouter, Inc. | US | EU SCCs + UK IDTA addendum |
| Anthropic, PBC | US | EU SCCs + UK IDTA addendum |
| Google LLC | US | EU SCCs + UK IDTA addendum |
Copies of applicable transfer safeguards are available on request at privacy@dealbrief.co.uk.
Automated decision-making and profiling
ICO source: UK GDPR Articles 13(2)(f) and 14(2)(g) — the controller must provide meaningful information about any automated decision-making, including profiling, that produces legal effects or similarly significantly affects individuals.
DealBrief does not carry out automated decision-making that produces legal effects or similarly significantly affects any individual (UK GDPR Article 22).
Specifically:
- DealBrief's AI briefing engine (powered by Anthropic Claude via OpenRouter) processes company-level property and financial data to generate narrative briefings. Director contact data is redacted before being passed to AI models: the actual email address, director name, and LinkedIn URL are replaced with pseudonymous references ("Primary director", "direct email on file", "profile on file") in all AI prompts. AI models receive only the director's job title, appointment date, and the signal that contact data exists.
- Subscribers receive briefings identifying potential acquisition opportunities. All decisions about whether to contact a director, make an offer, or take any other action are made by human subscribers acting independently.
- No scoring, ranking, or profiling of individual directors or subscribers is carried out in a way that produces legal or similarly significant effects.
Changes to this policy
ICO source: ICO privacy notice guidance — where a privacy notice is updated, data subjects should be informed of material changes.
DealBrief will update this privacy notice as processing activities change or as legal requirements evolve. The "Last updated" date at the top of this document reflects the most recent revision.
Material changes (changes to purposes, legal bases, sub-processors, or rights) will be communicated to active subscribers by email at least 14 days before taking effect, where practicable.
The current version of this policy is always available at: dealbrief.co.uk/privacy
Public data processing register
Directors wishing to verify whether their company's data has been processed by DealBrief may search by Companies House company number at dealbrief.co.uk/data-processing. Enter a company number to receive a yes/no result indicating whether that company has appeared in a DealBrief briefing. The lookup does not reveal which subscribers received the briefing, which signals were assessed, or any director personal data.
Directors wishing to exercise their Article 21 right to object (see §6) should email privacy@dealbrief.co.uk with the company name and company number.
The GET /public/data-processing?company_number=X API endpoint and the static lookup page at dealbrief.co.uk/data-processing are scheduled for Sprint 2. Until that page is live, directors may contact privacy@dealbrief.co.uk directly to ask whether their company's data has been processed.