Legal

Privacy Policy

This policy was last updated on 22 June 2026. It does not constitute legal advice.

Who we are

Datuma is a UK-based CRM data integrity product operated from datuma.co.uk. This policy covers the datuma.co.uk website and the free service offered at portal.datuma.co.uk/signup.html. For the technical controls that back this policy, see our Security page. For all privacy queries, contact support@datuma.co.uk.

What data we collect via the website

When you sign up at portal.datuma.co.uk/signup.html, we collect:

  • Your name
  • Your work email address
  • Your organisation name
  • The contact CSV you upload for processing (which may include names, email addresses, phone numbers, job titles, LinkedIn URLs, and organisation names)

We also collect standard server and analytics information (request logs, page views, approximate location from IP) to operate and secure the site.

What data we process during enrichment

When a contact CSV is processed (in the free demo, or for a paying client), minimal identifiers from each row (name, email, LinkedIn URL where present) are sent to our contact-data enrichment provider for lookup. The provider returns professional and organisational data, which is scored by Datuma and written back into the result.

Depending on the features enabled for a given account, enrichment may also include:

  • Business email validation: a deliverability check on a business email address, returned as a status (for example, verified or undeliverable).
  • Personal mobile number: where this feature is enabled, a personal mobile number associated with a business contact, together with the date it was found and the category of source.
  • Phone number verification: where this feature is enabled, a liveness check on an uploaded phone number, returned as a status (for example, live and reachable).

Contact CSVs are processed, not stored permanently. For paying clients, enriched data is written into the client's own database and retained under the Datuma Client Agreement.

Where enriched contact data comes from

Some contact details in an enriched record (including business email deliverability status and, where enabled, a personal mobile number) are not collected from the individual directly. They are sourced from third-party contact-data providers. These providers collect information that is publicly available or has been made public by the individual, or obtain it from suppliers who have confirmed a lawful right to share it.

On request, we will tell an individual the category of source for a given record and, where available, the immediate source of that record. Individuals can ask us to access, correct, or delete their data, or object to its processing, using the contact details below.

Data retention

  • Enrichment data: purged from our pipeline after processing. Raw uploads are not retained long-term.
  • Personal mobile numbers: where this feature is enabled for an account, a personal mobile number is re-verified or expired on a 90-day cycle and is purged alongside the rest of the contact record.
  • Demo data: purged within 7 days of the demo completing.
  • Enrichment API provider: retains the minimal lookup identifiers for the term of the agreement and deletes them within 60 days of termination under a formal Data Processing Addendum.
  • Email-verification provider: retains email addresses sent for deliverability validation solely to perform the check, and deletes them on termination. Results are stored only in your isolated records in Datuma's EU environment.
  • Phone-verification provider: where phone verification is enabled, phone numbers sent for a liveness check are retained by the provider solely to perform the check, for up to 30 days. On termination all data is deleted under the DPA. Results are stored only in your isolated records in Datuma's EU environment.
  • Client databases: for paying clients, retention is governed by the Datuma Client Agreement and the client's own Supabase instance, not by this policy.

Third-party processors

We rely on the following infrastructure partners to deliver the demo and the website:

  • Supabase: PostgreSQL database hosting, EU region.
  • Contact-data enrichment provider: professional and organisational data enrichment (under DPA with EU SCCs and UK IDTA).
  • Email-verification provider: email deliverability validation for business addresses (EU region).
  • Phone-verification provider: mobile number liveness validation, where this feature is enabled (UK-domiciled, under DPA).
  • Resend: transactional email delivery for demo results and notifications.
  • GoCardless: Direct Debit mandate setup and recurring payment collection for paying clients (under DPA, UK-regulated payment institution).
  • Netlify: website hosting for datuma.co.uk.

Each partner operates under appropriate data processing agreements. See /subprocessors for the current sub-processor list.

Cookies

datuma.co.uk uses a minimal set of cookies. We do not set third-party tracking or advertising cookies. Any cookies used are strictly essential for the site and demo form to function.

Your rights

Under UK and EU data protection law, you have the following rights in relation to personal data we hold about you:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to data portability
  • Right to object to processing
  • Right to restrict processing

To exercise any of these rights, email support@datuma.co.uk.

Legal basis for processing

  • Free demo: legitimate interest in evaluating the product on data you have chosen to upload, together with your request to run the demo.
  • Contact data enrichment: legitimate interest in helping business customers maintain accurate business contact data, balanced against the rights and reasonable expectations of the individuals concerned. Individuals can object to this processing at any time using the contact details below.
  • Paying clients: performance of the contract set out in the Datuma Client Agreement.
  • Website operation and security: legitimate interest in running a secure, functioning site.

International transfers

Where personal data is transferred outside the UK or the European Economic Area, transfers take place under EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) supplemented by a UK International Data Transfer Addendum. Our enrichment API provider operates under these mechanisms as part of its Data Processing Addendum with Datuma.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page shows when it last changed. Material changes will be reflected here before they take effect.

Contact

For any privacy or data protection query, email support@datuma.co.uk.