All systems operational
Lead Extract
Log in

Privacy & Legal

Data Processing Agreement

PERSONAL DATA PROCESSING AGREEMENT Introduction This Personal Data Processing agreement (” Agreement ”) shall be applied to all products and services...

DATA PROCESSING AGREEMENT (DPA)

Effective Date: This Agreement is effective as of the date Customer accepts these terms or begins using Lead Extract services.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lead Extract Ltd ("Lead Extract", "we", "us") and the entity agreeing to these terms ("Customer", "you") and governs the processing of personal data in connection with our services.

1. DEFINITIONS

"Controller" means the entity that determines the purposes and means of processing Personal Data. For Customer Data, Customer is the Controller. For Enrichment Data, Lead Extract is the Controller or has obtained such data from third-party controllers.

"Processor" means the entity that processes Personal Data on behalf of a Controller.

"Customer Data" means Personal Data that Customer uploads, provides, or makes available to Lead Extract through the Services, including website visitor IP addresses and behavioral data collected via the tracking pixel.

"Enrichment Data" means Personal Data that Lead Extract provides to Customer, including company information, contact details, and person-level identification data sourced from Lead Extract' databases and third-party partners.

"Personal Data", "Processing", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in the GDPR (EU Regulation 2016/679).

2. SCOPE AND ROLES

2.1 Customer Data (Lead Extract as Processor)

With respect to Customer Data, Customer is the Controller and Lead Extract acts as a Processor. Lead Extract will process Customer Data only in accordance with Customer's documented instructions and this DPA.

2.2 Enrichment Data (Lead Extract as Controller/Data Provider)

With respect to Enrichment Data, Lead Extract acts as an independent Controller or as a provider of data obtained from third-party sources. This data is licensed to Customer under the Terms of Service. Customer becomes a Controller of such data upon receipt and is solely responsible for its lawful use.

2.3 Regional Processing Differences

IMPORTANT: Our identification capabilities differ by region:

  • European Economic Area (EEA), UK, and GDPR-equivalent jurisdictions: We provide COMPANY-LEVEL identification only. We identify the organization/business associated with an IP address. We do NOT provide person-level identification in these regions. Contact details provided are publicly available business contacts suggested based on company information, NOT identified visitors.

  • United States and other non-GDPR jurisdictions: We may provide PERSON-LEVEL identification of website visitors through our opt-in partnership network. This data is collected with explicit consent from individuals who have opted in to cross-site tracking through partner websites offering free services. Customer acknowledges this data originates from consented sources.

3. CUSTOMER OBLIGATIONS AND WARRANTIES

Customer represents, warrants, and undertakes that:

  • (a) Customer has a valid legal basis under applicable data protection laws (including GDPR, CCPA, and other relevant regulations) for collecting visitor data through the Lead Extract tracking pixel on Customer's website;

  • (b) Customer's privacy policy adequately discloses the use of website visitor identification services and the potential sharing of data with third parties including Lead Extract;

  • (c) Customer has implemented appropriate cookie consent mechanisms where required by law (e.g., ePrivacy Directive);

  • (d) Customer will only use Enrichment Data for lawful B2B marketing and sales purposes and will not use such data in any manner that violates applicable law;

  • (e) Customer will not use the Services to identify, contact, or market to individuals for personal/consumer purposes unrelated to their professional role;

  • (f) Customer will promptly honor any opt-out, unsubscribe, or data deletion requests from Data Subjects contacted using data obtained from Lead Extract;

  • (g) Customer is solely responsible for determining the lawfulness of any outreach or marketing activities using data obtained through the Services.

4. HAPPIERLEADS OBLIGATIONS AS PROCESSOR

When processing Customer Data as a Processor, Lead Extract shall:

  • (a) Process Customer Data only on documented instructions from Customer, unless required by applicable law;

  • (b) Ensure that persons authorized to process Customer Data are bound by confidentiality obligations;

  • (c) Implement appropriate technical and organizational security measures as described in Annex 1;

  • (d) Only engage sub-processors in accordance with Section 6;

  • (e) Assist Customer in responding to Data Subject requests to the extent reasonably practicable;

  • (f) Notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Customer Data;

  • (g) Delete or return Customer Data upon termination of the agreement, unless retention is required by law.

5. DATA ACCURACY AND DISCLAIMER

IMPORTANT DISCLAIMER:

  • (a) Enrichment Data is provided "AS IS" without warranties of any kind, express or implied, including but not limited to warranties of accuracy, completeness, or fitness for a particular purpose.

  • (b) While Lead Extract uses commercially reasonable efforts to maintain data accuracy, we cannot guarantee that all information is current, complete, or error-free. Company information, contact details, and person identification may contain inaccuracies.

  • (c) Customer acknowledges that IP-based company identification is probabilistic and may not always correctly identify the visiting organization.

