Privacy Policy

Effective date: 1 April 2026

1. Controller and contact

HeroLeads (“we”, “us”, or “our”) is the data controller responsible for the processing of personal data collected through the Service at heroleads.co.

For privacy-related inquiries, please contact us at: privacy@heroleads.co

Where required by GDPR, you have the right to contact our data protection officer at the same address.

2. What data we collect and why

2.1 Account data

When you register, we collect your email address and authentication credentials via Clerk (our authentication provider). This data is necessary to create and manage your account (legal basis: performance of a contract, Art. 6(1)(b) GDPR).

2.2 Billing data

Payment information is collected and processed by Stripe, Inc. We do not store full credit card details. We store a reference to your Stripe customer ID to manage your subscription and billing history (legal basis: performance of a contract, Art. 6(1)(b) GDPR).

2.3 Lead data you upload

You may upload CSV files containing personal data about third-party individuals (your prospective customers), including names, email addresses, job titles, company names, and LinkedIn profile URLs. This data is processed solely to deliver the Service to you. You are the data controller for this data; we act as a data processor on your behalf (legal basis: Art. 6(1)(b) GDPR — contract performance; you are responsible for your own legal basis for processing prospect data).

We do not use third-party lead data to train AI models or share it with any party other than the sub-processors listed in Section 4.

2.4 Company DNA and configuration

We store the Company DNA and ICP configuration you enter (company description, target criteria, etc.) to operate the Service. This data is tied to your account and is not shared externally except as required to generate outputs via AI APIs (see Section 4).

2.5 Usage data and logs

We collect standard server logs including IP addresses, timestamps, and API call logs to monitor service performance, diagnose errors, and ensure security. This data is retained for up to 90 days (legal basis: legitimate interests, Art. 6(1)(f) GDPR).

3. How we use your data

We use your data exclusively to:

  • Create and manage your account
  • Process your lead data through our research, scoring, and generation pipeline
  • Manage your subscription and billing
  • Provide customer support
  • Send transactional communications (account, billing, critical service updates)
  • Improve service reliability and performance through anonymised, aggregated analytics

We do not sell your personal data. We do not use your data for targeted advertising. We do not share your data with third parties except as described in Section 4.

4. Sub-processors and third parties

To deliver the Service, we use the following sub-processors who may process your data:

  • Clerk, Inc.: Authentication and user management; USA (EU-US Data Privacy Framework)
  • Stripe, Inc.: Payment processing and subscription management; USA (EU-US Data Privacy Framework)
  • Neon, Inc.: Database hosting (PostgreSQL); EU region (AWS eu-central-1)
  • Vercel, Inc.: Application hosting and compute; USA/EU (Standard Contractual Clauses)
  • Google LLC (Gemini API): AI model inference for research and email generation — lead data and prompts are sent to Google's API; USA (EU-US Data Privacy Framework / Standard Contractual Clauses)
  • Instantly.ai: Email sending infrastructure — qualified lead data is pushed to your Instantly.ai account; USA — your Instantly.ai account is subject to Instantly.ai's own privacy policy

Where data is transferred outside the European Economic Area (EEA), we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other appropriate safeguards under Chapter V GDPR.

5. Data retention

We retain your data for the following periods:

  • Account data: for the duration of your account, plus 90 days after deletion
  • Lead data: for the duration of your account; deleted within 30 days upon account deletion or written request
  • Billing records: retained for 10 years as required by German commercial law (HGB)
  • Server logs: 90 days maximum

6. Your rights under GDPR

If you are located in the EEA, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data
  • Right to rectification (Art. 16): Request correction of inaccurate data
  • Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”)
  • Right to restriction (Art. 18): Request limitation of processing in certain circumstances
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@heroleads.co. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority — in Germany, the relevant authority is the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).

7. Cookies

We use strictly necessary cookies for authentication and session management (set by Clerk). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is shown because we do not set non-essential cookies.

8. Security

We implement appropriate technical and organisational measures to protect your data, including encrypted database connections (TLS), encrypted data at rest, access controls, and regular security reviews. However, no system is completely secure, and we cannot guarantee absolute security.

9. Children

The Service is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The current version is always available at heroleads.co/privacy.

11. Contact

For any data protection questions or to exercise your rights: privacy@heroleads.co