Legal information

Privacy Policy

This Privacy Policy explains how GrowthNest Media Limited collects, uses, shares, stores and protects personal information when you visit our website, enquire about or purchase our services, participate in a campaign, or otherwise communicate with us.

Last updated: 13 July 2026

GrowthNest Media Limited processes personal data in accordance with applicable UK data-protection law, including the UK GDPR and the Data Protection Act 2018.

01

Introduction

GrowthNest Media Limited respects the privacy of clients, prospective clients, website visitors, business contacts and individuals whose information is processed in connection with our lead-generation and customer-acquisition services. This policy describes our approach to personal data and is intended to provide clear information about what we do with it.

“Personal data” means information relating to an identified or identifiable living person. It can include obvious identifiers such as a name, email address or telephone number, as well as online identifiers, campaign responses, call recordings and other information that can be linked to an individual. “Processing” covers any operation performed on personal data, including collecting, recording, organising, using, sharing, storing and deleting it.

This policy applies to personal data processed through growthnestmedia.co.uk, our contact and order journeys, customer support, lead-generation campaigns, telephone and digital interactions, CRM and API services, secure file delivery, invoicing and related business administration. Campaign-specific notices or contractual terms may provide additional information. Where they apply, they should be read together with this policy.

02

Who We Are

GrowthNest Media Limited is a UK lead-generation, customer-acquisition and campaign-services business. For personal data processed for our own website, sales, customer administration, service management and marketing purposes, GrowthNest Media Limited is normally the controller, meaning we determine why and how that personal data is processed.

For campaign activity, our legal role depends on the factual and contractual arrangement. We may act as an independent controller, a joint controller with another organisation, or a processor acting on documented client instructions. The relevant campaign agreement identifies the parties’ responsibilities where required. A client receiving lead data will generally have its own responsibilities for how it uses that data after receipt.

Legal Name

GrowthNest Media Limited

UK Company Number

12762926

India Operations

Grevitywings Technologies

Indian Company Registration

Indian company registration details will be updated following completion of incorporation and statutory registrations.

Registered Office

1st Floor, 7A, A.J.C. Bose Road, Kolkata – 700017, West Bengal, India

Place of Registration

Kolkata, West Bengal, India

Website

growthnestmedia.co.uk

Business Email

business@growthnestmedia.co.uk

Accounts Email

accounts@growthnestmedia.co.uk

General Enquiries

info@growthnestmedia.co.uk

UK Telephone

+44 7864 386980

India Telephone

+91 33 4000 0000

UK Business Hours

Monday – Friday 09:00 – 18:00 GMT/BST

India Business Hours

Monday – Saturday 10:00 – 19:00 IST

Data Protection Law

UK GDPR and Data Protection Act 2018

03

Information We Collect

The information we collect depends on how you interact with us, the service requested and the requirements of a particular campaign. We may collect the following categories.

Identity and contact information

  • Name, job title, employer or organisation, and business role
  • Business and personal contact details, including email address, postal address and telephone number
  • Account, customer, order, invoice and payment reference information
  • Identity or authority information supplied when exercising data-protection rights

Enquiry, client and campaign information

  • Company name, website, industry, service interests and campaign objectives
  • Requested lead type, volume, geographic targeting, qualification criteria and delivery method
  • Messages, quotation requests, support enquiries, complaints, exclusions and special requirements
  • Information contained in documents or files uploaded securely to us

Lead, survey and qualification information

  • Consumer or business contact details and relevant demographic or geographic information
  • Responses to survey, campaign and qualification questions
  • Product or service interests, preferred contact arrangements and campaign source
  • Consent language, consent status, source URL, date and time stamps, call records and suppression status
  • Validation, duplicate-checking, delivery, acceptance, rejection and replacement information

Technical and usage information

  • IP address, browser type, device type, operating system and approximate location derived from IP
  • Website pages viewed, referral source, session events, cookie identifiers and analytics information
  • Server, authentication, API, webhook, delivery, error and security logs
  • CRM record identifiers, integration settings and delivery audit information

We also process correspondence, internal notes, campaign activity histories, delivery reports and records of how an enquiry, order, complaint or rights request was handled. We do not seek to collect more personal data than is reasonably necessary for the relevant purpose.

