Privacy Policy

Last updated: 27 March 2026

1. Controller

The controller responsible for the processing of your personal data is:

Lead IP GmbH
Trogerstraße 50
81675 Munich, Germany

Email: privacy@leadlex.com
Commercial register: Amtsgericht München, HRB 263320

2. Data Protection Contact

Lead IP GmbH has not appointed a Data Protection Officer as it is not required to do so under Art. 37 GDPR. For all data protection inquiries, please contact:

Email: privacy@leadlex.com

3. Information We Collect

3.1 Website Visitors

When you visit our website, our hosting provider automatically collects:

  • IP address (anonymized where technically feasible)
  • Browser type and version
  • Operating system
  • Referring URL
  • Pages visited and time of access
  • Date and time of the server request

Legal basis: Legitimate interest in ensuring the security and operation of the website (Art. 6(1)(f) GDPR).

3.2 Form Submissions

When you submit a form on our website (e.g. contact, demo request, signup, or sales inquiry), we collect the data you provide, which may include:

  • Full name
  • Email address
  • Company or firm name
  • Firm size
  • Practice area
  • Current subscription plan (for sales inquiries)
  • Preferred contact time
  • Message content
  • Consent confirmation and timestamp (for GDPR audit trail)

Legal basis: Performance of pre-contractual measures at your request (Art. 6(1)(b) GDPR) and, where applicable, your consent (Art. 6(1)(a) GDPR).

3.3 Account Data

When you create a LeadLex account, we collect:

  • Full name
  • Email address
  • Organization name
  • Billing details (for paid plans)
  • Login credentials (passwords stored hashed, never in plain text)

Legal basis: Performance of the contract (Art. 6(1)(b) GDPR).

3.4 Usage Data

When you use the LeadLex platform, we collect:

  • Product feature interactions and navigation patterns
  • Device and browser type
  • Performance diagnostics and error logs
  • Timestamps of actions

Legal basis: Legitimate interest in improving and securing the Services (Art. 6(1)(f) GDPR). Our legitimate interest is to maintain service quality, detect and resolve technical issues, and improve product usability. We have determined that these interests are not overridden by your rights and freedoms, as the data is processed in aggregate form and does not reveal sensitive personal information.

3.5 Content You Submit

Data you choose to import, connect, or create within the platform, such as:

  • CRM records (contacts, companies, deals)
  • Email content synchronized via integrations (Gmail, Outlook)
  • Calendar events
  • Documents and notes

Legal basis: Performance of the contract (Art. 6(1)(b) GDPR).

3.6 AI Processing Data

When you interact with Lexi, our AI assistant, the following data may be processed:

  • Your prompts, queries, and instructions
  • Relevant CRM data needed to generate responses
  • Lexi's responses

This data is processed by Anthropic PBC (our AI infrastructure provider) in real time. Your data is never used to train or fine-tune any AI models. Anthropic processes data solely to generate the requested response and does not retain it beyond the session. LeadLex relies on Anthropic's contractual representations regarding data handling and non-retention. For Anthropic's current data processing policies, please refer to Anthropic's privacy documentation.

Legal basis: Performance of the contract (Art. 6(1)(b) GDPR).

4. How We Use Your Information

We use personal data for the following purposes:

| Purpose | Legal Basis |
|---------|-------------|
| Providing and operating the Services | Art. 6(1)(b) — Contract performance |
| Responding to inquiries and demo requests | Art. 6(1)(b) — Pre-contractual measures |
| Account creation and management | Art. 6(1)(b) — Contract performance |
| Sending service-related communications (e.g. updates, security alerts) | Art. 6(1)(b) — Contract performance |
| Sending marketing communications | Art. 6(1)(a) — Consent (you can withdraw at any time) |
| Improving the platform and developing new features | Art. 6(1)(f) — Legitimate interest |
| Ensuring security and preventing fraud | Art. 6(1)(f) — Legitimate interest |
| Complying with legal obligations (e.g. tax, regulatory) | Art. 6(1)(c) — Legal obligation |
| Analyzing aggregated usage statistics | Art. 6(1)(f) — Legitimate interest |

