Privacy Policy

Last updated: 13 May 2026

1. About this policy

This Privacy Policy explains how Globally Outsourced Marketing Ltd, trading as EDERA Lab ("EDERA Lab", "we", "us", "our"), collects and uses personal data when you visit our website at www.ederalab.com (the "Website"), submit an enquiry, download our gated content, or otherwise interact with us through the Website.

We are the data controller for the personal data described in this policy. This means we decide why and how your personal data is processed.

Our details are:

Company name: Globally Outsourced Marketing Ltd (trading as EDERA Lab)
Registered office: International House, 36-38 Cornhill, London, EC3V 3NG, United Kingdom
Company number: 11670012 (registered in England & Wales)
VAT number: 325044043
ICO registration number: ZA748092
Contact email:hello@ederalab.com
Person responsible for data protection matters: Bogdan Marinescu, Co-founder and Managing Director, contactable via hello@ederalab.com

If you have a question about how we handle your personal data, want to exercise any of the rights described in this policy, or wish to make a complaint, please contact us at hello@ederalab.com.

2. The law that applies

We process personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). Where we process personal data of individuals located in the European Economic Area, we also comply with the EU General Data Protection Regulation ("EU GDPR").

3. The personal data we collect

We collect personal data in the following ways:

Information you give us directly when you use the Website:

When you complete the contact form, we collect the information you provide, which typically includes your name, business email address, the name of your organisation, and the content of your message.
When you complete a form to download a whitepaper or industry report ("gated content"), we collect your name, business email address, organisation name, role, and (where you choose to provide it) your phone number. A separate privacy notice on the download page describes how we handle this data; please read it alongside this policy.
When you sign up to our email newsletter (if and when we make this available), we collect your name and email address, and a record of your consent.

Information we collect automatically when you visit the Website:

Technical data, including your IP address, browser type and version, operating system, device type, and approximate location (derived from your IP address).
Usage data, including the pages you visit, how you arrived at the Website, the time and duration of your visit, and the actions you take on the Website.
Cookie and similar tracking data, as described in our Cookie Policy.

We do not knowingly collect personal data from children. The Website is intended for use by businesses and is not directed at individuals under the age of 18.

We do not obtain personal data about you from third-party sources or data brokers. All personal data we hold about you has been provided directly by you or generated through your interaction with the Website.

4. Why we use your personal data and the lawful basis for doing so

We use your personal data only for the purposes described below, and only where we have a lawful basis under Article 6 of the UK GDPR.

Purpose

Lawful basis

Purpose To respond to your enquiry submitted via the contact form, and to follow up with you about how we might support your business

Lawful basis Legitimate interests: our interest in responding to business enquiries and developing client relationships, balanced against your interests and reasonable expectations as someone who has contacted us

Purpose To deliver the gated content you have requested and to follow up with you about how EDERA Lab might support your business

Lawful basis Legitimate interests: our interest in offering relevant services to individuals who have shown interest in our subject-matter expertise, balanced against your interests and reasonable expectations

Purpose To send you marketing emails about our services, insights, and content, only where you have actively opted in

Lawful basis Consent under Article 6(1)(a) UK GDPR and Regulation 22 PECR

Purpose To operate, secure, and improve the Website, including through analytics

Lawful basis Consent for non-essential cookies. Legitimate interests in maintaining the security and integrity of the Website for cookies that are strictly necessary. See our Cookie Policy.

Purpose To comply with our legal, regulatory, and tax obligations

Lawful basis Legal obligation under Article 6(1)(c) UK GDPR

Purpose To establish, exercise, or defend legal claims

Lawful basis Legitimate interests in protecting our legal position

Where we rely on legitimate interests, we have carried out a balancing assessment to confirm that our interests are not overridden by your interests, rights, or freedoms. You can ask us for further information about this assessment by emailing hello@ederalab.com.

5. Marketing communications

We will only send you marketing emails if you have given us your active, informed consent, for example, by ticking an unticked consent box when you download gated content or sign up to our newsletter.

You can withdraw your consent at any time, free of charge, by:

clicking the "unsubscribe" link in any marketing email we send you; or
emailing us at hello@ederalab.com.

Withdrawing your consent does not affect the lawfulness of any processing we carried out before you withdrew it. It also does not stop us from contacting you in response to enquiries you make, to deliver content you have requested, or for non-marketing purposes (for example, in connection with a service we are providing to your organisation).

