Data Protection Impact Assessment
Apollo-sourced UK B2B outreach cohort
Version 1.0 · Adopted 6 May 2026 · Next review 6 May 2027
1. Processing description
TRM Flex Limited processes role-based business contact data (name, work email, job title, seniority, employer) sourced from Apollo.io to deliver low-volume, role-relevant introductions about its Event Operations Platform to UK event, venue and hospitality decision-makers.
2. Lawful basis
- UK GDPR Art 6(1)(f) — Legitimate interest (cold B2B introduction).
- PECR Reg 22(2) — corporate subscriber (limited companies, LLPs, partnerships).
- Standing Legitimate Interest Assessment dated 2026-05-06, valid 12 months.
3. Necessity & proportionality
Cold outreach to a tightly-filtered cohort of role-relevant corporate contacts is the proportionate way to introduce a niche operational platform at this scale. We exclude consumers, sole traders, interns and students by data filter. Volume is throttled by deliverability circuit-breakers and per-domain caps.
4. Identified risks & mitigations
- Sending to non-corporate addresses: Cohort filter excludes personal-domain emails; lawful-basis gate fail-closes on uncertainty.
- Stale or inaccurate contact data: Pre-send validation cache (syntax, MX, disposable, role) + 3-strike soft-bounce auto-suppression.
- Excessive retention: 6-month retention cap from approval; weekly retention sweep anonymises expired contacts.
- Unwanted contact / failure to honour opt-out: One-click RFC 8058 unsubscribe; DNC, suppressions and unsubscribes checked on every send.
- Tracking-pixel intrusiveness: Open pixel carries only message id; no IP, UA, or fingerprint stored beyond 30 days.
- Sub-processor data transfer: DPAs in place with Apollo, Resend, Stripe, Lovable; sub-processor list public at /sub-processors.
- Reputation / deliverability harm: Auto circuit-breaker pauses marketing if block-bounce rate >3% over 24h; DPO notified.
5. Data subject rights
Subjects can object, access, rectify or erase their data at any time via /data-request or by emailing privacy@trmflex.com. All requests are fulfilled within 30 days.
6. Residual risk
With the controls above in place the residual risk is assessed as low. No prior consultation with the ICO is required.
Document controller
TRM Flex Limited · Company No. 17090539 · Registered in England & Wales
Registered Office: C/O Eaccounts, Ground Floor Cardigan House, Castle Court, Swansea, SA7 9LA
ICO Data Protection Registration: ZC121365
Data Protection Officer: Mr Thomas Rhys Morris · hello@trmflex.com
Supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · ico.org.uk · 0303 123 1113.