e-shot Product Privacy Policy

1. Introduction 

 

This e-shot Product Privacy Policy ("Policy") describes how Forfront Ltd. ("Forfront," "we," "us," or "our") processes personal data when providing the e-shot software as a service solution and related services (collectively, the "Services") to our clients ("Client," "you," or "your"). 

Forfront Ltd. provides e-shot™, a SaaS solution enabling clients to create messages, manage their subscriber lists (contact lists), and send personalised messages to their subscribers through an online platform. 

This Policy applies to the following products and services: 

  • e-shot basic 

  • e-shot pro 

  • e-shot omni 

  • e-shot engage 

  • API integration 

  • Zapier integration 

  • Microsoft Teams integration 

 

Use of the e-shot solution is subject to the Forfront Terms and Conditions of Service. This Policy forms part of those Terms and Conditions. 

Forfront complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data Protection and Digital Information Act 2023, and the new UK Data Use and Access Act 2025 (referred to here as DUAA 2025). This Policy incorporates relevant provisions from the DUAA 2025, which introduces updates around data subject rights, lawful processing, international data transfers, and use of data in automated systems. 

 

Definitions: 

Data Controller: The entity that determines the purposes and means of processing personal data. In the context of the e-shot Services, the Client is the Data Controller for the contact data and content they upload or manage within the platform. 

Data Processor: The entity that processes personal data on behalf of the Data Controller. Forfront acts as a Data Processor for the personal data processed through the e-shot Services under the instruction of our Clients. 

Personal Data: Any information relating to an identified or identifiable natural person. 

Services: The e-shot platform and associated integrations listed above. 

 

2. Forfront's Role as a Data Processor 

 

Forfront complies with all applicable data protection regulations. When you use the e-shot platform, Forfront acts as a Data Processor on your behalf. You, the Client, are the Data Controller for any personal data that we process in the course of providing the Services to you. 

Our processing of personal data is governed by our Terms and Conditions of Service and this Policy. 

As required by DUAA 2025, Forfront maintains detailed records of processing activities and assists Clients in conducting Data Protection Impact Assessments (DPIAs) where required. 

 

3. Information Processed by e-shot on Behalf of Clients 

 

The e-shot solution allows Clients to: 

  • Create and send bulk messages via email and SMS. 

  • Manage contact lists, including personal data such as names, email addresses, phone numbers, and other information Clients choose to include. 

  • Track and record data relating to interactions of individual contacts with these messages, including opens, clicks, and subsequent website interactions (if configured by the Client). 

  • Organise and analyse contact and company information. 

  • Information can be added to the platform via various methods, including online form completion by individual contacts, bulk uploading, and integrations with API or third-party services as initiated by the Client. 

 

4. How Clients Use the e-shot Platform 

 

Clients control the content of the messages they send and the contact data they use to target and personalise these messages. Forfront does not control, monitor, or verify the accuracy or lawfulness of the content or the contact data Clients use within the Services. Clients are solely responsible for ensuring they have a lawful basis for processing the personal data of their contacts and for the content of their communications. 

 

5. Data Security Measures 

 

Forfront is committed to protecting the security of Client data. We implement and maintain appropriate technical and organisational measures to protect personal data processed through our Services against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, but are not limited to: 

  • Secure hosting of our servers by our hosting partner. 

  • Encryption of data where appropriate. 

  • Access controls to limit access to personal data to authorised personnel. 

  • Regular security assessments and updates to our security practices. 

  • While we strive to protect your data, no security system is impenetrable. Clients also play a crucial role in securing their accounts by using strong user authentication and safeguarding their login credentials. 

 

6. Use of Personal Data by Forfront (as a Processor) 

 

Forfront will only process personal data stored within the e-shot platform based on the Client's instructions, as outlined in the Terms and Conditions of Service, this Policy, or as required by applicable law. 

We warrant that we will not disclose any personal data to any business, organisation, or individual without the Client's prior written consent, unless required by law. 

We shall not use any Client data except in connection with the provision of Services to the Client or as required by law, regulation, regulatory body, or any court of competent jurisdiction. 

Client Data Backups: While Forfront performs regular backups of the platform for service continuity and disaster recovery purposes, the Client remains entirely responsible for making its own backups of its data if required. Forfront shall not be liable for any loss of Client data to the extent permitted by applicable law, except where such loss is a direct result of Forfront's breach of its obligations under the Terms and Conditions or applicable law. 

 

7. Features Supporting Client Data Protection Compliance 

 

e-shot provides several features to help Clients meet their data protection obligations: 

  • Unsubscribe: If a contact unsubscribes from communication, e-shot will prevent further messages to that contact for the specific communication channel. The system is designed so that an unsubscribe status cannot be overridden unless proof is provided by the data subject of their consent to resubscribe. SMS opt-out facilities are also automated. 

  • Automatic Unsubscribe: Every email sent via e-shot automatically includes a header unsubscribe to process unsubscribes submitted via this method. 

  • Preference Centre: Granular consent can be captured, processed, updated, and automatically adhered to using e-shot’s Preference Centre function, allowing contacts to manage their communication preferences. 

  • Double Opt-in: New subscribers can be subjected to a double opt-in process to verify their credentials and consent and prevent accidental or malicious use of submitted data. 

  • Compliant Footer: Every email sent automatically contains a compliant footer with relevant legal information and unsubscribe links. If this information is accidentally deleted from a design, it will be automatically re-added to the sent communication. 

  • Spam Monitoring: We use algorithms to scan emails to improve deliverability and recognise potential patterns of abuse, checking for bad URLs and questionable keywords, combined with validation services and blocklist information. 

