We collect what we need to run the product. We don’t sell it, share it, or do anything weird with it. The full version is below.
Lead Source has two kinds of people whose data shows up in this policy: customers who sign up for the product, and website visitors whose form submissions are captured by customers using our tool. We treat those two groups very differently. And so does the law. So this policy is split clearly between them.
You created an account at app.leadsource.co. You’re our customer. We are the controller of your data and you have a direct relationship with us.
Jump to your section ↓A business that uses Lead Source captured your form submission. That business controls your data, not us. Here’s what we do with it on their behalf, and what your options are.
Jump to your section ↓This privacy policy explains how Lead Source handles personal data. It covers our website at leadsource.co, our application at app.leadsource.co, and the lead-source tracking script our customers install on their own websites.
Lead Source is operated by Leftleads Pty Ltd trading as Lead Source, ABN [CONFIRM], registered in Victoria, Australia. We serve customers globally.
Because the tool works by being installed on other people’s websites, this policy is unusual: it has to handle the data of two different groups of people. We’ve split it clearly so you can read the part that applies to you.
You signed up at app.leadsource.co. We are the controller of your personal data. Meaning we decide why and how it’s processed, and you can hold us directly accountable for it.
Account information. When you sign up, we collect your email address and a hashed version of your password. If you provide a name, company name, role, or phone number, we store those too. Billing information for paid plans is processed by our payment provider; we receive a token, never your card number.
Application usage. When you use app.leadsource.co, we collect standard log information: IP address, browser type, pages viewed, actions taken, and timestamps. We use this for security, debugging, and product improvement.
Communications. If you contact our support team, we keep a record of the conversation and any information you share with us in it.
Marketing data. If you visit leadsource.co before signing up, we may capture your visit through Google Analytics, Google Ads, and our own Lead Source script (we use our own tool on our own site. See “Tracking on leadsource.co” below).
We use customer data to:
Our legal basis for processing customer data, where GDPR or equivalent laws apply: performance of our contract with you (running the service), our legitimate interests (security, product improvement, marketing to existing customers), and your consent (marketing to prospects, optional features).
We don’t sell customer data. We don’t share it with anyone for their own marketing.
We do use third-party services to run the business. They handle data on our behalf as sub-processors, under contracts that require them to keep it confidential and only use it for the purposes we specify. See section 13 for the categories.
We will share customer data if required by law (subpoena, court order, regulatory request), if necessary to protect our rights or someone’s safety, or as part of a business transfer (merger, acquisition, sale. We’d notify you).
We may send you marketing emails about Lead Source if you signed up for them, or if you’re an existing customer (in which case you can unsubscribe any time using the link in every email).
A business that uses Lead Source has installed our tracking script on its website. When you submitted a form on that website, we captured information about the submission and made it available to that business. That business is the controller of your data; we are the processor acting on their instructions. What that means in practice is below.
When the Lead Source script runs on a customer’s website, it captures:
This is just as important. The Lead Source script does not:
If any of this changes in future, we’ll update this section and date the change.
The Lead Source tracking script does not use cookies. It captures source data from URL parameters and the referrer at the moment of form submission. No persistent identifiers are written to your browser by our script.
The website you visited may use its own cookies (analytics, marketing, functional). Those are governed by that website’s privacy and cookie policies, not ours.
You have rights over the personal data captured by Lead Source on a customer’s website. Because we are the processor and not the controller, the right way to exercise them depends on what you want:
The sections below apply to both tracks. Customer data and visitor data alike.
On our marketing website at leadsource.co (the site you’re reading right now), we use the following:
These tools may set cookies or similar identifiers when you visit leadsource.co. See our Cookie Policy for the full list, what each one does, and how to opt out. The tracking we do on our own website is separate from the tracking script our customers install on their websites.
