Stay Upstream Privacy Policy

1. Introduction and general terms

This policy covers services provided by Stay Upstream Limited (“Upstream”, “we”, “us” or “our” in this policy). Upstream’s business is to provide businesses with an online database of companies, together with their business contacts and other relevant information.

If you have any questions or comments about this privacy policy please contact us at:

Stay Upstream Limited, 3.02 Clerkenwell Workshops, 27-31 Clerkenwell Close, London EC1R 0AT

Telephone: +44 (0)20 3861 4459


Upstream is registered with the Information Commissioner’s Office under registration reference ZA247174.

Upstream is committed to protecting and respecting your privacy. This policy explains the basis on which personal information we collect from you will be processed by us. Where we decide the purpose or means for which personal data supplied by you is processed, we are the “data controller.” We will comply with all applicable data protection laws, including the General Data Protection Regulation 2016/679.

This policy explains the following:

  • What personal information we may collect about you;
  • Grounds for processing;
  • Who we share your information with;
  • How we will use that information;
  • Who we may disclose that information to; and
  • Your rights regarding the information.

2. WHY WE COLLECT YOUR INFORMATION?

We provide our clients (ie subscribers) with an online database of companies and associated contact details helping them connect and ultimately build relationships with businesses they are interested in working with in a more effective manner. You and others may post information about yourself online and we collect such publicly available information. If you are a contact in a business that we believe is likely to benefit from using services of our clients, we may collect and process personal data on you as part of efforts to sell, promote and market these services to you.

3. What information will UPSTREAM collect about me?

We collect and process the following information which may include your personal data.

The majority of the personal information we collect about you comes from publicly available online information. This may include your name, gender, address, telephone number (direct and mobile), e-mail address and job title. We may also collect information on the phone or face to face.

All data collected and processed by Upstream is ‘corporate’ or ‘business to business’ data.

We may also collect technical information about your computer and/or device that may identify you, including your IP address and behaviour when you receive emails (e.g. whether you read the email, open it and forward it on to third recipients). We generally collect this from cookies.


  • Consent

On some occasions, Upstream processes your data with your consent. You have the right to withdraw consent at any time. Where consent is the only legal basis for processing, we will cease to process data after consent is withdrawn.

  • Legitimate interest

Generally, Upstream processes your personal information when it is our legitimate interest to do so and when these interests are not overridden by your data protection rights. As applicable, we will use information about you for delivering, selling and supplying our goods and services to our customers, understanding our customers’ behaviour, activities, preferences, and needs, promoting, marketing and advertising our products and services, improving existing products and services and developing new products and services, responding to enquiries and contacting you about matters requiring your attention. We may use third parties to assist us with this.

  • Necessary to fulfil a contract

Upstream may process your data when we need to do this to fulfil a contract with you.

  • Necessary because of a legal obligation

Upstream may process your data to comply with our legal and regulatory obligations, e.g. preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies.

5. Data Sharing

We will share your information with the following:

  • Our companies

Access to personal information within Upstream and our group of companies is restricted to those individuals who have a need to access the information for our business purposes.

  • Suppliers, subcontractors

We keep your information confidential, but may disclose it to suppliers or subcontractors insofar as it is reasonably necessary for the purposes set out in this privacy policy. However, this is on the basis that they have agreed to safeguard this information.

  • Our service providers

This includes external third-party service providers, such as accountants, auditors, experts, lawyers and other outside professional advisors; IT systems, support and hosting service providers; technical engineers; data storage and cloud providers and similar third-party vendors and outsourced service providers that assist us in carrying out business activities.

  • Other third parties

We may share personal information with other third parties namely subscribers to our database. We do this because we believe that by doing so, you are more likely to receive relevant business introductions that will be of interest to you in a corporate capacity. This will ensure you are less likely to receive irrelevant introductions, sent in the wrong way at the wrong time.

We are committed to real transparency about this element of our data processing, so may speak to you about it on the phone or send you an email explaining/confirming that we are processing your personal data and it will be shared with third parties.

We are committed to giving you the opportunity to ask for us not to disclose your information to these third parties. If you object, please tell us on the phone, reply to an email we’ve sent you or write to us at the address above.

