Privacy Policy
Version 2.0 — Last updated: 03 May 2026
Lead IP GmbH — leadlex.com / app.leadlex.com
Lead IP GmbH ("Lead IP", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose and safeguard personal data in connection with our website at https://leadlex.com (the "Website") and the LeadLex platform at https://app.leadlex.com (the "Platform" and, together with the Website, the "Services").
This Policy is structured around the different categories of individuals whose personal data we process (each a "data subject"), because our role and lawful basis differ depending on who you are and how you interact with us. Please refer to the section that applies to you. If you have any questions, contact us at lexi@leadlex.com.
Quick guide. If you are:
- A visitor to leadlex.com → see Section 5;
- An administrator or authorised user of a Customer account → see Section 6;
- A prospect, business contact or company representative whose information appears in our Lead Database → see Section 7 (this is our Article 14 GDPR notice for indirectly collected data);
- A recipient of outreach sent through LeadLex by one of our customers → see Section 8;
- An applicant, partner, vendor representative or other contact → see Section 9.
1. Controller and Data Protection Officer
Controller. The controller within the meaning of Article 4(7) GDPR (and equivalent terms under the UK GDPR, Swiss FADP, the CCPA/CPRA and other Applicable Data Protection Laws) is:
Lead IP GmbH Trogerstraße 50, 81675 Munich, Germany Commercial Register: Amtsgericht München, HRB 263320 VAT ID: DE340540578 Managing Directors: Alexander Messerer, Winston Schultze Email: lexi@leadlex.com | General: lexi@leadlex.com
Data Protection Officer / Data Protection Contact. You can reach our data protection contact at lexi@leadlex.com. Where appointment of an external Data Protection Officer is required by mandatory law, the contact will be published at https://leadlex.com/privacy and updated as necessary.
EU/UK Representative. Where required by Article 27 GDPR or UK GDPR, our representative will be designated and published at https://leadlex.com/privacy. Lead IP is established in the EU; a UK representative will be appointed if and when required by the UK GDPR.
2. Definitions
- "Applicable Data Protection Laws" means the GDPR; the German Federal Data Protection Act (BDSG); the German Telecommunications-Telemedia Data Protection Act (TDDDG, formerly TTDSG); the EU ePrivacy Directive 2002/58/EC as transposed in EU member states; the UK GDPR and the UK Data Protection Act 2018 (PECR for cookies/marketing); the Swiss Federal Act on Data Protection (FADP); the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") and analogous U.S. state privacy laws (Colorado CPA, Connecticut CTDPA, Virginia VCDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana CDPA and others, collectively the "U.S. State Privacy Laws"); Canada's PIPEDA and CASL; and any successor or equivalent laws.
- "Customer" means a business that subscribes to or uses the Platform under our Terms of Service.
- "Lead Database" means the database of business-to-business contact, company, firmographic, technographic and intent data that Lead IP compiles and makes available to Customers through the Platform.
- "Personal Data" means any information relating to an identified or identifiable natural person, including "personal information" as defined under U.S. State Privacy Laws.
- "Process(ing)" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, transmission, disclosure and deletion.
- "Sub-Processor" means a third party engaged by Lead IP to process Personal Data; the current list is published at https://leadlex.com/subprocessors.
3. Scope and Our Roles
Our role under data-protection law depends on the processing in question. To make this transparent, we set out our role for each category below:
- Visitors to leadlex.com — Controller (see Section 5).
- Account administrators and Authorised Users of a Customer account — Controller (for account administration, billing, security, support and product analytics) and Processor (when processing Customer Data on behalf of the Customer under our DPA). See Section 6.
- Customer Data uploaded by a Customer to the Platform (e.g. CRM contacts, prospects imported, AI prompts, drafts) — Processor on behalf of the Customer (Customer is controller). Governed by our DPA. See Sections 6 and 8.
