Privacy Policy | Lead Seeker

Understand how Lead Seeker protects your data. Our privacy policy details data collection, GDPR compliance, and your rights. Learn more today.

Last updated: July 6, 2026

Overview

Lead Seeker's privacy policy covers the account, billing, usage, customer, and prospect data we process; the GDPR legal bases we rely on; our Controller and Processor roles; sub-processors and international transfers under SCCs / UK IDTA; retention by data category; GDPR, CCPA / CPRA, and Virginia / Colorado / Connecticut / Utah / Texas / Oregon rights; the prospect-data opt-out path; automated decision-making; security; and how to reach privacy@theleadseeker.com.

This policy explains what personal information Lead Seeker collects, how we use it, the legal bases we rely on, who we share it with, where it is stored, how long we keep it, and the rights you have over it.

Lead Seeker (“we”, “us”, “our”) operates theleadseeker.com and the Lead Seeker product (the “Service”). This Privacy Policy describes how we handle personal information that you provide to us, that we collect automatically when you use the Service, and that we compile about prospects on behalf of our customers. It is written for a global B2B audience and is designed to be consistent with the EU and UK General Data Protection Regulation (GDPR / UK GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA / CPRA), and the comparable consumer-privacy laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other US states with similar rules in force.

Who we are and scope

Definitions

Data we collect

How we use data and the legal bases we rely on

Our role: Controller, Processor, and Prospect Data

Sharing and sub-processors

International data transfers

How long we keep data

Your rights and how to exercise them

California and US state-specific notices

Notice for prospects whose data appears in the Service

Automated decision-making and profiling

Security

Children

Changes to this policy

Contact, EU and UK representatives

Informational notice

Lead Seeker is a B2B prospect-intelligence platform. We surface fresh signals about accounts and their decision makers so revenue teams know who to reach out to and why, backed by a dossier and a recommended first message. This policy covers personal information processed through the public marketing site at theleadseeker.com, the signed-in product, our APIs, our outbound sales communications, and our customer support channels.

It does not cover websites or services operated by third parties even if they are linked from the Service. Their privacy practices are governed by their own policies. For a higher-level view of our compliance posture, how we source Prospect Data, supplier due diligence, and the sensitive categories we never collect, see Trust & Compliance.

Customer. A business that has signed up for the Service, including its Affiliates and Authorized Users.

Authorized User. A natural person whom a Customer has invited to use the Service under the Customer’s account, including employees, contractors, and consultants.

Personal Data. Information that identifies, relates to, or could reasonably be linked to an identified or identifiable natural person, including the categories that GDPR calls “personal data” and that CCPA / CPRA calls “personal information”.

Customer Data. Personal Data and other content that a Customer or Authorized User uploads, syncs, or otherwise submits to the Service (for example, an imported CRM list, a target-account file, or notes added inside the product).

Prospect Data. Business-context information about decision makers and the companies they work for that we compile from public sources and licensed providers — for example, a work email address, role title, employer, and operational signals such as a recent funding round or a key hire.

Service Data. Operational, telemetry, log, and aggregated usage data that the Service generates as it runs (latency, error rates, feature-usage counters, billing meter events).

Sub-processor. A third-party vendor that processes Personal Data on our behalf to deliver the Service (for example, our cloud host, our email-delivery vendor, and our payment processor).

Account information. When you sign up we collect your name, business email address, company name, role, and authentication credentials. If you sign in through a third-party identity provider, we receive the identifiers and profile fields that provider releases to us under your consent.

Billing information. If you subscribe to a paid plan or to the $99 pilot, our payment processor (Stripe) collects billing details on our behalf. We receive a tokenized reference, the last four digits of the card, the card brand, the billing country and postal code, and the invoices and receipts associated with your account. We do not store full card numbers or CVV values.

Usage and telemetry data. We log device, browser, IP address, approximate (city-level) geolocation derived from IP, pages viewed, features used, search queries inside the product, API requests, error events, and timestamps. We use this to operate, secure, debug, and improve the Service.

Workspace and product activity. When you use the signed-in product we collect and store the workspace setup details you provide (your company URL, your ideal-customer profile, the prompts and search filters you write), saved searches, the prospect records returned to you, dossiers you open or generate, exports you create, exclusion and suppression lists you upload, team invitations and seat assignments, plan and Lead Unit usage, support requests, in-product operational events, and product analytics about how the workspace is used.