 

8. Third-Party Integrations 

 

The e-shot platform can be integrated with various third-party services. Clients are responsible for any data shared with these services through such integrations. 

 

API integration: 

Our robust e-shot API empowers you to seamlessly connect your own applications and third-party systems directly with the e-shot platform. This allows for powerful automation of your email and SMS marketing workflows, custom data synchronisation, and the development of bespoke solutions tailored to your unique business needs. By leveraging the API, you can extend e-shot's capabilities, streamline data management, and integrate our messaging services deeply into your existing software ecosystem for enhanced efficiency and flexibility. 

 

Zapier Integration: 

If you use the Zapier integration with e-shot, you can send and receive data to and from various third-party services authenticated to the same Zapier account. These third-party services may consequently have access to personal data from your e-shot account. You control this data flow via Zapier directly, and such transfers are subject to Zapier's terms and policies and the policies of the connected third-party services. Forfront accepts no responsibility for controlling access to or the security of information from the e-shot platform once it is transferred to or processed within any third-party service via Zapier. You are responsible for configuring your Zaps securely and understanding the data implications. Do not share your Zapier credentials. 

 

Microsoft Teams Integration: 

If you use the Microsoft Teams integration with e-shot, you will have access to information associated with your e-shot account, including contact data and activity relating to email and website interactions of corresponding contacts, within your Teams interface. No contact data from the e-shot platform is stored directly in Microsoft Teams by this integration. Authentication is via your e-shot login credentials. Forfront accepts no responsibility for controlling access to information from the e-shot platform inside Microsoft Tams. Do not share your e-shot credentials. 

 

9. Sub-processors 

 

Forfront uses certain third-party service providers (sub-processors) to help us deliver the e-shot Services effectively. These sub-processors may have access to Client data in the course of providing their services to us, such as hosting providers. We maintain a list of our sub-processors, and we ensure that all sub-processors are bound by contractual obligations compatible with our commitments to you under this Policy and applicable data protection laws. 

You can request a list of our current sub-processors by contacting us via our contact page. 

 

10. International Data Transfers 

 

Personal data processed by Forfront on behalf of Clients is stored and processed within  the United Kingdom. 

If any Client data is transferred to, stored, or processed by Forfront or its sub-processors in a country outside the UK or EEA that is not recognised as providing an adequate level of data protection, we will ensure that appropriate safeguards are in place to protect the data in accordance with applicable data protection laws. These safeguards may include the use of Standard Contractual Clauses approved by relevant authorities, or reliance on an Adequacy Decision. 

 

11. Data Retention and Deletion 

 

As a Data Processor, Forfront will retain personal data stored within the e-shot platform for the duration of your contract or for as long as instructed by you, the Client, and as necessary to provide the Services, or as required by applicable law. 

Upon termination of your e-shot account and Services, Forfront will delete Client data in accordance with the terms agreed in our Terms and Conditions of Service, unless retention is required by law. 

Please review our retention policy for more detailed information. 

You, as the Data Controller, are responsible for defining and implementing your own data retention policies for the contact data you manage within e-shot. 

 

12. Assisting with Data Subject Rights 

 

Forfront is committed to assisting our Clients (Data Controllers) in meeting their obligations to respond to Data Subject Rights (DSR) requests under applicable data protection laws (e.g., requests for access, rectification, erasure, restriction, data portability, or to object to processing). 

The e-shot platform provides features (such as unsubscribe and preference centres) that enable Clients to manage some of these requests directly. For other requests relating to data processed within the e-shot platform, Forfront will provide reasonable assistance to the Client upon their verified request. 

In accordance with DUAA 2025, Forfront also supports Clients in addressing data subject objections to processing involving legitimate interests and automated decision-making. Clients are encouraged to document all data subject interactions as DUAA 2025 requires greater accountability in rights response handling. 

 

13. Data Breach Notification 

 

In the event of a personal data breach affecting Client data for which Forfront is a processor, Forfront will notify the affected Client(s) without undue delay after becoming aware of the breach. This notification will include information to help the Client meet their own data breach notification obligations under applicable data protection laws. 

DUAA 2025 introduces stricter timelines and transparency requirements around breach communications. Forfront is committed to timely and detailed breach reporting to aid Clients’ regulatory obligations. 

 

14. Client Responsibilities 

 

As a Client using the e-shot platform, you are the Data Controller and are responsible for: 

  • Ensuring you have a lawful basis for collecting and processing all personal data uploaded to or managed within the e-shot platform. 

  • The accuracy, quality, and legality of the personal data and the means by which you acquired it. 

  • Complying with all applicable data protection laws in your use of the Services, including providing necessary notices and obtaining consents from data subjects. 

  • Managing and responding to Data Subject Rights requests from your contacts. 

  • Securely managing your account credentials and access to the Services. 

 

15. Updates to this Policy 

 

We may update this Product Privacy Policy from time to time to reflect changes in our Services, legal obligations, or for other operational reasons. We will notify you of any material changes to this Policy by posting a notice on our platform, sending an email to our Clients, or other appropriate means prior to the change becoming effective. We encourage you to review this Policy periodically. Your continued use of the Services following any revision of this Policy is deemed to be acceptance of the modifications or amendments. 

We update this Policy to reflect changes in applicable law, including the DUAA 2025. We are committed to proactive notification in cases where material changes significantly alter how personal data is processed. 

 

16. Contact Information 

 

If you have any questions or concerns about this Product Privacy Policy, your personal data, or our role as a Data Processor, please contact us at: 

Forfront Ltd. 

Global House, Ashley Avenue, Epsom KT18 5AD UK 

Or via our contact page. 

 

Last Updated 29 June 2025