1. Introduction
This Privacy Policy explains how Gaea-Lab Ltd (“we”, “us”, “our”) collects, uses, and protects personal information when you visit our website https://gaea-lab.com, use our online ESPR Assessment Tool, communicate with us, or receive communications from us in a professional context.
We are committed to processing your personal data lawfully, fairly, and transparently, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).
By visiting our website or communicating with us, you acknowledge and accept the terms of this Privacy Policy.
2. Data Controller
Gaea-Lab Ltd
5 Canon Court, Institute Street,
Bolton, England, BL1 1PZ, United Kingdom
Email (for privacy matters): info@gaea-lab.co.uk
Website: https://gaea-lab.com
We have not appointed a Data Protection Officer, as our processing activities do not require one.
3. Scope and Ways You Can Contact Us
Our website is designed for information purposes only. We do not collect analytics or tracking data, and we set no cookies.
You can contact us through the following channels only:
- Calendly: to book meetings – https://calendly.com/lzauli/30min
- WhatsApp: +44 7553 128216 – to send us direct messages
- Email: info@gaea-lab.co.uk – for business or privacy enquiries
- ESPR Assessment Tool: an online tool hosted on our website that collects personal data to generate a personalised ESPR/DPP readiness report (see Section 4A for details)
These platforms operate independently under their own privacy policies. We do not use newsletter sign-ups on our website.
4. Categories of Personal Data We Collect and Process
We process only business-related personal data. The categories are:
- **Identification & Contact Data**: name, business email address, business phone number, company, job title/role.
- **Professional Profile Data**: industry, seniority, public professional profile links (e.g., LinkedIn URL).
- **Interaction & Communications Data**: messages exchanged, dates of contact, meeting scheduling status, non-sensitive interaction notes.
- **Scheduling Data (Calendly)**: name, email address, meeting date/time and related details (Calendly is an independent controller for its part of processing).
- **Messaging Data (WhatsApp)**: your phone number and message content (processed also under WhatsApp/Meta terms).
- **Technical Security Logs (Website Hosting)**: minimal server logs (e.g., IP address and timestamp) generated by our hosting provider strictly for security, diagnostics, and anti‑abuse.
We do not collect special category data, criminal offence data, precise geolocation, device identifiers, browsing analytics, payment/financial data, or account credentials via our Website.
4A. ESPR Assessment Tool
We offer an online ESPR Assessment Tool (also referred to as "DPP Assessment") that allows fashion-industry professionals to evaluate their organisation's readiness for the EU Ecodesign for Sustainable Products Regulation (ESPR) and Digital Product Passport (DPP) requirements.
Data collected through the tool
When you use the ESPR Assessment Tool, you will be asked to provide the following personal information via an integrated data-collection form:
- Full name;
- Business email address;
- Company name;
- Job title or role;
- Any additional information you voluntarily include in free-text fields.
Purposes of processing
We use the data collected through the ESPR Assessment Tool for the following purposes:
(a) To generate and deliver a personalised ESPR/DPP readiness report to you;
(b) To contact you with relevant follow-up information, service proposals, or regulatory updates related to the assessment results;
(c) To improve and refine the assessment methodology and our services;
(d) To maintain records for compliance and accountability purposes.
Legal basis
We process ESPR Assessment Tool data on the following legal bases:
- Consent (Article 6(1)(a) UK/EU GDPR): By submitting your data through the tool, you provide explicit consent to its collection and processing for the purposes described above. You may withdraw your consent at any time by contacting us at info@gaea-lab.co.uk, without affecting the lawfulness of processing carried out before withdrawal.
- Legitimate interest (Article 6(1)(f) UK/EU GDPR): To follow up with relevant service information in a proportionate B2B context, where you have a reasonable expectation of hearing from us based on completing the assessment.
Retention
Data collected through the ESPR Assessment Tool is retained for up to 24 months from the date of submission, or until you withdraw consent or request erasure, whichever occurs first. Assessment results may be retained in anonymised/aggregated form beyond this period for statistical and service-improvement purposes.
Your rights
In addition to the general rights described in Section 14, you have the specific right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. To exercise any of your rights, please contact info@gaea-lab.co.uk.
