Dynamis Privacy Policy

Last updated: June 2025

1. Introduction

Dynamis (“we”, “our”, “us”) is committed to safeguarding the privacy and security of business and client data. This Privacy Policy explains how we collect, use, share, and protect information when conducting B2B cold-email outreach and when providing consulting services to our clients. By interacting with our outreach campaigns or engaging our services, you consent to the practices described herein.

2. Data Controller

Dynamis
Founder: Jack Gardner
Email: solutions@dynamis-consultancy.com
Registered in the UK

We are the Data Controller for all personal data processed under this policy.

3. Information We Collect

3.1 Cold-Email Outreach Data

When conducting B2B outreach, we collect only business-related contact information, such as:

  • First Name & Last Name

  • Business Email Address

  • Company Name & Website

  • Job Title (if publicly available)

  • AI-Generated Icebreaker (a short sentence used solely for personalization)

We do not collect personal (non-business) email addresses, sensitive personal data (e.g., race, health), or any financial account information in our outreach process.

3.2 Client Engagement Data

When onboarding clients or delivering services, we may collect additional information, including:

  • Client Contact Details: Business email, phone number, billing address, point of contact names.

  • Credentials & Access Information: Usernames, passwords, API keys, OAuth tokens, or other credentials to integrate and automate client systems (e.g., CRM, automation platforms, APIs).

  • Project Details & Specifications: Workflow diagrams, process maps, technical requirements, and any documents shared to scope and deliver our consulting services.

  • Usage Logs & Analytics: Logs of automated workflows, performance metrics, system logs, and reports—necessary for troubleshooting and continual improvement.

Note: All credentials and sensitive access information provided by clients are treated as Confidential Information (see Section 7).

4. How We Collect Information

4.1 Cold-Email Outreach

  • Publicly Available Sources: We use an Apify actor to extract business contact data (names, emails, company websites) from publicly available resources such as LinkedIn, company websites, and Apollo.

  • Website Scrape for Context: We crawl company websites (only their public pages) to collect text snippets for personalizing icebreakers.

4.2 Client Onboarding & Service Delivery

  • Direct Provision: Clients send credentials, workflow diagrams, and requirements via secure channels (e.g., encrypted email, secure file transfer).

  • Forms & Questionnaires: During onboarding, clients complete intake forms that may request business details, system access info, and specific project objectives.

  • In-Person or Virtual Meetings: We may collect notes or recordings from strategy calls or workshops (with explicit client approval).

5. Purposes & Legal Basis for Processing

5.1 Cold-Email Outreach

  • Purpose:

    1. Send personalized, AI-generated cold-email introductions to targeted business roles.

    2. Invite recipients to schedule strategy calls.

    3. Store outreach performance metrics for analytics and optimization.

  • Legal Basis (UK GDPR Art. 6(1)(f)): Legitimate Interest—contacting business professionals at their work email addresses to offer relevant automation services. We have documented a Legitimate Interest Assessment to confirm minimal intrusion and strong relevance.

5.2 Client Engagement & Service Delivery

  • Purpose:

    1. Design, implement, and support automation workflows in client environments.

    2. Manage credentials and access to configure integrations (e.g., Airtable, Smartlead, n8n).

    3. Provide training, documentation, and ongoing advisory services.

    4. Invoice, bill, and maintain client accounts.

  • Legal Basis (UK GDPR Art. 6(1)(b)): Contract Performance—we process client data as necessary to fulfill contractual obligations and deliver agreed-upon services.

6. Data Sharing & Recipients

6.1 Cold-Email Outreach

We do not sell or rent outreach data. We may share limited contact information with:

  • Email Automation Platforms (e.g., Smartlead, Instantly) for sending campaigns and tracking engagement.

  • CRM & Database Providers (e.g., Airtable) for storing enriched lead records.

  • Analytics Tools (e.g., Google Analytics) to measure web traffic from outreach links.

All third-party processors are contractually bound to GDPR compliance and may use the data only for the purposes we specify.

6.2 Client Engagement & Service Delivery

At a client’s request, we may share data with:

  • Third-Party Integrations/Plugins (e.g., Zapier, Make.com, n8n nodes) as necessary to implement workflows.

  • Sub-Processors (e.g., Stripe for payments, cloud hosting providers) under strict confidentiality agreements.

  • Professional Advisors (accountants, legal counsel) when needed for compliance or legal advice.

Note: Any sharing of client credentials or access tokens occurs only with the client’s explicit approval, and these credentials are exclusively used to configure and maintain the client’s automation setup.

7. Safeguarding Sensitive Client Information

7.1 Confidential Treatment

  • All client credentials, including passwords, API keys, and OAuth tokens, are classified as Confidential Information.

  • We store credentials in encrypted vaults within n8n or equivalent secure password managers (with AES-256 or comparable encryption).

  • Access to these credentials is restricted to those team members directly responsible for the client’s configuration and support.