Some campaigns may concern products such as insurance or services from which sensitive circumstances could potentially be inferred. Special-category personal data is collected only when it is necessary, proportionate and supported by both an Article 6 lawful basis and an applicable Article 9 condition under the UK GDPR. Campaign forms and scripts are designed to avoid unnecessary sensitive information.

04

How We Collect Information

We collect personal data directly from you when you complete an enquiry or purchase journey, request a quotation, contact us by email or telephone, upload a file, confirm a payment, use customer support or communicate with our team. We may also obtain information from your employer or another authorised representative.

In our lead-generation work, information may be collected directly from consumers or business contacts through clearly identified survey, telephone, digital or market-research interactions. We may also receive data from a client, supplier or campaign partner where the party providing it has confirmed that it is entitled to do so and appropriate contractual safeguards are in place.

  • Website contact, campaign enquiry, account, purchase and quotation forms
  • Email enquiries, telephone conversations, call recordings and customer-support interactions
  • Secure file uploads, invoice requests, payment confirmations and proof-of-payment submissions
  • Consumer surveys, digital campaigns, landing pages, telephone campaigns and market research
  • Clients, campaign partners, introducers and suppliers operating under appropriate agreements
  • CRM systems, API integrations, webhooks and secure campaign-delivery tools
  • Cookies, Google Analytics, server logs and comparable website-measurement technologies
  • Publicly available business sources where their use is lawful and appropriate

Where personal data is obtained from a source other than the individual, we take reasonable steps to provide or make available the information required by UK GDPR, subject to the applicable circumstances and exemptions.

06

How We Use Your Information

We use personal data for specific, explicit and legitimate business purposes. We do not use personal data in a manner that is incompatible with the reason it was collected unless the further use is permitted by law and the necessary information is provided.

  • Respond to enquiries, provide quotations and discuss campaign requirements
  • Create and administer customer accounts, orders, contracts, campaigns and support requests
  • Generate, qualify, validate, deduplicate, suppress, route and securely deliver leads
  • Configure CRM and API integrations and diagnose delivery or technical issues
  • Create invoices, reconcile payments, review payment evidence and maintain financial records
  • Provide customer support, investigate complaints and manage lead replacement requests
  • Maintain service quality, train authorised personnel and improve campaign performance
  • Prevent fraud, misuse, unauthorised access and other security threats
  • Meet legal, tax, accounting, data-protection and regulatory responsibilities
  • Understand website and service performance through proportionate business analytics

We may create aggregated or anonymised statistics that no longer identify individuals to understand delivery volumes, campaign outcomes and service demand. Information that has been effectively anonymised is not personal data, but we maintain controls intended to prevent inappropriate re-identification.

07

Lead Generation & Marketing

Our services include UK B2B and B2C lead generation, consumer surveys, digital marketing, lead qualification, CRM integration, API and CSV lead delivery, and bespoke, shared and exclusive campaigns. Campaigns may operate across the following sectors:

  • Life insurance, funeral plans and wills
  • Broadband, business telecom and consumer telecom
  • Energy, business energy, solar and ECO4
  • Mortgage, homeowner and housing disrepair
  • Boiler replacement, windows and doors, loft insulation and loft appointments
  • Charity, warranty and other UK consumer or business campaigns

Campaign notices, scripts or landing pages explain the identity of the organisation collecting the information, the purpose of the interaction, intended recipients or recipient categories, and the contact or marketing permissions being requested where applicable. Consent and source records may include the wording presented, the method of collection, date and time, campaign identifier and relevant technical evidence.

Lead data is supplied only in accordance with contractual arrangements and applicable data-protection and direct-marketing laws. Clients are required to use lead information only for agreed purposes, respect objections and opt-outs, protect the information they receive, and comply with their own transparency and lawful-basis obligations. Exclusive, shared and bespoke campaign arrangements are documented so the permitted recipients and uses are clear.

