Privacy Policy

1. Privacy at a Glance

The following information gives an overview of what personal data is processed when you use our website and the LeadTS platform (SaaS). Processing is carried out in accordance with the General Data Protection Regulation (GDPR) and applicable national law (e.g. German Federal Data Protection Act, BDSG).

2. Data Controller

The data controller responsible for processing is: LeadTS GmbH [Address] Email: hello@leadts.com

3. Personal Data Collected – Overview

Data is partly provided by you (e.g. registration, contact form, lead entries) and partly collected automatically when you visit (e.g. browser, operating system, time of access). Details on categories are set out in the following sections.

4. User Data (Registration and Login)

When you register and use the LeadTS platform we process: email address (required), password (stored in hashed form only), display name or full name (optional), profile picture URL, and language preference (e.g. en/de). When you sign in with Google OAuth, we also use profile data provided by Google (name, email, profile picture). Legal basis: contract performance (Art. 6(1)(b) GDPR). Implemented via Supabase Auth and the profiles table.

5. Lead Data (Core Platform Functionality)

As part of lead management we process per lead, among other things: name, email, phone, external lead ID, and optionally revenue, source, due date, job title, and custom fields. Lead data may come from various sources: Facebook Lead Ads (webhook), Google Sheets, CSV import, manual entry, webhooks. Legal basis: contract performance and, where applicable, the customer’s legitimate interests (LeadTS acts as processor). Data is stored in the database (Supabase), in the leads table and related event/ingest structures.

6. Payment Data (Stripe)

We use Stripe for subscriptions. We only store Stripe customer ID, subscription ID, email (for matching), product/price IDs, subscription status, and billing period. Card or other payment details are not stored by LeadTS and are processed solely by Stripe. Legal basis: contract performance (Art. 6(1)(b) GDPR). Stripe privacy policy: https://stripe.com/privacy

7. Third Parties and Recipients

The following services process data in connection with our website and platform:

• Supabase: database, authentication, edge functions; privacy: https://supabase.com/privacy
• Vercel: hosting of the marketing website, analytics; privacy: https://vercel.com/legal/privacy-policy
• Stripe: payment processing and subscription management; privacy: https://stripe.com/privacy
• Resend: email delivery (automations, password reset); privacy: https://resend.com/legal/privacy-policy
• Nango: OAuth connections (e.g. Slack); tokens are managed by Nango, not stored by us.
• Google: OAuth sign-in and Google Sheets import; privacy: https://policies.google.com/privacy
• Meta/Facebook: lead capture via Lead Ads, and where applicable Conversion API; privacy: https://www.facebook.com/privacy/explanation

8. Purposes and Legal Bases

Processing purposes: provision of the LeadTS platform, lead management, subscription management, client portal, security and fraud prevention, improvement and troubleshooting, usage analytics (e.g. Vercel Analytics). Legal bases: contract performance (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR), and where applicable consent (Art. 6(1)(a) GDPR) for optional marketing cookies or emails.

9. Transfers Outside the EU

Some processing is carried out by services that are located, or whose servers are located, outside the EU (e.g. USA). Where required, we use standard contractual clauses (Art. 46 GDPR) and/or other approved safeguards. You can check the region of your Supabase project in the dashboard; EU regions are available.

10. Retention

Personal data is generally retained only as long as necessary for the purposes above or for legal retention periods. When an account is deleted, related data (e.g. leads, subscriptions) is deleted in line with technical cascade rules. Specific retention periods per category can be provided on request.

11. Your Rights (Data Subject Rights)

You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), and to object (Art. 21 GDPR). To exercise these rights contact: hello@leadts.com. Account deletion is supported via the platform and our "delete-account" edge function.

12. Access, Erasure and Objection in Detail

Access: You can request information, free of charge, on the origin, recipients, purpose and duration of storage of your data. Erasure: You can request erasure of data that is processed unlawfully or no longer necessary; account deletion triggers deletion of related data. Objection: You may object to processing based on legitimate interests; we will then review whether we continue the processing.

13. Security Measures

We use technical and organisational measures: row-level security (RLS) in the database so users only access their own data; authentication via Supabase Auth (JWT, hashed passwords); encrypted transmission (HTTPS, HSTS); Content-Security-Policy and other security headers; rate limiting on webhooks and password-reset emails.

14. Cookies and Local Storage

On the marketing website the cookie NEXT_LOCALE is used for language preference. In the app we use, among other things, Supabase auth tokens (localStorage/sessionStorage), workspace_settings for preferences, trialBannerDismissed for the trial notice, and temporarily nango_oauth_state/nango_oauth_workspace during the OAuth flow. Where not strictly necessary, you can restrict such storage in your browser settings.

15. Hosting (Marketing Website)

The marketing website is hosted by Vercel Inc. This may involve IP addresses, page views and performance metrics. Vercel Analytics is enabled. Details: https://vercel.com/legal/privacy-policy

16. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority (e.g. your local data protection authority). For Baden-Württemberg: https://www.baden-wuerttemberg.datenschutz.de/