Privacy Policy
This Privacy Policy explains how Webleadr ("we", "us", "our") collects, uses, discloses, and protects your personal information when you use our service. This policy is written in compliance with the General Data Protection Regulation (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Data Controller
Webleadr is a sole proprietorship registered in Belgium. We act as the data controller for the personal information processed through this service within the meaning of Article 4(7) of the GDPR.
For any privacy-related inquiries or to exercise your data protection rights, contact us at: amin@webleadr.com.
Upon a formal request, we will provide the full identity and contact details of the data controller as required by Article 13 of the GDPR.
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Account Data
- Identity Data: Email address
- Authentication Data: Password (hashed using bcrypt), OAuth tokens (if using Google or GitHub sign-in)
- Profile Data: API key, referral code
- Referral Data: Referral codes you use or share, referral history
2.2 Usage Data
- Business Searches: Search queries, geographic areas selected, business categories
- Lead Data: Businesses you save, notes you add, custom lead statuses you create
- Transaction Data: Credit purchases and history (processed via Paddle, see Section 5.5)
- Newsletter Consent: Your opt-in status and timestamp for marketing emails
2.3 Technical Data
- Device Data: Browser type, operating system, device type (collected by PostHog analytics)
- Log Data: IP address, access times, pages viewed
- Cookie Data: Session tokens, consent preferences, analytics identifiers
2.4 Business Data (About Third-Party Businesses)
When you use our service to find businesses, we collect and store data about those businesses. This data is sourced from publicly available sources and may include:
- Business Identity: Business name, category/type, Google Maps listing URL, photo
- Contact Information: Website URL, phone number, email address (discovered through enrichment), social media links (Facebook, Instagram, TikTok)
- Location Data: Street address, city, country code
- Google Maps Data: Star rating, number of reviews, opening hours
- Website Analysis: Whether the website is a dedicated site, website reachability status, final URL after redirects
- Web Health Report: Overall health score and grade, SSL certificate status and expiry, server response time, security headers presence (HSTS, CSP, X-Frame-Options, etc.), meta tag information, identified issues
- AI-Generated Evaluations: Website quality score (1-10) with reasoning based on visual design and visible content density
- User Annotations: Lead status and notes you add to each business
Important: When the contact details of a business belong to a natural person (e.g., a sole trader, freelancer, or individual), that data qualifies as personal data under the GDPR. We process such data based on legitimate interest (see Section 3). See Section 2.5 for more details.
2.5 Data About Businesses as Data Subjects
Some businesses listed in our service are operated by natural persons (sole traders, freelancers, independent professionals). In these cases, the business contact information (email address, phone number, social media profiles) is personal data of that natural person under the GDPR.
This data is collected from publicly available sources (Google Maps listings, publicly accessible websites, publicly visible social media profiles). We do not directly collect this data from the individuals themselves.
If you are a business owner or individual whose data appears in our service and you wish to exercise your GDPR rights (access, rectification, erasure), please contact us at amin@webleadr.com. We will respond within 30 days and take appropriate action, including removing your data from our platform upon verified request.
3. Legal Basis for Processing (GDPR)
We process personal data based on the following legal grounds under Article 6 of the GDPR:
| Processing Purpose | Data Subjects | Legal Basis |
|---|---|---|
| Account creation and authentication | Registered users | Contract performance (Art. 6(1)(b)) |
| Providing core services (lead generation, business search) | Registered users | Contract performance (Art. 6(1)(b)) |
| Collecting and displaying business data from public sources | Businesses / natural persons | Legitimate interest (Art. 6(1)(f)) |
| Enriching business data (emails, social links, web health, AI evaluations) | Businesses / natural persons | Legitimate interest (Art. 6(1)(f)) |
| Payment processing | Registered users | Contract performance (Art. 6(1)(b)) |
| Sending marketing emails | Registered users | Consent (Art. 6(1)(a)) |
| Product analytics and service improvement | Registered users | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Registered users | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and regulatory obligations | All data subjects | Legal obligation (Art. 6(1)(c)) |
3.1 Legitimate Interest Assessment
For processing activities based on legitimate interest (Art. 6(1)(f)), we have performed and documented a Legitimate Interest Assessment (LIA). The key findings are:
- Purpose: To provide our users (primarily web designers and agencies) with actionable leads by discovering businesses that may benefit from web design services, using data that is already publicly available.
- Necessity: Processing publicly available business data is necessary to deliver the core service. There is no less intrusive way to achieve this purpose.
- Balance of interests: The interests of our users in accessing business information are weighed against the interests of the data subjects. Since the data is already publicly available (Google Maps, public websites, public social media profiles), the impact on data subjects is limited. Data subjects retain the right to request erasure at any time (see Section 8).
