Data Protection Policy

This Data Protection Policy explains how Business2Business Ltd (“we,” “us,” or “our”) collects, processes, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws. All employees, contractors, and third-party partners must adhere to this policy when handling any personal data on behalf of Business2Business Ltd.

1. Scope

This policy applies to all personal data processed by Business2Business Ltd in connection with our SaaS platform at business2businessltd.com, including:

  • Prospective and current customer contacts and end users
  • Employees, contractors, and job applicants
  • Website visitors and newsletter subscribers

It covers any medium (electronic, paper, verbal) through which personal data is collected or used.

2. Roles and Responsibilities

Business2Business Ltd acts as the Data Controller for customer and end-user data. Our appointed Data Protection Officer (DPO) oversees compliance, provides advice on data protection matters, and serves as the point of contact for data subjects and regulators. All staff and third-party processors must:

  • Follow this policy and report data protection concerns to the DPO
  • Complete mandatory data protection training
  • Apply data protection principles in their daily activities

3. Data Protection Principles

We process personal data in line with these principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation: only for specified, explicit, and legitimate purposes
  • Data minimisation: adequate, relevant, and limited to what is necessary
  • Accuracy: kept up to date and rectified without delay
  • Storage limitation: retained only as long as required
  • Integrity and confidentiality: secured against unauthorised access and accidental loss

4. Lawful Bases for Processing

We rely on the following lawful bases to process personal data:

  • Consent: for newsletters and marketing communications
  • Contractual necessity: to fulfil our service agreements
  • Legal obligation: to comply with tax, accounting, or regulatory requirements
  • Legitimate interests: for platform security, fraud prevention, and service improvement

5. Categories of Personal Data

We collect and process the following types of personal data:

  • Identity and contact data: names, job titles, email addresses, phone numbers
  • Account and authentication data: usernames, hashed passwords, security tokens
  • Transaction and billing data: payment details (via PCI-compliant processor), invoices, purchase orders
  • Usage data: IP addresses, device information, feature usage logs
  • Support and communications data: helpdesk tickets, chat transcripts, feedback surveys

6. Purposes of Processing

Personal data is processed to:

  • Register and manage user accounts and subscriptions
  • Authenticate users and secure access to our platform
  • Process payments, generate invoices, and handle billing inquiries
  • Provide customer support and manage disputes
  • Conduct product analytics and improve service functionality
  • Send service-related notifications and marketing communications (where consented)

7. Data Subject Rights

Data subjects may exercise these rights under UK GDPR:

  • Access: obtain confirmation and copies of their personal data
  • Rectification: correct or update inaccurate or incomplete data
  • Erasure: request deletion of data where lawful
  • Restriction: suspend processing under certain conditions
  • Portability: receive data in a structured, machine-readable format
  • Objection: challenge processing based on legitimate interests or direct marketing
  • Withdraw consent: for any consent-based processing

Requests should be sent to the DPO and will be addressed within one month, or two months for complex cases.

8. Data Retention and Disposal

We retain personal data only as long as necessary:

  • Active customer accounts: until account termination plus six months
  • Billing and transaction records: seven years for statutory compliance
  • Support logs: three years for service quality and dispute resolution
  • Marketing consent records: until consent is withdrawn

Obsolete data is securely deleted or irreversibly anonymised.

9. Security Measures

We employ technical and organisational safeguards, including:

  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls and regular permission reviews
  • Multi-factor authentication for administrative and privileged access
  • Regular vulnerability scans, penetration tests, and security audits
  • Secure backup, disaster recovery plans, and incident response procedures

All staff receive annual security and privacy training.

10. Third-Party Processors and International Transfers

We engage third-party processors (hosting, payments, analytics) under written contracts that stipulate GDPR-compliant safeguards. Personal data may be transferred outside the UK/EEA only if:

  • The destination has an adequacy decision by the UK/EU Commission
  • Standard Contractual Clauses or equivalent safeguards are in place

These measures ensure continued protection of personal data.

11. Data Protection Impact Assessments

We conduct DPIAs for high-risk processing activities, such as:

  • Profiling and automated decision-making features
  • Large-scale processing of sensitive data
  • Use of new or intrusive technologies

DPIAs document processing risks and mitigation steps before operations begin.

12. Personal Data Breach Response

In the event of a breach, we will:

  1. Contain and mitigate the incident immediately
  2. Notify the Information Commissioner’s Office within 72 hours, if required
  3. Inform affected data subjects without undue delay when high risk to their rights exists
  4. Document the breach, response actions, and lessons learned

Our incident response plan is reviewed and tested annually.

13. Training and Awareness

All employees and relevant contractors must:

  • Complete data protection and information security training on onboarding
  • Attend annual refresher courses and role-specific workshops
  • Stay informed of policy updates, regulatory changes, and emerging threats

We foster a culture of accountability and “privacy by design.”

14. Policy Review

This policy is reviewed at least annually or when significant changes occur in:

  • Data protection legislation or guidance
  • Our processing activities, services, or technologies
  • Recommendations from supervisory authorities

Updates are approved by senior leadership and communicated internally and externally as needed.

15. Contact Information

For questions, data subject requests, or to report concerns, contact:

Data Protection Officer

Email: info@business2businessltd.com

Address: 124 City Road, London, EC1V 2NX

Effective Date: 1 October 2025