5. Data Category Map
The table below summarises key information for each category (for full details, see Sections 5–11).
| Category | Typical Sources | Main Purposes & Legal Bases | Key Recipients | Typical Retention |
| --- | --- | --- | --- | --- |
| Identification & Contact Data | You (email/Calendly/WhatsApp); CRM; LinkedIn Sales Navigator; public sources | B2B prospecting & outreach; relationship management. Legal basis: Legitimate interest (Art. 6(1)(f)); Contract where applicable; e‑privacy/PECR compliance. | CRM/email providers (processors); Calendly/WhatsApp (independent controllers) | Prospects ≤ 24 months from last interaction or until opt‑out; suppression list retained to honour opt‑out |
| Professional Profile Data | Public sources; LinkedIn Sales Navigator; CRM | Targeting relevance; understanding role/industry context. Legal basis: Legitimate interest (Art. 6(1)(f)); Art. 14 transparency. | CRM/email providers (processors) | Prospects ≤ 24 months from last interaction |
| Interaction & Communications Data | You (emails/messages); our CRM/email systems | Relationship management; records for accountability. Legal basis: Legitimate interest; Legal obligation (records). | CRM/email providers; professional advisers if required | ≤ 24 months (pre‑contract); contracts/financial records up to 6 years |
| Scheduling Data (Calendly) | Provided directly by you via Calendly | Organising meetings on request. Legal basis: Legitimate interest / Contract (Art. 6(1)(b)). | Calendly (independent controller); calendar/email providers | Per Calendly policy; our related notes ≤ 24 months |
| Messaging Data (WhatsApp) | Provided directly by you via WhatsApp | Responding to inbound messages. Legal basis: Legitimate interest / pre‑contractual steps. | WhatsApp/Meta (independent controller) | Our copy ≤ 12 months after conversation closure; subject to WhatsApp terms |
| Technical Security Logs | Hosting provider (automatic) | Security, diagnostics, anti‑abuse only (no analytics/marketing). Legal basis: Legitimate interest; Legal obligation if applicable. | Hosting provider (processor) | Short technical cycles as per hosting policy (no profiling) |
| ESPR Assessment Tool Data | Provided via the ESPR Assessment Tool form | Delivering personalised ESPR/DPP readiness report; follow-up with service proposals; service improvement. Legal basis: Consent (Art. 6(1)(a)); Legitimate interest (Art. 6(1)(f)). | CRM/email providers (processors); hosting provider (processor) | Up to 24 months from submission or until consent withdrawal/erasure request |
6. Where We Obtain Data
We may collect data from: you directly (email/Calendly/WhatsApp); public and professional sources (company websites, speakers lists, LinkedIn Sales Navigator); licensed B2B databases and our CRM/email systems used to manage relationships and communications. We use LinkedIn Sales Navigator in accordance with LinkedIn’s terms and do not circumvent technical measures or scrape content.
7. Why We Use Personal Data and On What Legal Basis
We process personal data only when there is a valid legal basis under the UK and EU GDPR.
B2B Prospecting and Outreach
We identify and contact relevant business professionals using legitimate sources (such as LinkedIn Sales Navigator) to offer information about our services or collaborations.
Legal basis: Legitimate interest (Article 6(1)(f) UK/EU GDPR) – proportionate B2B context – and compliance with UK PECR and EU e‑Privacy laws. Member States implement e‑privacy differently; where consent is required for specific recipients/channels (e.g., certain individual/sole‑trader recipients), we obtain consent before contacting.
Relationship Management
To respond to messages, organise meetings through Calendly, and maintain professional correspondence. Legal basis: Legitimate interest and, where applicable, Contractual necessity (Article 6(1)(b)).
Business Records and Compliance
To maintain accounting records, audit trails, and suppression lists for opt‑out management. Legal basis: Legal obligation (Article 6(1)(c)) and Legitimate interest for record keeping.
Website Operation
Our website functions purely as an informational site with no cookies or analytics. Legal basis: Not applicable.
Transparency for Indirectly Obtained Data (Article 14 GDPR):
When we collect business contact data from third‑party or public sources (e.g., LinkedIn), we provide this information no later than our first communication, usually by including a link to this Privacy Policy in the outreach message.
