StoreRadar

Data Processing Addendum

Standard terms governing how business contact data is shared between StoreRadar Limited and a customer who purchases a matched list. No signature is required. Placing an order after the date below constitutes acceptance. A countersigned copy is available on request to legal@storeradar.co.

Last updated: 8 July 2026

Data Processing Addendum

This addendum forms part of the Terms of Service between StoreRadar Limited ("StoreRadar", "we") and the customer purchasing a matched list ("Customer", "you"). It exists to answer the GDPR questions a buyer's compliance team usually has before approving the purchase.

Summary: StoreRadar processes business contact data as an independent controller, not as the Customer's processor. StoreRadar collects the data on its own legal basis before any order is placed. On delivery, the Customer becomes an independent controller of the data it receives, for its own subsequent use. Section 1 defines this relationship.

1. Relationship of the parties

StoreRadar is an independent data controller for the business contact data it aggregates. StoreRadar's processing is carried out on the basis of legitimate interests under UK/EU GDPR Article 6(1)(f). StoreRadar does not process this data on the Customer's instructions and is therefore not a processor under Article 28.

On purchase, StoreRadar transfers a defined extract of that data to the Customer. From that point, the Customer is an independent controller of the data received, for its own outbound purposes as described in Section 4. StoreRadar is not liable for the Customer's subsequent use of the data. The Customer bears that responsibility as its controller, on the same basis as it would for a list assembled by its own personnel.

2. Data StoreRadar shares with you

Each matched-list row may contain, where available:

We do not include personal data unconnected to a business role, and we do not sell consumer data. Full detail on what's collected and why is in the Privacy Policy.

3. Legal basis for StoreRadar's collection

Business contact information is sourced from pages the business itself made public (storefront, contact, about, and legal-disclosure pages), under UK/EU GDPR Article 6(1)(f), legitimate interests. We do not access admin areas, login-gated content, or anything not published by the business itself.

4. Customer's obligations as controller

On receipt of the data, the Customer is responsible as sender for compliant outbound communication under CAN-SPAM, PECR, or the applicable local equivalent, including unsubscribe handling, a physical-address footer, suppression-list management, and honouring opt-outs. StoreRadar provides matched list and contact data only. StoreRadar does not provide an outbound sending tool and is not responsible for how the Customer contacts the businesses on the list.

5. Data subject rights and removal requests

A data subject may request removal at any time by emailing legal@storeradar.co. StoreRadar actions removal requests directly against its own index. If a removal request is sent to the Customer instead of StoreRadar for data StoreRadar supplied, the Customer should forward it to the same address. The Customer is not required to maintain its own suppression logic for StoreRadar's removal obligations under this Section, separate from its own sending obligations under Section 4.

6. Security measures

Data in transit is encrypted using HTTPS/TLS. Access to production systems is restricted to StoreRadar personnel who require it. Card payment data does not touch StoreRadar's servers; it is handled entirely by Stripe. StoreRadar does not currently hold formal certifications such as ISO 27001 or SOC 2. This addendum will be updated if that changes.

7. Sub-processors and data flow

StoreRadar uses the following providers to operate the service. None of them receive card payment data.

8. International transfers

StoreRadar Limited is registered in England & Wales. Where a sub-processor above stores or processes data outside the UK/EEA, transfers rely on that provider's Standard Contractual Clauses or an equivalent adequacy mechanism, consistent with UK/EU GDPR Chapter V.

9. Retention

We retain aggregated business contact data for as long as it remains publicly available and relevant to the service, or until a removal request is honoured. Customer account and order records are retained per the Privacy Policy.

10. Term, liability, and governing law

This addendum runs alongside your StoreRadar order or subscription and ends when it does. Each party is liable for its own compliance with GDPR as an independent controller under this addendum; nothing here creates joint-controller liability between StoreRadar and the Customer. This addendum is governed by the laws of England & Wales, matching the Terms of Service.

11. Contact

Questions from your legal, procurement, or compliance team, or requests for a countersigned copy: legal@storeradar.co. We respond within 5 business days.