1. Our Commitment to GDPR
LeadQC, operated by Zeplinix Technologies Private Limited, is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page outlines how we meet GDPR requirements as both a data controller (for account data) and data processor (for lead data you upload).
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
| Data Type | Lawful Basis | Purpose |
| --- | --- | --- |
| Account data | Contract performance | Providing the Service |
| Uploaded lead data | Legitimate interest / Contract | Lead validation as instructed by customer |
| Usage analytics | Legitimate interest | Service improvement and security |
| Marketing communications | Consent | Product updates and offers |
3. Data Subject Rights
Under GDPR, individuals whose data is processed through LeadQC have the following rights:
- Right of Access (Art. 15): Request a copy of personal data we hold
- Right to Rectification (Art. 16): Request correction of inaccurate data
- Right to Erasure (Art. 17): Request deletion ("right to be forgotten")
- Right to Restrict Processing (Art. 18): Request limitation of processing
- Right to Data Portability (Art. 20): Receive data in machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
To exercise these rights, contact our Data Protection team at dpo@leadqc.io. We respond to all requests within 30 days.
4. Data Processing Agreement (DPA)
LeadQC acts as a data processor when handling lead data uploaded by customers. Our customers act as the data controller. We offer a Data Processing Agreement (DPA) to all customers that includes:
- Defined scope and purpose of processing
- Obligations of both controller and processor
- Sub-processor notification and approval procedures
- Data breach notification commitments (within 72 hours)
- Data deletion upon contract termination
- Audit rights for the controller
To request a copy of our DPA, email legal@leadqc.io.
5. Technical and Organizational Measures
We implement the following measures as required by GDPR Article 32:
5.1 Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption for all data at rest
- Encrypted database connections and backups
5.2 Access Control
- Role-based access control (RBAC) for all platform users
- Multi-factor authentication for admin accounts
- IP whitelisting to restrict platform access
- Google reCAPTCHA to prevent unauthorized bot access
- Automated session expiry and activity logging
5.3 Infrastructure Security
- Cloud-hosted on SOC2-compliant infrastructure
- Auto-scaling with 99.9% uptime SLA
- Regular penetration testing and vulnerability scanning
- Firewall protection and intrusion detection systems
5.4 Organizational Measures
- Employee data protection training
- Confidentiality agreements for all team members
- Documented incident response procedures
- Regular privacy impact assessments
6. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33)
- Notify affected data controllers (our customers) without undue delay
- Notify affected individuals if the breach poses a high risk to their rights (Article 34)
- Document the breach, its effects, and remedial actions taken
7. International Data Transfers
When personal data is transferred outside the European Economic Area (EEA), we ensure compliance through:
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with all sub-processors
- Adequacy Decisions: Where applicable, transfers to countries with recognized adequate protection
- Transfer Impact Assessments: Evaluation of data protection standards in recipient countries
8. Sub-Processors
We use a limited number of sub-processors to deliver our Service. All sub-processors are bound by data processing agreements that meet GDPR requirements. We maintain an up-to-date list of sub-processors, which is available upon request.
We notify customers of any changes to sub-processors at least 30 days in advance, providing an opportunity to object.
9. Data Protection Impact Assessment (DPIA)
We conduct Data Protection Impact Assessments for high-risk processing activities, including:
- Large-scale processing of B2B contact data
- Automated decision-making in lead validation
- Cross-referencing data with external sources
10. Privacy by Design and Default
LeadQC is built with privacy at its core (Article 25):
- Data Minimization: We only process data necessary for validation
- Purpose Limitation: Data is used solely for the stated validation purpose
- Storage Limitation: Automated data deletion after retention period
- No External Platform Credentials Required: We never access user-level third-party platform accounts
- Backend Processing: All validation happens through secure server-side integrations
11. Suppression and Compliance Features
LeadQC includes built-in compliance features:
- Suppression List Validation: Cross-reference leads against your suppression/unsubscribe lists
- CAN-SPAM Compliance: Ensure outreach data meets CAN-SPAM requirements
- Restricted Contact Detection: Automatically flag or remove contacts that should not be contacted
12. Customer Responsibilities
As the data controller, our customers are responsible for:
- Ensuring they have a lawful basis to process the lead data they upload
- Maintaining their own privacy policies and data subject communication
- Handling data subject access requests related to their own data collection
- Using validated output data in compliance with GDPR and applicable laws
13. Data Protection Officer
For GDPR-related inquiries, contact our Data Protection team:
Zeplinix Technologies Private Limited
Data Protection Officer
Email: dpo@leadqc.io
Response time: Within 30 days
14. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.