Privacy Policy

Last updated: 27 May 2026

This Privacy Policy explains how THEBACKLINE LTD ("Back Line", "we", "us", "our") collects, uses, stores, and protects personal data when you visit our website (backline.co), engage with us as a prospective customer, become a client, or have data processed by us on behalf of a client.

We take privacy seriously. This policy is written in plain English so you can understand exactly what we do with your data.

1. Who We Are

THEBACKLINE LTD is a private limited company registered in England and Wales.

Company number: 17211956

Registered office: 155 College Road, Sandhurst, GU47 0RG, United Kingdom

Contact email: zak@backline.co

Contact phone: +44 7343 055352

We are in the process of registering as a data controller with the Information Commissioner's Office (ICO). Our ICO registration number will be added to this policy once issued.

2. The Two Roles We Play

We process personal data in two distinct capacities. Different rules apply depending on which role we're in.

2.1 As a Data Controller

We are a data controller when we collect and use personal data for our own business purposes. This includes:

Visitors to our website

Prospective customers who book calls with us

Anyone who emails, calls, or messages us

Our clients (the business owners and decision-makers we contract with)

Suppliers, partners, and contractors we work with

2.2 As a Data Processor

We are a data processor when we handle personal data on behalf of our clients — for example, when we manage the messaging, booking follow-up, or reminder systems on behalf of a client's business. In these cases, our client is the controller, and we process data only according to their written instructions.

A separate Data Processing Agreement (DPA) governs our processor relationship with each client. That DPA takes precedence over this policy when we're acting as a processor.

3. The Personal Data We Collect

3.1 Data we collect when you visit our website

IP address

Browser type and device information

Pages visited and time spent

Referring website

Approximate location (city level)

This is collected through cookies and analytics tools (see Section 9 — Cookies).

3.2 Data we collect when you contact us or book a call

Name

Email address

Phone number

Business name and role

Information you provide about your business

Any other information you choose to share

3.3 Data we collect when you become a client

Contact details for you and authorised members of your team

Business details (company number, VAT number, registered address)

Billing and payment information (processed through Stripe — we don't store card details)

Communication preferences

Records of our conversations and meetings

The settings, integrations, and configurations of your Back Line system

3.4 Data we process on behalf of clients

When we deliver services to a client, we may process personal data relating to their customers, including:

Names, contact details, and communication history

Booking history and appointment information

Marketing preferences and consent records

In some cases, special category data (such as health information for aesthetics clinics or dental practices)

All such processing is governed by our Data Processing Agreement with that client. We process this data only on the client's documented instructions and never use it for our own purposes.

4. Why We Use Your Data and Our Legal Basis

Under UK GDPR, we must have a lawful basis for processing personal data. Here's what we do and why:

What we use data forLegal basisResponding to enquiries and providing informationLegitimate interests (business communication)Delivering services to clientsContract (performance of a contract)Sending invoices and processing paymentsContract / legal obligationMarketing emails to clients and prospects who opted inConsent or legitimate interests (existing customers)Improving our website and servicesLegitimate interestsComplying with tax and regulatory obligationsLegal obligationDefending or pursuing legal claimsLegitimate interests / legal obligation

You have the right to object to processing based on legitimate interests at any time (see Section 8).

5. Who We Share Data With

We do not sell personal data. We only share it with:

5.1 Service providers

We use a limited number of trusted third-party tools to run our business. Each is bound by contractual confidentiality and data protection obligations.

These include (current list):

Google Workspace — email, document storage, calendar

Stripe — payment processing

Calendly — appointment booking

Supabase — secure database hosting

Vercel / Framer — website hosting

n8n / Zapier — workflow automation

Anthropic (Claude API) — AI processing for messaging automations

Twilio — SMS and voice services

Meta (WhatsApp Business, Instagram) — messaging integrations

Google Analytics — website analytics (with anonymised IP)

The current full list of subprocessors used in delivering services to clients is maintained separately and provided in our Data Processing Agreement.

5.2 Professional advisers

Accountants

Solicitors

Auditors

Only when reasonably required and bound by confidentiality.

5.3 Legal and regulatory requirements

We may disclose personal data when required by law, court order, or to a regulator such as the ICO.