- Prospects whose information is in our Lead Database — Independent Controller (until import into a Customer workspace; once imported, the Customer is controller for its own use of the record). See Section 7.
- Recipients of outreach campaigns sent through LeadLex by a Customer — Processor on behalf of the Customer for the act of sending; the Customer is controller of the campaign and recipient list. See Section 8.
- Applicants, partners, vendor contacts and other business contacts — Controller (see Section 9).
4. Categories of Personal Data We Process (Summary)
Depending on the section that applies to you, we may process the categories of Personal Data listed below. Detailed disclosures (purposes, legal basis, retention) appear in the section that applies to you.
- Identification and contact data: name, business email, business phone, job title, employer, work address, professional social profile (e.g., LinkedIn).
- Account data: login credentials (passwords stored as salted hashes), authentication tokens, multi-factor authentication settings, role/permissions, preferences.
- Communication data: emails, chats, support tickets, voice recordings (where supported and lawfully made), AI prompts and drafts.
- Usage and device data: IP address, device identifiers, browser type/version, operating system, language, time zone, referrer, pages visited, click events, session metadata.
- Billing and commercial data: company billing details, VAT/tax IDs, payment-method tokens (we do not store full card numbers — handled by our PCI-DSS-compliant payment processors), order and invoice history.
- Marketing data: subscription status, campaign engagement (opens, clicks where lawful), preferences, suppression status.
- Lead Database data (about prospects): name, business contact data, employer, role, industry, firmographics, technographics and inferred intent signals; sources are described in Section 7.
- Recruitment data (if you apply for a role with us): CV/résumé, cover letter, qualifications, references, communications.
Special categories. We do not knowingly collect special categories of Personal Data (Article 9 GDPR — e.g., health, racial/ethnic origin, political/religious beliefs, sexual orientation, biometric data) or criminal-conviction data. Please do not provide such data to us through any free-text fields.
Children. The Services are not directed to individuals under 18, and we do not knowingly collect Personal Data from children. See Section 20.
5. Website Visitors (leadlex.com)
This section applies if you visit our Website. We process the following Personal Data:
- Operating, securing and stabilising the Website (server logs: IP, timestamp, requested resource, user agent, referrer). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a secure and functional website); § 25(2)(2) TDDDG for technically necessary access. Retention: 7 days for IP addresses; 90 days for aggregated logs.
- Responding to enquiries via contact form, chat or email. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) (legitimate interest in answering enquiries). Retention: up to 24 months after the last interaction, unless retained for accounting/legal reasons.
- Newsletter and marketing emails (where you opt in). Legal basis: Art. 6(1)(a) GDPR; § 7(2)(3) UWG / Art. 13 ePrivacy Directive. Retention: until you unsubscribe; suppression list kept indefinitely to honour opt-outs.
- Cookies and similar technologies (analytics, preference, marketing — only with consent). Legal basis: Art. 6(1)(a) GDPR; § 25(1) TDDDG; Art. 5(3) ePrivacy Directive; PECR (UK). Retention: see cookie tool; typically 1 day to 24 months — full table in cookie banner / Section 10.
- Detecting and defending against attacks (e.g., bot mitigation, WAF). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security). Retention: up to 12 months for security event records.
- Compliance with legal obligations (e.g., responding to lawful requests). Legal basis: Art. 6(1)(c) GDPR. Retention: as required by law.
5.1 Cookies. Section 10 contains the detailed cookie disclosure. Strictly necessary cookies are placed without consent under § 25(2) TDDDG; all other categories require your consent, which you can grant or withdraw at any time via our cookie management tool.
5.2 Provision of data. Provision of Personal Data is generally voluntary. Some data (e.g., IP address, device info) is technically necessary to deliver a webpage to you and is processed on a legitimate-interest basis. Without it, we cannot deliver the Website.
6. Customer Account Administrators and Authorised Users (Platform)
This section applies if you register for, administer or use the LeadLex Platform on behalf of a Customer.