  • Government authorities

In addition, we may disclose your information to the extent that we are required to do so by law (which may include to government bodies and law enforcement agencies); in connection with any legal proceedings or prospective legal proceedings; and in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention).

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via email, account message and/or a prominent notice on our website of any change in ownership or uses of this information, as well as any choices you may have regarding this information.

6. How we will use information we collect about you and who will we share it with

We will use information about you for delivering, selling and supplying our goods and services to our customers, understanding our customers’ behaviour, activities, preferences, and needs, promoting, marketing and advertising our products and services, improving existing products and services and developing new products and services, responding to enquiries and contacting you about matters requiring your attention. We may use third parties to assist us with this.

We process personal data to comply with our necessary legal and regulatory obligations. These include preventing, investigating and detecting crime, fraud or anti-social behaviour and prosecuting offenders, including working with law enforcement agencies.

We use various forms of marketing to provide you with promotional materials about our services, as well as the services of other companies in our group of companies. We may use third-party providers to assist us with this.

We will not process your information for the purposes of marketing unless you give your consent or you have given it already.

We process information to understand how visitors use our website and to compile statistical reports regarding that activity.

For these activities, we use an online customer management system called Intercom. Please consult their privacy policies for more information at

This processing is necessary for us to pursue our legitimate interests of improving our services, and providing a better and more personalised experience to our users. We may use third party analytics providers.

7. Consumer Control & Opt-Out Options

If you do not wish to receive promotional or other marketing material from us please contact us using the above contact details.

8. Your rights in relation to personal data which we process relating to you

You have the following rights over the way we process personal data relating to you.  We aim to comply without undue delay, and within one month at the latest.

To make a request, please contact us using the above contact details, addressed to the contact above.

Ask for a copy of data we are processing about you and have inaccuracies corrected

You have the right to request a copy of the personal information we hold about you and to have any inaccuracies corrected.

We will use reasonable efforts to the extent required by law to supply, correct or delete personal information held about you on our files (and with any third parties to whom it has been disclosed).

Object to us processing data about you

You can ask us to restrict, stop processing, or to delete your personal data if:

  • you ask us to stop processing your information;
  • you consented to Upstream processing the personal data, and have withdrawn that consent;
  • Upstream no longer needs to process that personal data for the reason it was collected;
  • Upstream is processing that personal data because it is in the public interest or it is in order to pursue a legitimate interest of Upstream, you don’t agree with that processing, and there is no overriding legitimate interest for us to continue processing it;
  • the personal data was unlawfully processed; or
  • you need the personal data to be deleted in order to comply with a legal obligation.

Obtain a machine-readable copy of your personal data, which you can use with another service provider

  • If we are processing data in order to perform our obligations to you, or because you consented, if that processing is carried out by automated means, we will help you to move, copy or transfer your personal data to other IT systems.
  • If you request, Upstream will supply you with the relevant personal data in CSV format.  Where it is technically feasible, you can ask us to send this information directly to another IT system provider if you prefer.

Make a complaint to a Supervisory Authority

  • If you are unhappy with the way we are processing your personal data, please let us know.

If you do not agree with the way we have processed your data or responded to your concerns, you have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, are available at

9. Data Retention

We review the personal data that we store on a cycle of 90-120 days. If the data is still correct, we will keep it. If it is out of date, we will remove it. We typically retain your data for ten years from your last transaction with us to satisfy our regulatory obligations. Please note that Upstream reserves the right to remove from our database any data which includes any content that we consider to be illegal or offensive.

10. Children

We do not knowingly solicit data from or market to children under the age of 18.  If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at the above details. We will delete such information from our files within a reasonable time.

11. Security

Upstream is committed to keeping your personal data safe and secure from unauthorised access to, or unauthorised alteration, disclosure or destruction of, information that we hold. We will take all reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.

Our security measures include:

  • Hashing and encryption of our services and data;
  • Regular review of information collection;
  • Encryption of our services and data;
  • Restricted access of data to employees, contractors and agents; and
  • Internal policies setting out our data security.

Please be aware that, although we endeavour to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches.

12. Changes

We will notify you of any changes to this policy by email, notice on the website or account message.

13. International Data Transfers

Your Personal Information which you supply to us is generally stored and kept inside the European Economic Area, however due to the nature of our global business and the technologies required, your Personal Information may be transferred to third party service providers outside the EEA, in countries where there may be a lower legal level of data protection.

Where we transfer your data outside of the EEA, we transfer the minimum amount of data necessary, anonymise it where possible and we have agreements in place with those parties which include standard data protection clauses to ensure that appropriate safeguards are in place to protect your personal data in accordance with this Privacy Policy and the European levels of data protection.  If you would like to find out more about these safeguards, please contact us.

Last updated: May 2018

GDPR: ICO Brings Clarity to ‘Legitimate Interests’

By Yusef Sanei

GDPR is the acronym on everyone’s lips. With the implementation date of the regulations less than 2 months away, we are reminded of its importance on a daily basis, from Cambridge Analytica scandals to new academic fields around data ethics and Elizabeth Denham’s warning last week around the dangers of Artificial Intelligence and data.

GDPR is, quite rightly, permeating our social discourse, which is why we wanted to provide you with a simple overview of the recent update from the Information Commissioner’s Office (ICO) around the most relevant of the six lawful bases for B2B: Legitimate Interests.

Legitimate Interest gives businesses a certain flexibility or room for movement within the regulations. This is for several key reasons:

  • It does not impact individual privacy significantly
  • Individuals can reasonably expect businesses to target them
  • Due to the individual expecting a business to contact them, businesses do not need to hassle the individual with consent request after consent request

This being said, the legitimate interest clause shouldn’t be used as a flexible and default approach to your targeting. The specific context and reason for contact still need to remain appropriate. This, however, is in my opinion a blessing rather than a curse – it simply means you have to make sure your targeting is correct, which will ultimately have a beneficial impact on your business.

The disadvantage of this is that you will have to guarantee and make clear the reason why you are contacting someone, which can increase business workload, but again, you should have been doing this anyway as best practice.

The legislation around legitimate interests is dense, but as a general rule of thumb, consider these factors and all should be well:

  • Will the person I’m contacting expect me to contact them?
  • Will the person I’m contacting consider my marketing message a nuisance or does it have relevance?
  • Could the frequency of my communication have a negative effect on vulnerable individuals?
    • For example, if my company is having financial difficulties and I am frequently targeted by high interest loan companies I could be coerced to take a loan due to my vulnerable state.
  • Have I informed the individual that they have the right to object to me targeting them (Opt-outs)? If they do opt-out, then you cannot legitimately contact them.

If you ask yourself these questions, especially within the business to business setting, then it is very likely that the majority of your targeting and processing will come under the base of legitimate interest.

Still have questions about GDPR? Feel free to call or email now and we can show you how Stay Upstream can get you ready and raring to go ahead of 25th May.

Email or call Chris Finnegan – / 0203 861 4459


Please note that this article is written from the writer’s point of view. The information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts if you would like further clarification.



GDPR: Top Five Questions Answered

By Yusef Sanei

With #DeleteFacebook erupting throughout the Twittersphere due to the Cambridge Analytica scandal, data and data transparency have been dragged into the spotlight. Data is personal, political and profitable, which makes the impending GDPR implementation more relevant than ever.

Over the past year or so, much of the GDPR coverage has been scaremongering sensationalism, focusing almost entirely around the hefty fines that businesses could potentially be made to pay. The Cambridge Analytica scandal that is still unfolding before us highlights that data, and indeed GDPR, is not the product of an overly bureaucratised European Union that is consumed by tangling us in a web of regulations. Rather, those regulations are in place to ensure the protection of the individual and the business.

That being said, GDPR is complex and still raises many questions. In light of this we have compiled a list of the most common questions we get asked on a daily basis, in an attempt to bring some clarity to the situation.

Are B2B email addresses considered personal data?

The short answer to this is both Yes and No. Any B2C data, or email addresses of sole traders, under the ICO’s Direct Marketing Checklist, are considered personal data. Upstream only holds personal business emails (B2B email addresses), which can still be marketed to under the new GDPR changes, however, must be contacted with “legitimate interest” and given a clear opt-out.