5.4 Business transfers

If Back Line is acquired or merges with another business, personal data may be transferred as part of that transaction. You will be notified of any such change.

6. International Data Transfers

Some of our service providers are based outside the UK and EEA, including the United States. When personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

The UK International Data Transfer Agreement (IDTA) or UK Addendum

EU Standard Contractual Clauses

Adequacy decisions where applicable

You can request copies of these safeguards by emailing zak@backline.co.

7. How Long We Keep Data

We retain personal data only as long as necessary for the purposes set out in this policy or as required by law.

Type of dataRetention periodWebsite analytics26 monthsProspect enquiry data (no contract)24 months from last contactClient data (during contract)Duration of contractClient data (after contract ends)6 years (UK statutory record-keeping for contracts and tax)Marketing consent recordsUntil consent is withdrawn, plus 12 monthsFinancial and tax records6 years (HMRC requirement)Data processed on behalf of clientsPer the client's DPA — typically deleted within 30 days of contract end

When retention periods expire, data is securely deleted or anonymised.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of access — request a copy of the data we hold about you

Right to rectification — correct inaccurate or incomplete data

Right to erasure — request deletion of your data (subject to legal exceptions)

Right to restrict processing — limit how we use your data

Right to data portability — receive your data in a structured, machine-readable format

Right to object — to processing based on legitimate interests or for direct marketing

Right to withdraw consent — where consent is our lawful basis

Right to lodge a complaint — with the Information Commissioner's Office (ICO)

To exercise any of these rights, email zak@backline.co. We will respond within one calendar month.

If you're unhappy with how we've handled your data, you can complain to the ICO:

Website: ico.org.uk

Phone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We'd appreciate the chance to address your concerns first before you contact the ICO.

9. Cookies and Tracking

Our website uses cookies and similar technologies. There are three categories:

9.1 Essential cookies

Required for the website to function. Cannot be turned off.

9.2 Analytics cookies

Help us understand how visitors use the site. We use Google Analytics with IP anonymisation enabled.

9.3 Marketing cookies

We currently do not use marketing or advertising cookies. If we add them in the future, we will request your consent through a cookie banner.

You can manage cookies through your browser settings. Disabling certain cookies may affect site functionality.

10. Security

We use industry-standard technical and organisational measures to protect personal data, including:

Encrypted data storage (at rest and in transit using TLS 1.2+)

Multi-factor authentication on all internal systems

Role-based access controls

Regular software updates and patching

Secure password management (no shared credentials)

Vendor security review before adding new tools

Incident response plan for any suspected data breach

Regular review of access logs

We will notify the ICO within 72 hours of any data breach that is likely to result in risk to individuals' rights and freedoms, in accordance with UK GDPR.

11. Special Category Data

Some of our clients (such as aesthetics clinics, dental practices, or wellness providers) handle health data, which is "special category data" under UK GDPR.

When we process special category data on behalf of clients, additional safeguards apply:

Explicit contractual instructions in the DPA

Encryption at rest and in transit

Restricted access (only authorised Back Line personnel)

Audit trail logging for all access

The client remains the data controller and is responsible for obtaining lawful basis from data subjects

We do not collect or process special category data about you when you visit our website or contact us as a prospect.

12. Marketing Communications

If you opt in to receive marketing communications from us (newsletters, case studies, updates), we will only send what you've consented to. Every marketing email contains an unsubscribe link.

If you are an existing client, we may send service-related communications under the "soft opt-in" provision (the PECR exception for existing customers receiving information about similar services). You can opt out at any time.

We never share your contact details with third parties for their own marketing purposes.

13. Children's Data

Our services are not directed at children under 18. We do not knowingly collect data from anyone under 18. If we become aware that we have done so, we will delete the data promptly.

14. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of the policy will reflect the most recent change.

If we make material changes, we will notify affected parties — typically by email for clients, and through a notice on our website for general visitors.

Previous versions are available on request.

15. Contact Us

Questions, requests, or concerns about this policy or how we handle your data:

Email: zak@backline.co

Phone: +44 7343 055352

Post: 155 College Road, Sandhurst, GU47 0RG, United Kingdom

Company number: 17211956