7.2 Secure Transmission

  • Clients must transmit any user credentials or sensitive files over encrypted channels (e.g., PGP-encrypted email, secure file‐transfer services).

  • We never request credentials in plain email or unencrypted chat.

7.3 Internal Access Controls

  • Our internal servers (e.g., self-hosted n8n instance, Airtable workspace) are protected by two-factor authentication (2FA), IP whitelisting (where feasible), and strong password policies.

  • Only authorized personnel (e.g., consultants assigned to a specific project) have access to client credentials.

  • All access attempts are logged, and periodic audits are performed to ensure compliance.

7.4 Retention & Deletion of Client Data

  • Credentials & Access Info: Deleted or revoked immediately upon project completion or at client request.

  • Project Files & Notes: Retained for up to 12 months after the final deliverable, then securely archived or deleted unless the client directs otherwise.

  • Audit Logs: We keep system and access logs for 12 months solely for security monitoring; logs are then purged.

8. Data Retention

8.1 Outreach Leads

  • Active Leads: Retained for up to 12 months if there is no engagement (no reply or booked call).

  • Unsubscribed/Bounced Contacts: Removed or anonymized within 30 days of unsubscribing or hard bounce.

  • Anonymization: After 12 months of inactivity, personally identifying fields are replaced with placeholder values (email → deleted@deleted.com; name → Removed), leaving only limited metadata (e.g., “Last Contacted: [Date]”) for auditing.

8.2 Client Data

  • Client Credentials: Deleted or revoked within 7 days of project end or upon client request.

  • Project Materials & Documentation: Retained for up to 12 months post-project unless the client requests earlier deletion or extended storage.

  • Financial Records (Invoices, Payments): Retained for 6 years in accordance with HMRC requirements.

9. Security Measures

We implement robust technical and organizational controls to protect all personal and client data:

  1. Encryption

    • All data in transit uses HTTPS/TLS.

    • Stored credentials (passwords, API keys) are encrypted at rest (e.g., AES-256 encryption in n8n vault).

  2. Access Controls

    • Two-Factor Authentication (2FA) on all accounts handling sensitive data (Google Workspace, n8n, Airtable, Smartlead).

    • Role-Based Access Control: Only designated personnel can access specific data (e.g., outreach leads vs. client project credentials).

  3. Logging & Monitoring

    • All access to sensitive client credentials is logged.

    • Regular security audits (every 6 months) identify and remediate any vulnerabilities.

  4. Incident Response

    • In case of a data breach involving personal data, we will notify affected parties within 72 hours of discovery and report to the Information Commissioner’s Office (ICO) as required.

    • We maintain an internal Incident Response Plan that outlines steps for containment, investigation, notification, and remediation.

10. Your Rights & Choices

Under UK GDPR, you have the following rights regarding your personal data:

  1. Right of Access: Request a copy of the personal data we hold about you.

  2. Right to Rectification: Request correction of inaccurate or incomplete data.

  3. Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, except where we have a legal obligation to retain it.

  4. Right to Object: Object to our processing if you believe our legitimate interest is overridden by your rights.

  5. Right to Restrict Processing: Ask us to limit processing of your data (e.g., if you dispute its accuracy).

  6. Right to Data Portability: Request a machine-readable copy of your data for transfer to another controller.

To exercise any of these rights, email solutions@dynamis-consultancy.com with the subject line “GDPR Request.” We will respond within 30 days.

Opt-Out/Unsubscribe:
Every outreach email includes a one-click “Unsubscribe” link. If you click it, we will remove your email from all future campaigns within 24 hours and anonymize or delete your data within 30 days.

11. Cookies & Third-Party Links

  • Our website (e.g., dynamis-consultancy.com) may use cookies for analytics (like Google Analytics) and performance monitoring. You can configure your browser to block or alert you about cookies.

  • We may link to third-party sites (e.g., Apify, n8n documentation, Smartlead). This Privacy Policy does not apply to their sites; please consult each site’s own privacy policy.

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or regulatory requirements. The “Last updated” date at the top will indicate the most recent revision. We encourage you to review this policy periodically.

13. Contact Us

If you have questions, complaints, or requests regarding your data or this policy, please contact:

Jack Gardner
Founder, Dynamis
Email: solutions@dynamis-consultancy.com

Document Location & Access

  • Internal Record: Store this Privacy Policy (and any future versions) in your company’s secure documentation folder (e.g., Google Drive, SharePoint, or internal wiki) labeled “Compliance.”

  • Public Reference: Link to this Privacy Policy from the footer of your website (“Privacy Policy”). It does not need to be publicized beyond that, but it must be accessible to anyone who wishes to review it.

  • Client Distribution: Provide a copy to clients during onboarding or upon request so they understand how we handle credentials, sensitive data, and compliance measures.

This Privacy Policy ensures transparency and regulatory compliance in both our B2B outreach and client consulting activities. Continuous adherence to these principles helps protect personal data, maintain trust with contacts and clients, and demonstrate our commitment to data security and privacy.