Privacy Policy

Last Updated: January 20, 2026

1. Introduction

LeadDeus.io ("we", "us", "our") is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our email outreach platform.

IMPORTANT: LeadDeus.io acts as a Data Processor for your email campaigns. You (the User) are the Data Controller for any recipient data you upload. This means you are responsible for ensuring compliance with GDPR and other laws when handling recipient personal data.

2. Data Controller vs. Data Processor

2.1 We are the Data Controller for:

  • Your account data: Name, email, password, billing information
  • Platform usage data: Login history, feature usage, analytics
  • Support communications: Help desk tickets, emails

2.2 We are the Data Processor for:

  • Email recipient data: Email addresses, names, custom fields you upload
  • Email content: Subject lines, email bodies, attachments
  • Campaign data: Sending statistics, open/click tracking

For data we process on your behalf, see our Data Processing Agreement (DPA).

3. Personal Data We Collect

3.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (encrypted)
  • Company name (optional)
  • Country

3.2 Gmail Integration Data

When you connect Gmail accounts:

  • Gmail email address
  • OAuth access tokens (encrypted)
  • Refresh tokens (encrypted)
  • Account status and health metrics

Note: We never store your Gmail password. Authentication uses OAuth 2.0.

3.3 Payment Information

  • Billing address
  • Payment method type
  • Transaction history

Note: Credit card details are processed by our payment provider and never stored on our servers.

3.4 Usage Data

  • IP address
  • Browser type and version
  • Device information
  • Login timestamps
  • Feature usage statistics
  • Campaign performance metrics

3.5 Recipient Data (Processed on Your Behalf)

Data you upload about your email recipients:

  • Email addresses
  • Names (first name, last name)
  • Custom fields (company, title, etc.)
  • Email interaction data (opens, clicks, replies)
  • Unsubscribe status

4. How We Use Your Data

4.1 Account Data (We are the Controller)

Legal Basis: Contract performance, Legitimate interest

  • To create and manage your account
  • To authenticate you when you log in
  • To process payments and issue invoices
  • To provide customer support
  • To send service notifications (downtime, updates)
  • To improve our Platform and develop new features
  • To detect and prevent fraud or abuse

4.2 Recipient Data (We are the Processor)

Legal Basis: Your instructions as Data Controller

  • To send emails on your behalf
  • To track email performance (opens, clicks, replies)
  • To manage unsubscribes and bounces
  • To generate campaign analytics

Important: We only process recipient data according to your instructions. You are responsible for obtaining proper consent from recipients.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We share data with trusted providers who help us operate the Platform:

  • Google (Gmail API): Email sending and OAuth authentication
  • Cloud hosting provider: Data storage and infrastructure
  • Payment processors: Billing and subscription management
  • Analytics providers: Platform usage analytics
  • AI providers (OpenRouter, Anthropic): Email content generation

All providers are GDPR-compliant and have signed Data Processing Agreements (DPAs) with us.

5.2 Legal Requirements

We may disclose your data if required by:

  • Court order or subpoena
  • Legal obligation under EU or German law
  • Law enforcement requests (with valid legal basis)
  • To protect our rights, property, or safety

5.3 Business Transfers

If we are acquired or merge with another company, your data may be transferred. You will be notified of any such change.

5.4 We Never:

  • Sell your data to third parties
  • Use recipient data for our own marketing
  • Share data with advertisers
  • Transfer data outside the EU without proper safeguards

6. Data Security

We implement industry-standard security measures:

  • Encryption: All data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls: Role-based access, multi-factor authentication
  • Regular audits: Security assessments and vulnerability scans
  • Data backups: Regular encrypted backups with 30-day retention
  • Incident response: Breach notification within 72 hours (GDPR requirement)
  • OAuth security: Tokens encrypted and stored securely

7. Data Retention

7.1 Account Data

  • Active accounts: Retained while your account is active
  • Closed accounts: Deleted within 30 days of closure
  • Backups: Deleted from backups within 90 days

7.2 Recipient Data

  • Retained as long as you keep campaigns active
  • Deleted when you delete campaigns
  • Automatically deleted 30 days after account closure

7.3 Legal Retention

  • Billing records: 7 years (tax law requirement)
  • Consent records: 3 years after last contact
  • Support tickets: 2 years

8. Your Rights Under GDPR

As an EU data subject, you have the following rights:

8.1 Right of Access (Art. 15)

Request a copy of your personal data we hold.

8.2 Right to Rectification (Art. 16)

Correct inaccurate or incomplete data.

8.3 Right to Erasure (Art. 17) - "Right to be Forgotten"

Request deletion of your personal data (with certain exceptions).

8.4 Right to Restriction (Art. 18)

Restrict processing of your data under certain circumstances.

8.5 Right to Data Portability (Art. 20)

Receive your data in a machine-readable format (CSV, JSON).

8.6 Right to Object (Art. 21)

Object to processing based on legitimate interest.

8.7 Right to Withdraw Consent

Withdraw consent at any time (does not affect prior processing).

8.8 Right to Lodge a Complaint

File a complaint with your local data protection authority.

To exercise your rights: Email us at privacy@leaddeus.io or use the data export/deletion tools in your account settings.

9. Cookies and Tracking

9.1 Essential Cookies

Required for Platform functionality:

  • Session cookies (authentication)
  • Security cookies (CSRF protection)
  • Preference cookies (language, timezone)

9.2 Analytics Cookies

Help us improve the Platform (with your consent):

  • Usage statistics
  • Feature adoption tracking
  • Error logging

9.3 Email Tracking

For emails sent through our Platform:

  • Open tracking (invisible pixel)
  • Click tracking (link wrapping)
  • Recipients can disable tracking in their email client

10. International Data Transfers

Your data is primarily stored in the European Union (EU).

If we transfer data outside the EU, we ensure:

  • Standard Contractual Clauses (SCCs) are in place
  • Adequate protection under GDPR Art. 46
  • Compliance with EU-US Data Privacy Framework (if applicable)

11. Children's Privacy

Our Platform is not intended for children under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

  • We may update this Privacy Policy from time to time
  • Material changes will be notified via email or Platform notification
  • Continued use after changes constitutes acceptance
  • Previous versions will be archived and available upon request

13. Contact Information

For privacy-related questions or to exercise your rights:

EU Data Protection Authority: If you are not satisfied with our response, you can lodge a complaint with your local supervisory authority.

Related Documents: