Privacy Policy

Account information. When you register we collect your name, email address, and a hashed password. If you subscribe to a paid plan we also collect billing details processed by Stripe — we never store raw card numbers.

Usage data. We log the pages you visit, search queries you run, leads you unlock or export, and feature interactions. This data is used to operate and improve the platform.

Integration credentials. When you connect a CRM or email tool we store the OAuth tokens or API keys required to push data on your behalf. These are encrypted at rest and never shared.

Lead database. We maintain a database of business contact records (names, job titles, business emails, phone numbers, company details). This data is described in detail in Section 2 below.

Our lead database contains approximately 26 million business contact records and 4 million company records. This data is compiled from the following sources:

• Publicly available sources. Business information published on company websites, professional networking sites, government filings, press releases, and other public records.
• Licensed data providers. Third-party data vendors who compile and license business contact information.
• User contributions. Information submitted or enriched by LeadLeap users in the course of using the platform.

The lead database contains professional/business information only: names, job titles, business email addresses, business phone numbers, company names, industry, company size, location, and LinkedIn profile URLs.

We do not intentionally collect sensitive personal data such as race, ethnicity, religious beliefs, health information, sexual orientation, or biometric data.

For registered users (account holders):

• Provide, maintain, and secure the LeadLeap platform.
• Process payments and send transactional emails (receipts, alerts).
• Improve search quality, feature relevance, and platform performance.
• Send product updates and announcements (you may opt out at any time).
• Comply with legal obligations and enforce our Terms of Service.

For individuals in our lead database:

• Make business contact information searchable by our registered users for B2B sales and marketing purposes.
• Enrich and verify business data for accuracy.
• Display data in search results with contact details masked until unlocked by a paying user.

Our lawful basis for processing lead data under GDPR is legitimate interest (Article 6(1)(f)) — specifically, the interest in enabling business-to-business communications. We have conducted a Legitimate Interest Assessment and concluded that providing professional contact data for B2B outreach does not override the rights of data subjects, given the professional nature of the data and the opt-out mechanisms we provide.

We share data only in the following circumstances:

• With our users. When a registered user searches for and unlocks a lead record, they receive the contact information contained in that record. Users are contractually obligated to use this data lawfully.
• Connected integrations. When a user pushes leads to a CRM or email platform, data is transmitted to that service per their instructions.
• Payment processor. Billing details are handled by Stripe (PCI-compliant). We receive only a token and subscription status.
• Legal requirements. We may disclose information if required by law, court order, or to protect the rights and safety of LeadLeap and its users.

We do not sell your account information. For information about how we handle lead database records under California law, see Section 8: Do Not Sell or Share.

LeadLeap operates as a data broker under certain state laws, including the California Consumer Privacy Act (CCPA/CPRA) and similar legislation. This means we collect and make available personal information about individuals with whom we do not have a direct relationship.

We are registered as a data broker with the California Privacy Protection Agency as required under California Civil Code Section 1798.99.80 et seq.

If you are a person whose information appears in our lead database and you have not created a LeadLeap account, you have the right to:

• Request to know what data we hold about you.
• Request deletion of your data from our database.
• Opt out of the sale or sharing of your personal information.

To exercise these rights, visit our Privacy Request Center or email [email protected].

If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:

• Right of access (Art. 15) — Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17) — Request deletion of your personal data from our systems.
• Right to restrict processing (Art. 18) — Request that we limit how we use your data while a complaint is being resolved.
• Right to data portability (Art. 20) — Receive your data in a structured, commonly used format.
• Right to object (Art. 21) — Object to our processing of your data based on legitimate interest. Upon receiving an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to lodge a complaint — You may file a complaint with your local Data Protection Authority.

We will respond to verified requests within 30 days. To submit a request, visit our Privacy Request Center.