Where telephone or electronic direct marketing rules apply, we consider the Privacy and Electronic Communications Regulations and relevant Telephone Preference Service or Corporate Telephone Preference Service requirements. A person’s inclusion in a campaign does not remove the recipient organisation’s responsibility to verify that its intended contact is lawful at the time it is made.

08

Telephone Calls & Call Recording

We may communicate by telephone to respond to enquiries, discuss client campaigns, conduct consumer or business surveys, qualify interest, provide support, confirm information, manage complaints and maintain service quality. Calls may be recorded for quality assurance, agent training, verification, compliance monitoring, dispute resolution, fraud prevention and the establishment or defence of legal claims.

Where a call is recorded, callers or participants are informed at the start of the call or through another clear notice. Access to recordings is restricted to authorised personnel and approved service providers with a business need. Recordings are not retained indefinitely and are deleted or anonymised according to our retention schedule unless they are needed for an active complaint, investigation or legal obligation.

For live direct-marketing calls, relevant numbers are screened against applicable preference services and internal suppression records where required. We identify the calling organisation, provide appropriate contact information and honour objections. Automated marketing calls are not made without the specific consent required by law.

09

Lead Qualification

Lead qualification is used to assess whether an enquiry meets documented campaign criteria. Depending on the campaign, this may involve confirming contact details, location, service interest, property or business characteristics, availability, eligibility indicators, preferred contact time and answers to client-approved questions.

Qualification criteria are configured for the relevant campaign and should be limited to information reasonably required for that service. We may validate formats, remove duplicates, apply client suppression files, check campaign exclusions, review call or source evidence and flag inconsistent responses. These controls support data quality; they do not guarantee that a person will purchase a product, pass a provider’s separate eligibility assessment or produce a particular commercial outcome.

We do not ordinarily make decisions based solely on automated processing that produce legal or similarly significant effects on individuals. Automated validation, routing or matching may assist our teams, but material campaign exceptions and disputes can be reviewed by an authorised person.

10

API Integrations

Clients may choose to receive leads or exchange campaign information through an API, webhook, CRM integration, secure portal, CSV or another agreed method. Integration data can include lead fields, campaign and client identifiers, delivery time, response status, validation results, retry information and technical logs needed to operate and troubleshoot the service.

We use API credentials and access controls to authenticate authorised connections and maintain delivery records for security, reconciliation and support. Clients are responsible for protecting credentials issued to them, limiting access within their organisation, promptly reporting suspected compromise and ensuring that destination systems are appropriately secured.

Where a third-party CRM or integration platform is involved, its provider may process information under its own terms or as a processor for us or the client. The relevant contractual arrangement determines responsibility. We do not permit an integration to be used to obtain personal data outside the agreed campaign purpose.

11

Payments

When a customer purchases lead-generation services, we process information needed to create an order and invoice, assign a payment reference, provide payment instructions, reconcile funds, prevent fraud and maintain accounting records. This may include the payer’s name, company, billing contact details, order and invoice references, amount, currency, selected payment method, payment date, payment status and correspondence.

If payment evidence is uploaded, we process the document and information visible within it solely to review and reconcile the payment, investigate discrepancies and maintain appropriate financial records. Customers should obscure information that is not needed for those purposes. Proof files are stored with restricted access and are not published.

Payments may involve banks, transfer providers or other payment-service providers selected by the customer. Those organisations process payment information under their own privacy notices and legal obligations. We do not request account passwords or security codes and do not use payment data for unrelated marketing.

12

Cookies

Our website uses cookies and similar technologies to operate essential features, remember choices, protect forms and systems, understand website use and, where permitted, measure campaign performance. Essential cookies may be placed without consent where they are strictly necessary. Non-essential analytics or marketing technologies are used only after the required choice has been made through our cookie controls.

Where enabled with consent, Google Analytics helps us understand matters such as pages visited, session activity, general device information and traffic sources. We configure analytics to support proportionate business reporting and do not use it to obtain information that we do not need. Google may act as a separate provider for parts of this processing.

You can accept, reject or manage non-essential cookies through the cookie-consent controls and can also adjust browser settings. Withdrawing cookie consent does not affect the lawfulness of processing that occurred before withdrawal. Full details are available in our Cookie Policy.

13

Third Party Services

We use carefully selected suppliers and may disclose personal data where necessary to deliver our services, operate the website, manage the business or meet legal duties. Depending on the context, recipients may act as our processor, as a client’s processor, as an independent controller or as a joint controller.

  • Clients purchasing or receiving leads under a written campaign agreement
  • CRM, API, webhook, hosting, cloud-storage and secure file-transfer providers
  • Email, telephony, call-recording and customer-support providers
  • Analytics and cookie technology providers, including Google Analytics where consented to
  • Banks, payment-service providers and accounting or invoice-service providers
  • Fraud-prevention, identity, data-validation, screening and security providers
  • Professional advisers, including legal, compliance, tax, insurance and audit advisers
  • Regulators, courts, law-enforcement bodies and public authorities where disclosure is lawful
  • A prospective purchaser, investor or adviser involved in a legitimate corporate transaction

Processors acting for us are required by contract to process personal data only on documented instructions, maintain confidentiality, implement appropriate security, support relevant rights and delete or return data when their services end. We carry out proportionate due diligence based on the nature and risk of the processing.

Our website may link to external websites or services. We are not responsible for the privacy practices of a third party acting independently. You should review the privacy notice presented by that organisation before providing personal information.

14

International Data Transfers

Some technology, cloud, analytics, communications or support providers may store or access personal data outside the United Kingdom. A restricted transfer occurs only where the relevant legal conditions are met, and we do not treat the use of an international supplier as removing our UK data-protection responsibilities.

Before making a restricted transfer, we use a permitted transfer mechanism where required. This may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to approved standard contractual clauses, or another safeguard or exception permitted by UK law. Where appropriate, we assess the destination, recipient, transfer circumstances and supplementary safeguards before the transfer takes place.

You may contact us for further information about the safeguards relevant to your personal data. Commercially confidential or security-sensitive information may be redacted, but we will provide the information required by law.

15

Data Retention

We retain personal data only for as long as reasonably necessary for the purpose for which it was collected, including service delivery, campaign administration, legal and regulatory compliance, accounting, complaints, dispute resolution, fraud prevention and the establishment or defence of legal claims.

Retention decisions consider the amount, nature and sensitivity of the information, the potential risk of harm, the purpose of processing, contractual commitments, whether the purpose can be achieved in another way and applicable legal requirements. Our normal retention framework is:

  • Website and quotation enquiries: normally up to 24 months after the last meaningful contact
  • Client contracts, orders, invoices and payment records: normally six years after the relevant financial year or relationship ends
  • Operational lead and campaign records: for the campaign period and normally up to 12 months afterwards, unless a longer period is needed for a complaint, legal claim or documented compliance requirement
  • Consent, source, suppression and campaign audit records: normally up to six years where required to demonstrate instructions, permissions, objections or compliance
  • Call recordings: normally up to 12 months, or longer where they are relevant to an active complaint, dispute or legal requirement
  • Marketing records: until consent is withdrawn, an objection is received, or after 24 months of inactivity unless refreshed
  • Suppression records: a minimal record may be retained for as long as necessary to honour an opt-out or do-not-contact request
  • Security and server logs: normally up to 12 months unless required for an active security investigation
  • Google Analytics event data: according to the configured analytics retention period, normally no longer than 14 months

These periods may be shortened where information is no longer needed or extended where a legal hold, complaint, investigation, contractual requirement or statutory obligation applies. At the end of the relevant period, information is securely deleted, anonymised or placed beyond operational use in accordance with our retention procedures.

16

Data Security

GrowthNest Media Limited maintains technical and organisational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures are selected according to the nature of the system, information and processing risk.

  • Role-based access and least-privilege controls for systems containing personal data
  • Authentication, password controls and administrative access restrictions
  • Secure API, CRM, email and file-delivery procedures appropriate to the campaign
  • Logging, monitoring and audit records for important administrative and delivery actions
  • Data minimisation, validation, duplicate detection and suppression controls
  • Supplier due diligence and contractual confidentiality and data-protection obligations
  • Staff confidentiality, awareness and operational handling procedures
  • Backup, recovery, incident-management and personal-data-breach response processes
  • Periodic review of access rights, retention needs and technical vulnerabilities

No method of transmission or storage can be guaranteed to be completely secure. If we become aware of a personal-data breach, we assess the likely risk, take steps to contain and investigate it, maintain appropriate records, and notify affected individuals and the Information Commissioner’s Office where legally required.

Customers and clients also have responsibilities. They should use secure devices and networks, protect credentials, restrict access to downloaded lead data, promptly apply opt-outs, and notify us without delay if they suspect unauthorised access involving our services.

17

Marketing Communications

We may send relevant information about GrowthNest Media services, campaign availability, industry insights or related business offerings where we have consent or another lawful basis and the communication is permitted by applicable direct-marketing rules. We distinguish our own business marketing from campaign communications sent for a client.

Customers and other recipients may opt out of marketing at any time by using an unsubscribe facility where provided, replying to the communication, telling the caller or contacting us at accounts@growthnestmedia.co.uk. We will action valid objections and may retain a minimal suppression record so that the preference continues to be respected.

Withdrawing from marketing does not prevent necessary service messages about an existing enquiry, order, invoice, payment, security issue, campaign or contract. It also does not require us to erase information that must be retained for another lawful purpose.

18

Your Rights under UK GDPR

Subject to the circumstances and any lawful exemptions, UK data-protection law gives individuals the following rights:

  • The right to be informed about how personal data is used
  • The right to request access to personal data and receive a copy
  • The right to ask for inaccurate or incomplete personal data to be corrected
  • The right to request erasure where the legal conditions are met
  • The right to request restriction of processing in certain circumstances
  • The right to object to processing based on legitimate interests
  • The absolute right to object to the use of personal data for direct marketing
  • The right to data portability where processing is based on consent or contract and carried out by automated means
  • The right to withdraw consent at any time, without affecting earlier lawful processing
  • Rights relating to solely automated decision-making that has legal or similarly significant effects
  • The right to complain to the Information Commissioner’s Office

These rights are not all absolute and their application can depend on the lawful basis and the facts. Data portability applies only in specified circumstances, and information needed to comply with a legal obligation or establish or defend legal claims may not have to be erased.

To exercise a right, use our secure Submit a Data Rights Request portal, email accounts@growthnestmedia.co.uk, or use the contact details below. Please describe the information or campaign concerned and the right you wish to exercise. We may request proportionate evidence of identity or authority before disclosing or changing personal data. We normally respond without undue delay and within one month, although the law permits an extension for complex or numerous requests. We will explain any extension or lawful refusal.

You may complain to the Information Commissioner’s Office, the UK supervisory authority for data protection, through ico.org.uk. We would appreciate the opportunity to address your concern first, but contacting us does not affect your right to approach the ICO.

19

Children’s Privacy

Our website and lead-generation services are intended for businesses and adults aged 18 or over. We do not knowingly design campaigns to collect personal data from children, offer lead-generation services to children or use children’s personal data for direct marketing.

If we learn that personal data relating to a child has been submitted to us without an appropriate lawful basis or necessary authorisation, we will investigate and delete or restrict the information as appropriate. A parent, guardian or other responsible person who believes a child’s information has been provided to us should contact us promptly.

20

Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our services, campaign practices, technology, suppliers, legal requirements or regulatory guidance. The current version will always be published on this page and the date of the latest revision will be shown prominently.

Where a change materially affects how we use personal data, we will take reasonable steps to bring it to the attention of affected individuals through the website, direct communication or a campaign-specific notice where appropriate. We will seek fresh consent where a new use legally requires it.

Last Updated: 13 July 2026

21

Contact Details

Questions about this Privacy Policy, the use of personal data, a marketing preference or a data-protection rights request can be directed to GrowthNest Media Limited using the details below.

Company

GrowthNest Media Limited

Email

accounts@growthnestmedia.co.uk

Telephone

+44 7864 386980

When contacting us about lead data, please provide any relevant campaign name, date of contact, telephone number or email address so that we can locate the correct record without collecting unnecessary additional information.

Have a Privacy or Data Protection Question?