TPSClear
Menu
Legal

Privacy Policy

How TPSClear handles personal data, including the UK phone numbers we screen on behalf of our customers, whether they call the API directly or use a native CRM integration.

Last updated: 8 May 2026.

1. Who we are

TPSClear is a UK Telephone Preference Service (TPS) and Corporate TPS (CTPS) list-cleaning service operated by Voll Studios Ltd, a company registered in England and Wales (company number 09302803, registered office 5 Brayford Square, London, England, E1 0SG). In this policy "TPSClear", "we", "us" and "our" refer to Voll Studios Ltd in our capacity as operator of the TPSClear service.

For privacy queries, contact us at privacy@tpsclear.co.uk.

2. The service this policy covers

TPSClear is delivered in two ways:

  • REST API. A direct screening interface used by customers building TPS/CTPS compliance into their own systems.
  • Native CRM integrations. Marketplace applications for HubSpot (live), with Salesforce, Microsoft Dynamics 365, Pipedrive, Zoho CRM and Capsule CRM in build. These call the API on the customer's behalf and write verdicts back to CRM records.

This policy applies to all of them and to the marketing site at tpsclear.co.uk.

3. Roles under UK GDPR

Customer data submitted for screening (CRM records or API request payloads): the customer (the organisation or individual that holds a TPSClear account) is the data controller. TPSClear is the data processor, processing this data on the customer's documented instructions to perform the screening service. A Data Processing Agreement (DPA) covers this relationship; see section 12.

Marketing-site visitors and account holders: for example, anyone who emails us, requests beta access, or opens a TPSClear account. TPSClear is the data controller.

4. What data we process

4.1 Customer data (as processor)

Across both the API and CRM integrations:

  • UK phone numbers submitted for screening. We normalise these to E.164, query the TPS and CTPS registers, and return a verdict.
  • The screening verdict returned or written back: TPS-listed, CTPS-listed, Clean, or Unknown, with a timestamp.
  • Account identifiers required to authenticate the request: CRM-side OAuth tokens, API keys, customer account IDs.
  • Optional metadata the customer chooses to send with API calls, for example a request reference for the customer's own audit trail.

We do not require, request, or rely on names, email addresses, or other personal data attached to the phone numbers being screened. The screening operation works on the number alone.

4.2 Account holder and marketing-site visitor data (as controller)

  • Email address, name, organisation and any message content sent to us.
  • Account information when an account is created or a CRM app is installed: account ID, billing contact, and acceptance records for these terms and the DPA.
  • Operational telemetry: request timestamps, error logs, usage counts. We do not log phone numbers alongside this telemetry.
  • Standard server logs (IP address, user agent) retained for security and abuse-prevention purposes.

5. Why we process it (lawful bases under UK GDPR)

  • Contract. To deliver the TPSClear screening service to customers and account holders.
  • Legitimate interests. To secure the service, prevent abuse, improve performance, monitor usage against fair limits, and respond to support enquiries. We balance these interests against your rights.
  • Legal obligation. Where we are required by law to retain records or respond to lawful requests.

6. Sub-processors

We do not sell or share customer data with third parties for marketing purposes. We share data only with sub-processors who help us run the service:

  • Vercel Inc. (United States; serves UK and EU traffic from EU edge regions) — application hosting, API gateway.
  • Supabase Inc. (managed Postgres in EU region) — database hosting for account metadata and screening audit logs.
  • Cloudflare, Inc. — DNS and email routing for the tpsclear.co.uk domain.
  • HubSpot, Inc. — for HubSpot-integration customers, the platform on which the app runs and to which verdicts are written.
  • The Direct Marketing Association (DMA) — as the source of the UK TPS and CTPS register data, under our list-cleaner licence.

A current list of sub-processors with full company details is maintained and available on request. We require sub-processors to provide appropriate security and data-protection commitments. Material changes are notified in advance to active customers.

7. International transfers

Some sub-processors may process data outside the United Kingdom and the European Economic Area. Where they do, we rely on UK-approved transfer mechanisms, including the UK International Data Transfer Addendum and equivalent Standard Contractual Clauses, to safeguard the data.

8. Retention

  • Screening verdicts written to a customer's CRM remain on the customer's records for as long as the customer keeps them. We do not separately retain copies.
  • API request and response logs are retained for 90 days as a default audit window. Customers can request shorter or longer retention as part of an enterprise agreement.
  • Operational logs (timestamps, error codes, usage counts) are retained for up to 12 months, then deleted or fully anonymised.
  • Customer account records are retained for as long as the account is active, plus 12 months after closure for legitimate-interest record-keeping, unless a longer period is required by law.

9. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased in certain circumstances;
  • restrict or object to certain types of processing;
  • data portability where applicable;
  • lodge a complaint with the Information Commissioner's Office (ico.org.uk) if you believe we have not handled your data properly.

To exercise any of these rights, email privacy@tpsclear.co.uk. For data we process on behalf of a customer (CRM records or API submissions), please direct requests to the customer who is the controller; we will assist as the processor.

10. Cookies

The TPSClear marketing site does not set marketing or advertising cookies. Strictly necessary cookies may be set for session, security, and load-balancing purposes by our hosting provider.

11. Security

We protect data with industry-standard measures: encryption in transit (TLS 1.2 or higher), encryption at rest for stored audit logs, scoped API keys, role-based access controls, administrative-action logging, and principle-of-least-privilege practices for staff. No system is perfectly secure; we will notify affected customers and the ICO of any qualifying data breach in line with UK GDPR requirements (within 72 hours of becoming aware, where applicable).

12. Data Processing Agreement

For customers who require a separate written DPA in addition to these terms, a TPSClear DPA is available on request. The DPA covers the standard UK GDPR processor obligations: processing on documented instructions, confidentiality, security measures, sub-processor controls, assistance with data-subject requests, breach notification, and return or deletion of data on termination.

13. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page and, where appropriate, by direct communication to active customers. The "Last updated" date at the top of the page reflects the most recent change.

14. Contact

Email privacy@tpsclear.co.uk or write to Voll Studios Ltd at the registered address above.

Back to home