Privacy Policy

Last updated: 2 July 2026  ·  LeadFlowAI

This Privacy Policy describes how LeadFlowAI collects, uses, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (Regulation (EU) 2016/679), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Please read this policy carefully before using our platform.

1. Data Controller & Contact Details

LeadFlowAI ("we", "us", "our") is the data controller of personal data collected via this platform. To exercise your data rights or raise a concern:
Email: privacy@leadflow-ai.co.uk
Website: https://leadflow-ai.co.uk
Please mark any urgent data protection enquiry "URGENT – Data Protection" in the subject line. We aim to acknowledge every request within 72 hours; the statutory period for responding to data rights requests is set out in section 10.

2. Scope of This Policy

This Privacy Policy applies to:
• All personal data you provide when creating or using a LeadFlowAI account.
• Personal data of business contacts ("leads") processed through our platform on behalf of subscribing users.
• Data collected passively through cookies, analytics, and server logs.
• Data collected via our public marketing website.
This policy does not apply to third-party services linked from our platform. We encourage you to review the privacy policy of any third party you interact with.

3. Personal Data We Collect

We collect the following categories of personal data:
Account & Subscriber Data
• Full name, business email, billing address.
• Subscription plan, video token balance, payment history.
• Login timestamps, session identifiers, last-seen timestamps.
Campaign & Business Data
• Brand name, website URL, company logo, physical address.
• Business phone number, social media profile URLs.
• Outreach campaign configuration (target industry, job titles, pain points, CTA URL).
Lead / Prospect Data (B2B)
• First and last name, business email address, business phone number.
• Company name, industry, employee count, LinkedIn URL, company website.
• DND/TPS compliance status, GDPR Legitimate Interest Assessment (LIA) basis, and unsubscribe token.
• Email interaction events: sent timestamp, delivered, opened, video clicked.
Technical & Usage Data
• IP address, browser type, operating system, device identifiers.
• Pages visited, features used, action timestamps.
• Error logs and diagnostics (stripped of personal data where possible).
Audit & Security Data
• All security-relevant actions (email sends, exports, scrapes, failed access attempts) are recorded in an immutable audit log for compliance and incident investigation purposes.

5. B2B Outreach Processing & GDPR Compliance

LeadFlowAI enables users to conduct B2B email outreach. We take the following compliance measures:
DND/TPS/CTPS Checking
Before any business contact is processed for outreach, our platform automatically checks the contact against:
(a) Our internal suppression list of opt-out requests.
(b) A simulated Telephone Preference Service (TPS) and Corporate TPS (CTPS) phone registry. This is not a lookup against the live TPS/CTPS register; subscribers who make marketing calls remain responsible for screening numbers against the official register (see section 15).
Any contact matching a suppressed record is permanently flagged MATCHED_SUPPRESSED and cannot receive outreach communications through our platform.
GDPR Legitimate Interest Assessment (LIA)
For B2B outreach conducted under legitimate interests (Art. 6(1)(f)), our platform records the LIA basis against each contact at the point of collection, documenting the three-part test: purpose test (genuine B2B interest), necessity test (no less intrusive means), and balancing test (business contact in a relevant industry). This record evidences the assessment; it does not replace the subscriber's own assessment, for which the subscriber remains responsible as controller.
Unsubscribe Mechanism
Every outreach email contains a unique unsubscribe token generated with a cryptographically secure random number generator. When a recipient unsubscribes, their email address is permanently added to our suppression list and they cannot be contacted again through our platform.
Data Minimisation
We sanitise and truncate all scraped lead fields at the point of collection. We do not collect or store special category data (Art. 9) via our platform.
You (the subscriber) are the data controller for your own lead data. By using our platform, you represent and warrant that you have a valid lawful basis for processing the lead data you collect through our service and that your use complies with applicable data protection law.

6. Data Security

We implement technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction:
• Row-Level Security (RLS) on all database tables ensures each subscriber can only access their own data.
• Ownership verification on every API endpoint: a request is refused if the requesting user does not own the resource.
• All data in transit is encrypted via TLS 1.2+.
• Data at rest is encrypted by our database provider (Supabase/PostgreSQL, AES-256).
• Content Security Policy (CSP), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), HSTS, and CORS headers are enforced on all responses.
• All security-relevant events are recorded in an immutable audit log.
• A video token budget system prevents abuse of AI generation credits.
• Lead export is restricted to paid plan subscribers; FREE tier accounts cannot download lead data.
• Unsubscribe tokens are excluded from bulk CSV exports to prevent token harvesting.
Despite these measures, no system is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you as required under Art. 34 GDPR (see section 14).
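The following is an added illustration of the outreach controls described in sections 5 and 6 (suppression matching, a permanent MATCHED_SUPPRESSED flag, a CSPRNG-generated unsubscribe token, and a lead export that is paid-plan only and never carries the token). It is not LeadFlowAI's code; the plan names, the phone normalisation rule, the constructed leads and the simulated CTPS entry are all assumptions. It goes one step beyond the policy text in storing only a SHA-256 digest of the unsubscribe token, so that a database read yields nothing a harvester could click.

```python
"""Added illustration, not LeadFlowAI's code. All data below is constructed."""
import csv
import hashlib
import hmac
import io
import secrets

CLEAR = "CLEAR"
MATCHED_SUPPRESSED = "MATCHED_SUPPRESSED"
PAID_PLANS = {"STARTER", "PRO"}  # assumed plan names; FREE is deliberately absent

# Export columns are an allowlist: the token digest can never reach a CSV.
EXPORT_FIELDS = ["first_name", "last_name", "email", "company", "status"]


def normalize_email(email: str) -> str:
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Digits only; a UK national number (leading 0) becomes +44 (assumed rule)."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if digits.startswith("0"):
        digits = "44" + digits[1:]
    return "+" + digits


def email_digest(email: str) -> str:
    """Suppression entries hold a SHA-256 of the normalised address, not the address."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def token_digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class SuppressionList:
    """Permanent opt-out store keyed by hashed email and normalised phone."""

    def __init__(self, emails=(), phones=()):
        self._emails = {email_digest(e) for e in emails}
        self._phones = {normalize_phone(p) for p in phones}

    def add_email(self, email: str) -> None:
        self._emails.add(email_digest(email))

    def matches(self, email: str = "", phone: str = "") -> bool:
        return (bool(email) and email_digest(email) in self._emails) or (
            bool(phone) and normalize_phone(phone) in self._phones)


def screen_lead(lead: dict, suppression: SuppressionList, tps_registry: set) -> str:
    """Set lead['status'] before any outreach; a suppressed match is permanent."""
    phone = lead.get("phone", "")
    if suppression.matches(lead["email"], phone) or (
            phone and normalize_phone(phone) in tps_registry):
        lead["status"] = MATCHED_SUPPRESSED
    else:
        lead["status"] = CLEAR
    return lead["status"]


def issue_unsubscribe_token(lead: dict) -> str:
    """256 bits from the OS CSPRNG. Only the digest is stored on the lead; the raw
    token exists solely in the emailed link (hashing at rest is an added hardening)."""
    token = secrets.token_urlsafe(32)
    lead["unsubscribe_token_digest"] = token_digest(token)
    return token


def handle_unsubscribe(token: str, leads: list, suppression: SuppressionList) -> bool:
    """Clicked link: constant-time digest comparison, then permanent suppression."""
    digest = token_digest(token)
    for lead in leads:
        stored = lead.get("unsubscribe_token_digest", "")
        if stored and hmac.compare_digest(stored, digest):
            suppression.add_email(lead["email"])
            lead["status"] = MATCHED_SUPPRESSED
            return True
    return False


def export_leads_csv(leads: list, plan: str) -> str:
    """Paid plans only; extrasaction='ignore' drops every non-allowlisted column."""
    if plan not in PAID_PLANS:
        raise PermissionError("lead export requires a paid plan")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EXPORT_FIELDS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(leads)
    return buf.getvalue()


def demo() -> dict:
    """Constructed sample run; returns the values worth checking."""
    suppression = SuppressionList(emails=["Opted.Out@example.com"])
    tps_registry = {normalize_phone("020 7946 0001")}  # simulated CTPS entry
    leads = [
        {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com",
         "company": "Analytical Ltd", "phone": "+44 20 7946 0002"},
        {"first_name": "Opt", "last_name": "Out", "email": "opted.out@example.com",
         "company": "Gone Ltd", "phone": ""},
        {"first_name": "Reg", "last_name": "Istered", "email": "reg@example.com",
         "company": "Listed Ltd", "phone": "020 7946 0001"},
    ]
    statuses = [screen_lead(lead, suppression, tps_registry) for lead in leads]
    token = issue_unsubscribe_token(leads[0])
    unsub_bad = handle_unsubscribe(secrets.token_urlsafe(32), leads, suppression)
    unsub_ok = handle_unsubscribe(token, leads, suppression)
    return {"statuses": statuses, "unsub_bad": unsub_bad, "unsub_ok": unsub_ok,
            "after": [lead["status"] for lead in leads],
            "csv": export_leads_csv(leads, "PRO"),
            "now_suppressed": suppression.matches("ADA@example.com")}
```

Running `demo()` screens the three constructed leads (one clear, one on the suppression list, one whose number is in the simulated registry), rejects a forged unsubscribe token, accepts the real one, and produces a CSV whose header is exactly the allowlisted columns. The allowlist is the important design choice: denying a known-bad column is fragile the moment a new sensitive field is added, whereas an allowlist fails closed.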

7. Data Retention

We retain data for the minimum period necessary:
• Account data: Duration of subscription plus 12 months after cancellation, to allow reactivation and settle any disputes.
• Campaign data: Until you delete it, or 24 months after your last platform activity, whichever is sooner.
• Lead data: Until deleted by the subscriber, or 24 months after last activity.
• Suppression list entries: Indefinitely, to permanently honour opt-out requests as required by GDPR and PECR.
• Audit log entries: 36 months, to support compliance investigations and incident response.
• Payment records: 7 years, as required by UK tax and accounting law.
• Anonymised analytics: Retained indefinitely in aggregate, non-identifiable form.
You may request deletion of your data at any time. Deletion requests are processed within 30 days. We may retain a minimal record of the deletion to demonstrate compliance.

8. Data Sharing & Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
Data Processors (acting on our instructions)
• Supabase Inc.: database, authentication, and storage infrastructure (EU data region). Supabase acts as a data processor under a Data Processing Agreement.
• Netlify / Vercel: web hosting and CDN delivery. Standard Contractual Clauses (SCCs) are in place.
• Email delivery providers: SMTP relay for outreach emails. A relay necessarily receives the recipient address and message content needed to deliver each email; beyond what delivery requires, recipient metadata is shared only in hashed form.
Legal Disclosure
We may disclose data to law enforcement, regulatory bodies, or courts where we are legally compelled to do so under applicable law. We will notify you of such requests unless prohibited by law.
Business Transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the successor entity. We will notify affected users in advance and you retain the right to object to such a transfer.

9. International Data Transfers

Our primary data storage is within the European Economic Area (EEA) via Supabase's EU data region. Where personal data is transferred to countries outside the UK or EEA (e.g., CDN edge nodes, analytics providers), we ensure adequate safeguards are in place via one or more of the following mechanisms:
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• An adequacy decision by the European Commission for the recipient country.
• Binding Corporate Rules where applicable.
You may request a copy of the safeguards applicable to international transfers by emailing privacy@leadflow-ai.co.uk.

10. Your Rights Under UK/EU GDPR

You have the following rights regarding your personal data:
• Right of Access (Art. 15): Request a copy of all personal data we hold about you.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to our legal retention obligations.
• Right to Restriction (Art. 18): Request that we limit processing of your data pending resolution of a dispute.
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (CSV/JSON).
• Right to Object (Art. 21): Object to processing based on legitimate interests at any time, including direct marketing.
• Rights Related to Automated Decision-Making (Art. 22): We do not make solely automated decisions with legal or similarly significant effects.
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent for consent-based processing at any time.
To exercise any right, email privacy@leadflow-ai.co.uk with "DATA RIGHTS REQUEST" in the subject line. We will respond within one calendar month (extendable by a further two months for complex requests). There is no charge for exercising your rights unless a request is manifestly unfounded or excessive. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with the relevant supervisory authority in your EU member state.

11. Cookies & Tracking Technologies

Strictly Necessary Cookies (always active)
• Session identifiers for platform authentication.
• CSRF protection tokens.
• Cookie consent preference record.
Analytics Cookies (with consent)
• Anonymised page-view analytics to understand platform usage and improve the service.
Marketing Cookies (with consent)
• Retargeting pixels (if you explicitly consent via our cookie banner).
We do not use third-party advertising cookies without explicit consent. You can manage cookie preferences at any time via the cookie banner or your browser settings. Withdrawing cookie consent will not affect the lawfulness of prior processing. We do not use browser fingerprinting or cross-site tracking techniques.

12. Children's Privacy

LeadFlowAI is a B2B professional service. It is not directed at individuals under the age of 18 and we do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly. Contact privacy@leadflow-ai.co.uk if you believe we may have collected such data.

13. Automated Processing & AI-Generated Content

Our platform uses algorithms to generate personalised video scripts and email content based on campaign configuration you provide. This processing is not "automated decision-making" within the meaning of Art. 22 GDPR as it does not produce legal or similarly significant effects on data subjects. All generated content is reviewed by the subscribing user before delivery. Lead data is processed to personalise outreach content. No profiling of special category data occurs. No credit scoring, employment, or other high-stakes decisions are made using our platform.

14. Data Breach Notification

In the event of a personal data breach, we will:
• Report to the ICO within 72 hours of becoming aware of the breach (Art. 33 GDPR), where the breach is likely to result in a risk to the rights and freedoms of individuals.
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).
• Maintain an internal record of all breaches, including those not reportable to the ICO.
If you believe a security incident has occurred involving your data, contact privacy@leadflow-ai.co.uk immediately.

15. Subscriber Data Controller Responsibilities

When you use LeadFlowAI to collect and process lead data, you act as a data controller for that data. You are responsible for:
• Having a valid lawful basis for collecting and contacting each lead.
• Complying with the Privacy and Electronic Communications Regulations (PECR) and applicable national marketing law.
• Honouring opt-out and unsubscribe requests promptly.
• Not using the platform to process special category data (Art. 9 GDPR) without explicit consent from data subjects.
• Ensuring any third-party data you import into the platform was obtained lawfully.
We provide compliance tooling (DND checking, LIA logging, suppression lists, unsubscribe tokens) but cannot guarantee your compliance. You indemnify LeadFlowAI against claims arising from your failure to comply with data protection law.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes (including changes to how we use your data, changes to your rights, or changes to our data processors) will be communicated by:
• Email notification to your registered address at least 14 days before the change takes effect.
• A prominent banner on the platform.
The date of the most recent revision is shown at the top of this page. Continued use of the platform after the effective date of a material change constitutes your acceptance of the updated policy.

17. Contact & Complaints

For all data protection enquiries:
Email: privacy@leadflow-ai.co.uk
Website: https://leadflow-ai.co.uk/privacy
For complaints that we have not resolved to your satisfaction, you may contact the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

© 2026 LeadFlowAI. All rights reserved.