Skip to content
THELEADS.APP
[ Home ] CS
// LEGAL

Privacy Policy

Last updated: 2026-05-04

1. Controller

The data controller is [Operator Name], [Address], ID [Company ID / IČO], contact [contact@your-domain]. Where required, our data protection contact is [DPO Name & Email — if appointed].

2. What we collect

  • Account data: name, email, hashed password, language preference.
  • Usage data: campaigns you create, search keywords, lead datasets, outreach drafts and sends.
  • Technical data: IP address, user agent, basic event logs (sign-in, errors).
  • Billing data: handled by our payment processor; we receive limited information (subscription status, invoice metadata).
  • Communications: support tickets, replies received in your unified inbox.

3. Why we process it (legal bases)

  • Contract (Art. 6(1)(b) GDPR): to operate your account, deliver scraping, outreach, and billing.
  • Legitimate interest (Art. 6(1)(f)): service security, abuse prevention, product analytics in aggregate.
  • Legal obligation (Art. 6(1)(c)): tax records, responses to lawful requests.
  • Consent (Art. 6(1)(a)): non-essential cookies, marketing emails.

4. Lead data you collect via the Service

When you scrape Google Maps, the resulting business records may include personal data of natural persons (e.g., a sole trader's name on a listing). For that data you are the controller and we are a processor acting on your instructions. You must have a lawful basis under GDPR (typically legitimate interest with a balancing test) and must honour data-subject rights, opt-outs, and suppression requests.

5. Sharing & sub-processors

We share data with vetted sub-processors strictly to operate the Service:

  • Cloud hosting & database (Supabase / Cloudflare).
  • Email sending (e.g., Resend) for transactional and outreach emails you send.
  • AI providers for personalization (Google, OpenAI) — content is sent for generation only.
  • Payment processor (e.g., Stripe / Paddle) for billing.
  • Error and product analytics in anonymized or aggregated form.

6. International transfers

Some sub-processors are located outside the EEA. Transfers rely on European Commission Standard Contractual Clauses (SCCs) and additional safeguards where required.

7. Retention

  • Account data: while the account is active and 90 days after deletion.
  • Lead datasets: while the campaign exists, deleted with the campaign.
  • Billing records: as required by tax law (typically 10 years).
  • Logs: up to 30 days.

8. Your rights (EU/EEA/UK residents)

You have the right to access, rectify, erase, restrict or object to processing, data portability, and to withdraw consent at any time. Send requests to [contact@your-domain]. You may also lodge a complaint with your local supervisory authority (in the Czech Republic: ÚOOÚ — uoou.cz).

9. Security

We use industry-standard measures: encryption in transit (TLS), encryption at rest, role-based access, Row-Level Security on user data, audit logging, and least-privilege service keys.

10. Children

The Service is not directed to anyone under 16. We do not knowingly collect data from children.

11. Changes

We will notify you of material changes via the Service or email.

12. Contact

Privacy questions: [contact@your-domain]. Full domain: [your-domain.com].