Skip to content
THELEADS.APP
[ Home ] CS
// LEGAL

GDPR Compliance

Last updated: 2026-05-04

1. Scope

This page explains how THELEADS.APP, operated by [Operator Name], complies with Regulation (EU) 2016/679 (GDPR) and the Czech Act No. 110/2019 Coll. on Personal Data Processing. It supplements our Privacy Policy.

2. Roles

  • Account & usage data: we are the controller.
  • Lead data scraped via the Service: you are the controller; we act as processor.
  • Reply / inbox content: joint or independent controllership depending on the message.

3. Data Processing Agreement (DPA)

A DPA is offered to all paying customers and forms part of these Terms when accepted. If you require a countersigned DPA before processing begins, contact [contact@your-domain].

4. Sub-processors

Current sub-processors are listed in our Privacy Policy and may include:

  • Supabase (database and authentication) — EU/US.
  • Cloudflare (edge hosting, DNS) — global.
  • Resend (email delivery) — EU/US.
  • Google Cloud / OpenAI (AI generation) — US.
  • Stripe / Paddle (payments) — EU/US.

We notify you of new sub-processors with at least 30 days' notice. You may object in writing.

5. Your rights as a data subject

  1. Access (Art. 15)
  2. Rectification (Art. 16)
  3. Erasure / "right to be forgotten" (Art. 17)
  4. Restriction of processing (Art. 18)
  5. Data portability (Art. 20)
  6. Object to processing (Art. 21)
  7. Not be subject to solely automated decision-making (Art. 22)
  8. Withdraw consent (Art. 7(3))
  9. Lodge a complaint (Art. 77)

To exercise any right, email [contact@your-domain]. We respond within 30 days.

6. Recipients of outreach emails

Recipients may always reply STOP, click an unsubscribe link, or contact us at [contact@your-domain] to be added to a global suppression list. The sender (the account that initiated the outreach) is the primary contact for data-subject requests; we will route requests we receive to the appropriate sender and assist as processor.

7. International transfers

Transfers outside the EEA rely on Standard Contractual Clauses (Module 2/3) and supplementary measures (encryption in transit and at rest, access controls, audit logging).

8. Breach notification

In the event of a personal data breach affecting Customer Data, we will notify affected customers without undue delay and in any case within 72 hours of becoming aware, with the information required by Art. 33(3) GDPR.

9. Supervisory authority

In the Czech Republic, the supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů — uoou.cz).