Last updated: 8 September 2025

This notice explains how BECOME BUSINESS LTD (“Growth Runner”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you visit growthrunner.com (the “Site”), contact us, or use our services. It also describes your rights and how to exercise them.

We aim to meet the requirements of the UK GDPR, the EU GDPR (where applicable), the Data Protection Act 2018, PECR (cookies/e‑privacy), and relevant US state privacy laws (e.g., CPRA/CCPA, Colorado, Virginia, etc.). If anything here conflicts with a law that applies to you, we will follow that law.


Quick summary

  • We collect contact and business details you provide, and technical/usage data via cookies and similar technologies.
  • We use analytics and customer‑data tools (including Google Analytics, Segment and RudderStack) to understand Site usage and improve our content and services. Non‑essential tools run only with consent where required.
  • We do not sell your personal information and we do not share it for cross‑context behavioural advertising.
  • You can manage cookies via our cookie banner and your browser. You can opt out of marketing, withdraw consent, and exercise your data rights (access, rectify, erase, etc.).

1) Who we are & how to contact us

  • Controller (for this Site): BECOME BUSINESS LTD.
  • Registered address: BECOME BUSINESS LTD, 124 City Road, EC1V 2NX.
  • Privacy email: [email protected]

When we act as a processor: For client projects we may process personal data on behalf of our clients under a Data Processing Addendum (DPA). In those cases, our client is the controller and their privacy notice applies to that processing.


2) Scope of this notice

This policy covers personal data we process when:

  • you browse the Site, interact with pages, or download resources;
  • you contact us, book a call, or subscribe to updates;
  • you become a client or supplier, or otherwise do business with us;
  • we run analytics, diagnostics, and security on the Site using tools including GA4, Segment, RudderStack, Google Tag Manager, and similar technologies.

3) The data we collect

We collect data in three ways: (A) you provide it, (B) we collect it automatically, and (C) we receive it from third parties.

A) Data you provide directly

  • Identity & contact: name, email, phone, company, role.
  • Communications: enquiry details, meeting notes, feedback.
  • Contract & billing (if you become a client): invoicing contacts, postal addresses, VAT/company numbers, contract metadata. We do not store card details on our systems.

B) Data collected automatically (cookies & similar)

  • Device/technical: IP address, device identifiers, browser type/version, OS, language, time zone.
  • Usage: pages viewed, time on page, events (e.g., clicks), referrers, error logs, campaign parameters (e.g., utm_*, gclid, fbclid, ttclid).
  • Approximate location: derived from IP (city/country level).
  • Consent status: your cookie preferences when a CMP/banner is used.

Where required by PECR/e‑Privacy, we seek consent before setting non‑essential cookies (e.g., analytics/advertising cookies). Some Site functions may rely on cookies and may not work without them.

C) Data from third parties

  • Leads & business contacts (lawfully obtained) from events, referrals, or business databases.
  • Client‑provided data where we act as a processor under contract.

We do not intentionally collect special category data via the Site (e.g., health, religion), and our Site is not directed to children.


4) How we use personal data & legal bases

| Purpose | Examples | Legal basis |
|---|---|---|
| Operate & secure the Site | load pages, prevent abuse/fraud, diagnostics, logging | Legitimate interests (secure, reliable operation) |
| Analytics & performance | measure traffic, improve UX/content | Consent for non‑essential cookies; otherwise legitimate interests where consent is not required |
| Respond to enquiries | demos, proposals, support | Legitimate interests or contract (pre‑contractual steps) |
| Client onboarding & delivery | SOWs, project execution, vendor management | Contract |
| Marketing communications | newsletters, event invites | Consent (to individuals) or legitimate interests (B2B soft opt‑in, where permitted); always with opt‑out |
| Legal & compliance | record‑keeping, regulatory requests, dispute handling | Legal obligation; legitimate interests |

You can withdraw consent at any time (see Your rights). Where we rely on legitimate interests, we balance our interests against your rights and expectations.


5) Cookies & tracking technologies

We use cookies, pixels, and similar technologies to:

  • remember preferences (e.g., consent state);
  • understand Site performance and content effectiveness;
  • attribute traffic and campaigns (utm_*, click IDs);
  • keep the Site secure and reliable.

You can manage preferences via our cookie banner and your browser settings. Blocking some cookies may impact Site functionality. See our Cookie Notice for details of cookie categories and lifetimes.

Cookie categories we use

  • Strictly necessary: required for the Site to work (security, load balancing, consent logging).
  • Analytics: GA4, Segment, RudderStack events (run only with consent where required).
  • Functionality (if used): remembering choices or enhancing features.
  • Advertising (if used): retargeting/measurement pixels. We do not run these without consent where required.

6) Analytics & customer data platforms (disclosures)

Google Analytics

  • Data: pageviews, events, device/tech data, approximate geolocation, referrers, campaign parameters.
  • Purpose: understand aggregate usage and improve content.
  • Controls: opt‑out via our banner; browser settings; Google’s opt‑out add‑on. We configure GA4 with data‑minimisation settings where feasible.

Segment (Twilio Segment)

  • Role: Customer Data Platform (CDP) that standardises event collection and routes data to selected destinations.
  • Data: site events and properties (e.g., page views, clicks), device/tech, campaign parameters; we may pass hashed identifiers (e.g., hashed email) if you submit a form and consent covers that use.
  • Purpose: consistent analytics, less code, and improved governance.

RudderStack

  • Role: Alternative or complementary CDP (open‑source/hosted options) used to collect/route events.
  • Data: similar to Segment, depending on configuration and your consent choices.
  • Purpose: infrastructure flexibility and governance.