- Account creation, identity verification, KYC/AML and fraud prevention. Legal basis: Art. 6(1)(b) (contract performance); Art. 6(1)(c) (legal obligations); Art. 6(1)(f) (fraud prevention legitimate interest). Retention: duration of account + retention for legal obligations (up to 10 years for accounting; up to 6 years for tax under § 147 AO / § 257 HGB).
- Authentication, session management and account security (incl. MFA, session tokens, audit logs). Legal basis: Art. 6(1)(b); Art. 6(1)(f) (security legitimate interest). Retention: audit logs 12 months; longer where reasonably required for security investigations.
- Provision of the Platform and processing of Customer Data on behalf of the Customer. Legal basis: Art. 6(1)(b) with Customer; Art. 28 GDPR processor relationship governed by the DPA at https://leadlex.com/dpa. Retention: per DPA / Customer instruction; default 30-day post-termination export window then deletion (subject to legal retention).
- Customer support, troubleshooting, account management. Legal basis: Art. 6(1)(b); Art. 6(1)(f). Retention: up to 24 months after closure of the support case.
- Service quality, reliability, debugging and product analytics (using usage data and aggregated metrics). Legal basis: Art. 6(1)(f) (legitimate interest in improving the Service). Retention: aggregated/de-identified data retained indefinitely; raw event logs typically 13 months.
- Billing, invoicing, payment processing and dunning. Legal basis: Art. 6(1)(b); Art. 6(1)(c). Retention: up to 10 years for accounting records (German tax/commercial law).
- Service announcements, security and outage notices, transactional emails. Legal basis: Art. 6(1)(b); Art. 6(1)(f). Retention: until account termination.
- Marketing communications to the administrator's business email about new features/upsell (subject to opt-out). Legal basis: Art. 6(1)(f) GDPR; § 7(3) UWG (where the conditions of existing customer relationship are met). Retention: until you opt out; suppression list kept thereafter.
- Compliance with legal obligations and exercise/defence of legal claims. Legal basis: Art. 6(1)(c); Art. 6(1)(f). Retention: as required by law / for the duration of any claim period.
6.1 Provision of data. Account-creation data is required to enter into and perform the contract for the Platform; without it, we cannot provide an account.
6.2 Customer Data. When you upload, create or transmit Personal Data to the Platform that relates to third parties (e.g., your prospects, contacts or end-recipients), the Customer is the controller and Lead IP is the processor; processing is governed by our Data Processing Addendum at https://leadlex.com/dpa. The Customer is responsible for the lawful basis and information notices required for those individuals.
7. Prospects in our Lead Database — Article 14 GDPR Notice
This section is our notice under Article 14 GDPR (and equivalent transparency obligations under the UK GDPR, Swiss FADP and U.S. State Privacy Laws) for individuals whose business contact data is included in our Lead Database. We have not collected this information directly from you; we collected it from publicly available business sources or licensed third-party data providers as set out below.
7.1 Categories of Personal Data. Business identification (full name, professional/business title), business contact (work email, work phone where available), employer, employer industry and size, work location (city/country), public professional profile URLs, and inferred B2B signals such as technologies used by the employer or job-change signals. We focus on data relevant in a professional capacity; we do not seek to collect personal phone numbers, home addresses or special-category data.
7.2 Sources. We obtain Lead Database data from: (a) publicly available business sources, including company websites, professional networking sites (used in compliance with their applicable terms of service), public registers, news and press releases; (b) licensed third-party data providers and enrichment partners under written agreements requiring lawful sourcing; (c) opt-in submissions from Customers and partners; and (d) inferences derived by us from the foregoing (e.g., role classification, intent scoring). The current list of categories of sources is at https://leadlex.com/data-sources.