To run Lead Source, we use third-party services that process data on our behalf, under contractual obligations that require them to keep it confidential and only use it as we direct. Our current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States (US East / N. Virginia) |
| Vercel | Application hosting and edge network | United States (primary), global edge |
| Amazon Web Services | Underlying cloud infrastructure for Supabase and Vercel | United States (US East / N. Virginia) |
| Stripe | Subscription billing and payment processing (we never see your card) | United States |
| Twilio SendGrid | Transactional email (notifications, password resets, account emails) | United States |
| Unipile | Mailbox connectivity for outbound sending tiers (OAuth to Google Workspace / Microsoft 365, send and — on the AI tier — read of email) | France (EU) |
| Anthropic | AI inference for AI-tier outbound reply drafting (processes inbound reply content, lead metadata, and conversation history; contractually prohibited from using customer data for model training) | United States |
| GitHub | Source-code hosting (no production customer data) | United States |
| [CONFIRM: error monitoring vendor] | Application error monitoring and crash reports | [CONFIRM] |
| [CONFIRM: product analytics vendor] | Aggregated product usage analytics | [CONFIRM] |
The authoritative, versioned list of sub-processors is maintained in Annex III of our DPA. We’ll give existing customers at least 30 days’ notice of changes that materially affect data processing, and customers may object on reasonable data-protection grounds.
Lead Source serves customers globally. Our primary infrastructure is hosted in the United States (US East / N. Virginia), on Supabase (managed Postgres on AWS) and Vercel. Other sub-processors operate from:
Where data crosses a border that requires safeguards (most commonly: EEA/UK/Swiss data leaving for the US or other third countries), we rely on:
For Australian customers, transfers to overseas sub-processors are subject to APP 8 and we take reasonable steps to ensure each overseas recipient handles the data in a manner consistent with the Australian Privacy Principles.
You can request copies of the relevant transfer mechanisms from privacy@leadsource.co.
Customer account data: we keep account data for as long as your account is active. If you cancel, we delete account data within 30 days (with backup copies removed in our ordinary backup-rotation cycle within a further 30 days), except where retention is legally required (billing records for tax purposes, typically 7 years in Australia).
Lead-submission data captured for a customer: we keep this for the duration of the customer’s plan retention window. Customers can export their data any time and delete individual leads or all leads from the dashboard.
Marketing data on prospects: we keep prospect contact data for as long as it’s reasonable to expect a marketing relationship. We delete on request, and we delete automatically after a period of inactivity.
Logs: server logs are kept for security and debugging purposes for 90 days, then deleted or anonymised.
We use industry-standard security measures: TLS encryption in transit, encryption at rest for customer and visitor data, hashed passwords (we cannot read your password), access controls limited to a small number of authorised staff, regular security review, and audit logging of administrative actions.
No system is perfectly secure. If we discover a personal data breach affecting your data, we will notify you and the relevant authority as required by applicable law:
AI inference for the outbound sending feature. On our paid tiers that include outbound sending, customers may connect a mailbox and send first-touch emails from it. On our top (AI) tier, the service additionally reads inbound replies received in that mailbox and uses an AI sub-processor — currently Anthropic, PBC — to draft and send further outbound replies on the customer’s behalf, directed toward a goal the customer configures (for example, booking a meeting).
Personal data processed through this AI flow — including inbound reply content, lead metadata, and conversation history — passes through Anthropic in the United States under contractual terms that prohibit Anthropic from using it to train its general-purpose models. AI-tier customers are responsible for disclosing this AI processing in their own privacy notices and (where the law requires it) for capturing consent or another valid legal basis from the lead before the AI processing begins. We provide a customer-facing template notice that customers may adapt.
AI disclosure. Where applicable law requires disclosure that a message was generated by AI (including, from 2 August 2026, the EU AI Act Article 50 for recipients in the EU), the service injects a configurable AI-disclosure element into AI-generated outbound messages by default. Customers cannot disable this disclosure for recipients in jurisdictions where the law requires it.
No training on customer or lead data. We do not use customer data, website visitor data, lead data, or inbound reply content to train machine-learning or AI models. Our AI sub-processors are contractually prohibited from doing so on our behalf. We use service-generated data (see section 15A) for model evaluation, but only in aggregated and de-identified form.
Automated decisions. We do not make automated decisions that produce legal or similarly significant effects on individuals. The AI drafts and sends marketing emails on a customer’s behalf; it does not make legal commitments, set prices, agree to contracts, or make decisions about credit, eligibility, or any similar matter. The AI is configured to escalate (rather than respond autonomously) on threads involving pricing changes, contractual offers, regulated-product representations, complaints, disputes, or messages indicating recipient distress or vulnerability.
Volunteered sensitive data. The AI is not designed to solicit special category (sensitive) data. Where a recipient nevertheless volunteers such data in a reply, the service operates detection and quarantine measures to pause AI processing and flag the thread for human handoff. See DPA section 4C for the full treatment.