4. How We Use Your Data
We use personal data of registered users to:
- Create, authenticate, and manage your account
- Provide lead generation and business discovery services
- Process payments for credit purchases via Paddle
- Send transactional emails (account verification, password reset, receipts)
- Send marketing emails only if you explicitly opted in (see Section 10)
- Analyze usage patterns to improve our service via PostHog analytics
- Manage the referral program (credit rewards, referral tracking)
- Prevent fraud and ensure platform security
- Comply with legal obligations
We use business data (about third-party businesses) to:
- Display business listings, contact details, and enrichment results to our users
- Enrich business profiles with social media links, email addresses, and web health reports
- Generate AI-based website quality evaluations
- Allow users to organize, annotate, and export their leads
5. Third-Party Services and Data Processors
We share personal data with the following third-party processors. Each processor is bound by a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR.
5.1 Supabase (Database, Authentication, and Edge Functions)
- Purpose: User authentication, data storage, real-time features, serverless functions for data processing
- Data: Email, hashed password, account data, business leads, enrichment results, referral data
- Location: EU (Frankfurt, Germany)
- Policy: supabase.com/privacy
5.2 Business Data Collection and Enrichment
- Purpose: Collecting publicly available business listings from Google Maps, discovering contact details and emails from business websites, finding email addresses from public Facebook pages, capturing website screenshots, generating website health reports
- Data: Business names, addresses, phone numbers, emails, social media links, website content, screenshots, web health reports
- Location: US (with EU data residency options)
5.3 OpenAI (AI-Powered Analysis)
- Purpose: Filtering relevant business results, detecting dedicated websites, verifying social media profiles, evaluating website quality via screenshot analysis, geocoding location queries, cleaning business names
- Model: GPT-4o-mini
- Data sent: Business names, website URLs, website screenshots (base64 images), website HTML content summaries, search engine results. No user account data or passwords are sent.
- Data use: Data sent to OpenAI is not used to train OpenAI models (per OpenAI's API data usage policy). API data is retained for up to 30 days for abuse monitoring and then deleted.
- Location: US
- Policy: openai.com/policies
5.4 Serper.dev (Google Search API)
- Purpose: Querying Google search results to find social media profiles of businesses without dedicated websites
- Data: Business names and locations (input); organic search results with URLs and snippets (output)
- Location: US
- Policy: serper.dev/privacy
5.5 Paddle (Payment Processing)
- Purpose: Payment processing, invoicing, tax compliance (acting as Merchant of Record)
- Data: Email, payment details, transaction history
- Location: UK/US
- Policy: paddle.com/privacy
5.6 Resend (Email Service)
- Purpose: Transactional emails (account verification, password reset) and marketing emails (only for opted-in users)
- Data: Email address, feedback messages (for support emails). Marketing audience data is only stored for users who explicitly consented.
- Location: US
- Policy: resend.com/privacy
5.7 PostHog (Product Analytics)
- Purpose: Product analytics, page view tracking, user behavior insights
- Data: Page views, navigation events, device information, user identifiers (for authenticated users)
- Location: EU (PostHog EU instance, hosted at eu.posthog.com)
- Policy: posthog.com/privacy
5.8 Cloudflare (Hosting and CDN)
- Purpose: Application hosting (Cloudflare Workers), content delivery network, image optimization (Cloudflare R2)
- Data: HTTP request data (IP addresses, user agents, URLs) processed transiently at the edge. No personal data is persistently stored by Cloudflare on our behalf.
- Location: Global edge network (default deployment)
- Policy: cloudflare.com/privacypolicy
5.9 Google and GitHub (OAuth Authentication)
- Purpose: Optional OAuth sign-in for user authentication
- Data: Email address, profile name (if you choose OAuth sign-in)
- Location: US
- Policy: policies.google.com/privacy / github.com/privacy
6. Data Retention
We retain personal data for as long as necessary to fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data (profiles, authentication) | Until account deletion + 30 days |
| Business leads and enrichment data | Until account deletion + 30 days |
| AI-generated website evaluations | Until account deletion + 30 days |
| Web health reports | Until account deletion + 30 days |
| Referral data | Until account deletion + 30 days |
| Marketing consent records | Until consent withdrawal + 3 years (proof of consent) |
| Payment records | 7 years (legal requirement under Belgian tax law) |
| Analytics data (PostHog) | 13 months |
| Server and access logs | 90 days |
| OpenAI API data | Up to 30 days (retained by OpenAI for abuse monitoring, then automatically deleted) |
When you delete your account, your business leads, profile data, and enrichment results are permanently removed from our database. We also request deletion of your data from our analytics provider (PostHog) and email service (Resend). Payment records may be retained for the legally required period.