Customer Content. Material that you upload or push into the Service — for example, a CSV of target accounts, sequences you draft, or notes attached to a prospect record. We process Customer Content on your behalf and under your instructions.

Prospect Data. Business-context information about decision makers and their companies that we compile from publicly available sources (company websites, regulatory filings, press releases, hiring boards, public APIs of professional networks) and from licensed B2B data providers. This is generally limited to professional contact information (work email, role title, employer, role-based phone) and operational signals.

Communications. If you contact us by email or through a form, we receive your message, your contact details, and the metadata of the message (timestamps, technical headers).

Cookies and similar technologies. Cookie consent on theleadseeker.com is managed by Termly, which auto-blocks non-essential third-party tags until you consent and publishes the live cookie inventory. See the Cookie Policy & Data Security page for an overview and the link to the Termly-hosted cookie list, and use the “Manage cookie preferences” button on that page to change your choices at any time.

For users in the EEA, UK, or Switzerland, GDPR requires us to identify a legal basis for each processing purpose. We rely on the bases shown in bold below.

To provide the Service to you (Contract — Art. 6(1)(b) GDPR). Creating and authenticating your account, delivering dossiers, signals, exports, and the features your plan includes.

To bill you and meet our tax and accounting obligations (Contract and Legal Obligation — Art. 6(1)(b) and (c) GDPR). Charging cards, sending invoices, retaining records for tax and audit.

To run, secure, and improve the Service (Legitimate Interests — Art. 6(1)(f) GDPR). Monitoring uptime, debugging errors, preventing fraud and abuse, measuring feature usage to prioritise improvements. Our interest in keeping the Service reliable and secure is balanced against your privacy interest, and we minimise the data used for this purpose.

To send you operational and security communications (Contract — Art. 6(1)(b) GDPR). Billing notices, downtime alerts, security advisories, and changes to these legal pages. These are not marketing and you cannot unsubscribe from them while the account is active.

To send you product marketing where permitted (Consent or Legitimate Interests — Art. 6(1)(a) or (f) GDPR; CAN-SPAM in the US). Newsletters, product announcements, and educational content. Every marketing email contains a one-click unsubscribe link and we honour opt-outs promptly.

To compile and maintain Prospect Data (Legitimate Interests — Art. 6(1)(f) GDPR). We rely on the legitimate interest of B2B sellers in identifying companies and decision makers who are likely to benefit from their products. We limit Prospect Data to professional context (work email, role, employer, public operational signals), source it from publicly available or lawfully licensed information, give prospects clear ways to see, correct, or remove their entry, and do not include sensitive categories of personal data. We have completed a balancing assessment that documents this and update it as the Service evolves.

To comply with law (Legal Obligation — Art. 6(1)(c) GDPR). Responding to lawful requests from regulators, courts, or tax authorities; meeting record-keeping rules; and enforcing our Terms.

We are the Controller for account, billing, usage, telemetry, marketing, and support data — we decide why and how that data is processed.

We are a Processor for Customer Content. We process it on your documented instructions, only to provide the Service to you, and we make a Data Processing Addendum (DPA) available on request to Customers who need one to satisfy their own GDPR obligations.

For Prospect Data, we act as an independent Controller to the extent we independently compile the data from public and licensed sources, decide on its structure, and make it available through the Service. Where applicable law treats us and a Customer as joint controllers in respect of a particular processing activity (for example, certain enrichment workflows), we will agree the allocation of responsibilities required by GDPR Art. 26 with that Customer in writing. In any event, when a Customer uses Prospect Data to send outreach, the Customer is the Controller of that outbound communication and is responsible for its compliance with applicable anti-spam, telemarketing, and privacy law. The Service does not send outbound messages on the Customer’s behalf.

We share Personal Data with vetted Sub-processors who help us run the Service. Categories include:

Cloud infrastructure and hosting (compute, storage, managed databases).

Email delivery for transactional, billing, and marketing messages.

Product analytics and tag management (delivered via Google Tag Manager and gated by the Termly consent banner — see the Cookie Policy & Data Security).

Error and performance monitoring, and logging / observability.

Customer support and ticketing.

Payment processing (Stripe).

Identity, authentication, fraud, and abuse prevention.

Search, enrichment, and B2B data providers used to compile and refresh Prospect Data.

AI providers used for summarisation, ranking, dossier generation, draft messages, and live research.

AI providers and what we send them

To deliver search, enrichment, dossiers, scoring, intent and operational signals, draft messages, and live research, we may send relevant prompts, workspace context, contact records, company information, and research requests to the AI, search, enrichment, email, billing, hosting, authentication, analytics, and observability providers that power the Service. We send only what each provider needs to perform the task. We do not authorise these providers to use customer-identifiable workspace data for their own marketing, and we do not authorise them — and we do not ourselves — to use customer-identifiable workspace data to train AI or machine-learning models without your separate written permission, whether the model belongs to us, to the provider, or to any third party.

Each Sub-processor is bound by a written contract that imposes confidentiality, security, breach notification, and data-protection obligations consistent with this policy and, where applicable, with GDPR Art. 28. We maintain a current list of Sub-processors and the data each one processes; Customers can request a copy by emailing privacy@theleadseeker.com. We give Customers reasonable advance notice of new Sub-processors that materially change the processing.

We may also share Personal Data:

With your Customer (the company on whose account you are an Authorized User), so the account administrator can manage seats, billing, and audit trails.

With professional advisers (lawyers, auditors, accountants) under confidentiality.

In a corporate transaction (merger, acquisition, financing, sale of assets, bankruptcy), in which case Personal Data may be transferred to the counterparty under equivalent protection.

When required by law, regulation, court order, or to protect the rights, property, or safety of Lead Seeker, our customers, or the public.

We do not sell Personal Data, and we do not share it with third parties for their own independent advertising or marketing.

Lead Seeker is operated from the United States. If you access the Service from outside the United States, Personal Data about you will be transferred to and processed in the United States and in any other country where our Sub-processors operate, including countries that may not provide the same level of data protection as your home country.

When we transfer Personal Data out of the EEA, the UK, or Switzerland, we rely on a valid transfer mechanism — the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), or the Swiss addendum, as applicable — and we conduct transfer-impact assessments where required. A copy of the relevant SCCs is available on request.

We retain account, billing, usage, workspace setup, prompts, saved searches, returned prospect records, dossiers, exports, exclusion lists, support, and operational data while we need it to provide the Service to you, meet our billing, tax, and compliance obligations, resolve disputes, secure the Service, and improve its reliability. We keep Personal Data only as long as we need it for the purpose it was collected for, and then for any period required by law. The default retention periods we apply are:

Account data — for the life of the account, then 30 days as a grace period before permanent deletion.

Billing, invoice, and tax records — for 7 years from the date of the transaction, or longer where local tax law requires.

Customer Content — for the life of the account, then 30 days as a grace period before permanent deletion. Customers can export their data during the grace period.

Usage and telemetry logs — typically 90 days for raw logs and up to 24 months in aggregated form.

Prospect Data — refreshed continuously from source. Records flagged by an opt-out, an unsubscribe, a deletion request, or a confirmed bounce are removed across the index and suppressed from re-collection.

Support tickets — for 24 months after the ticket is closed.

Marketing contacts — until you unsubscribe, then suppression-list-only retention so we do not contact you again.

Subject to local law, you have the following rights over your Personal Data.

GDPR (EEA, UK, Switzerland)

Access — confirm whether we process your data and receive a copy.

Rectification — correct inaccurate or incomplete data.

Erasure — delete data, subject to legal retention requirements.

Restriction — limit how we process your data while a question is resolved.

Portability — receive certain data in a structured, machine-readable format.

Objection — object to processing based on legitimate interests, including direct marketing.

Withdraw consent — at any time where we relied on consent, without affecting prior processing.

Lodge a complaint with your supervisory authority (in the UK, the ICO).

CCPA / CPRA (California) and other US states

Right to Know what categories and specific pieces of Personal Information we have collected about you, the sources, the business purposes, and the categories of recipients.

Right to Delete Personal Information we hold about you, subject to legal exceptions.

Right to Correct inaccurate Personal Information.

Right to Opt-Out of Sale or Sharing. We do not sell or share Personal Information for cross-context behavioural advertising.

Right to Limit Use of Sensitive Personal Information. We do not collect or use sensitive personal information beyond what is needed to provide the Service.

Right to Non-Discrimination for exercising any of these rights.

Comparable rights apply for residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other US states whose consumer-privacy laws are in force at the time of your request, including a right of appeal where state law provides one.

