1. Who we are
Controller: LeadKing Ltd (Company No. pending · ICO reg pending).
Contact: [email protected] (or [email protected] pre-launch).
2. Data we collect & why
Waitlist data
Email (required), company name (optional), revenue band (optional), IP hash, user agent, timestamps.
- Lawful basis: legitimate interest (notify about product launch)
- Retention: 24 months post-confirm
Account data (post-launch)
Email, password hash, org data, ICP descriptions, marked outcomes, usage logs.
- Lawful basis: contract (service delivery) + legitimate interest (improving service)
- Retention: 7 years post-account-closure (UK accounting minimum)
Cookie data
See /cookies.
3. How we use your data
- Notify you when early access opens
- Deliver the LeadKing service
- Improve scoring accuracy (aggregated, de-identified)
- Billing + invoicing (via Stripe)
- Fraud prevention (IP hash)
- Communicate service updates (transactional only)
4. Data about third parties (lead subjects)
LeadKing processes public UK data about businesses (not individual consumer data). Sources: Companies House, public job boards, public news, public social, SERP.
Legal basis for processing business contacts: UK GDPR Art 6(1)(f) legitimate interest + PECR B2B exemption.
Data subjects can request access (DSAR, Art 15), rectification (Art 16), or erasure (Art 17, subject to legal retention requirements), or can object to processing (Art 21). Request email: [email protected].
5. Sub-processors
DPAs in place with all sub-processors. Full DPA available on request to UK business customers.
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (Postgres) | Primary database | EU (Frankfurt) |
| Fly.io | Application hosting | EU (LHR London) |
| Cloudflare | CDN, DNS, WAF, Turnstile | Global (UK POPs) |
| Bird (MessageBird) | Transactional email | EU |
| Stripe | Payment processing | UK + EU + US (SCCs) |
| OpenRouter | AI inference | US (with EU preference) |
| Langfuse | LLM observability | EU (self-hosted on Fly) |
| Grafana Cloud | Metrics + logs | EU |
| Sentry | Error tracking | EU |
6. International transfers
OpenRouter US: Standard Contractual Clauses in place; inference routed to EU providers where available. Stripe US: SCCs; payment data minimised. All other sub-processors: UK/EU only.
7. Security
- Envelope encryption (AES-256-GCM) for sensitive fields
- HTTPS only, HSTS, HSTS preload
- Access control: role-based, audit logged
- Incident response: ICO notification within 72h of confirmed personal data breach
8. Your rights (UK GDPR Arts 15–22)
Access, rectify, erase, restrict processing, data portability, object, withdraw consent, not be subject to solely-automated decisions.
Exercise via [email protected]. Response within 1 month (extendable to 3 months for complex requests).
ICO complaint right: ico.org.uk/make-a-complaint.
9. Automated decisions + AI
LeadKing uses AI (LLMs) to score leads. Scoring is not an "automated decision producing legal effects" under Art 22 — it is advisory, not auto-executed. Users retain full control.
10. Data retention
| Data | Retention | Basis |
|---|---|---|
| Waitlist | 24 months post-confirm | Legitimate interest |
| Account data | 7 years post-closure | UK accounting regs |
| Billing data | 7 years post-closure | HMRC VAT records |
| Lead data | 90 days post-run OR account closure | Service minimum |
| Log data | 30 days | Security + debug |
11. Children
LeadKing is not directed to children. We don't knowingly collect data from under-18s.
12. Changes to this policy
Material changes: 30 days' notice + email to active users. Minor changes: last-updated date refresh.
13. Contact & DPA
Email: [email protected]. DPA available on request to UK business customers. ICO complaint: ico.org.uk/make-a-complaint.