Privacy Policy
Last updated: 11 May 2026
This Privacy Policy explains how Leadex ("we", "us", "our") collects, uses, shares, and protects personal data when you visit getleadex.com (the "Site") or use our application at app.getleadex.com (the "Service"). We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applicable Portuguese data protection law.
1. Data controller
The data controller responsible for your personal data is:
Leadex
Lisbon, Portugal
Email: hello@getleadex.com
2. What we collect and why
2.1 Marketing website (getleadex.com)
- Essential technical data - IP address, user-agent, referrer, requested URL. Used to serve the site, detect abuse, and maintain security. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
- Analytics (Google Analytics 4) - if you consent, we use Google Analytics 4 to measure aggregated usage (pages viewed, session duration, device/country). IPs are anonymised. Legal basis: consent (Art. 6(1)(a) GDPR).
- Behavioural analytics (Microsoft Clarity) - we use Microsoft Clarity to capture how you interact with the site through behavioural metrics, heatmaps, and session recordings (mouse movements, clicks, scrolls). This helps us understand and improve the site, and supports fraud/security purposes. Data is captured using first- and third-party cookies and similar technologies. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). For more information on how Microsoft collects and uses data, see the Microsoft Privacy Statement.
- Contact email - if you email hello@getleadex.com, we process your email address and the contents of your message to reply. Legal basis: legitimate interest or, where applicable, steps prior to entering a contract (Art. 6(1)(b) & (f) GDPR).
2.2 Service (app.getleadex.com)
- Account data - name, work email, hashed password or SSO identifier. Legal basis: contract (Art. 6(1)(b) GDPR).
- Usage data - prompts, research plans, approvals, generated lists, logs. Used to deliver the Service, debug, and improve quality. Legal basis: contract and legitimate interest.
- Third-party contact data - publicly available business contact information (company name, role, work email) that the Service collects from the open web and enrichment providers on your instruction. You act as the controller of this data for your own outbound activities; we process it as processor on your behalf.
- Billing data - if applicable, processed by our payment provider; we do not store card details.
3. How we share data
We do not sell personal data. We share limited data with trusted service providers acting as processors under contracts that meet GDPR Article 28 requirements:
- Hosting & infrastructure - operators of our servers and CDN in the EU.
- Analytics - Google Ireland Ltd. / Google LLC (Google Analytics 4), only if you consent.
- Behavioural analytics - Microsoft Corporation (Microsoft Clarity). Processes interaction data (session recordings, heatmaps) on our behalf under legitimate interest. See the Microsoft Privacy Statement.
- Email delivery - our email provider for transactional messages.
- Enrichment & search providers - used by the Service to resolve public business data (e.g., contact look-ups, company search). These providers process business contact data on your instruction.
- CRM integrations - when you connect a CRM (e.g., HubSpot), data you direct us to export is transmitted to that CRM under its own terms and privacy policy.
4. International transfers
Some processors may be located outside the EEA (notably in the United States). Where that is the case, we rely on the European Commission's Standard Contractual Clauses and, where available, the EU-US Data Privacy Framework, together with supplementary safeguards as needed.
5. Retention
- Server logs: up to 30 days.
- Google Analytics: 14 months (Google default).
- Email correspondence: as long as reasonably needed to handle your enquiry or maintain our relationship, then archived or deleted.
- Account data: for the life of your account and up to 24 months afterwards, then deleted or anonymised, unless a longer period is required by law (e.g., accounting: 10 years under Portuguese law).
6. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten"), subject to legal retention obligations;
- Restrict or object to processing based on legitimate interest;
- Withdraw consent at any time, without affecting the lawfulness of prior processing;
- Data portability - receive your data in a structured, machine-readable format;
- Lodge a complaint with the Portuguese data protection authority, CNPD, or your local supervisory authority.
To exercise any of these rights, email hello@getleadex.com. We will respond within one month as required by Art. 12(3) GDPR.
7. Cookies
We use a minimal set of cookies and similar technologies.
| Cookie | Purpose | Category | Duration |
|---|---|---|---|
| leadex-consent (localStorage) | Remembers your cookie choice. | Strictly necessary | Persistent |
| _ga, _ga_* | Google Analytics - measure aggregated usage. | Analytics (consent-based) | Up to 24 months |
| _clck | Microsoft Clarity - stores a unique user ID and session preferences. | Analytics (legitimate interest) | 1 year |
| _clsk | Microsoft Clarity - groups page views into a single session recording. | Analytics (legitimate interest) | 1 day |
| CLID | Microsoft Clarity - identifies first-time vs returning visitors. | Analytics (legitimate interest) | 1 year |
| MUID | Microsoft - identifies unique browsers visiting Microsoft sites; used by Clarity for session correlation. | Analytics (legitimate interest) | 1 year |
| MR, ANONCHK, SM | Microsoft Clarity / Bing - session state and cross-subdomain synchronisation cookies. | Analytics (legitimate interest) | Session - 10 min |
Strictly necessary cookies are required for the site to function and do not need consent. Analytics cookies are only set after you click "Accept all". You can change your mind at any time via the "Cookie preferences" link in the footer.
We use Google Consent Mode v2: analytics is blocked by default until you consent.
8. Security
We use TLS in transit, encrypted backups, access controls, and principle-of-least-privilege for staff. No system is perfectly secure; we will notify affected users and the competent authority of any personal data breach likely to result in a risk to rights and freedoms, in line with Art. 33-34 GDPR.
9. Children
The Service is for business users. It is not intended for children under 16, and we do not knowingly collect their data.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced on this page with a revised "Last updated" date. Where changes are significant, we will notify account holders by email.
11. Contact
Questions, requests, or complaints: hello@getleadex.com.