Logging. For each AI-generated message we log the source lead, the lead’s permission-basis metadata, the thread classification, the prompt inputs, the model output, any human approval or edits, the sent message, delivery / bounce / unsubscribe status, and subsequent deletion status. These logs are used for abuse detection, deliverability monitoring, model evaluation, customer audit, and incident response. Retention follows the schedule in section 13.
Separate from the customer data and visitor data described above, we generate aggregated, de-identified data from operating Lead Source across our customer base. This includes performance metrics, abuse-detection signals, capacity-planning data, and aggregated benchmarks.
Before any data is used as service-generated data, we remove direct identifiers (IP addresses, email addresses, names, free-text fields are stripped or replaced with non-reversible hashes) and we aggregate to a minimum group size of five — no metric is published or used outside production operations where the underlying group has fewer than five distinct contributing customers or data subjects.
We use service-generated data to: operate, secure, and improve the service; develop new features; produce aggregated industry benchmarks; and detect abuse. We do not sell service-generated data, and we do not disclose it to third parties in a form that identifies, or could reasonably be used to identify, any customer, data subject, or website. Customers can opt their account out of contributing to certain service-generated data uses via the toggle in the application.
The full terms governing service-generated data are in section 4A of our DPA.
Lead Source is a B2B product. We do not knowingly collect data from anyone under 16, and we do not direct our service to children. If you are a customer, you must not install our script on websites primarily directed at children, and you are responsible for compliance with children’s privacy laws (COPPA in the US, Article 8 GDPR in the EU, similar provisions elsewhere).
If you believe we hold data about a child, contact us at privacy@leadsource.co and we will delete it.
We extend the following rights to everyone whose data we process, regardless of where you live:
To exercise any of these rights, email privacy@leadsource.co or, if you’re a customer, use the controls in your account settings. We respond within 30 days, often faster, and we don’t charge for reasonable requests.
If you contact us about data captured on a customer’s website (Track B), we will route your request to the customer where appropriate, or facilitate directly if the customer is unresponsive.
The rights above are the universal floor. Some regions add specific extra rights or formalities:
Under GDPR, UK GDPR, and the Swiss FADP, you have all the rights listed above plus the right to restrict processing in some circumstances and the right not to be subject to solely automated decisions with legal effect (we don’t make any). You can complain to your national supervisory authority. For example, the ICO in the UK, CNIL in France, the Datenschutzbeauftragte in Germany, the FDPIC in Switzerland.
You have the right to know, correct, delete, and obtain a portable copy of your personal information. You can opt out of the “sale” or “sharing” of your personal information. we do not sell or share personal information as defined under CCPA, but if our practices change we’ll update this section. You can also limit our use of sensitive personal information (we don’t collect any). We honour the Global Privacy Control browser signal as a valid opt-out request. You may designate an authorised agent to make a request on your behalf.
If you live in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another US state with a comprehensive privacy law, you have rights similar to those in California. To exercise any of them, email privacy@leadsource.co.
We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles. You have the right to access, correct, and complain about how we handle your personal information. If we’ve declined a request and you’re not satisfied with the response, you can complain to the Office of the Australian Information Commissioner (OAIC).
We comply with the Privacy Act 2020. Complaints can be made to the Office of the Privacy Commissioner.
We comply with PIPEDA. Complaints can be made to the Office of the Privacy Commissioner of Canada or to the relevant provincial commissioner.
Under the LGPD, you have rights similar to those under GDPR. Complaints can be made to the ANPD (Autoridade Nacional de Proteção de Dados).
We comply with POPIA. Complaints can be made to the Information Regulator of South Africa.
If your country’s law gives you privacy rights not specifically named above, we extend them in good faith. Email us and we’ll handle the request.
We’ll update this policy when our practices change or the law requires it. The “last updated” date at the top of this page shows when. For material changes affecting how we use existing customer data, we’ll notify customers by email or in-app before the change takes effect.
For privacy questions, data access requests, deletion, or anything else covered by this policy:
privacy@leadsource.coPostal address:
Leftleads Pty Ltd t/a Lead Source
[CONFIRM: street address]
[CONFIRM: suburb, postcode]
Victoria, Australia
ABN: [CONFIRM]