Article 6(1)(f) gives you a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Will GDPR stop me from telemarketing?

Again, the answer is as above. Keep your calling focused and most of all relevant. You can use the legitimate interest reasoning to have a lawful basis to call someone, but it is being advised that you give contacts an opt-out option when calling. Something as simple as, “Would you mind if I contact you again in the future?”, will help with this, just be sure to record all previous conversations and make it clear where people no longer want to be contacted again.

With Brexit, we don’t need to worry about GDPR as we live in the UK and contact UK companies?

The UK Government themselves have confirmed that GDPR will still apply to the UK even after Brexit. After Brexit, there may be one or two changes to the current GDPR legislation, however, the guidelines set out by GDPR and the new ePrivacy Regulation will be used as a tight guideline for the UK, so do not expect anything to change anytime soon!

Even if we don’t comply, does it really matter? These are surely only guidelines, not actual laws.

Just to be clear, GDPR is being set out as a legal requirement for anyone processing data within Europe. Failure to meet these requirements can be met with hefty fines of up to 4% of the company’s worldwide turnover or €20 million (whichever is greater). In the UK, the ICO (Information Commissioner’s Office) will be in charge of issuing any fines.

Does GDPR mean I need to delete all of the current contacts in my database/CRM?

Wetherspoons may have deleted their entire database, but you don’t have to! What will be paramount, is to ensure your database is as accurate and up to date as possible. This means going through all of your records and ensuring that they are not only correct but making sure it is everyone’s responsibility in your organisation to keep these up to date going forward. The only time you will need to delete a contact is when they request to do so, under Article 17 of GDPR which gives everyone the right to be forgotten.

Do all of our contacts have to opt-in?

Whilst it is best practice to have your contacts already opted in, Article 6 means that any direct marketing does not have to be consent based. However, if you are using GDPR’s own terminology of ‘legitimate interest’ to market directly to contacts, be sure to make sure that your messaging is relevant to the recipient, has a clear opt-out from further communications and that you then record specifically the outcome of the communication e.g. the time/date of their opt out if they requested.

We hope this sheds light on some of your concerns and highlights that GDPR is not the doomsday some would suggest but rather a reminder to all businesses to implement best practice. If there is one thing we should take away from this week’s events concerning Cambridge Analytica, it’s that data regulations should be taken seriously and businesses, irrespective of size, should ensure they follow these necessary regulations for the protection of themselves and the individual.

Still have questions about GDPR? Feel free to call or email now and we can show you how Stay Upstream can get you ready and raring to go ahead of 25th May.
Email or call Chris Finnegan – / 0203 861 4459

Please note that this article is written from the writer’s point of view. The information herein does not replace qualified legal advice, and should not be taken as such. Please consult with legal experts if you would like further clarification.


Movers and Shakers

It’s hard to keep track of all the changes and the latest Movers & Shakers. Each week, our team at Upstream provide a round up of the new appointments to help you stay ahead.

Here are this week’s Movers and Shakers we recommend that you keep an eye on:

Jess Christie, former Director of PR & Communications at Matches Fashion, has been promoted. She has taken on her new role as Chief Brand Officer. One of her biggest projects this year will be the launch of 5 Carlos Place, the brand’s new space in Mayfair.

Aston Martin has promoted Gerhard Fourie from Director of Brand Strategy to Director of Marketing and Brand Strategy. His new role will include the added responsibility for global marketing, CRM and launch planning.

Kara Keough has been promoted at JLL (Jones Lang LaSalle). She has moved from Director of Brand and Campaign Strategy to her new role of Global Marketing Director, Brand.

Shane Hoyne has left Bacardi where he was Chief Marketing Officer- Europe. He has moved to Quintessential Brands where he has taken the same role as Chief Marketing Officer.

Former Marketing Director of Topman, Jason Griffiths has been promoted to Group Brand Communications Director of Arcadia Group.

Harvey Nichols have appointed Deborah Bee as their new Group Marketing and Creative Director. She has left Eco-Age where she was formerly Brand Director.

If you would like to keep up to date on the latest movers & shakers as they happen each day, then you can stay ahead with our data and insight platform Stay Upstream. Click here to find out more.