Privacy Policy
Effective date: April 10, 2026 | Last updated: April 10, 2026
1 — Who We Are
LeadOS is operated by Kristine Bjørgan Østby, a sole trader (enkeltpersonforetak) based in Norway. We are the data controller for personal data processed through this service.
Contact: hello@leados.tech
2 — Legal Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)) — processing your account data, ICP configuration, and leads is necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — usage analytics to improve the service.
- Legal obligation (Art. 6(1)(c)) — retaining transaction records for tax and accounting purposes.
- Consent (Art. 6(1)(a)) — cookies that are not strictly necessary.
3 — What Personal Data We Collect
Data you provide directly:
- Name and email address (account registration)
- Company URL and business description (onboarding)
- ICP configuration (target customer profile, signals, disqualifiers)
Data generated by the service:
- Lead records including company names, contact names, email addresses, phone numbers, and LinkedIn URLs sourced from third-party databases
- Outreach drafts you create
- Reply notes and pipeline status you set
Technical data collected automatically:
- IP address and browser/device information
- Pages visited and features used (analytics)
- Cookie identifiers (see Section 9)
4 — How We Use Your Data
- To create and manage your account
- To run the AI lead generation agent on your behalf
- To store and display your leads, pipeline, and outreach history
- To process payments and manage your subscription
- To send transactional emails (account confirmation, receipts)
- To improve and debug the service
- To comply with legal obligations
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in Section 5.
5 — Third-Party Data Processors
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database and authentication | EU (West EU region) | GDPR compliant, DPA in place |
| Anthropic | AI processing of website content and lead scoring | USA | Standard Contractual Clauses (SCCs) |
| Vercel | Application hosting and edge delivery | USA/EU | Standard Contractual Clauses (SCCs) |
| Lemonsqueezy | Payment processing and subscription management | USA | Standard Contractual Clauses (SCCs) |
| Serper.dev | Google search API for lead discovery | USA | Standard Contractual Clauses (SCCs) |
| Apollo.io | Contact enrichment (email, phone, LinkedIn) | USA | Standard Contractual Clauses (SCCs) |
6 — International Data Transfers
Some of our processors are based in the United States. When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, specifically Standard Contractual Clauses (SCCs) as approved by the European Commission.
7 — Automated Decision-Making
LeadOS uses AI (Claude by Anthropic) to automatically score leads based on your ICP configuration. This constitutes automated processing under GDPR Article 22. However, this scoring is not a legally or similarly significant decision — it is an advisory ranking to help you prioritise outreach. You retain full control and can override or ignore any score. No leads are contacted without your explicit approval.
8 — Data Retention
- Account data — retained for the duration of your subscription and deleted within 30 days of account deletion.
- Lead data — retained for the duration of your subscription and deleted within 30 days of account deletion.
- Payment records — retained for 5 years to comply with Norwegian accounting law (Bokføringsloven).
- Backup data — may persist in encrypted backups for up to 90 days after deletion.
- Analytics data — retained in aggregate, anonymised form indefinitely.
9 — Cookies
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Supabase auth token | Keeps you logged in | Strictly necessary | Session |
| Consent cookie | Remembers your cookie preferences | Strictly necessary | 1 year |
| Hotjar | User behaviour analytics | Analytics (requires consent) | 1 year |
You can withdraw consent for non-essential cookies at any time by clicking "Cookie settings" in the footer.
10 — Your Rights Under GDPR
- Right of access (Art. 15) — request a copy of all data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate data.
- Right to erasure (Art. 17) — request deletion of your data (“right to be forgotten”).
- Right to restriction of processing (Art. 18) — request we limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you can withdraw at any time.
To exercise any of these rights, email hello@leados.tech. We will respond within 30 days.
11 — Data Security
We implement appropriate technical and organisational measures to protect your data including:
- Encrypted data storage (Supabase with encryption at rest)
- HTTPS/TLS encryption in transit
- Row-level security on all database tables
- API keys stored as environment variables, never in code
- Access limited to the data controller only
12 — Children's Privacy
LeadOS is a B2B service intended for business use only. We do not knowingly collect data from anyone under the age of 18.
13 — Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before any material changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.
14 — Complaints
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Norwegian data protection authority:
15 — Contact
For any privacy-related questions or to exercise your rights: hello@leados.tech