5. Recipients and Sub-Processors

We share personal data with the following categories of recipients, each bound by contractual data protection obligations:

| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---------------|---------|----------|--------------------|
| Vercel Inc. | Website hosting and CDN | USA | EU-US Data Privacy Framework (DPF) |
| Supabase Inc. | Database, authentication | EU (Frankfurt) | Data processed within EU |
| Anthropic PBC | AI processing (Claude) | USA | Standard Contractual Clauses (SCCs) |
| Google LLC | Gmail and Calendar sync (OAuth) | USA | EU-US Data Privacy Framework (DPF) |
| Microsoft Corp. | Outlook, Calendar, Teams, LinkedIn sync (OAuth) | USA | EU-US Data Privacy Framework (DPF) |
| HubSpot Inc. | CRM synchronization | USA | EU-US Data Privacy Framework (DPF) |
| Slack Technologies (Salesforce) | Messaging integration (beta) | USA | EU-US Data Privacy Framework (DPF) |

Note: Not all sub-processors apply to every user. Integrations are user-initiated and optional. Data is only shared with a sub-processor when you actively enable the corresponding integration.

We do not sell your personal data to third parties. We do not share your data for third-party advertising purposes.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically the United States. Where such transfers occur, we ensure an adequate level of data protection through:

  • EU-US Data Privacy Framework (DPF): For sub-processors certified under the DPF.
  • Standard Contractual Clauses (SCCs): As adopted by the European Commission, for sub-processors not covered by an adequacy decision.
  • Supplementary measures: Including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, and contractual obligations prohibiting data access for surveillance purposes.

Our primary database infrastructure (Supabase) is hosted within the EU (Frankfurt, Germany).

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law:

| Data Category | Retention Period |
|---------------|------------------|
| Website server logs | 90 days |
| Form submissions (contact, demo, sales) | 12 months, or until the inquiry is resolved |
| Account data | Duration of the contractual relationship |
| Billing and invoice data | 10 years after end of contract (§ 147 AO, § 257 HGB) |
| Usage analytics (aggregated) | 24 months |
| AI interaction logs | Not retained by AI provider; platform logs retained for duration of account |
| Consent records (form consent timestamps) | 3 years (for GDPR accountability and audit purposes) |
| Data after account termination | Deleted within 30 days of contract termination, except where retention is required by law |

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15 GDPR)

You may request confirmation of whether we process your personal data and, if so, request a copy of that data along with information about the processing.

Right to rectification (Art. 16 GDPR)

You may request correction of inaccurate personal data or completion of incomplete data.

Right to erasure (Art. 17 GDPR)

You may request deletion of your personal data where the data is no longer necessary for its original purpose, you withdraw consent, or there is no overriding legal basis for the processing.

Right to restriction of processing (Art. 18 GDPR)

You may request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of disputed data.

Right to data portability (Art. 20 GDPR)

You may request to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where the processing is based on consent or a contract and is carried out by automated means.

Right to object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data based on legitimate interests (Art. 6(1)(f) GDPR), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.

Right to withdraw consent (Art. 7(3) GDPR)

Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

How to exercise your rights

To exercise any of the above rights, please contact us at privacy@leadlex.com. We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.

9. Automated Decision-Making and Profiling

LeadLex uses artificial intelligence (Lexi) to assist users with tasks such as prospecting, outreach drafting, and pipeline analysis. Lexi does not make automated decisions that produce legal effects or similarly significantly affect you within the meaning of Art. 22 GDPR. All AI-generated suggestions, recommendations, and outputs are presented to the user for review and independent decision-making.

Lexi's outputs should not be relied upon as legal advice. Users are solely responsible for verifying AI-generated content and for any decisions made based on such content.

Automated Monitoring and Alerting

The Services include automated monitoring features that process data from third-party sources and your CRM to generate alerts and insights. These may include:

  • Patent and filing monitoring: Tracking patent office publications, trademark filings, and court records from public registries (EPO, USPTO, WIPO, and others).
  • Leadership and contact change monitoring: Detecting when contacts change roles, companies, or titles based on publicly available professional data.
  • Relationship and engagement tracking: Algorithmic analysis of communication patterns and deal activity to identify relationship trends and suggest follow-up actions.
  • Competitive intelligence: Monitoring publicly available data about companies in your market for business development opportunities.

These features process publicly available information and data within your CRM. They generate suggestions and alerts for your review — no automated action is taken without your involvement. You can configure which monitoring features are active in your account settings.

10. Cookies

We use cookies and similar technologies on our website. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

11. Children

LeadLex is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@leadlex.com and we will promptly delete it.

12. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Lead IP GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Website: www.lda.bayern.de

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Where changes are material, we will notify registered users by email. Your continued use of the Services after changes have been published constitutes acceptance of the updated policy.
