1. Introduction

NullReach is a lead intelligence product operated by UseCodify Ltd. NullReach provides hand-curated business leads and outreach tools to agencies, freelancers and sales teams. This policy explains what personal data we collect, how we use it, how we protect it, retention practices, your rights, and how to contact us.

NullReach currently focuses on businesses that do not have a website. We manually source and verify leads today; we plan to add AI-driven enrichment and automated collection tools in the future. Any new automated collection will be documented and audited for legal compliance before launch.

2. Scope and legal framework

This policy applies to all personal data processed through the NullReach website, platform, forms, support channels and exported data. We process personal data under applicable law including the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, PECR and comparable international privacy laws. Where local law provides greater protection, we will apply local law.

3. What we collect

A. Lead / Business data (collected and verified by NullReach)

• Business name and trading name
• Business address and geolocation where available
• Business phone number and business email
• Public Google Business Profile, website and public directory links
• Public social media links (when available)
• Business category / service match tags and non-sensitive descriptive notes
• Verification metadata (verification date, verifier ID, verification status)
• Status flags and per-user flags (Viewed, Contacted, Follow-Up, Favourite)

B. User / Account data (supplied by platform users)

• Full name and professional email address
• Company name, role and country
• Billing name and billing email for invoicing; payment processors store card details separately
• Account activity logs (credits used, leads unlocked, actions taken)
• User notes, tags and private annotations (visible only to the account owner)
• Support correspondence and attachments

C. Technical and analytics data

• IP address, browser and device information, session identifiers, cookie identifiers, usage metrics, error logs

4. How we collect lead data and verify it

Manual curation: A research team locates and verifies leads before adding them to the database. Verification steps and metadata are recorded.

Planned automation: Future AI scraping/enrichment (for example, Google Maps) will be introduced only after legal and platform-terms review and after implementing safeguards and lawful bases.

5. Purposes of processing & lawful bases

We process personal data for the following purposes and legal bases:

• Contract: to operate the service, provide the database, allow lead unlocks, manage accounts and billing.
• Legitimate interest: supplying verified business contact details to our users for outreach and lead generation (see LIA below).
• Consent: for marketing communications where required by law.
• Legal obligations: to comply with legal, tax, and regulatory requirements.

6. Sharing and recipients

We do not sell personal data. Recipients include:

• Processors: hosting providers, payment processors, email delivery and analytics vendors under Data Processing Agreements.
• Customers: when a user exports leads, that exported dataset is delivered to the exporting user who then controls it.
• Legal/Regulatory: where required by law or to prevent fraud or harm.
• Corporate transactions: on sale or merger we may transfer data consistent with this policy.

7. International transfers and safeguards

Data may be transferred or processed outside the EEA/UK. Where transfers occur we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful mechanisms. Contact hello@nullreach.io for details of the safeguards for specific data.

8. Retention

• Lead records: retained while useful to the service; stale or low-quality leads are archived and deleted per our retention schedule (typical archival: 24 months inactivity).
• Account and billing records: retained while account is active and for up to 24 months after termination for legitimate business reasons.
• Logs and security data: retained for monitoring and security (typically 6–24 months).

To request earlier deletion contact hello@nullreach.io.

9. Security measures

We implement safeguards including TLS encryption in transit, secure hosting, role-based access controls, password policies, monitoring, backups and vendor security requirements. We require subprocessors to maintain comparable controls. In case of a notifiable breach we will comply with legal notification requirements.

10. Your rights

Subject to legal limits, you may: access, correct, erase, restrict processing, object to processing, and request portability. Withdraw consent for marketing at any time. To exercise rights contact hello@nullreach.io. We will respond as required by law. You may also lodge a complaint with your supervisory authority.

11. Marketing and anti-spam

Transactional emails (account, billing, security) are necessary to operate the service. Marketing emails and newsletters will include an easy unsubscribe mechanism. Users who export lead data are responsible for complying with local marketing laws (CAN-SPAM, CASL, PECR, etc.).

12. Responsibilities of users who export data

When you export data you become responsible as a data controller for that dataset. You must use exported data lawfully, maintain suppression lists, honor opt-outs and secure exported data. NullReach disclaims liability for misuse of exported datasets.

13. Cookies and tracking

We use cookies for essential functionality, security and analytics. See our Cookie Policy for details. You can control cookies through your browser settings.

14. Children

NullReach is not for children and we do not knowingly collect data from minors.

15. Changes to this policy

We will update this policy as the service evolves. Material changes will be communicated to account holders and posted with a new effective date.

16. Contact

For privacy questions, data requests, or complaints contact us at:
Email: hello@usecodify.com | hello@nullreach.io
Phone: +44 7477 477698
Controller: UseCodify Ltd (NullReach product)

Legitimate Interest Assessment (LIA) — NullReach B2B Leads

This LIA documents the balancing test for processing business contact data under legitimate interest.

1. Purpose: Provide hand-curated business contact details to paying users for lawful B2B outreach.
2. Necessity: Processing business contact details is necessary to deliver the service.
3. Interests: Provide accurate leads, improve product, prevent fraud, and maintain service quality.
4. Scope: Business contact data only; no special category data intentionally collected.
5. Impact: Low to medium; main risk is nuisance marketing or inaccurate data.
6. Safeguards: Manual verification, data minimisation, opt-outs and suppression lists, retention limits, DPAs with processors, security controls.
7. Conclusion: Processing under legitimate interest is appropriate with the safeguards maintained. Reassess if automated scraping or consumer personal data is introduced.

Reviewer: [Compliance Officer name]   Date: [10/08/2025]