Privacy Policy

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

OVIQ Design Ltd

61–63 Lord-Byron-Street

Larnaca 6023

Cyprus

CY VAT: CY10419331Q

Email: support@leadmatix.io

The responsible entity is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.

Supervisory authority: Office of the Commissioner for Personal Data Protection (Cyprus)

2. Scope and Role Model

This Privacy Policy applies to all Leadmatix websites and services. We act in different roles:

As controller:

For account, billing, operations, and security data

As processor:

For content provided by customers (data processing agreement available on request)

3. Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing:

Categories of personal data

  • Account and contract data (e.g. names, email, company data)
  • Communication data (e.g. inquiries, support tickets)
  • Payment and billing data (via Stripe; we do not store card details)
  • Content and analytics data (URLs, page content, comments)
  • Usage, device, and telemetry data (IP, browser, session data)
  • Marketing communication (optional)

Categories of data subjects

  • Business and contractual partners
  • Prospects
  • Communication partners
  • Customers (B2B)
  • Users (e.g. website visitors, users of online services)

Purposes of processing

  • Provision of our online offering and user-friendliness
  • Contact requests and communication
  • Security measures
  • Reach measurement and analysis
  • Contractual services and customer service
  • Administration and response to inquiries

4. Applicable Legal Bases

Below you will find an overview of the legal bases under the GDPR on which we process personal data:

  • Consent (Art. 6 (1) (a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps prior to entering into a contract.
  • Legal obligation (Art. 6 (1) (c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 (1) (f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

5. AI Processing

Leadmatix uses AI technologies to improve our services. The following principles apply:

  • No training of public models: Customer-specific content is not used to train public AI models.
  • Pseudonymization: For internal quality purposes, data is only used in pseudonymized or aggregated form.
  • No automated individual decisions: No decisions with legal consequences under Art. 22 GDPR are made without human review.
  • Subprocessors: AI providers are contractually bound and subject to the EU Standard Contractual Clauses.

6. Security Measures

In accordance with statutory requirements and taking into account the state of the art, we implement appropriate technical and organizational measures in line with Art. 32 GDPR:

  • Role-based access controls
  • Encryption (SSL/TLS for data transmission)
  • Least-privilege principle
  • Secure secret management
  • Network segmentation
  • Logging and monitoring
  • Regular backups
  • Vendor assessments

SSL/TLS encryption: This site uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by the change from "http://" to "https://" in the browser address bar and by the lock icon shown there.

7. Processors and Recipients

In the course of our processing of personal data, data is transferred to the following categories of recipients:

  • Hosting, cloud, and CDN providers
  • Email services
  • Stripe (independent controller for payment data)
  • AI and technology providers
  • Support and success tools
  • Consulting and tax advisors

Note on Stripe:

Payment processing is handled by Stripe. We do not store card data ourselves. Stripe acts as an independent controller for payment data under its own privacy policy.

8. International Data Transfers

If we process data in a third country (i.e., outside the European Union (EU) or European Economic Area (EEA)), this is only done in compliance with statutory requirements.

We use EU Standard Contractual Clauses (SCC) and additional security measures for third-country transfers. Transfer Impact Assessments are carried out where required.

Note on US providers: We sometimes use services of providers based in the USA. For these transfers, we rely on the EU Commission Standard Contractual Clauses and the EU-U.S. Data Privacy Framework where applicable.

9. Storage Duration and Deletion

The data we process is deleted in accordance with statutory requirements as soon as the consents permitting processing are withdrawn or other authorizations cease to apply.

Retention periods

  • Contract data: Contract term plus statutory retention obligations
  • Analytics/content: Until deleted by the user or account termination
  • Logs/telemetry: 90–365 days
  • 10 years: Commercial and tax retention obligation (§ 257 HGB, § 147 AO)
  • 6 years: Commercial letters and business documents (§ 257 HGB)
  • 3 years: Standard limitation period for civil claims

10. Rights of Data Subjects

As a data subject, you have various rights under the GDPR:

  • Right of access (Art. 15 GDPR): You have the right to obtain information about the data stored concerning you.
  • Right to rectification (Art. 16 GDPR): You have the right to have inaccurate data corrected.
  • Right to erasure (Art. 17 GDPR): You have the right to have your data erased.
  • Right to restriction (Art. 18 GDPR): You have the right to restrict processing.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your data in a machine-readable format.
  • Right to object (Art. 21 GDPR): You have the right to object to processing.
  • Right to withdraw consent (Art. 7 (3) GDPR): You have the right to withdraw consent at any time.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your residence, place of work, or place of the alleged infringement. You may also contact the Cypriot supervisory authority or any other EU supervisory authority.

11. Cookies and Local Storage

Cookies are small text files that are stored on your device.

Strictly necessary cookies

These cookies are strictly necessary for the operation of the site and are set without consent. For example, they enable security-related functionality such as session management.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest) and § 25 TDDDG

Non-essential cookies

All other cookies (analytics, marketing) require your consent under Art. 6 (1) (a) GDPR and § 25 TDDDG. You can withdraw your consent at any time via our cookie banner.

Affiliate tracking cookies

As part of our partner program we set two functional first-party cookies that are used to attribute referrals to our affiliate partners.

  • lm_ref: Stores the referral token of the affiliate whose link you used to reach the site. Lifetime: 90 days. HttpOnly, SameSite=Lax. Evaluated exclusively server-side to correctly attribute the commission on a later registration.
  • lm_recruiter_ref: Stores the recruitment token if you reached the partner program via a sub-affiliate link. Lifetime: 180 days. HttpOnly, SameSite=Lax. Only evaluated when you enroll as an affiliate yourself in order to establish the tier-2 relationship.

Legal basis: Art. 6 (1) (b) GDPR (performance of affiliate-program contract) and Art. 6 (1) (f) GDPR (legitimate interest in correct commission accounting).

12. Data Collection on This Website

Server log files

The provider of the pages automatically collects and stores information in server log files:

  • Shortened IP address
  • Date and time of access
  • Browser type and version
  • Operating system used
  • Referrer URL

This data is deleted after 90 to 365 days.

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in the security and stability of the service)

Contact form

If you send us inquiries via the contact form, your details will be stored by us for the purpose of processing the inquiry.

Legal basis: Art. 6 (1) (b) GDPR (performance of contract or pre-contractual measures)

Customer accounts

When you register for a customer account, the data you provide is stored and used for performance of the contract and customer support.

Legal basis: Art. 6 (1) (b) GDPR (performance of contract) and Art. 6 (1) (c) GDPR (legal obligation)

13. Invoicing

Electronic invoices are created and sent via Stripe Invoicing.

For German business customers we provide EN 16931 compliant e-invoices (Factur-X/ZUGFeRD) upon request.

14. Minors

Leadmatix is directed exclusively at businesses (B2B). We do not knowingly process personal data of minors. If we become aware that data of minors has been collected without parental consent, such data will be deleted without delay.

15. Leadmatix SaaS Platform

When using our SaaS platform Leadmatix for WhatsApp Business communication, the following data is processed:

Processed data

  • Contact data of your end customers (name, phone number)
  • Communication content (messages via WhatsApp)
  • Platform usage data
  • Log data for support and troubleshooting

Data processing on your behalf

Where we process personal data on your behalf, we conclude a data processing agreement with you in accordance with Art. 28 GDPR. In this case, you act as the controller and we act as the processor.

WhatsApp Business API

WhatsApp communication is handled via the official WhatsApp Business API from Meta. Meta processes data in accordance with its own privacy policy. We recommend that you inform your end customers about the use of WhatsApp for business communication.

Sharing and invitation function

When you send invitations to team members or external users, you as the customer determine the recipients and are responsible for the appropriate legal basis. We process the email addresses for sending and access management. Invitations are logged.

Last updated: February 2026