Support | Sign in

Data Processing Transparency Statement

This document was last updated on 12/05/2025.

Contact State Ltd provides technology services to insurance and finance providers and their intermediary partners (together referred to as "providers"), and to the operators of marketing websites ("marketing sites") where individuals register interest in such products and services.

When we provide services to these organisations, we act solely as a data processor, processing personal data on their behalf. This statement explains what data we process in this role, and the measures we take to protect it.

Our Role as a Data Processor

When marketing sites or providers use our platform to validate, manage, or route lead data, we process personal data strictly under their instruction. We do not determine the purpose or means of processing and do not retain, reuse, or access this data for our own purposes.

In legal terms, the marketing site or provider is the data controller, and Contact State Ltd is a data processor.

The marketing site is responsible for informing individuals (data subjects) about the processing of their data via its privacy notice. The provider is similarly responsible for their use of data once it has been received.

Categories of Personal Data We Process on Behalf of Our Customers

In our role as processor, we may process the following categories of personal data:

  • Full name and contact details submitted via marketing forms
  • IP address and browser metadata
  • Device characteristics and usage patterns
  • Referrer and interaction data
  • Time and date of submission

This data is handled solely for the purpose of providing validation, routing, and certification services to our customers.

Subprocessors

We use a limited number of subprocessors to help us provide our services. Each subprocessor is contractually bound to meet our security and privacy standards and may only process data in accordance with our instructions.

A full list of our subprocessors can be found here.

Security Measures

We implement appropriate technical and organisational measures to ensure data is processed securely and in compliance with UK GDPR. These include:

  • Encryption in transit and at rest
  • Access control and role-based permissions
  • Secure coding and deployment practices
  • Regular security testing and audit logging
  • Employee training and confidentiality agreements

International Data Transfers

Some of our subprocessors are located outside the UK and EEA. When personal data is transferred internationally, we ensure adequate protection through:

  • The UK Addendum to the EU Standard Contractual Clauses (SCCs)
  • Additional technical safeguards such as encryption

Copies of these transfer mechanisms are available upon request.

Data Retention

We retain personal data only as long as instructed by our customers. Typically, raw data is retained only as long as necessary for validation and transmission, after which it is deleted or encrypted in accordance with our data retention policy and customer instructions.

Your Rights

If you submitted data via a marketing site or provider, your rights (such as access or erasure) are managed by the data controller — typically the website operator or provider you interacted with.

We do not hold contact details or identifiers that allow us to identify or communicate with individuals directly. Please contact the relevant marketing site or provider if you wish to exercise your rights under data protection law.

Summary

  • We act as a data processor, not a controller, for most of the data we handle.
  • We do not use raw personal data for our own purposes.
  • We use subprocessors who meet UK GDPR standards.
  • We protect personal data through encryption, minimisation, and secure access controls.

Contact Us

If you're a customer or have questions about our data processor responsibilities, contact us at:

Contact State Ltd
22 Bishopsgate
London, EC2N 4BQ
United Kingdom
📧 support@contactstate.com