Forfront Ltd. Product Privacy Policy (e-shot™)
1. Introduction
This Product Privacy Policy explains how Forfront Ltd (“Forfront”, “we”, “us”, “our”) processes personal data when providing the e-shot platform and related services (the “Services”) to our clients.
e-shot is a Software-as-a-Service (SaaS) platform that enables clients to create, send, and manage email, SMS and WhatsApp communications, and to manage and analyse their contact data.
This policy applies to:
e-shot basic
e-shot pro
e-shot omni
e-shot engage
API integrations
third-party integrations (e.g. Zapier, Microsoft Teams)
This policy forms part of our Terms and Conditions of Service.
2. Roles and responsibilities
When using the e-shot platform:
Client (you) = Data Controller
Forfront = Data Processor
This means:
You determine how and why personal data is processed
We process personal data on your behalf and on your instructions
You are responsible for ensuring your use of the platform complies with applicable data protection and marketing laws.
3. What data is processed through e-shot
e-shot enables clients to create, send, and manage communications via email, SMS, and other supported messaging channels, including integrations such as WhatsApp where enabled by the client.
The platform enables you to process personal data such as:
contact details (e.g. name, email address, phone number)
demographic or business information (e.g. company, job title)
communication preferences
engagement data:
email opens
link clicks
unsubscribe status
website interactions (where configured)
Data may be added via:
manual input
imports
APIs
integrations with third-party systems
4. How we process personal data
We process personal data:
to provide and operate the Services
to enable message delivery (email, WhatsApp and SMS)
to maintain system functionality and security
to support your use of platform features
as required by law
We only process personal data:
on your documented instructions
as set out in our contract with you
or where required by applicable law
Our personnel are subject to confidentiality contracts when processing personal data.
5. GDPR Article 28 commitments
Processor obligations (UK GDPR Article 28)
We will:
assist you in responding to data subject requests
assist with data protection impact assessments (DPIAs) where required
make available information necessary to demonstrate compliance
provide relevant certifications or audit reports
ensure persons authorised to process personal data are bound by confidentiality contracts
6. Client compliance responsibilities
As Data Controller, you are responsible for ensuring that your use of the platform is lawful.
This includes:
Lawful basis
You must ensure you have a valid lawful basis for processing personal data, such as:
consent (commonly used for marketing communications)
legitimate interests (where appropriate and permitted)
Electronic marketing (PECR)
If you use e-shot for email, SMS, WhatsApp, or other electronic marketing communications, you must comply with applicable electronic marketing laws, including:
obtaining valid consent where required
applying “soft opt-in” rules correctly
including clear sender identification
providing a valid unsubscribe mechanism
Transparency
You must:
provide individuals with appropriate privacy information
explain how their data will be used, including tracking where applicable
Record keeping
You should maintain records of:
consent (where relied upon)
communication preferences
lawful basis decisions
7. Tracking and analytics
The e-shot platform includes functionality that enables you to track:
whether emails are opened
whether links are clicked
interactions with linked web pages (where configured)
These features may involve the use of tracking technologies such as pixels and tracked links. Depending on your configuration, this may constitute profiling or tracking under applicable data protection law. You are responsible for assessing and ensuring compliance.
You are responsible for:
assessing whether this constitutes profiling or tracking under applicable law
ensuring appropriate disclosures are made to individuals
obtaining consent where required
Forfront does not use this data for its own marketing purposes.
8. Automated decision-making
The platform does not carry out automated decision-making with legal or similarly significant effects on individuals.
9. Platform features supporting compliance
e-shot includes features designed to support your compliance obligations, including:
Unsubscribe management
Automatically prevents further communications to unsubscribed contacts
Preference centre
Allows contacts to manage communication preferences
Double opt-in
Supports validation of consent
Compliant email footer
Ensures inclusion of required unsubscribe links
Suppression controls
Prevent re-contact without valid re-subscription
Spam and abuse monitoring
Helps identify potential misuse of the platform
These features support compliance but do not replace your legal responsibilities.
10. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
secure hosting environments
encryption of data in transit
access controls and authentication
regular security reviews and testing
You are responsible for:
maintaining the security of your account credentials
controlling access within your organisation
11. Sub-processors
We use third-party service providers (“sub-processors”) to support delivery of the Services, such as:
hosting and infrastructure providers
email delivery systems
support and monitoring tools
We ensure that all sub-processors:
are contractually bound to protect personal data
process data only on our instructions
A current list of sub-processors is available here.
12. International data transfers
Personal data is primarily processed within the United Kingdom. Where applicable, data may also be processed in the European Economic Area (EEA) and the United States via approved service providers.
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as:
UK adequacy regulations
UK International Data Transfer Agreements (IDTAs)
13. Data retention and deletion
Retention during service provision. Personal data is retained for the duration of your contract and while your account remains active, unless otherwise instructed by you.
Client-controlled retention. You control the retention of personal data within the e-shot platform and may delete or anonymise data at any time using available tools.
Default retention approach. Where no specific instructions are provided, we apply reasonable default retention practices designed to support service delivery, system integrity, and legal compliance.
Categories of retention may include:
Contact and audience data: retained while required for active use within your account
Campaign and engagement data (e.g. opens, clicks): retained for analytics and reporting purposes during account activity
Suppression and unsubscribe data: retained as necessary to prevent further communications in accordance with applicable law
System logs and technical data: typically retained for a limited period (e.g. 6–12 months) for security, troubleshooting, and audit purposes
Post-termination retention. Upon termination of your contract:
personal data will be retained for a limited period to allow account access and data retrieval, where applicable
after this period, personal data will be securely deleted or irreversibly anonymised
Backups and residual data. Personal data may remain in system backups for a limited period following deletion, in accordance with our backup retention policies. Such data is securely stored and not actively processed.
Legal and regulatory retention. We may retain certain data for longer where required to:
comply with legal obligations
resolve disputes
enforce contractual agreements
We implement appropriate processes to ensure secure deletion or anonymisation of personal data when it is no longer required.
14. Data subject rights
As Data Controller, you are responsible for responding to data subject requests.
We will:
assist you where reasonably required
provide tools within the platform (e.g. unsubscribe, deletion, user audit trail)
support requests where necessary under our contractual obligations
15. Controller support and accountability
We provide reasonable assistance and information to support your compliance with applicable data protection laws, including maintaining records of processing activities where required.
16. Data breach notification
In the event of a personal data breach affecting data processed on your behalf, we will:
notify you without undue delay
provide relevant information to support your obligations
You are responsible for any required regulatory notifications.
17. Third-party integrations
The platform may integrate with third-party services (e.g. CRM systems, automation tools).
Where you enable such integrations:
you control the data shared
those providers act under their own terms and policies
you are responsible for assessing their compliance
WhatsApp Integration
Where clients choose to use WhatsApp messaging functionality through the e-shot platform, message content, recipient mobile numbers, and related delivery metadata may be processed by the WhatsApp Business Platform operated by Meta Platforms, Inc. Such processing is subject to Meta’s applicable terms, infrastructure, and privacy policies. Clients are responsible for ensuring they have an appropriate lawful basis for sending WhatsApp communications and for complying with applicable electronic marketing and messaging laws.
18. Updates to this policy
We may update this policy from time to time. Updates will be posted on this page with a revised “Last updated” date.
19. Contact
If you have questions about this policy or our role as a data processor, please contact:
dpo@forfront.com
Forfront Ltd., Global House, Ashley Avenue, Epsom, KT18 5AD, United Kingdom
Last updated: May 2026