1. Who we are
First60 ("we", "us", "our") is the trading name of [Your registered company name] Ltd, a private limited company registered in England & Wales under company number [Company No.], with registered office at [Registered office address].
For the purposes of UK GDPR, we are the data controller of any personal data we collect about you directly. For data we process on behalf of our clients (for example, lead data flowing through systems we install), we act as a data processor under a Data Processing Agreement with that client.
We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO Reg No.].
2. What data we collect
2.1 When you visit first60.co.uk
- Anonymous analytics: pages visited, approximate location (country/region), browser type, referrer. We do not use cookies that identify you personally without your consent.
- If you submit our enquiry form: name, business name, email address, phone number, and any free text you include.
- If you book an audit call via our scheduling tool: the above, plus your chosen time slot.
2.2 When we contact you proactively (B2B outreach)
- We may contact directors of UK Limited companies using publicly available data from Companies House and corporate websites, under the lawful basis of legitimate interest for B2B marketing, in line with PECR.
- The data we hold from this is limited to: business name, registered address, director name, corporate phone number, and corporate email address.
- We only contact corporate numbers and roles, never personal mobile numbers or personal email addresses, and we screen all phone numbers against the Corporate Telephone Preference Service (CTPS) before calling.
2.3 When you become a client
- Billing information (handled by Stripe and/or GoCardless — we never see your full card number).
- Service-related data: access credentials (stored encrypted), business details needed for installation, lead data flowing through systems we set up for you.
3. Why we collect it (lawful basis)
| Data | Why | Lawful basis |
|---|---|---|
| Website enquiry form | Answer your enquiry | Consent |
| Audit call booking | Run the call you booked | Performance of contract / consent |
| B2B cold outreach to corporate roles | Tell you about our service | Legitimate interest |
| Billing & service data | Deliver the service you paid for | Performance of contract |
| Anonymous analytics | Improve the site | Legitimate interest |
4. Who we share data with (sub-processors)
To deliver the service we use the following third-party tools. Each one is contractually bound by UK GDPR-compliant Data Processing Agreements:
| Provider | What they process | Where |
|---|---|---|
| GoHighLevel (HighLevel Inc.) | CRM, automations, SMS, email, scheduling | USA — with UK GDPR Standard Contractual Clauses |
| Twilio Inc. | SMS & voice routing | USA — SCCs in place |
| Vapi AI | AI voice agent processing | USA — SCCs in place |
| Stripe Inc. | Card payments | USA / UK — PCI-DSS compliant |
| GoCardless Ltd | UK Direct Debit | United Kingdom |
| Cloudflare Inc. | Website hosting & DNS | Global edge — UK SCCs in place |
| Google LLC (Workspace) | Business email | USA / EU — SCCs in place |
We do not sell your data to anyone, ever. We never share data with advertising networks.
5. How long we keep it
- Website enquiries that don't become customers: 24 months from last contact, then deleted.
- Client billing & service records: 7 years (HMRC requirement).
- Client lead/conversation data processed on their behalf: retained per the client's own retention policy, deleted on their instruction or contract end + 90 days.
- Cold-outreach prospect lists: 12 months from last contact, or until you tell us to delete you, whichever is sooner.
6. Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you
- Rectify inaccurate data
- Erase ("right to be forgotten") your data, subject to legal retention requirements
- Object to our processing on legitimate interest grounds — including stopping all marketing
- Restrict how we use your data
- Port your data to another provider in a machine-readable format
- Complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint
To exercise any right, email us at privacy@first60.co.uk and we'll respond within 30 days.
7. Cookies
This site uses only essential cookies for functionality. We don't currently set advertising or tracking cookies. If we add analytics in future (e.g. Google Analytics, Plausible), this policy will be updated and any non-essential cookies will require your consent via a banner.
8. Security
We use industry-standard security including:
- TLS encryption for all data in transit
- Encrypted storage for credentials and sensitive data
- Two-factor authentication on every internal account
- Regular review of sub-processor security posture
- Breach notification within 72 hours to the ICO and affected parties (as required by UK GDPR)
9. International transfers
Some of our sub-processors are based in the USA or process data globally. Where data leaves the UK, we rely on:
- UK adequacy regulations where they apply
- UK International Data Transfer Agreements / Standard Contractual Clauses with each provider
- Additional safeguards where required by ICO guidance
10. Changes to this policy
We may update this policy from time to time. Material changes will be notified at least 14 days before they take effect, either via the email we have on file for you or via a notice on this page. The "Last updated" date at the top reflects the most recent revision.
11. Contact
Questions about this policy or how we handle your data:
- Email: privacy@first60.co.uk
- Post: [Your registered office address]
- ICO complaint: ico.org.uk/make-a-complaint