  • (d) Contact details provided as "suggested contacts" for identified companies are NOT necessarily the specific individuals who visited Customer's website. They are publicly available business contacts associated with the identified company.

  • (e) Customer is solely responsible for verifying the accuracy and appropriateness of any data before use.

6. SUB-PROCESSORS

Customer provides general authorization for Lead Extract to engage sub-processors. Lead Extract maintains a list of current sub-processors, which is available upon request. Lead Extract will notify Customer of any intended changes to sub-processors, and Customer may object within 14 days on reasonable grounds. Sub-processors are bound by data protection obligations equivalent to those in this DPA.

7. INTERNATIONAL DATA TRANSFERS

Where Customer Data is transferred outside the EEA/UK to countries not deemed adequate by the European Commission, Lead Extract ensures appropriate safeguards are in place, including:

  • EU-U.S. Data Privacy Framework certification (where applicable);

  • Standard Contractual Clauses (SCCs) approved by the European Commission;

  • UK International Data Transfer Agreement (IDTA) where required.

8. SECURITY MEASURES

Lead Extract implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256);

  • Access controls with multi-factor authentication;

  • Regular security assessments and vulnerability testing;

  • Employee security training and confidentiality agreements;

  • Secure AWS infrastructure with SOC 2 Type II certification.

9. DATA SUBJECT RIGHTS

Lead Extract will assist Customer in fulfilling Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) to the extent the request relates to Customer Data. Customer is responsible for responding to such requests. Lead Extract will notify Customer promptly if it receives a request directly from a Data Subject, unless prohibited by law.

10. LIMITATION OF LIABILITY

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

  • (a) Lead Extract' total liability under this DPA shall not exceed the fees paid by Customer in the twelve (12) months preceding the claim;

  • (b) Lead Extract shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, data, or business opportunities;

  • (c) Lead Extract shall not be liable for any claims, damages, or losses arising from Customer's use of the Services in violation of applicable law, this DPA, or the Terms of Service;

  • (d) Lead Extract shall not be liable for any third-party claims against Customer arising from Customer's use of Enrichment Data;

  • (e) Lead Extract shall not be liable for data inaccuracies, as detailed in Section 5.

11. INDEMNIFICATION

Customer agrees to indemnify, defend, and hold harmless Lead Extract, its officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

  • (a) Customer's breach of this DPA or the Terms of Service;

  • (b) Customer's violation of any applicable data protection law in connection with the use of the Services;

  • (c) Customer's failure to obtain necessary consents, provide required disclosures, or maintain an adequate legal basis for processing;

  • (d) Any claims by Data Subjects or regulatory authorities arising from Customer's use of Enrichment Data;

  • (e) Customer's marketing, sales, or outreach activities using data obtained through the Services.

12. AUDIT RIGHTS

Upon reasonable request (no more than once per year) and with at least 30 days' written notice, Customer may request that Lead Extract provide documentation demonstrating compliance with this DPA. Lead Extract may satisfy audit requests by providing copies of certifications, audit reports, or other documentation. On-site audits require mutual agreement and Customer shall bear all costs associated with such audits.

13. TERM AND TERMINATION

This DPA shall remain in effect for the duration of Customer's use of the Services. Upon termination, Lead Extract will delete Customer Data within 30 days unless retention is required by law. Customer's obligations regarding the use of Enrichment Data survive termination.

14. GOVERNING LAW AND JURISDICTION

This DPA shall be governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15. MISCELLANEOUS

  • (a) This DPA, together with the Terms of Service, constitutes the entire agreement between the parties regarding data processing;

  • (b) Lead Extract may update this DPA from time to time. Material changes will be notified to Customer 30 days in advance;

  • (c) If any provision of this DPA is found unenforceable, the remaining provisions shall continue in effect;

  • (d) Failure to enforce any provision of this DPA does not constitute a waiver of that right.

ANNEX 1: PROCESSING DETAILS

A. Subject Matter and Purpose of Processing

Website visitor identification, company enrichment, lead generation, and analytics services.

B. Categories of Personal Data

  • IP addresses and derived geolocation data

  • Device and browser information

  • Website behavioral data (pages visited, session duration)

  • Company information (name, industry, size, location)

  • Business contact details (name, title, email, phone - where lawfully available)

  • Person-level identification data (US and non-GDPR regions only, collected with consent)

C. Categories of Data Subjects

Website visitors, business professionals, and corporate employees whose information is publicly available or obtained through consented channels.

D. Duration of Processing

For the term of Customer's subscription plus 30 days, unless Customer requests earlier deletion.

IMPORTANT LEGAL NOTICE

By using Lead Extract services, Customer acknowledges and agrees to this DPA. This DPA is designed to be signed electronically through acceptance of our Terms of Service. For enterprise customers requiring a separately executed DPA, please contact legal@leadextract.com.

Last Updated: January 2025

← Previous

Privacy Policy (for your website)