7. Data Transfers Outside the EEA
Some of our processors are established outside the European Economic Area (EEA). The following transfers take place:
| Processor | Destination | Safeguard |
|---|---|---|
| Supabase | EU (Frankfurt, Germany) | No transfer outside EEA |
| PostHog | EU (eu.posthog.com) | No transfer outside EEA |
| Paddle | UK / US | SCCs, DPA |
| Resend | US | SCCs, DPA |
| Business data collection provider | US | SCCs, DPA |
| OpenAI | US | SCCs, DPA |
| Serper.dev | US | SCCs, DPA |
| Cloudflare | Global (including US) | SCCs, EU Model Clauses |
| Google / GitHub | US | EU-US Data Privacy Framework |
To ensure adequate protection for these transfers, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our DPAs with each processor
- Data Processing Agreements (DPAs) with all processors, as required by GDPR Article 28
- Transfer Impact Assessments (TIAs) to evaluate the legal framework of the destination country, in accordance with the European Data Protection Board recommendations following the Schrems II ruling
- EU-US Data Privacy Framework for processors certified under this framework (Google, GitHub)
- Processor compliance with GDPR and applicable data protection laws
8. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights as a registered user:
- Right to Access (Art. 15): Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"). You can also delete your account directly via Settings > General > Danger Zone in the application.
- Right to Restriction (Art. 18): Request that we limit how we process your data
- Right to Data Portability (Art. 20): Request your data in a machine-readable format. You can export all your data (business leads, profile, credits, consent records) as JSON from Settings > Privacy.
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right to Withdraw Consent (Art. 7): Withdraw marketing consent at any time via Settings > Privacy, or unsubscribe via email links
- Right to Lodge a Complaint (Art. 77): Lodge a complaint with a supervisory authority (see Section 16)
For businesses and individuals whose data appears in our service: You also have the right to access, rectify, and request erasure of your personal data that is displayed in our platform. You can submit a removal request at webleadr.com/remove-my-data or contact us at amin@webleadr.com to exercise these rights. We will process verified requests within 30 days.
To exercise any of these rights, contact us at amin@webleadr.com. We will acknowledge your request within 10 working days and respond in full within 30 days. If we are unable to fulfill your request, we will explain why.
9. Cookies and Tracking Technologies
We use the following cookies on our website:
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| supabase-auth-token | Essential | Authentication session management | Session (refreshed by Supabase) |
| webleadr-consent | Essential | Records your cookie consent preference | 1 year |
| ph_* (PostHog cookies) | Analytics | Product analytics, session tracking, feature usage | 13 months |
Essential cookies are necessary for the service to function and cannot be disabled. Analytics cookies are used to understand how users interact with our service and improve it. When you visit our website for the first time, a cookie consent banner will inform you about the use of cookies.
10. Marketing Communications
We only send marketing emails if you have explicitly opted in. Marketing consent is collected in two ways:
- During sign-up: An optional checkbox on the registration form to receive product updates and feature announcements
- Newsletter form: A subscription form in the website footer with a required consent checkbox
Marketing emails may include:
- Product updates and feature announcements
- Tips and best practices for using the service
- Promotional offers
We do not sell or share your email address with third parties for marketing purposes. We do not send third-party promotional content.
You can unsubscribe at any time via the unsubscribe link included in every marketing email, by toggling the marketing emails switch in Settings > Privacy, or by contacting us at amin@webleadr.com.
11. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.3) and at rest (AES-256, via Supabase)
- Row-level security (RLS) on database tables where applicable
- Application-layer access controls (user identity verification on all data operations)
- Secure password hashing (bcrypt)
- JWT-based authentication with refresh token rotation
- Webhook signature verification (Paddle payment webhooks)
- Cloudflare DDoS protection and edge security
- Regular dependency updates and security patches
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (the Belgian Data Protection Authority, Gegevensbeschermingsautoriteit) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34.
13. Data Protection Officer
We have not appointed a Data Protection Officer (DPO). Under GDPR Article 37, a DPO is only mandatory when core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. Since our processing activities do not meet these thresholds, appointment of a DPO is not required.
14. Children's Privacy
Our service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take immediate steps to delete that data. If you believe a child under 16 has provided us with personal data, please contact us at amin@webleadr.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice within our service. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
We encourage you to review this page periodically to stay informed about how we protect your data. The date of the most recent revision is indicated at the bottom of this page.
16. Your Right to Complain
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For Belgian residents, this is the Gegevensbeschermingsautoriteit (GBA), the Belgian Data Protection Authority. For residents of other EU member states, you may contact your national data protection authority.
Exercising your right to complain does not affect your right to seek a judicial remedy.
17. Contact Us
For any questions about this Privacy Policy, to exercise your data protection rights, or to request information about the data controller, contact us at:
Email: amin@webleadr.com
Last updated: April 8, 2026