7.3 Purposes. We process Lead Database data to (a) compile and maintain a B2B prospecting database, (b) make the database available to Customers for their B2B sales, marketing, recruiting and CRM purposes, (c) verify, deduplicate, classify and enrich records for accuracy, (d) detect fraudulent, malicious or unlawful records, and (e) comply with our legal obligations and respond to data-subject requests.
7.4 Legal basis. We rely on legitimate interests (Article 6(1)(f) GDPR; equivalent provisions under the UK GDPR and Swiss FADP) to compile and offer a B2B prospecting database. Our legitimate interest is to enable lawful B2B sales, marketing, recruiting and account research; the European Commission and the GDPR (Recital 47) recognise direct marketing as a legitimate interest, and B2B contact data is widely accepted to fall within this where the data is limited to professional-capacity information and where data-subject rights (in particular the right to object — Art. 21 GDPR) are honoured. We have conducted and document a Legitimate Interests Assessment (LIA) balancing our interest against your fundamental rights and freedoms; you may request a summary by writing to lexi@leadlex.com.
7.5 Recipients. Lead Database records are made available to our Customers within the Platform. The current list of Sub-Processors that host or operate parts of the Lead Database (e.g., infrastructure, search, enrichment partners) is at https://leadlex.com/subprocessors.
7.6 International transfers. Where we transfer Lead Database data outside the EEA, UK or Switzerland to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (Module One — Controller to Controller — for our independent-controller transfers, or other applicable modules), the UK Addendum and the Swiss-recognised SCCs, with supplementary measures as required (Section 13).
7.7 Retention. We retain Lead Database records for as long as the data is reasonably current, accurate and useful for B2B prospecting and is not the subject of a deletion or objection request. We periodically review and remove records that are stale (typically after 36 months without confirmation) or that we have a reasonable basis to believe are inaccurate. Where you object or request deletion under Section 17, we suppress your record and (where feasible) delete it.
7.8 Your rights — easy opt-out. You can object to all processing of your Personal Data in our Lead Database, request access to your record, request correction or deletion at any time, free of charge, by writing to lexi@leadlex.com or by using the self-service form at https://leadlex.com/privacy/opt-out. We will action verifiable requests within 30 days (extendable as permitted by law). When we suppress or delete your record, we communicate that suppression to Customers who have imported your record, requesting they cease processing.
7.9 Profiling and inferred data. We may classify, score or rank Lead Database records based on inferred B2B intent (e.g., role seniority, employer technology use, job-change signals). This profiling is performed for the purpose of helping Customers find relevant B2B contacts; it does not produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. You have the right to object to this profiling under Section 17.
7.10 No special-category processing. We do not include special-category Personal Data (Article 9 GDPR) in our Lead Database.
8. Recipients of Outreach Sent Through LeadLex by Our Customers
This section applies if you have received an email, message or call sent through the LeadLex Platform by one of our Customers (the "Sender").
8.1 Roles. The Sender is the controller of the campaign and the recipient list. Lead IP processes recipient data on behalf of the Sender (as processor) for the purpose of delivering the message. Lead IP also processes deliverability and abuse-prevention metadata as an independent controller for the limited purpose of protecting the integrity of our infrastructure (e.g., spam suppression lists, abuse signals).
8.2 Where to direct your request. If you received outreach through LeadLex and want to (a) understand why you were contacted, (b) be removed from the campaign, (c) exercise other data-subject rights, please use the unsubscribe link in the message and/or contact the Sender directly using the contact details in the message footer. The Sender, as controller, is primarily responsible for responding.
8.3 Lead IP's assistance. If you cannot identify or reach the Sender, or if you wish to report a suspected violation of our Acceptable Use Policy (e.g., spam, harassment, impersonation), contact us at lexi@leadlex.com or lexi@leadlex.com. We will (a) globally suppress your address from outreach sent through the Platform across all Customers, (b) where we can identify the Sender, route your data-subject request to them and assist them in compliance, and (c) take appropriate action against the Sender under our Terms of Service if a violation is confirmed.
8.4 Categories. Recipient data may include your business email address, work phone, name, title, employer and any inferred information uploaded or imported by the Sender, as well as engagement metadata (e.g., delivery, open and click events) where lawfully captured.
8.5 Retention. Lead IP retains recipient data on the Sender's behalf for the duration of the Sender's subscription and the Sender's configured retention. Lead IP retains global suppression-list data indefinitely (limited to email address hash and minimal metadata) to honour opt-outs across the Platform.
9. Applicants, Partners, Vendors and Other Business Contacts
9.1 Applicants. If you apply for a role with Lead IP, we process your application data (CV, cover letter, qualifications, references, communications, interview notes) under Art. 6(1)(b) GDPR (pre-contractual measures); § 26 BDSG (employment-relationship-related processing under German law); Art. 6(1)(f) GDPR (our legitimate interest in evaluating candidates and defending against discrimination claims); and, where applicable, Art. 6(1)(a) GDPR (consent to retain your data in our talent pool). Application data is retained for up to 6 months after the position is filled (to defend against AGG/anti-discrimination claims), and longer with your consent for talent-pool inclusion.
9.2 Vendor and partner contacts. Where you are the contact person for one of our vendors, partners, advisors or service providers, we process your business contact data and communications under Art. 6(1)(b) (where you are personally a party) and Art. 6(1)(f) (where the contract is with your employer and we have a legitimate interest in dealing with the appropriate contact person), for the duration of the relationship and applicable retention periods.
10. Cookies and Similar Technologies
10.1 What we use. We use cookies and similar technologies (e.g., local storage, pixels, SDKs) on the Website and within the Platform. Cookies fall into the following categories:
- Strictly necessary: required to deliver the page or core platform functionality (e.g., session, CSRF, load balancing, login). Set without consent under § 25(2)(2) TDDDG / Art. 5(3) ePrivacy Directive.
- Functional: remember preferences and improve usability (e.g., language, interface state). Set with consent.
- Analytics/performance: measure aggregated usage and improve the Service (e.g., self-hosted Matomo with IP anonymisation; or pseudonymised Google Analytics if enabled). Set with consent.
- Marketing: support advertising/retargeting where used (e.g., LinkedIn Insight Tag, Meta Pixel) — only set with explicit consent.
10.2 Consent. All non-strictly-necessary cookies require your consent under § 25(1) TDDDG, Art. 5(3) ePrivacy Directive and PECR. You can grant, refuse or withdraw consent at any time via our cookie banner / preference centre. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. The full, current cookie list (provider, purpose, duration) is available via the cookie banner and at https://leadlex.com/cookies.
10.3 Do Not Track / Global Privacy Control. We honour Global Privacy Control (GPC) signals where required by U.S. State Privacy Laws (e.g., California). Browser-based DNT signals are not standardised and are not honoured automatically; please use our cookie preference centre.
11. AI Features and Anthropic Processing
11.1 What AI Features do. The Platform offers AI Features that use machine-learning models to assist Customers (e.g., drafting outreach messages, summarising conversations, classifying or scoring leads, conversational assistance). AI Features may process Personal Data contained in Customer Data, prompts, prospect records and AI Output.
11.2 Anthropic as Sub-Processor. Lead IP integrates with Anthropic, PBC (USA) via API to access the Claude family of large language models. When AI Features are invoked, the relevant inputs are transmitted to Anthropic for inference and the output is returned to the Platform. Anthropic acts as a Sub-Processor.
11.3 No training on your data. Lead IP does not use Customer Data, prompts or AI Output to train, fine-tune or improve any general-purpose AI model. Lead IP has contracted with Anthropic on the basis that Anthropic does not train its foundation models on inputs or outputs submitted via the commercial API. Where supported by Anthropic, Lead IP applies a zero-data-retention configuration for AI inference; otherwise, inference data is retained by Anthropic only for the limited period and purposes set out in our DPA (e.g., short-term abuse monitoring) and is not used for training.
