Contact Enrichment Policy

Last updated: 28 May 2026

1. What This Page Covers

CompanyPulse offers a bulk discovery API (GET /api/v1/companies/search) that returns UK companies filtered by SIC code, region, and status. For each company in the result we attach publicly available business contact information — typically the business email address, phone number, and a named business contact — together with a per-field confidence score and the source of the data.

This page explains how that enrichment is performed, the legal basis for processing, and how data subjects can request removal.

2. What We Collect

For each company we enrich, we collect from public sources up to:

  • Business email address (e.g. bookings@example.co.uk)
  • Business phone number
  • Named business contact (e.g. a manager or owner who has published their role in a business context on the company website)
  • Website URL

We do not collect residential addresses, personal mobile numbers, dates of birth, or any data marked as personal or private. Where we are unable to confirm that a contact identifier is genuinely business-facing, we do not store it.

3. Where the Data Comes From

  1. Company's own website. We use the Brave Search API to locate a company's official website, then fetch the homepage, /contact, and /about pages. Email addresses appear in mailto: links or contact-page text. Phone numbers appear in tel: links or contact-page text. We respect each site's robots.txt and identify ourselves with the user-agent CompanyPulse-Enricher/1.0 (+https://companypulse.co.uk/bot).
  2. Hunter.io domain search (fallback). When we cannot locate a high-confidence email from the company's own website, we query Hunter.io for the discovered domain. Hunter.io maintains its own sourcing and GDPR practices, which can be reviewed at hunter.io/legal/privacy.

We do not scrape personal profiles on LinkedIn, Facebook, or other social networks. We do not collect data from breached datasets.

4. Confidence Scores

Each enriched field carries a confidence score from 0 to 100, derived from heuristics including: domain match between email and website, presence on the dedicated contact page, validity of email format, presence of an MX record, whether the name matches a current director on the Companies House register, and corroboration by a second source. Consumers of the API should treat any field with confidence below 60 as unverified.

5. Legal Basis (UK GDPR)

Processing relies on Article 6(1)(f) — legitimate interests — namely the legitimate interest of business-to-business (B2B) commerce in enabling reasonable due diligence and outreach between UK businesses, an interest specifically recognised by the Information Commissioner's Office in its guidance on B2B direct marketing.

We have performed a Legitimate Interest Assessment (LIA) covering necessity, balancing, and individual rights. Key conclusions:

  • Data collected is strictly business-facing contact information published by the company itself, or sourced from a B2B contact provider operating to UK GDPR standards.
  • Data subjects (typically corporate role-holders) have a reasonable expectation that business contact information they have themselves published online will be used for business correspondence.
  • We do not enrich, store, or expose sole-trader, self-employed, or partnership data where the business identifier is also a personal identifier (e.g. a sole trader using hername@gmail.com on a personal-name domain).
  • We provide a clear, free, no-questions-asked removal path (see Section 7).

6. PECR and the Soft-Opt-In

The Privacy and Electronic Communications Regulations (PECR) govern unsolicited marketing communications. CompanyPulse does not send marketing to enriched contacts; we provide data to authenticated API consumers under contract. PECR obligations fall to those API consumers, who must independently respect the Corporate Telephone Preference Service (CTPS), the Telephone Preference Service (TPS), and PECR Regulation 22 for email.

7. Removing Your Data

If you would prefer that your company's contact data not appear in our API responses, email privacy@companypulse.co.uk from any address ending in your company's domain (or include another reasonable proof of authority).

Removal is free, no-questions-asked, and applied within 72 hours. Once suppressed:

  • The contact-data fields for the named company are redacted in all subsequent API responses;
  • The enrichment worker will not re-collect contact data for that company even on future automated runs;
  • You may choose to suppress only specific fields (email, phone, or named contact), or all of them.

This is a separate process from our main privacy policy, which covers the statutory Companies House register data we display on company profile pages.

8. Refresh and Retention

  • Contact data is re-verified every 180 days. If a previously discovered website returns a 404, redirect to an unrelated domain, or otherwise indicates the business has ceased, the contact data is removed.
  • Suppression list entries are retained indefinitely to ensure your removal request stays honoured across future enrichment cycles.

9. Your Rights

Under UK GDPR you have the right to access, rectify, object to processing, restrict processing, and erase business-facing data we hold about you in this enrichment dataset. To exercise any right, email privacy@companypulse.co.uk. We respond within one calendar month, typically within 72 hours.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

10. Contact

Privacy enquiries: privacy@companypulse.co.uk

Bot operator: bot@companypulse.co.uk — if you have concerns about our crawl, email here and we will pause crawling your domain within four working hours.