GDPR Compliance
1. Our Commitment to Data Protection
At LeadsEngage, we are committed to upholding the highest standards of privacy and data protection.
As a U.S.-based company providing an advanced, white-label engagement and automation platform, we empower businesses to manage communications and customer data responsibly under their own brand - while maintaining full compliance with the General Data Protection Regulation (GDPR) and UK GDPR.
This statement outlines how LeadsEngage ensures GDPR compliance. It should be read in conjunction with our [Privacy Policy], which provides complete details about our data processing practices.
2. Our Role: Data Controller vs. Data Processor
Understanding our role in handling data is key to understanding our GDPR obligations:
LeadsEngage as a Data Controller
When you interact directly with LeadsEngage - for example, by visiting our website, creating an account, managing billing, or contacting our support team - LeadsEngage determines the purposes and means of processing your personal data. In this context, we act as the Data Controller.
LeadsEngage as a Data Processor
When you, as a client, use our Services to process, store, or analyze personal data belonging to your customers or end-users (“Client Data”), you act as the Data Controller and LeadsEngage acts as your Data Processor. We process Client Data only on your documented instructions and in accordance with our Data Processing Addendum (DPA), which incorporates the European Commission’s Standard Contractual Clauses (SCCs).
3. How We Adhere to GDPR Principles
LeadsEngage’s data protection practices are built upon the seven core principles of GDPR:
- 1. Lawfulness, Fairness, and Transparency: We process personal data lawfully and transparently. Our Privacy Policy and this statement clearly explain what data we collect, why we collect it, and how it is used.
- 2. Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes only. Any lead or user data processed through our platform is used solely to deliver our Services - never for model training, profiling, or resale.
- 3. Data Minimization: We collect and process only the data that is strictly necessary for the stated purpose.
- 4. Accuracy: We maintain accurate and up-to-date records of personal data and provide mechanisms for correction upon request.
- 5. Storage Limitation: We retain personal data only for as long as needed to fulfill the purpose for which it was collected.
  - Client data (e.g., leads, conversations) is periodically reviewed and securely deleted when no longer needed.
  - Account data is retained only for the duration of your active account or as required by law.
- 6. Integrity and Confidentiality (Security): We employ strong technical and organizational security measures - including encryption (AES-256, TLS 1.2+), access control, employee security training, and incident response - to protect data from unauthorized access, alteration, or loss.
- 7. Accountability: We maintain detailed records of all data processing activities, perform regular audits, and provide Data Processing Agreements (DPAs) to formalize our processor commitments with clients.
4. Lawful Basis for Processing
LeadsEngage processes personal data only where a valid lawful basis exists, as defined under Articles 6 and 9 of the GDPR:
- Performance of a Contract: To provide the LeadsEngage Services that you subscribe to and manage your account.
- Legitimate Interests: To provide the LeadsEngage Services that you subscribe to and manage your account.
- Consent: For sending newsletters, marketing updates, or product communications. You may withdraw consent at any time.
5. Your Data Subject Rights
If you are located in the EU, EEA, UK, or Switzerland, you have specific rights under the GDPR regarding your personal data. These include the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct any inaccurate or incomplete data.
- Erasure (“Right to Be Forgotten”): Request deletion of your personal data where legally permissible.
- Restriction: Request limitations on how your data is processed.
- Portability: Receive your data in a structured, machine-readable format for transfer to another controller.
- Objection: Object to certain processing activities (e.g., direct marketing).
- Automated Decision-Making: Be free from decisions based solely on automated processing that produce legal or significant effects.
To exercise these rights, please contact us at:
Email: hello@leadsengage.com
We will respond to all valid requests within 30 days, as required by GDPR.
6. International Data Transfers
As a company based in the United States, LeadsEngage may transfer and process personal data on servers located in the U.S. or other jurisdictions. We ensure these transfers are lawful and secure through the use of:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK Addendum to SCCs for transfers from the United Kingdom
- Additional organizational and technical safeguards, including encryption and restricted access controls
These measures ensure that data transferred outside the EEA or UK receives an equivalent level of protection.
7. Data Protection Impact Assessments (DPIAs)
LeadsEngage supports Data Controllers in fulfilling their GDPR obligations by cooperating in Data Protection Impact Assessments where required. Upon request, we provide information about our processing activities, technical measures, and sub-processors to facilitate compliance.
8. Sub-Processors and Transparency
LeadsEngage uses carefully selected third-party sub-processors (such as cloud hosting, analytics, and communication providers) to deliver our Services. All sub-processors are vetted for compliance with GDPR, security standards, and confidentiality obligations.
A current list of our sub-processors is available upon request by emailing hello@leadsengage.com.
9. Data Breach Notification
In the unlikely event of a data breach involving personal data, LeadsEngage will:
- 1. Promptly assess the nature and scope of the incident.
- 2. Notify the relevant supervisory authority within 72 hours, when required.
- 3. Notify affected Data Controllers and users without undue delay.
- 4. Take corrective actions to mitigate the risk and prevent recurrence.