11.4 Quality and safety telemetry. We may use limited, aggregated or de-identified telemetry (e.g., latency, error rates, structural metadata about prompts) to monitor the safety, reliability and performance of AI Features. We do not use the substantive content of Customer prompts or AI Output for that purpose unless it has been effectively de-identified or aggregated such that it does not constitute Personal Data.
11.5 International transfer. AI inference involves transfers to the United States. We rely on the EU Standard Contractual Clauses, UK Addendum and the Swiss-recognised SCCs, supplemented by Anthropic's technical and organisational measures and our supplementary measures (Section 13).
11.6 Limitations of AI Output. AI Output is generated probabilistically and may contain errors, omissions or fabricated facts. Customers must review AI Output before relying on it for any decision producing legal or similarly significant effects. AI Features do not, in themselves, take automated decisions producing legal or similarly significant effects on individuals within the meaning of Article 22 GDPR (Section 16).
12. Recipients and Disclosure of Personal Data
We disclose Personal Data only as needed for the purposes set out in this Policy and only to the categories of recipients below:
- Sub-Processors and processors (Article 28 GDPR engagements; full list at https://leadlex.com/subprocessors).
- Other Customers — only insofar as a Customer has imported your Lead Database record into their workspace. After import, the Customer becomes the controller for its own use of that record (Section 7).
- Professional advisors under confidentiality.
- Authorities, regulators, courts and law-enforcement agencies where required by law, court order or to defend legal claims.
- Acquirers in a corporate transaction, subject to appropriate confidentiality and Applicable Data Protection Laws.
- With your consent or at your direction.
Selling and sharing of Personal Data. We do not sell or share (as defined under the CCPA/CPRA) Personal Data of California consumers, and we do not engage in "targeted advertising" within the meaning of Colorado, Connecticut, Virginia, Texas, Oregon or other U.S. State Privacy Laws. To the extent that making the Lead Database available to Customers as part of a B2B subscription is treated as a "sale" or "sharing" under any U.S. State Privacy Law, we honour applicable opt-out rights under Section 18.
13. International Data Transfers
Lead IP is established in the EU. Some Sub-Processors and integrations may process Personal Data outside the EEA, UK or Switzerland (e.g., in the United States, Canada, the United Kingdom or other jurisdictions). For transfers to a country without an adequacy decision, we rely on the following safeguards:
- EU Standard Contractual Clauses 2021/914 (Module Two — Controller to Processor — and where relevant Module One or Three);
- UK Addendum to the EU SCCs (or the UK International Data Transfer Agreement, where applicable);
- Swiss FDPIC-recognised SCCs for transfers from Switzerland;
- EU-U.S. Data Privacy Framework (DPF) where the recipient is certified under the DPF;
- Supplementary technical and organisational measures (e.g., encryption in transit and at rest, pseudonymisation where feasible, access controls, contractual restrictions on government-access requests);
- Transfer Impact Assessments (TIAs) for material transfers, available on request to lexi@leadlex.com.
Copies. You may request a copy of the relevant safeguards and the redacted SCC text by writing to lexi@leadlex.com. The current list of Sub-Processors, including country and applicable safeguard, is at https://leadlex.com/subprocessors.
14. Retention of Personal Data
We retain Personal Data only as long as necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements, and for the establishment, exercise or defence of legal claims. The principal retention periods are summarised below; specific retention is detailed in Sections 5–9.
- Server logs / IP addresses (Website): 7 days.
- Aggregated/anonymised usage analytics: up to 24 months.
- Account data: duration of account + legal retention periods.
- Customer Data (in Customer workspace): per Customer instruction; default 30-day post-termination export window then deletion (subject to legal retention).
- Lead Database records: while reasonably current and not opted-out; reviewed at least every 36 months.
- Suppression / opt-out lists: indefinitely (limited to identifier hash and minimal metadata) to honour your opt-out.
- Billing / accounting records: up to 10 years (German tax/commercial law: §§ 147 AO, 257 HGB).
- Support tickets: up to 24 months after closure.
- Audit logs and security event records: typically 12 months; longer where reasonably required for security investigations.
- Application data (job applicants): 6 months after position fill (or longer with consent for talent pool).
15. Security of Personal Data
We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Role-based access controls, least-privilege access and multi-factor authentication for personnel access to production systems.
- Network and host hardening, vulnerability management and patching.
- Centralised logging, monitoring and anomaly detection.
- Secure software-development practices including code review, dependency scanning and pre-deployment security testing.
- Regular penetration testing and remediation.
- Personnel screening, security training and confidentiality obligations.
- Physical security through enterprise cloud providers in the EU (e.g., AWS in Frankfurt or equivalent EU region).
- Business continuity and disaster-recovery procedures.
Despite our efforts, no security measures are perfect. We will notify the competent supervisory authority and, where required, affected data subjects of personal data breaches in accordance with Articles 33–34 GDPR (and equivalent obligations under other Applicable Data Protection Laws).
16. Automated Decision-Making and Profiling
We use AI Features and inferred data to perform profiling — for example, classifying or scoring B2B prospects (Section 7.9), drafting outreach (Section 11), or detecting fraud and abuse. We do not make decisions based solely on automated processing that produce legal effects concerning you, or similarly significantly affect you, within the meaning of Article 22(1) GDPR. Where a Customer configures an autonomous AI Agent within their workspace to send communications without per-message human review, the Customer remains the controller and is responsible for compliance with Article 22 GDPR; Lead IP processes those communications on the Customer's behalf.
You have the right to object at any time to profiling under Section 17 / 18.
17. Your Rights (EEA, UK, Switzerland)
If you are in the EEA, the United Kingdom or Switzerland, you have the following rights, subject to the conditions and limitations set out in Applicable Data Protection Laws:
- Right of access: to obtain confirmation of whether we process your Personal Data and a copy of that data (Art. 15 GDPR; equivalent provisions UK GDPR / FADP).
- Right to rectification: to correct inaccurate or incomplete Personal Data (Art. 16 GDPR).
- Right to erasure: to obtain deletion in certain circumstances (Art. 17 GDPR).
- Right to restriction: to limit our processing in certain circumstances (Art. 18 GDPR).
- Right to data portability: to receive Personal Data you have provided in a structured, commonly used, machine-readable format and to transmit it to another controller (Art. 20 GDPR).
- Right to object: to processing based on legitimate interests, including profiling on that basis (this applies in particular to our Lead Database — Section 7), and to object to direct marketing absolutely (Art. 21 GDPR).
- Right to withdraw consent: at any time, without affecting prior lawfulness (Art. 7(3) GDPR).
- Rights related to automated decision-making: (Art. 22 GDPR; Section 16).
- Right to lodge a complaint: with a supervisory authority (Art. 77 GDPR; Section 23).
How to exercise. Contact lexi@leadlex.com from the email address associated with your Account or the email address you wish to assert rights over. We may need to verify your identity. We respond within 30 days (extendable by 60 days for complex requests, with notice). Requests are free of charge unless manifestly unfounded or excessive.
18. Your Rights (United States — California, Colorado, Connecticut, Virginia, Utah and others)
If you are a resident of a U.S. state with a comprehensive privacy law, you may have the following rights under that state's law (terminology varies):
- Right to know / access: to confirm whether we process your personal information and to obtain a copy.
- Right to correct: to correct inaccurate personal information.
- Right to delete: to delete personal information collected from you, subject to exceptions.
- Right to portability: to receive your personal information in a portable format.
