Building a Compliant Investor List

TL;DR / Key takeaways

Build the list on permission and records: lead with inbound — useful content and an opt-in waitlist — and use outreach carefully within the rules.
You need a lawful basis under UK GDPR (usually consent or legitimate interests) and must follow PECR for electronic marketing — consent for individuals, more latitude for corporate B2B, but always an opt-out.
Most firms must register with the ICO and pay the data protection fee before processing investor data at scale.
Qualify investors factually — risk appetite, funds, timelines — without giving regulated advice, promising returns, or operating an unauthorised collective investment scheme.
Keep a CRM with source, consent, preferences and opt-outs, and nurture contacts honestly toward a waitlist.
This is general information, not financial, legal or tax advice — seek independent professional advice. L&M is currently AML supervision pending and waitlist only.

How do you build a property investor list lawfully? On permission, not purchased data — by publishing useful content, letting investors opt in, and keeping clean records of consent and preferences. A list built that way is one you can actually use; a list scraped or bought is a liability that breaches both UK GDPR and PECR the moment you email it. This guide sets out the compliant route: inbound versus outreach, the lawful basis you need, the PECR rules for business and consumer contact, ICO registration, how to qualify investors without straying into regulated advice, the records to keep, and how to nurture a list toward a waitlist.

This is general information, not financial, legal or tax advice — seek independent professional advice.

Inbound vs outreach: which builds a usable list

Definition

Compliant lead generation for an investor list means acquiring contacts in a way that satisfies UK GDPR (a lawful basis for the data) and PECR (the rules for electronic marketing), with consent and preferences recorded — as opposed to buying or scraping lists, which almost always fails both.

There are two engines for building a list, and a compliance-led firm leans on them in a particular order.

Inbound — investors come to you

ContentOpt-inLower risk

You publish genuinely useful material — guides, analysis, plain-English explainers — and interested investors choose to join your list, usually by opting in to a waitlist. Inbound produces warmer, better-qualified, permission-based contacts and carries the lowest compliance risk, because consent is built into the act of signing up. The trade-off is that it builds more slowly and rewards patience.

Outreach — you contact prospects

TargetedPECR limitsOpt-out

You proactively contact identified prospects. Done within PECR and UK GDPR — proper targeting, a lawful basis, clear identification and an easy opt-out — it can add reach. Done carelessly, it is where firms get into trouble. Outreach is a supplement to inbound, not a substitute for it, and it should never rely on bought or scraped data.

Inbound vs outbound investor acquisition — illustrative comparison
Factor	Inbound (content + opt-in)	Outbound (targeted outreach)
Permission	Built in via opt-in	Must be established and recorded
Contact quality	Warmer, self-selected	Variable, needs qualifying
Compliance risk	Lower	Higher if done carelessly
Speed to scale	Slower, compounds over time	Faster but constrained by PECR
Best role	The primary engine	A careful supplement

UK GDPR: getting your lawful basis right

Before you process anyone's personal data, you need a lawful basis under UK GDPR. For an investor list, two bases come up most often.

Consent. The cleanest basis for marketing — the individual has actively, freely agreed. For most electronic marketing to individuals, PECR effectively requires it anyway.
Legitimate interests. Can apply to some business-to-business processing, but it is not a free pass: you must weigh your interest against the individual's rights and document the reasoning in a legitimate interests assessment.

Whichever you rely on, record it, give people a clear privacy notice explaining what you do with their data, and honour their rights — access, correction, objection and erasure. The lawful basis is not paperwork for its own sake; it is what makes everything downstream defensible. Take advice on which basis fits your specific model.

A practical trap worth naming: the lawful basis you choose for processing the data is not the same question as whether PECR lets you send a marketing message. You can have a perfectly valid basis to hold a contact's details and still be barred from emailing them marketing without consent. The two regimes stack, and you have to satisfy both. Treat the lawful basis as the foundation and PECR as the rule that governs the actual sending — get them confused and you can end up technically holding data lawfully while marketing to it unlawfully.

PECR rules for B2B and consumer marketing

Definition

PECR — the Privacy and Electronic Communications Regulations — sits alongside UK GDPR and governs electronic marketing by email, SMS and phone. It draws a line between marketing to individuals (including sole traders and many partnerships) and marketing to corporate bodies.

The distinction matters because it changes what you can lawfully do:

Individuals (B2C and sole traders/partnerships): you generally need prior consent for electronic marketing, with only a limited "soft opt-in" available for existing customers in narrow circumstances.
Corporate bodies (limited companies, LLPs): unsolicited B2B email is treated more permissively, but you must still identify yourself, provide an opt-out, and respect UK GDPR wherever the data identifies a living individual (for example a named person at a company).
Always: identify who you are, say how to opt out, and act on opt-outs promptly. SMS and live/automated calls have their own rules and screening obligations.

The safe operating posture is to treat individuals as requiring consent, treat corporate contacts carefully, and offer a frictionless opt-out everywhere. When the analysis is finely balanced, do less and take advice.

ICO registration and the data protection fee

Most organisations that process personal data for business purposes must pay the data protection fee and register with the Information Commissioner's Office, unless a specific exemption applies. Building and marketing to an investor database is exactly the kind of processing that brings you within scope.

Check your position using the ICO's self-assessment before you start processing at scale.
Registration is inexpensive relative to the risk and penalties of failing to register.
Keep your registration current and your privacy documentation aligned with what you actually do.

Qualifying investors without giving regulated advice

This is the part where good intentions can drift into regulated territory. Qualifying an investor means understanding fit; it does not mean advising them on what to do with their money.

Gather factual information: stated risk appetite, available funds, timelines and objectives — through straightforward questions.
Assess fit, not merits: whether a future opportunity might match their stated criteria, not whether they should invest.
Do not advise on the investment, and never promise or imply a yield, return or profit.
Do not operate an unauthorised collective investment scheme. Pooling investor money into a common enterprise can engage strict rules — keep well clear and take advice if your model goes anywhere near it.

The line between information and advice is one for professional advice on your specific facts. The conservative default — gather facts, assess fit, make no recommendations, promise nothing — keeps a sourcer on the right side of it.

It also helps to be deliberate about language. The moment your wording shifts from describing a property and its facts to telling an investor that something is "a great opportunity" or projecting what they might make, you have moved from information toward advice and promotion. A compliance-led sourcer trains itself to describe rather than recommend, to present rather than persuade, and to leave the investment decision firmly with the investor and their own advisers. That discipline is not just about staying inside the rules — it is what a serious investor expects from a firm that takes its obligations seriously.

CRM, record-keeping and nurturing to a waitlist

A compliant list is only as good as the records behind it. The CRM is where compliance and commercial value meet.

What the CRM should record

Source: where each contact came from and how they joined.
Lawful basis and consent: which basis you rely on, plus the date and source of any consent.
Preferences: what they agreed to receive, and on which channels.
Opt-outs: recorded and acted on promptly, never overwritten.
Retention: data kept only as long as needed, with a clear deletion process.

Nurturing honestly toward a waitlist

Nurturing is about being useful over time, not about pressure. Send genuinely helpful material, keep frequency reasonable, and let interested investors progress to a waitlist at their own pace. There is no place for urgency theatre, manufactured scarcity or return promises — those tactics damage trust and can stray into misleading-practice territory. A waitlist built on honest communication is a list that converts when the time is right, and that withstands scrutiny.

Who's behind L&M

Built by two disciplines most sourcing firms never combine

L&M was built by two disciplines most sourcing firms never combine — a property operator who has built and run a real-estate portfolio (sourcing, refurbishing, financing and exiting), and a wealth manager who has advised serious capital (underwriting risk, structuring, protecting downside). The same care that goes into researching a deal goes into how investor relationships are built: on permission, with clean records, and without overstated promises.

That is why L&M's list is built permission-based and compliance-led. The firm's HMRC supervision is pending and it is operating a waitlist only — contacts opt in, the lawful basis and preferences are recorded, and no regulated advice or return promise is made while registration is in progress.

Notes and sources cited in this guide

Where the regulatory points come from

The compliance points above are anchored to public, dated sources. We update this article whenever a cited rule changes.

UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018: lawful basis, privacy notices and individual rights.
Privacy and Electronic Communications Regulations 2003 (PECR): the rules for electronic marketing to individuals and corporate bodies.
Information Commissioner's Office (ICO): the data protection fee, registration and self-assessment.
FCA — regulated activities, financial promotions and collective investment schemes: the boundary around advice and pooling, on which model-specific professional advice should be taken.