6. Who we share your personal data with

We do not sell your personal data, and we do not share it with third parties for their own marketing purposes.

We share your personal data only with the following categories of recipient:

Service providers acting as our processors, who process personal data on our behalf and under our instructions. The main service providers relevant to your use of the Website are:
- Squarespace, Inc.: our website hosting provider.
- HubSpot, Inc.: our customer relationship management ("CRM") and (in future) email marketing platform.
- Google LLC: provider of Google Analytics 4 and Google Workspace (which we use for our business email).
Professional advisers (such as lawyers and accountants) where necessary for the management of our business and the exercise or defence of legal claims.
Regulators, law enforcement, and other public authorities where we are legally required to disclose personal data.
Prospective buyers and their advisers in the event of a sale, merger, or reorganisation of our business, subject to appropriate confidentiality protections.

Where we use processors, we have entered into written data processing agreements with them under Article 28 UK GDPR, requiring them to process your personal data only on our instructions, to apply appropriate security measures, and to assist us in meeting our obligations to you.

7. International transfers of personal data

Some of our service providers are based outside the United Kingdom, including in the United States. When we transfer your personal data to a country outside the UK, we rely on one of the following safeguards under Article 46 UK GDPR:

The UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge"), where the recipient is a US-based organisation that is certified under the framework. Squarespace, Inc., HubSpot, Inc., and Google LLC are all currently certified under this framework.
The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where no adequacy mechanism applies. In those cases, we also carry out a transfer risk assessment.

You can ask us for a copy of the safeguards we rely on for a specific transfer by emailing hello@ederalab.com.

8. How long we keep your personal data

We keep your personal data only for as long as we need it for the purposes set out in this policy. Our standard retention periods are:

Type of data
Retention period

      Type of data
      Contact form enquiries that do not lead to a client engagement
    
      Retention period
      24 months from the date of last meaningful contact, after which the data is deleted or anonymised
    
      Type of data
      Gated content download records, where the individual did not opt in to marketing and did not become a client
    
      Retention period
      24 months from the date of download
    
      Type of data
      Newsletter subscriber data, when the newsletter is live
    
      Retention period
      For as long as your consent remains current. We will re-confirm or delete after 24 months of no engagement, meaning no opens or clicks
    
      Type of data
      Personal data of individuals connected with our clients, where it was collected via the Website and later formed part of a client engagement
    
      Retention period
      For the duration of the engagement, plus 6 years afterwards, in line with the statutory limitation period for contract claims under the Limitation Act 1980
    
      Type of data
      Google Analytics 4 data
    
      Retention period
      14 months
    
      Type of data
      Website server logs
    
      Retention period
      12 months

We may retain your data for longer where we are legally required to do so, or where it is necessary to establish, exercise, or defend legal claims.

9. How we keep your personal data secure

We have put in place appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, and disclosure. These measures include access controls on our systems, encryption in transit, and staff training on data protection.

We also require our service providers to apply appropriate security measures when they process personal data on our behalf.

No method of transmission over the internet is entirely secure, so while we do our best to protect your personal data, we cannot guarantee its absolute security.

10. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

Right of access: to ask for a copy of the personal data we hold about you.
Right to rectification: to ask us to correct personal data that is inaccurate or incomplete.
Right to erasure: to ask us to delete your personal data in certain circumstances.
Right to restrict processing: to ask us to suspend the processing of your personal data in certain circumstances.
Right to data portability: to ask us to provide certain personal data to you, or to another controller, in a structured, commonly used, and machine-readable format.
Right to object: to object to our processing of your personal data where we rely on legitimate interests, including for direct marketing purposes.
Right to withdraw consent: where we rely on your consent, you can withdraw it at any time.
Right not to be subject to automated decision-making: we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, please email hello@ederalab.com. We will respond within one month of your request. There is normally no charge for exercising your rights, but we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

11. Your right to complain

If you are unhappy with how we have handled your personal data, please contact us first at hello@ederalab.com so that we can try to resolve the issue.

You also have the right to lodge a complaint with a supervisory authority:

In the United Kingdom: the Information Commissioner's Office ("ICO"), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Telephone: 0303 123 1113. Website: ico.org.uk.
In the European Economic Area: the supervisory authority of the EU/EEA member state where you live, work, or where the alleged infringement took place. A list of authorities is available at edpb.europa.eu.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by another means (for example, by email or a notice on the Website).

We encourage you to review this policy periodically to stay informed about how we handle your personal data.