8. B2B Marketing and Your Right to Opt Out
We may send professional outreach messages to business contacts obtained from legitimate sources. Each message includes a clear opt‑out option. If you opt out, we will stop all further communications and retain your details only on a suppression list to ensure we do not contact you again.
We do not sell or rent contact data.
9. Data Sharing
We share personal data only where necessary and with trusted service providers who act under binding contracts, agreements and appropriate safeguards:
- Hosting provider: Keliweb (EU);
- B2B data providers;
- CRM and email platforms: used to manage outreach and communications;
- Calendly: meeting scheduling (independent controller);
- WhatsApp (Meta): messaging (independent controller);
- Business Partners: some products and services of interest to you may be sold to you by our partners directly or through our services;
- Professional advisers and authorities: where legally
We do not disclose data to advertising networks, analytics providers, or social media tracking tools.
10. International Data Transfers
Some of our service providers may process data outside the UK or EEA (for example, in the US or Canada). When transfers occur, we rely on:
- Adequacy decisions issued by the UK or EU, where available; or
- Standard Contractual Clauses (SCCs) with the UK Addendum/IDTA.
Information about these safeguards can be provided upon request.
11. Data Retention
We retain personal data only as long as necessary for the purposes described above:
- B2B prospect records: up to 24 months from the last interaction or until you opt
- Suppression lists: retained indefinitely, solely to ensure no further
- Pre‑contract or project correspondence: up to 24 months (or longer if required for ongoing discussions).
- Contracts and financial records: up to six years in accordance with UK record‑keeping
- Calendly and WhatsApp data: retained according to their own
- ESPR Assessment Tool data: up to 24 months from submission, or until consent is withdrawn or erasure is requested; anonymised/aggregated results may be retained beyond this period.
After these periods, we securely delete or anonymise data.
12. Data Security
We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, and limited authorised access. While we strive to protect all information, electronic transmission via email or WhatsApp can never be entirely secure.
13. International Users
Our website is operated from the United Kingdom and primarily intended for UK and EEA users. If you access it from outside these regions, your data may be processed in the UK, where protections are comparable to EU standards. We apply appropriate safeguards to maintain consistent privacy protection worldwide.
14. Your Data Protection Rights
Under the UK GDPR and EU GDPR, you have the following rights:
- Access: to obtain a copy of your
- Rectification: to correct
- Erasure: to request deletion of your
- Restriction: to limit how your data is
- Portability: to receive your data in a portable format where
- Objection: to object to processing, including direct
- Withdrawal of consent: where processing is based on
We may reasonably verify your identity before responding to a rights request. We respond within one month (extendable by two months for complex requests).
If you believe your data has been unlawfully processed, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local EU Data Protection Authority.
15. Cookies and Technical Logs
Our website uses no cookies or similar tracking technologies.
Our hosting provider may generate minimal server logs (e.g., IP address and timestamp) to maintain security, diagnose issues, and prevent abuse. We do not use these logs for analytics or marketing, and we do not combine them with other information to profile visitors.
Third‑party sites accessed through our links (such as WhatsApp, Calendly, or partners) may use their own cookies under their respective privacy policies.
16. Links to External Partners
Our website may contain links to partner organisations or third‑party websites. We are not responsible for the content, security, or privacy practices of external sites, and we encourage you to review their respective privacy notices.
17. Children
Our services are intended for business professionals and are not directed at minors. We do not knowingly collect or process data relating to individuals under 18 years old.
18. Updates to This Privacy Policy
We may amend this Privacy Policy from time to time to ensure ongoing compliance with applicable laws. Any updated version will be published on this page with a new “Last updated” date.
19. Contact and EU Representative
Controller:
Gaea-Lab Ltd
5 Canon Court, Institute Street, Bolton BL1 1PZ, United Kingdom
Email: info@gaea-lab.co.uk
ICO complaints: https://ico.org.uk/make-a-complaint/
EU Representative (Article 27 GDPR):
If required, we will appoint a representative within the EU and update this section with their contact details. Until then, you may contact us directly regarding any EU GDPR matter.