01 — Overview
The General Data Protection Regulation gives people in the European Economic Area, the United Kingdom, and Switzerland real control over how their personal data is collected and used. Leadiosa was designed with those rights as a default rather than a checkbox.
This page summarises the GDPR-specific commitments that sit on top of our regular Privacy Policy. If you're an enterprise buyer doing a vendor review, this is the page you'll want.
02 — Our role under GDPR
Leadiosa plays two different roles depending on whose data we're processing:
- Controller — for the personal data of the operators who sign in to a workspace (your team), and for workspace owners' account / billing data. We decide what to collect about you and why, within the bounds of this policy.
- Processor — for the personal data of the visitors who type into the chat widget on your site. You (the workspace operator) are the controller of that data; we act on your behalf to receive, store, and route it.
Splitting the roles this way matches how the service actually works: you choose what to ask your visitors, what to retain, and when to delete it. We give you the tools and stay out of the way.
03 — Data Processing Agreement
A standard Data Processing Agreement is incorporated into our Terms of Service by reference. It covers the requirements of Article 28 of GDPR, the UK GDPR, and the Swiss FDPA, including Standard Contractual Clauses for transfers outside the EEA.
04 — Subprocessors
The full subprocessor list is maintained on the Privacy Policy; the table below is a summary. Conditional subprocessors (the LLM and embedding providers) are only engaged when the workspace operator turns on the corresponding AI feature, so a workspace that never enables AI features never sends visitor data to them.
| Subprocessor | Purpose | Region | Status |
|---|---|---|---|
| OpenRouter | LLM routing for AI features | United States | Conditional |
| OpenAI | LLM and embedding provider | United States | Conditional |
| Anthropic | LLM provider | United States | Conditional |
| DeepSeek | LLM provider | China / global | Conditional |
| Jina AI · Voyage · Cohere | Embeddings | United States / EU | Conditional |
| Freemius | Billing & tax compliance | United States | Always (paid workspaces) |
| ThemeREX hosting (Coolify) | Application + DB hosting | Pending | Always |
| Email delivery | Transactional email | Pending | Always |
We give at least 30 days' notice before adding a new subprocessor or changing the region of an existing one. You can object to a new subprocessor by writing to privacy@leadiosa.com; if we can't accommodate the objection, you can terminate the affected workspaces.
05 — Data-subject rights
For the operator accounts on workspaces under your control, you can fulfil access / rectification / erasure / portability requests directly from the dashboard. For visitor data, the workspace operator is the controller — we provide the tooling, the operator sets the policy:
- Access and portability — operators can export workspace data as JSON from Settings → Data.
- Erasure — Contacts → Erase. The action is audit-logged and cascades through messages, attachments, AI summaries, embeddings, and the RAG index.
- Rectification — operators edit contact records directly in the dashboard.
- Restriction and objection — currently handled via email to privacy@leadiosa.com.
Visitor requests sent to us are forwarded to the relevant workspace operator within seven days. The operator, as controller, must respond without undue delay and at the latest within one month of receipt (Article 12(3)), extendable by up to two further months only for complex or numerous requests.
06 — International transfers
Where personal data leaves the EEA — most often when a workspace uses a US-based LLM provider — the transfer relies on the European Commission's Standard Contractual Clauses (2021 modules) and on any additional safeguards the provider offers (e.g. OpenAI's Zero-Data-Retention API, where applicable).
Workspaces with strict residency requirements can pick EU-only embeddings (Cohere) and leave the LLM features off: every LLM provider in the table above is outside the EEA, so there is currently no EU-only LLM option. Talk to us if you need a more constrained configuration than the dashboard allows.
07 — Retention and deletion
Retention periods are detailed on the Privacy Policy. Two GDPR-relevant points to highlight:
- Workspaces can configure a conversation retention window in Settings — anything older than the window is automatically erased.
- Backups are kept on a rolling 30-day basis. Data erased from the live system is therefore gone from every backup within at most 30 days, once the last backup that contained it expires.
08 — Breach notification
If we become aware of a personal-data breach that meets the GDPR notification threshold, we will:
- Notify affected workspace controllers without undue delay (Article 33(2)) and in any case within 72 hours of becoming aware of the breach, so that controllers have what they need for their own 72-hour notification to the supervisory authority under Article 33(1).
- Notify the supervisory authority ourselves where we are the controller of the affected data (operator account and billing data).
- Provide a description of the breach, the categories of data and people affected, the likely consequences, and the steps we are taking to contain and remediate.
- Publish a post-incident summary on the status page once the incident is fully resolved.
The single channel for breach reports and security concerns is security@leadiosa.com.
09 — DPO and contact
At Leadiosa's current scale of processing, the Article 37 thresholds (core activities consisting of large-scale regular and systematic monitoring of data subjects, or large-scale processing of special categories of data) are not met, so we are not formally required to appoint a Data Protection Officer. Someone on the team nonetheless owns this work end-to-end and is the single point of contact for privacy matters.
- Privacy and data-subject requests: privacy@leadiosa.com
- DPA and contract questions: legal@leadiosa.com
- Security incidents and breach reports: security@leadiosa.com