Last fact-check pass: 2 June 2026. Author: L&M Property Sourcing Editorial Team. This article is for information only and does not constitute legal, financial or tax advice — always seek independent professional advice before acting.

Frequently asked questions about building an investor list

How do I build a property investor list lawfully?

Build it on permission and a clear record. The most durable route is inbound — publishing useful content and letting interested investors opt in to a waitlist or list themselves — supported by carefully targeted, compliant outreach where the law allows it. You need a lawful basis under UK GDPR for processing the data, you must follow PECR rules for electronic marketing, you should be registered with the ICO where required, and you must keep records of consent and preferences. Lawful list building is slower than buying a list, but it produces a list you can actually use.

What is the difference between inbound and outbound investor acquisition?

Inbound means investors come to you — through content, search, referrals and word of mouth — and choose to join your list, usually by opting in. Outbound means you proactively contact prospects you have identified. Inbound tends to produce warmer, better-qualified, permission-based contacts and carries lower compliance risk, but it builds more slowly. Outbound can scale faster but must be done within PECR and UK GDPR limits, with proper targeting, an opt-out, and a lawful basis. A compliance-led approach usually leads with inbound and uses outbound carefully.

What lawful basis do I need under UK GDPR to email investors?

Processing personal data needs a lawful basis under UK GDPR — commonly consent or legitimate interests. For marketing, consent is the cleanest basis and is often required for electronic marketing to individuals under PECR. Legitimate interests can apply to some business-to-business processing but must be balanced against the individual's rights and documented in a legitimate interests assessment. You should record which basis you rely on, provide a clear privacy notice, and honour rights such as access and objection. Take advice on which basis fits your model.

What are the PECR rules for B2B versus consumer marketing?

PECR — the Privacy and Electronic Communications Regulations — governs electronic marketing. For marketing to individual subscribers, including sole traders and some partnerships, you generally need prior consent, with a limited soft opt-in for existing customers. Corporate bodies are treated differently and unsolicited B2B email is more permissive, but you must still identify yourself, provide an opt-out, and respect UK GDPR where the data identifies an individual. The safe approach is to treat individuals as requiring consent and to always offer an easy opt-out.

Do I need to register with the ICO to build an investor list?

Most organisations that process personal data for business purposes must pay the data protection fee and register with the Information Commissioner's Office unless an exemption applies. Building and marketing to an investor database is the kind of processing that typically brings you within scope. Registration is straightforward and inexpensive relative to the risk of not doing it. Check your position on the ICO self-assessment and register before you start processing data at scale.

How do I qualify investors without giving regulated advice?

Qualifying means understanding fit — an investor's stated risk appetite, available funds, timelines and objectives — through factual questions, not by recommending what they should do with their money. You gather information and assess whether a future opportunity might match their stated criteria. You do not advise on the merits of an investment, promise or imply a return, or operate anything resembling a collective investment scheme without the right permissions. Keep questions factual, keep records, and take professional advice on where regulated advice begins.

How should I keep records for an investor database?

Use a CRM or structured system that records where each contact came from, the lawful basis and any consent, the date and source of that consent, communication preferences, and any opt-out. Keep a privacy notice that explains what you do with the data, retain data only as long as you need it, and make it easy to action access, correction and deletion requests. Good records are both a UK GDPR requirement and the thing that lets you prove you built the list properly.

Is L&M currently building or operating an investor list?

L&M is operating a waitlist only while its HMRC anti-money laundering supervision is pending, and it is not transacting deals during that period. Any list building L&M does is permission-based and compliance-led — contacts opt in to the waitlist, the lawful basis and preferences are recorded, and no regulated advice or return promise is made. This article describes that compliant approach as general information, not as an offer to transact or invest.

L&M

About the L&M Property Sourcing Editorial Team

L&M Property Sourcing is a UK Limited company based in London, building a compliance-led property sourcing service for investors and sellers. We publish plain-English guides to the regulation and practice that governs property sourcing — AML, data protection, due diligence and conduct standards — reviewed against legislation.gov.uk, ICO and FCA sources. L&M's AML supervision is pending and the firm is currently waitlist only.

Build your investor list the compliant way

The L&M partner programme sets out how permission-based, compliance-led investor relationships are built — clean records, clear consent, and no shortcuts.

See the partner programme → AML supervision pending. Waitlist only. This is general information, not financial, legal or tax advice — seek independent professional advice.