Privacy Policy

Last updated: 12 May 2026

Document status: This policy is being finalized with our legal counsel. The substance below reflects our current practice. For specific questions or formal data subject requests, contact support@onlyleads.ai.

1. Who we are

OnlyLeads ("we", "us", "our") is a B2B outreach platform operated by the OnlyLeads team. Our principal place of business is in the United Kingdom. We act as a Data Controller for the data of our customers (users of the OnlyLeads platform), and as a Data Processor for prospect data that our customers upload, import, or otherwise process via our platform.

2. What data we collect

2.1 Account data

When you sign up, we collect your name, work email address, organization name, and authentication identifiers via our auth provider (Clerk). We do not store your password.

2.2 LinkedIn integration data

When you connect a LinkedIn account, our integration partner (Unipile) handles authentication. We receive: a non-credential session identifier, your account ID, your LinkedIn profile metadata, and authorization to send messages on your behalf. We never receive or store your LinkedIn password.

2.3 Prospect data

Through the platform, you may upload prospect lists or surface prospects via LinkedIn engagement signals. This data may include: name, job title, company, public LinkedIn profile, and engagement signal metadata. We process this data only on your instructions.

2.4 Usage data

We collect technical logs (IP, browser, timestamps, page views) to operate, secure, and improve the service. We do not sell this data and do not use it for cross-site advertising.

3. How we use your data

  • To provide the service — authenticate you, surface prospects, draft messages, send messages via your LinkedIn account, and surface replies.
  • To improve the service — measure performance, debug failures, and refine our AI scoring and drafting systems. We do not train external AI models on your prospect data.
  • To communicate with you — product updates, billing, support, and (occasionally) feature announcements. You can opt out of non-essential communications at any time.
  • For legal and security purposes — to comply with our obligations, detect abuse, and protect the rights of our users.

4. Legal basis (UK/EU)

We rely on the following legal bases under UK GDPR and EU GDPR:

  • Contract — to deliver the service you signed up for.
  • Legitimate interests — to operate, secure, and improve the platform, and to enable our customers to conduct B2B outreach in a compliant manner.
  • Consent — where required (e.g. certain cookies, marketing emails).
  • Legal obligation — to comply with applicable laws.

5. Who we share data with

We share data only with sub-processors necessary to deliver the service:

  • Clerk — authentication and identity management
  • Unipile — LinkedIn API integration
  • Anthropic — AI message drafting and scoring (note: Anthropic does not train on API inputs by default)
  • Railway — hosting infrastructure
  • Postgres — managed database

We do not sell your data. We do not share data with advertisers. Each sub-processor is contractually bound to handle data only on our instructions and in line with applicable privacy law.

6. Where we store data

Primary storage is in the European Union (EU). Some sub-processors (notably Anthropic and Clerk) may process data in the United States under appropriate transfer safeguards (Standard Contractual Clauses, EU-US Data Privacy Framework where applicable).

7. How long we keep data

  • Account data: for the duration of your subscription, plus 12 months for tax and audit obligations.
  • Prospect data: retained while you actively use the platform. You can request deletion at any time. Soft-deleted records are purged within 30 days.
  • System logs: 90 days.

8. Your rights

Under UK GDPR and EU GDPR, you have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete data ("right to be forgotten") subject to legal retention obligations
  • Object to processing or restrict it
  • Port your data to another provider
  • Lodge a complaint with your supervisory authority (in the UK, the ICO; in the EU, your national DPA)

To exercise any of these rights, email support@onlyleads.ai. We respond within 30 days.

9. Cookies

We use a minimal set of cookies for authentication and essential platform function. See our Cookie Policy for details.

10. Children

OnlyLeads is a B2B service intended for business users. We do not knowingly process data of anyone under 18.

11. Changes to this policy

We will notify you of material changes via email and via an in-app banner. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For any privacy questions or to exercise your rights: support@onlyleads.ai.