If you are a California resident, the California Consumer Privacy Act (as amended by CPRA) grants you the following rights:

• Right to know — Request what personal information we have collected, the sources, the business purpose, and the categories of third parties we share it with.
• Right to delete — Request deletion of your personal information from our systems.
• Right to correct — Request correction of inaccurate personal information.
• Right to opt out of sale/sharing — Direct us to stop selling or sharing your personal information. See Do Not Sell or Share My Personal Information.
• Right to non-discrimination — We will not deny you services, charge different prices, or provide a different level of quality because you exercised your privacy rights.

Categories of personal information collected: Identifiers (name, email, phone), professional information (job title, company), geolocation data (city, state, country), internet activity (usage logs for account holders).

Categories of personal information sold or shared: Identifiers and professional information from our lead database are made available to registered users for B2B outreach purposes.

We will respond to verified requests within 45 days (with a possible 45-day extension if needed, with notice).

Under the CCPA/CPRA, making business contact information available to our registered users may constitute a “sale” or “sharing” of personal information. You have the right to opt out.

To opt out, you may:

• Visit our Do Not Sell or Share My Personal Information page.
• Submit a request through our Privacy Request Center.
• Email [email protected] with the subject line “Do Not Sell.”
• Enable the Global Privacy Control (GPC) signal in your browser. We honor GPC as a valid opt-out request.

Once we process your opt-out, your information will be added to our global suppression list and excluded from all future search results. This typically takes effect within 10 business days.

We recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing request under CCPA/CPRA. When we detect the Sec-GPC: 1 header or equivalent browser signal, we treat it as a request to opt out of the sale or sharing of personal information associated with that browser or device.

Learn more about GPC at globalprivacycontrol.org.

Whether or not you have a LeadLeap account, if your personal information appears in our lead database, you can request:

• Data access — see what information we hold about you.
• Data deletion — permanent removal from our database.
• Opt-out of sale — exclude your record from search results.

Submit requests via our Privacy Request Center or email [email protected].

When we process a deletion request, we add your email to a permanent global suppression list to ensure your data is not re-imported in future data refreshes. Your information will be removed from active search results and excluded from all exports.

API keys, OAuth tokens, and other credentials you provide to connect third-party services are:

• Encrypted at rest using industry-standard AES-256 encryption.
• Never logged, printed to application logs, or included in error reports.
• Never shared with any party other than the integration service you authorized.
• Deleted immediately when you disconnect an integration or close your account.

Account data (profile, usage history, unlocked leads) is retained while your account is active. If you delete your account, we permanently remove your personal data within 30 days, except where retention is required by law (e.g., billing records for tax purposes, retained for up to 7 years).

Lead database records are retained until the data subject requests deletion or we determine the record is no longer accurate. We periodically review and purge stale records.

Suppression list entries are retained indefinitely to prevent re-import of opted-out records.

Privacy request audit logs are retained for 3 years to demonstrate compliance with GDPR and CCPA.

We apply industry-standard security measures including TLS in transit, encrypted storage for sensitive credentials, and access controls that limit data exposure to authorized personnel only. No system is perfectly secure; if you discover a vulnerability please disclose it responsibly to [email protected].

Our servers are located in North America. If you are accessing LeadLeap from outside this region, your data may be transferred to and processed in the United States or Canada. We take reasonable steps to ensure your data receives an adequate level of protection regardless of where it is processed.

For EEA/UK residents, transfers are conducted based on our legitimate interest assessment and applicable legal mechanisms. You may contact us for more information about the safeguards in place.

LeadLeap is a B2B platform intended for business professionals. We do not knowingly collect personal data from anyone under the age of 18. If we learn that we have collected data from a minor, we will promptly delete it. If you believe a minor's information is in our database, contact us at [email protected].

We use only essential session cookies required for authentication and basic site functionality. We do not use advertising, tracking, or third-party analytics cookies.

If we add non-essential cookies in the future, we will update this policy and provide a cookie consent mechanism before deploying them.

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or by a notice on the platform at least 14 days before taking effect. The “Last updated” date at the top reflects the current version.

For privacy-related questions, data requests, or concerns, reach us at: