GDPR & data protection
Last updated: 12 May 2026
Our position
OnlyLeads is a B2B outreach platform. We take privacy seriously because our customers care about their reputation, and because B2B outreach done badly is bad for everyone — senders, recipients, and the wider ecosystem.
Roles under GDPR
Depending on the type of data, we act in different roles:
- Data Controller for our customers' account data, billing data, and platform usage logs.
- Data Processor for prospect data that our customers process through the platform. Our customers are the Data Controllers for that data.
Legal basis for processing prospect data
Our customers typically rely on legitimate interests as the legal basis for processing professional contact data of B2B prospects, in line with ICO and EDPB guidance for B2B outreach. Key conditions:
- The data is limited to professional context (work email, job title, company, public professional profile).
- The communication is relevant to the recipient's professional role.
- An easy opt-out is provided in every message.
- A documented Legitimate Interests Assessment (LIA) is in place.
OnlyLeads supports each of these conditions in how the platform is designed and used.
Data subject rights
Under UK GDPR and EU GDPR, data subjects have the right to:
- Access — request a copy of personal data we hold about them.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten").
- Object — object to processing based on legitimate interests.
- Restriction — limit how we process their data.
- Portability — receive data in a portable format.
- Complaint — lodge a complaint with their supervisory authority.
Data subjects who have received an OnlyLeads-powered message can request any of these rights by contacting either the sender or us directly at support@onlyleads.ai. We respond within 30 days.
Data Processing Agreement (DPA)
For our customers processing EU/UK personal data, we provide a DPA that includes:
- Standard Contractual Clauses (SCCs) for international transfers
- Sub-processor list and notification commitments
- Security measures (encryption in transit and at rest, access controls, audit logging)
- Breach notification commitment (72 hours)
- Audit and inspection rights
- Data return and deletion commitments on termination
To request a DPA, email support@onlyleads.ai.
Sub-processors
We use a small set of carefully chosen sub-processors:
- Clerk (US, SCCs in place) — authentication
- Unipile (EU) — LinkedIn API integration
- Anthropic (US, SCCs in place) — AI processing. Anthropic does not train on API data by default.
- Railway (US/EU regions) — infrastructure hosting
We will provide at least 30 days' notice of any new sub-processor before it begins processing personal data on our behalf.
Data location and transfers
Primary data storage is in the EU (Railway EU-West region). Some sub-processors (Clerk, Anthropic) process data in the United States. Transfers are protected by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
Security
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access controls with role-based permissions and audit logs
- No production database access from outside the application layer except for break-glass scenarios, which are logged
- Regular dependency and security scanning
- Secrets managed via the Railway secrets vault, never committed to source
Breach notification
In the event of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware of the breach, in line with Article 33 of the GDPR.
Contact
For DPA requests, data subject requests, or GDPR-related questions: support@onlyleads.ai.