    Data Protection Impact Assessment

    Apollo-sourced UK B2B outreach cohort

    Version 1.0 · Adopted 6 May 2026 · Next review 6 May 2027

    1. Processing description

    TRM Flex Limited processes role-based business contact data (name, work email, job title, seniority, employer) sourced from Apollo.io to deliver low-volume, role-relevant introductions about its Event Operations Platform to UK event, venue and hospitality decision-makers.

    2. Lawful basis

    • UK GDPR Art 6(1)(f) — Legitimate interest (cold B2B introduction).
    • PECR Reg 22(2) — corporate subscriber (limited companies, LLPs, partnerships).
    • Standing Legitimate Interest Assessment dated 2026-05-06, valid 12 months.

    3. Necessity & proportionality

    Cold outreach to a tightly-filtered cohort of role-relevant corporate contacts is the proportionate way to introduce a niche operational platform at this scale. We exclude consumers, sole traders, interns and students by data filter. Volume is throttled by deliverability circuit-breakers and per-domain caps.

    4. Identified risks & mitigations

    Sending to non-corporate addresses

    Cohort filter excludes personal-domain emails; lawful-basis gate fail-closes on uncertainty.

    Stale or inaccurate contact data

    Pre-send validation cache (syntax, MX, disposable, role) + 3-strike soft-bounce auto-suppression.

    Excessive retention

    6-month retention cap from approval; weekly retention sweep anonymises expired contacts.

    Unwanted contact / failure to honour opt-out

    One-click RFC 8058 unsubscribe; DNC, suppressions and unsubscribes checked on every send.

    Tracking-pixel intrusiveness

    Open pixel carries only message id; no IP, UA, or fingerprint stored beyond 30 days.

    Sub-processor data transfer

    DPAs in place with Apollo, Resend, Stripe, Lovable; sub-processor list public at /sub-processors.

    Reputation / deliverability harm

    Auto circuit-breaker pauses marketing if block-bounce rate >3% over 24h; DPO notified.

    5. Data subject rights

    Subjects can object, access, rectify or erase their data at any time via /data-request or by emailing privacy@trmflex.com. All requests are fulfilled within 30 days.

    6. Residual risk

    With the controls above in place the residual risk is assessed as low. No prior consultation with the ICO is required.

    Document controller

    TRM Flex Limited · Company No. 17090539 · Registered in England & Wales

    Registered Office: C/O Eaccounts, Ground Floor Cardigan House, Castle Court, Swansea, SA7 9LA

    ICO Data Protection Registration: ZC121365

    Data Protection Officer: Mr Thomas Rhys Morris · hello@trmflex.com

    Supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · ico.org.uk · 0303 123 1113.