Privacy Policy

Last updated: 16th September 2025

1) Who we are

Controller (our website & own marketing):
[Briddgr Ltd] (“Briddgr”, “we”, “us”)
Data protection contact: [[email protected]]

Processor (client campaigns):
When clients ask us to contact their leads/customers, we process personal data on their instructions. In that case, the client is the Controller and Briddgr is the Processor.

This policy explains how we handle data when we act as Controller and what we commit to when we act as Processor.

2) What data we collect

A) Website visitors & our own prospects (Controller)

Identifiers: name, email, phone, company, role.

Comms: message contents (contact forms, email, chat), booking details.

Marketing tech: page views, referrer/UTMs, device/IP, consent preferences, unsubscribe/STOP logs.

Sources: you (forms/booking), cookies/analytics (subject to consent), and business-to-business sources when you contact us on social or email.

B) Client-provided leads & customers (Processor)

CRM data: name, email, phone, tags/stage, offer of interest, owner/notes.

History: prior conversations (email/DM/SMS), last activity, purchases (if provided).

Engagement: replies, intent/qualification notes, bookings/no-shows, unsubscribe/STOP.
We ask clients not to send special category data. If they do, we’ll reject/delete it.

3) Why we process it (purposes & lawful bases)

When we’re the Controller (our website & sales)

Responding to enquiries. We use your details to reply to messages, book calls, and send quotes.
Lawful basis: Contract (pre-contract steps) or Legitimate interests.

Sales and marketing. We send updates about our services to business contacts who’ve opted in or where a soft opt-in applies.
Lawful basis: Consent (for email/SMS marketing) or Legitimate interests in line with PECR.

Analytics and improvement. We measure page performance and fix bugs. Non-essential analytics only run if you accept cookies.
Lawful basis: Consent (for non-essential cookies); limited aggregated metrics may run under Legitimate interests.

Security and fraud prevention. We keep logs, backups, and abuse protections.
Lawful basis: Legitimate interests and, where required, Legal obligation.

You can withdraw consent at any time (unsubscribe link in emails; reply STOP to SMS).

When we’re the Processor (client campaigns)

We act on a client’s instructions to:

Reconnect with prior leads/customers via contextual SMS/email/DM referencing their original interest.

Handle two-way Q&A (FAQs, objections), and escalate to a human when needed.

Qualify interest (goal, timeline, budget) and book calls.

Update the client’s CRM and report outcomes/performance.

Lawful basis: the client (Controller) decides the lawful basis (often Legitimate interests, Contract, or Consent) and is responsible for PECR/e-privacy compliance.

We record and honour opt-outs (unsubscribe/STOP) and follow their documented instructions.

4) AI & automation

We use AI to draft message variants, score intent, and suggest next actions. We don’t sell personal data. Where available, we configure vendors not to train public models on client data. We do not make decisions with legal or similarly significant effects solely by automation. Ask for human review any time.

5) Sharing data (service providers)

We use vetted sub-processors for hosting, messaging, and operations—only what’s necessary:

CRM & automations: GoHighLevel / LeadConnector

SMS/voice: Twilio / LeadConnector SMS

Email sending: [Mailgun/SendGrid/LeadConnector Email]

Calendars/meetings: Google/Microsoft

Storage/productivity: Google Workspace / Microsoft 365

Analytics: [Plausible/Google Analytics]

Payments & billing: [Stripe/…] (if applicable)

We have DPAs in place and maintain a current list on request.

6) International transfers

Some providers process data outside the UK/EEA (e.g., US). We use approved safeguards (UK Addendum/SCCs, provider certifications) and assess risk.

7) Retention

Enquiries & sales records (Controller): usually 24 months after last contact.

Campaign logs (Processor): 12–24 months or per client instruction.

Consent & suppression records: kept as needed to honour opt-outs and demonstrate compliance.
We delete or anonymise when no longer needed unless law requires longer retention.

8) Your rights (UK GDPR)

You can access, rectify, erase, restrict, object, and port your data, and withdraw consent where used.

If the data is ours (Controller): email [[email protected]].

If the data belongs to a client (we’re Processor): contact the client (Controller); we’ll help them respond.

You can complain to the ICO (ico.org.uk). Please give us a chance to fix it first.

9) Marketing & PECR

We only send electronic marketing where we have consent or a soft opt-in (existing customer relationship about similar services).

Email: every message has an unsubscribe link.

SMS: reply STOP (or STOP ALL where supported).

We maintain suppression lists and won’t message you after you opt out.

10) Cookies & tracking

We use essential cookies for site operation. Analytics/marketing cookies run only with consent. You can change preferences via our cookie banner at any time. See our Cookie Notice for details (types, purposes, retention).

11) Security

We apply reasonable technical and organisational measures: least-privilege access, MFA on admin systems, encryption in transit, audit logging, staff training, and vendor due diligence. No system is 100% secure; if a breach occurs, we’ll follow legal notification duties.

12) Children

Our services target businesses and adults. We don’t knowingly process children’s data. If you believe we have, contact us and we’ll act.

13) When we’re a Processor (summary of commitments)

When we handle data for a client, we will:

Process only on documented instructions;

Keep data confidential and secure;

Assist with data-subject requests, breaches, and DPIAs where required;

Use sub-processors only with appropriate safeguards;

Delete/return data at end of contract (subject to legal retention);

Provide records/audit support as agreed.

14) Changes to this policy

We’ll update this policy as our practices or laws change. The “Last updated” date shows the latest version. Significant changes will be communicated where appropriate.

15) Contact

Questions or requests: [[email protected]]
Postal: available on request for official correspondence.
If unresolved, you can contact the Information Commissioner’s Office (UK).