Data Protection & Compliance

GDPR Compliance

LeadFlow is fully compliant with the General Data Protection Regulation (GDPR). We ensure:

  • Lawful basis for data processing (legitimate business interest)
  • Data minimization - we only collect necessary data
  • Right to access, rectification, and erasure
  • Data portability requests processed within 30 days
  • Data Processing Agreements available for customers
  • Privacy by design in all our systems

CCPA Compliance (California)

We comply with the California Consumer Privacy Act (CCPA) by providing:

  • Clear disclosure of data collection practices
  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of data sales (we do not sell data)
  • Non-discrimination for exercising CCPA rights

CAN-SPAM Act Compliance

All emails sent through LeadFlow comply with the CAN-SPAM Act:

  • Clear identification of the message as an advertisement
  • Honest subject lines
  • Physical postal address of sender included
  • Clear and conspicuous unsubscribe mechanism
  • Honor unsubscribe requests within 10 business days
  • Monitor third-party compliance

Email Warm-up & Sender Reputation

We implement automatic email warm-up to protect your sender reputation:

  • Gradual increase in sending volume over time
  • Spacing of emails to avoid spam filters
  • SPF, DKIM, and DMARC configuration support
  • Bounce rate monitoring and handling
  • Complaint rate tracking
  • Daily sending limits to maintain sender health

Web Scraping Ethics

Our lead scraping practices follow ethical guidelines:

  • Respect robots.txt and scraping policies
  • Only collect publicly available business data
  • No personal data collection unless publicly listed in job title
  • Comply with terms of service of scraped sources
  • Rate limiting to avoid server strain
  • Transparent about data sources to users

Data Retention

We retain your data as follows:

  • Account data: As long as the account is active
  • Email logs: 2 years for compliance and analytics
  • Lead data: Until you delete or export
  • Opt-out lists: Indefinitely to prevent re-contact
  • Backups: 90 days after deletion
  • You can request data deletion at any time

Data Breach Notification

In the event of a data breach affecting your information, we will:

  • Notify you within 72 hours (GDPR requirement)
  • Provide details of the breach and affected data
  • Explain steps we're taking to resolve it
  • Offer free credit monitoring if appropriate
  • Report to relevant authorities as required

Security Practices

We maintain a secure environment through:

  • End-to-end encryption for sensitive data
  • Two-factor authentication for accounts
  • Regular security audits and penetration testing
  • Employee data handling training
  • Secure password storage with bcrypt hashing
  • Regular software updates and patches

Contact & Support

For compliance-related questions or data subject requests, contact:

Email: compliance@leadflow.io

Data Protection Officer: dpo@leadflow.io

We typically respond to data subject access requests within 30 days and deletion requests within 48 hours.