PRIVACY POLICY

Version: April 2026
Last updated: 19 April 2026

Introduction

GRAVITAS TECHNOLOGY LTD trading as Gravitas Tech has prepared this Privacy Policy to describe in a clear and transparent manner:

1. what categories of personal data we collect and otherwise process;
2. how and for what purposes such personal data is used, shared and protected; and
3. the rights and choices available to individuals in relation to our personal data processing practices.

This Privacy Policy is intended to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable Privacy and Electronic Communications Regulations (PECR), and reflects our commitment to lawful, fair and transparent processing of personal data in a business-to-business context.

If you have any questions, requests or comments regarding this Privacy Policy or our data protection practices, you may contact us using the details below:

Privacy requests: Implement a dedicated contact method on the website, for example /privacy-request or a dedicated privacy email address.

Registered address:
C/O Heaton Vences Limited
No.159, Field Maple Barns
Weston Green Road
Weston Longville
Norwich, Norfolk
England, NR9 5LA

Applicability

We provide business-to-business outbound sales development and lead generation services to our customers (the “Services”).

This Privacy Policy applies to personal data that we collect, use, disclose and otherwise process in connection with:

• the provision and operation of the Services;
• our website(s) (the “Website”); and
• business contact data obtained from public sources and reputable third-party data providers for business-to-business purposes.

Where GRAVITAS TECHNOLOGY LTD processes personal data on behalf of a customer in the capacity of a service provider or processor, if applicable, such processing is governed by the relevant customer agreement and, where required, a separate Data Processing Agreement (DPA). In those circumstances, this Privacy Policy does not apply to such processing.

Our Services are designed exclusively for business use and are not intended for personal, family or household purposes. Accordingly, personal data processed under this Privacy Policy relates to individuals acting in a professional or business capacity, rather than in their personal capacity.

Nothing in this Privacy Policy is intended to override or replace the privacy notices or policies issued by our customers in their capacity as independent data controllers.

1. WHO IS RESPONSIBLE FOR THE PROCESSING OF YOUR PERSONAL DATA?

GRAVITAS TECHNOLOGY LTD trading as Gravitas Tech, as data controller

GRAVITAS TECHNOLOGY LTD trading as Gravitas Tech acts as a data controller where it determines the purposes and means of processing personal data, including in connection with:

• the operation and administration of our Website;
• professional and business communications;
• the sourcing, verification, enrichment and maintenance of business contact data used to provide the Services;
• the operation and enforcement of suppression, objection and compliance screening mechanisms;
• internal analytics, reporting and service improvement, in aggregated or anonymised form; and
• compliance with applicable legal and regulatory obligations.

In these circumstances, GRAVITAS TECHNOLOGY LTD trading as Gravitas Tech processes personal data in accordance with this Privacy Policy and applicable data protection laws.

Our customers — as independent data controllers

Where our customers receive business contact data and/or make use of the outputs of the Services, they typically act as independent data controllers. In that capacity, our customers are solely responsible for:

• determining the purposes, scope and lawful basis of their outreach and engagement activities;
• the content of messaging, scripts and communications;
• the selection of communication channels and targeting criteria;
• ensuring compliance with applicable data protection and electronic communications laws, including the UK GDPR and PECR; and
• handling data subject rights requests in relation to their own processing activities.

Our customers’ processing activities are governed by their own privacy notices and policies, and individuals are encouraged to review such notices where applicable.

Processor role, where applicable

Depending on the specific Services and only where expressly agreed in writing, GRAVITAS TECHNOLOGY LTD trading as Gravitas Tech may act as a data processor on behalf of a customer. In such cases, the processing of personal data is governed by the relevant customer agreement and a separate Data Processing Agreement (DPA), and not by this Privacy Policy.

2. WHAT TYPES OF PERSONAL DATA DO WE PROCESS FOR WEBSITE VISITORS AND CUSTOMERS?

Enquiry data

Examples of data:
Full name, business email address, business telephone number, company name, job title, and any information voluntarily provided in enquiry forms, demo requests or correspondence.

Data sources:
Collected directly from you and/or from the customer.

Customer administration data

Examples of data:
Business contact details, professional role, account identifiers, billing and invoicing contact details, and contractual contact information.

Data sources:
Collected from the customer and/or directly from you.

Website analytics data

Examples of data:
IP address, device type, browser type and version, operating system, pages viewed, time spent on pages, interaction data, approximate geographic location such as country or region, and referring URLs.

Data sources:
Automatically collected via the Website and cookies or similar tracking technologies. See our Cookie Policy.