- Right to opt out of sale or sharing: we do not sell or share personal information for cross-context behavioural advertising. To the extent any disclosure is treated as a sale or sharing, you may opt out at https://leadlex.com/privacy/opt-out or by enabling Global Privacy Control.
- Right to opt out of targeted advertising: we do not engage in targeted advertising as defined under U.S. State Privacy Laws.
- Right to opt out of profiling for legally significant decisions: we do not engage in such profiling (Section 16).
- Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes other than those expressly permitted.
- Right to non-discrimination: we do not discriminate against you for exercising your privacy rights.
- Right to appeal: if we deny your request, you may appeal by replying to our denial; we will respond within the timeframe required by the applicable state law (typically 45–60 days).
- Authorised agent: you may use an authorised agent to submit requests on your behalf, subject to verification.
Categories collected (CCPA notice). In the preceding 12 months, we have collected the categories of personal information described in Section 4 from the sources described in Sections 5–9, for the purposes described in this Policy. We have disclosed personal information to the categories of recipients in Section 12.
Shine the Light (California Civil Code § 1798.83). We do not disclose Personal Information to third parties for their direct marketing purposes.
How to exercise. Submit your request at https://leadlex.com/privacy/opt-out or by emailing lexi@leadlex.com. We will respond within the timeframes required by applicable law.
19. Your Rights (Other Jurisdictions)
If you are located in another jurisdiction (e.g., Canada under PIPEDA, Brazil under LGPD, Australia under the Privacy Act, or other), you may have similar or additional rights under your local law. Contact lexi@leadlex.com to exercise applicable rights; we will assess and respond as required by the law that applies to you.
20. Children
The Services are intended for use by businesses and professionals. We do not knowingly direct the Services to, or knowingly collect Personal Data from, individuals under the age of 18 (or under the age of 13 in the United States, except where higher protections apply). If you believe we have collected Personal Data from a child, contact lexi@leadlex.com so we can delete it.
21. Marketing Communications
21.1 Email marketing. We send marketing emails to (i) individuals who have opted in (Art. 6(1)(a) GDPR), and (ii) existing business customers about similar services (Art. 6(1)(f) GDPR; § 7(3) UWG, where the conditions are met). You can unsubscribe at any time using the link in any marketing email or by writing to lexi@leadlex.com. Suppression lists are kept indefinitely to honour your opt-out.
21.2 LinkedIn / professional outreach. Where we contact you on LinkedIn or other professional platforms, we rely on legitimate interests (Art. 6(1)(f)). You can opt out at any time by replying or by writing to lexi@leadlex.com.
22. Changes to This Policy
We may update this Policy from time to time to reflect legal, regulatory, technical or business changes. The current version, with the "Last Updated" date, will be published at https://leadlex.com/privacy. For material changes, we will notify you in advance by email or in-app notice where required. Continued use of the Services after the effective date of an update constitutes acknowledgement of the updated Policy, except where mandatory law requires explicit consent.
23. Complaints to Supervisory Authorities
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent supervisory authority. The lead supervisory authority for Lead IP is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Promenade 18, 91522 Ansbach, Germany https://www.lda.bayern.de — Tel.: +49 (0) 981 180093-0
You may also contact the supervisory authority of your habitual residence, place of work or place of an alleged infringement. UK residents may complain to the UK Information Commissioner's Office (ICO). Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC). U.S. residents may contact the relevant State Attorney General or, in California, the California Privacy Protection Agency (CPPA).
24. How to Contact Us
Lead IP GmbH Trogerstraße 50, 81675 Munich, Germany Commercial Register: Amtsgericht München, HRB 263320 VAT ID: DE340540578 Managing Directors: Alexander Messerer, Winston Schultze
- Privacy: lexi@leadlex.com
- Abuse / Outreach Complaints: lexi@leadlex.com
- Security: lexi@leadlex.com
- General: lexi@leadlex.com
- Web: https://leadlex.com | Platform: https://app.leadlex.com
© Lead IP GmbH. All rights reserved.