How to make a request

Email privacy@theleadseeker.com with the right you wish to exercise and enough detail to identify your records (the email address you use with the Service is usually enough; for prospects, the email address that appears in our index). We will acknowledge within 10 business days and respond on the merits within 30 days, with a possible extension to 45 days where the request is complex, in line with GDPR and CCPA timing rules.

We may need to verify your identity before acting on a request. Authorised agents must provide written permission and we may contact you directly to confirm. If we deny a request in whole or in part, we will explain why and, where state law provides one, tell you how to appeal to privacy@theleadseeker.com. We do not charge a fee for legitimate requests; we may charge a reasonable fee or refuse where requests are manifestly unfounded or excessive, as permitted by law.

Categories of Personal Information collected (CCPA / CPRA)

Identifiers — name, business email, IP address, account ID.

Customer records — billing contact, company name, role.

Commercial information — plan, transaction history, support requests.

Internet or other electronic activity — pages viewed, features used, error events.

Geolocation — approximate (city / region) location derived from IP.

Professional or employment-related information — job title, employer, role-based phone (this is the bulk of Prospect Data).

Inferences — model-derived signals such as buying-stage scores, derived from the categories above.

Sources. Directly from you, from your Customer, automatically through your use of the Service, and from publicly available or lawfully licensed third-party sources for Prospect Data.

Business purposes. Providing, securing, and improving the Service; billing; legal compliance; and the legitimate interests described in section 4.

Sensitive Personal Information. We do not knowingly collect sensitive personal information (such as government identifiers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, health, sexual orientation, or contents of private communications) and we do not use any such information to infer characteristics about a consumer.

“Do Not Sell or Share My Personal Information”. We do not sell or share Personal Information for cross-context behavioural advertising and we have not done so in the preceding 12 months. There is therefore no opt-out toggle to display, but if you want a written confirmation, email privacy@theleadseeker.com and we will provide one. Where your browser sends a Global Privacy Control (GPC) signal, we treat it as an opt-out as described on the Cookie Policy & Data Security page.

If you are a prospect whose business contact information appears in the Service, you can ask us to confirm what we hold about you, correct it, or remove it. The fastest way is to email privacy@theleadseeker.com from the email address that is in our index, or to identify the company and role you want removed.

Confirmed deletion requests are honoured across all customer accounts and added to a suppression list so that the same record is not re-collected from public sources at the next refresh. If a customer subsequently uploads the same record into their own Customer Content, that copy lives inside the customer’s account and is governed by the customer’s own privacy practices; we will, on request, contact the customer about it.

Customers are independently responsible for honouring deletion, suppression, opt-out, and unsubscribe obligations in their own outreach campaigns and CRM systems, including for any records they have already exported, downloaded, or copied out of the Service.

The Service uses automation and AI to summarise public and licensed information, rank and score accounts, detect operational signals (a hire, a funding round, a stack change), generate dossiers, and draft suggested first messages. These outputs are B2B intelligence and recommendations to a human user; they are intended to support, not replace, human judgement.

They are not solely-automated decisions that produce legal or similarly significant effects on a person within the meaning of GDPR Art. 22. The Service is not designed for, and customers agree not to use it for, legally significant eligibility decisions about credit, housing, insurance, employment, education, healthcare access, tenant screening, or other consumer-eligibility decisions covered by the US Fair Credit Reporting Act or comparable laws.

We use encryption in transit (TLS 1.2+), encryption at rest, scoped role-based access controls, hardware-backed multi-factor authentication for production access, audit logging, daily backups with point-in-time recovery, and continuous monitoring. The full security summary is on the Cookie Policy & Data Security page. No system is perfectly secure; we will notify affected customers and authorities of material incidents within the timelines required by law.

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data, please contact us and we will delete it.

We will post any changes to this policy on this page and update the “Last updated” date above. Material changes — for example, a new processing purpose, a new category of recipients, or a change in the legal basis we rely on — will be notified by email to active customers at least 30 days before they take effect.

Questions about this policy or your data? Contact us at privacy@theleadseeker.com. For security questions, write to security@theleadseeker.com.

If we are required to designate an EU representative under GDPR Art. 27 or a UK representative under the UK GDPR, the current designations will be published on this page. Until then, EEA and UK data subjects may contact us at privacy@theleadseeker.com and we will route their request appropriately.

This policy is provided as informational documentation for a B2B SaaS service that processes business contact information; it is not legal advice and does not create a contract on its own. We recommend a qualified attorney review it for your jurisdiction and risk profile before relying on it for compliance.