Security and audit log data

Examples of data:
Access logs, authentication records, system and event logs, and security-related metadata.

Data sources:
Generated automatically by our systems and by authorised service providers.

3. WHAT TYPES OF PERSONAL DATA DO WE PROCESS FOR BUSINESS CONTACT DATA USED IN OUR SERVICES?

Professional activity data

Examples of data:
Full name, professional job title or role, business email address, business telephone or mobile number, employer company name, and LinkedIn profile URL.

Data sources:
Reputable third-party data vendors, publicly available professional or business-oriented sources, company websites, and professional networking platforms.

Company-level context

Examples of data:
Company name, industry classification, company website domain, company LinkedIn profile, and high-level company attributes such as size or sector, where publicly available.

Data sources:
Publicly available sources and reputable third-party data vendors.

Suppression and opt-out data

Examples of data:
Opt-out or objection status, and minimal identifiers required to ensure “do not contact” compliance.

Data sources:
Provided directly by data subjects, and generated and maintained internally for compliance purposes.

We do not intentionally process personal or free email addresses, consumer contact data, or special category personal data within the meaning of Article 9 UK GDPR.

4. FOR WHICH PURPOSES IS YOUR DATA PROCESSED BY GRAVITAS TECHNOLOGY LTD TRADING AS GRAVITAS TECH?

Data regarding Website visitors and customers

Online requests and professional communications

Examples of use of personal data:
Managing and responding to enquiries, demo requests and other communications, arranging meetings and calls, and providing requested information about the Services.

Legal bases:
Legitimate interests, to manage business relationships, and steps prior to entering into a contract.

Provision and administration of the Services

Examples of use of personal data:
Account setup and administration, operational communications, service delivery, support, and customer relationship management.

Legal bases:
Performance of a contract and legitimate interests.

Website analytics and performance

Examples of use of personal data:
Measuring usage of the Website, analysing traffic and user interactions, improving functionality, performance and content, and troubleshooting technical issues.

Legal bases:
Legitimate interests, and consent where required under applicable cookie and ePrivacy laws.

Security, integrity and fraud prevention

Examples of use of personal data:
Monitoring systems to prevent unauthorised access, detecting misuse or security incidents, maintaining audit logs, and incident response.

Legal bases:
Legitimate interests, and compliance with legal and regulatory obligations.

Legal claims, compliance and disputes

Examples of use of personal data:
Establishing, exercising or defending legal claims, responding to regulatory enquiries, and record keeping for compliance purposes.

Legal bases:
Legitimate interests and legal obligations.

Data regarding business contacts processed for the Services

Providing Services to customers

Examples of use of personal data:
Identifying relevant business decision-makers, conducting lawful B2B one-to-one outreach, appointment-setting, and reporting campaign outcomes to customers.

Legal bases:
Legitimate interests, ours and our customers’, balanced against the rights and interests of the data subjects.

Data quality, accuracy and maintenance

Examples of use of personal data:
Verification, cleansing, updating, de-duplication and rolling refresh of business contact data to ensure relevance and accuracy.

Legal bases:
Legitimate interests.

Compliance and suppression management

Examples of use of personal data:
Screening against applicable preference services, such as CTPS, maintaining suppression and opt-out lists, and honouring objections and do-not-contact requests.

Legal bases:
Legal obligations and legitimate interests.

Aggregated insights and analytics

Examples of use of personal data:
Producing aggregated, anonymised or non-identifiable operational reports and statistical analyses to improve the Services.

Legal bases:
Legitimate interests.

Important: Nothing in our Services constitutes the sale of personal data as a commodity, nor do we provide behavioural profiling of individuals.

5. WHO DO WE SHARE YOUR DATA WITH?

We share personal data on a limited, need-to-know basis and only where necessary for the purposes described in this Privacy Policy.

Authorised personnel of GRAVITAS TECHNOLOGY LTD

Purposes:
Internal operational, administrative and service delivery purposes, including customer support, compliance, security and reporting.

Customers

Purposes:
Provision of the agreed Services and delivery of service outputs, strictly in accordance with the applicable contractual arrangements.

Service providers and sub-processors

Purposes:
Hosting, infrastructure, CRM, analytics, security, communications and IT support services, insofar as necessary to operate and deliver the Services.

Professional advisers

Purposes:
Legal, regulatory, compliance, accounting and audit support, subject to professional confidentiality obligations.

Competent authorities and regulators

Purposes:
Where required by applicable law, regulation or court order, or where necessary to establish, exercise or defend legal rights.

All third parties receiving personal data are subject to appropriate contractual, confidentiality and data protection obligations consistent with applicable law.

6. INTERNATIONAL TRANSFERS

Where personal data is transferred outside the United Kingdom, we ensure that such transfers are subject to appropriate safeguards in accordance with the UK GDPR.

Such safeguards may include, as applicable:

• a UK adequacy decision;
• the UK International Data Transfer Agreement (IDTA);
• the UK Addendum to the EU Standard Contractual Clauses; and
• where required, the implementation of supplementary technical and organisational measures and the completion of transfer risk assessments.

Personal data is transferred only where necessary for the purposes described in this Privacy Policy and subject to appropriate contractual and security protections.

7. FOR HOW LONG ARE YOUR PERSONAL DATA STORED?

We retain personal data only for as long as is necessary and proportionate for the purposes described in this Privacy Policy and in accordance with applicable legal and regulatory requirements.

In particular:

• business contact data is retained on a rolling refresh and review basis, taking into account accuracy, relevance and suppression or objection requirements;
• suppression and opt-out data may be retained for as long as necessary to ensure ongoing compliance with legal and regulatory obligations and to prevent further contact; and
• personal data may be retained for longer periods where required to comply with applicable laws, accounting or record-keeping obligations, or to establish, exercise or defend legal claims.

Where personal data is no longer required, it is securely deleted or anonymised in accordance with our data retention and deletion procedures.

8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

Subject to applicable law, you may have the following rights in relation to the personal data we process about you.

Right of access

The right to request confirmation as to whether we process your personal data and, if so, to receive a copy of such data and information about how it is used.

Right to rectification

The right to request correction of inaccurate or incomplete personal data.

Right to erasure, also known as the “right to be forgotten”

You have the right to request the erasure of your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected or where you have objected to the processing.

Please note that this right is not absolute. We may retain limited personal data where necessary to:

• comply with applicable legal or regulatory obligations;
• maintain suppression or opt-out records to ensure you are not contacted again; and
• establish, exercise or defend legal claims.

Where erasure is granted, we will take reasonable steps to securely delete or anonymise the relevant personal data without undue delay.

Right to restriction of processing

The right to request that we limit the processing of your personal data in certain circumstances, such as while a dispute regarding accuracy is being resolved.

Right to data portability

Where applicable, the right to receive certain personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.

Right to object

The right to object, at any time, to processing of your personal data based on legitimate interests, including processing for business-to-business outreach purposes.

To exercise any of the above rights, please contact us at:

Privacy requests: Implement a dedicated contact method on the website, for example /privacy-request or a dedicated privacy email address.

We may request additional information to verify your identity before responding to a request, in order to protect personal data from unauthorised access. We will respond to all valid requests within the timeframes required by applicable law.

You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO). Further information is available at: https://ico.org.uk.

9. HOW TO OPT OUT / OBJECT

You may object at any time to our processing of your business contact data for business-to-business outreach or related purposes.

You can exercise your right to object by:

• using the opt-out or privacy-request method made available on the Website; or
• contacting us via the privacy contact method published on the Website.

Upon receipt of a valid objection or opt-out request, we will cease the relevant processing without undue delay and will retain only the minimum information necessary to record and enforce your preference and to ensure ongoing compliance with applicable legal and regulatory requirements.

Where required by law, we may notify relevant customers or service partners of your objection in order to ensure that your preference is respected.

10. WHAT HAPPENS IF CHILDREN USE OUR WEBSITE?

Our Services are intended solely for use by businesses and professionals and are not directed at children.

We do not knowingly collect or process personal data relating to children. If we become aware that personal data relating to a child has been collected or processed inadvertently, we will take appropriate steps to delete such data without undue delay, unless retention is required by applicable law.

If you believe that we may have collected personal data relating to a child, please contact us via the privacy contact method published on the Website.

11. HOW DO WE PROTECT YOUR PERSONAL DATA?

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Such measures include, where appropriate:

• role-based access controls and the principle of least privilege;
• multi-factor authentication for access to systems processing personal data;
• logging and monitoring of system access and activity;
• encryption and secure configuration of systems and data;
• incident detection, response and escalation procedures; and
• staff confidentiality obligations and data protection training.

We regularly review and, where appropriate, update our security measures to reflect changes in technology, risk and regulatory expectations.

While we take reasonable steps to protect personal data, no system can be guaranteed to be completely secure.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes to our practices, services, or applicable legal or regulatory requirements.

The most current version of this Privacy Policy will always be made available on our website and will be identified by the “Last updated” date shown at the top of the document.

Where required by applicable law, we will take reasonable steps to notify individuals of material changes.

‍