Other tools (from time to time): Google Tag Manager, performance/error monitoring, A/B testing, form analytics, or security tooling. Non‑essential tools run only with consent where required.

We do not use these tools to make automated decisions that produce legal or similarly significant effects about you.


7) Sharing your data

We share personal data only as needed:

  • Service providers / processors who support hosting, analytics/CDP, communications, CRM, document management, security, and professional services (bound by contract and confidentiality);
  • Professional advisers (legal, accounting) under confidentiality;
  • Legal/regulatory bodies when required by law or to protect rights, safety, or security; and
  • Business transfers (e.g., merger/acquisition) with appropriate protections and notices where required.

We do not sell your personal information and we do not share it for cross‑context behavioural advertising.


8) International transfers

Where we transfer personal data outside the UK/EEA (e.g., to the United States), we use safeguards such as:

  • Standard Contractual Clauses (SCCs) and, for UK transfers, the UK Addendum;
  • Transfer Impact Assessments and supplementary measures (e.g., encryption in transit/at rest);
  • Where available, transfers to countries covered by an adequacy decision.

Contact us for details of specific safeguards in place.


9) Data retention

We keep personal data only for as long as necessary for the purposes above or as required by law.

  • Website analytics: retained in the relevant tool according to its configurable limits (e.g., GA4 event‑level retention up to 14 months); aggregated reports may be kept longer.
  • Enquiries & CRM records: typically 24–36 months from last contact unless we need to keep them longer (e.g., to establish or defend legal claims).
  • Contracts & finance records: typically 6–7 years to meet tax/accounting obligations.

When data is no longer needed, we will delete or anonymise it. If deletion is not immediately possible (e.g., backups), we will securely store and segregate it until deletion is feasible.


10) Security

We use a combination of organisational and technical measures to protect personal data, including access controls, encryption in transit, least‑privilege permissions, and vendor due diligence. No system is 100% secure; transmission of data over the Internet is at your own risk.


11) Your rights (UK/EU/EEA/Swiss)

Depending on where you live, you may have the right to access, rectify, erase, restrict, or port your data, to object to processing (including direct marketing), and to withdraw consent. You also have the right to complain to a supervisory authority (in the UK, the ICO).

How to exercise your rights: email us at [email protected]. We may request information to verify your identity. We aim to respond within one month (extendable where allowed by law for complex requests).

We do not carry out automated decision‑making that produces legal or similarly significant effects about you.


12) United States residents

If you are a resident of a US state with privacy rights (e.g., California, Colorado, Connecticut, Utah, Virginia), you may have the right to know/access, correct, delete, opt out of targeted advertising (“sharing” in CA), and receive a copy of your data, subject to legal limits. You may submit a request to [email protected]. We will verify requests to a reasonable degree of certainty and respond within the timelines set by applicable law.

We do not sell personal information and we do not share it for cross‑context behavioural advertising. Where applicable, we honour Global Privacy Control (GPC) signals as an opt‑out preference signal.

Appeals (where required): If we decline your request, you may appeal by replying to our decision email. If your appeal is denied, you may contact your state attorney general.


13) Children’s data

Our Site is not intended for children and we do not knowingly collect data from children. If you believe a child has provided us data, please contact [email protected] and we will take appropriate steps.


14) AI & automated decision‑making

We may use trustworthy AI‑assisted tools for internal workflows (e.g., drafting or summarising content) under confidentiality commitments with providers. We do not use AI on this Site to make decisions that produce legal or similarly significant effects about individuals.


15) Our role: controller vs processor

  • For this Site and Growth Runner’s own sales/marketing/operations, we act as a controller.
  • For client deliveries, we often act as a processor under a contract/DPA and follow our client’s written instructions.

16) Changes to this notice

We may update this policy from time to time. The latest version will always be posted here with the “Last updated” date. If changes are material, we will take additional steps to inform you.


17) Contact us

Questions or requests about this policy can be sent to [email protected]. Postal address: BECOME BUSINESS LTD, 124 City Road, EC1V 2NX. If you are in the UK, you also have the right to contact the ICO.


Annex A — Core tools & vendors (customise before publishing)

Replace placeholders with your exact stack, links to each vendor’s privacy notice, and your configuration choices.

Hosting, delivery & security

  • Cloud hosting/CDN: [e.g., Cloudflare, Google Cloud Platform] — logs, IPs, security events.

Analytics & CDP

  • Google Analytics — analytics events and usage data (consent‑based where required).
  • Segment (Twilio Segment) — event collection/routing; may include hashed identifiers if supplied with consent.
  • RudderStack — event collection/routing (open‑source/hosted), configured per consent.
  • Google Tag Manager — tag orchestration; does not itself collect personal data beyond what tags/tools configured to run collect.

Communications & CRM

  • Brevo — contact records, emails, preferences.
  • G Suite — transactional/marketing emails.

Productivity

  • Google Workspace, Notion, Slack — business communications and files.

Notes on configuration

  • Ensure analytics/marketing tags are gated by the consent banner.
  • Prefer IP truncation, or disabling IP collection, where available.
  • Limit data retention in tools to the minimum necessary.
  • Use hashed identifiers only with a clear purpose and consent where required.

Annex B — Cookie categories (example; align with your CMP)

| Category | Examples | Typical lifetime |
|---|---|---|
| Strictly necessary | consent log, load balancer, security cookies | session to 12 months |
| Analytics | GA4 (_ga, _ga_*), Segment (ajs_anonymous_id, ajs_user_id), RudderStack (rudder_anon_id) | 1–24 months (per tool) |
| Functionality | remember preferences | up to 12 months |
| Advertising (if used) | retargeting/measurement pixels | varies; consent‑based |