This Data Processing Addendum (“DPA”) sets out the processor terms between you (the customer, acting as data controller) and Lead Source (acting as your processor) when Lead Source processes personal data on your behalf through the service.
It applies automatically to every customer whose use of the service involves personal data. You don’t need to sign it separately: accepting our Terms of Service incorporates this DPA by reference. EU/UK customers and customers with specific procurement requirements can request a signable counterpart from privacy@leadsource.co.
The architecture matters. Our tracking script uses no cookies, no client-side storage, and no fingerprinting. That places the script outside ePrivacy/PECR storage-and-access scope. See Annex IV.
This DPA is entered into between Leftleads Pty Ltd trading as Lead Source, ABN [CONFIRM], registered in Victoria, Australia (“Lead Source,” “we,” “us,” “processor”) and the customer identified in the account record at app.leadsource.co (“customer,” “you,” “controller”).
This DPA is incorporated into and forms part of the Lead Source Terms of Service (the “agreement”). It applies whenever Lead Source processes personal data on the customer’s behalf in the course of providing the service.
This DPA takes effect on the date the customer accepts the agreement, or, for existing customers, on the date this DPA is first published at leadsource.co/dpa, whichever is later.
Capitalised terms not defined here have the meanings given in the agreement, in applicable data protection law, or in the standard contractual clauses where those clauses apply.
3.1 Roles. The parties agree that, for the purposes of customer personal data processed under the agreement, the customer is the controller and Lead Source is the processor. Where the customer is itself a processor acting on behalf of a third-party controller, this DPA applies as between the customer and Lead Source as if the customer were the controller, and the customer warrants it has the third-party controller’s authority to instruct Lead Source on the terms set out here.
3.2 Documented instructions. Lead Source will process customer personal data only on the customer’s documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by law to which Lead Source is subject. The agreement, this DPA, the customer’s use of the service’s features and configurations, and any written instructions the customer provides via authorised channels together constitute the customer’s documented instructions.
3.3 Notification of conflict with law. If Lead Source is required by law to process customer personal data otherwise than on the customer’s instructions, Lead Source will inform the customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.4 Scope. The subject matter, duration, nature and purpose of the processing, the categories of data subjects, and the categories of personal data are set out in Annex I.
3.5 Customer responsibilities. The customer is responsible for the lawfulness of the customer personal data and the lawfulness of the instructions it gives to Lead Source, including ensuring it has a valid legal basis for the processing, providing all required notices to data subjects, and obtaining all required consents. The customer’s obligations as a website operator are set out in section 4 of the Terms of Service.
Lead Source will:
4A.1 Definition. “Service generated data” (“SGD”) means data that Lead Source generates from operating the service across its customer base in aggregated and de-identified form, including performance metrics, attribution model inputs, abuse-detection signals, capacity-planning data, product analytics, and aggregated benchmarks. SGD does not contain customer personal data and is not attributable to any individual data subject, customer, or website.
4A.2 Aggregation threshold. Before any data set is treated as SGD, it is aggregated to a minimum group size of k = 5 (no metric is published, exposed, or used outside production operations where the underlying group has fewer than five distinct contributing customers or data subjects). Any direct identifiers and pseudonymous identifiers (IP addresses, user-agent strings, email addresses, names, phone numbers, free-text fields) are removed or replaced with non-reversible hashes prior to aggregation. Re-identification of SGD is prohibited and Lead Source takes reasonable measures to prevent it.
4A.3 Permitted uses. Lead Source may use SGD for: (a) providing, maintaining, securing, and improving the service; (b) developing new features and products; (c) producing aggregated industry benchmarks and research; (d) abuse and fraud detection; and (e) internal business operations. Lead Source will not sell SGD, and will not disclose SGD to third parties in a form that identifies, or could reasonably be used to identify, any customer, data subject, or website.
4A.4 Carve-out. The parties agree that Lead Source’s processing of SGD is outside the scope of this DPA and is not processing on the customer’s behalf. To the extent SGD contains any personal data after the measures in section 4A.2, Lead Source is an independent controller for that personal data and processes it in accordance with the Lead Source Privacy Policy. This section reflects the parties’ agreed allocation of roles for service generated data and is not intended to give rise to a joint controllership relationship.
4A.5 Opt-out. The customer may opt its account out of contributing to certain SGD uses via the SGD toggle in the application. Opting out does not affect SGD already generated, and does not affect SGD used for service operation, security, or abuse detection.
This section applies whenever the customer enables outbound sending features of the service (template-based first-touch, AI-generated replies, or any other feature that sends email from a connected mailbox).
4B.1 Documented instructions. By enabling an outbound sending feature, the customer instructs Lead Source to: (a) connect to the mailbox the customer authorises via OAuth (and to refresh that connection as required); (b) send outbound email messages from that mailbox to the recipients the customer or the customer’s configured workflow identifies; (c) on the AI tier, read inbound replies received in the connected mailbox and process those replies, lead metadata, and conversation history through the AI sub-processor identified in Annex III to generate further outbound messages; and (d) maintain a per-account suppression list and the logs described in section 4B.4. These activities together are the customer’s documented instructions for the outbound sending and AI features.
4B.2 Customer as sender. Each outbound message is sent by the customer, from the customer’s mailbox, in the customer’s name, to advance the customer’s business. Lead Source operates as processor only. Section 4 of the Terms of Service sets out the customer’s warranties about lawful permission basis, mailbox authority, and content responsibility for these messages.
4B.3 AI sub-processor. On the AI tier, the customer authorises the use of Anthropic, PBC as a sub-processor for AI inference (drafting outbound replies). Anthropic processes inbound reply content, lead metadata, and conversation history on Lead Source’s behalf under contractual terms that prohibit Anthropic from using customer personal data to train its general-purpose models. Anthropic is listed in Annex III.
4B.4 Logs for abuse, deliverability, and audit. For each outbound message and each AI action, Lead Source retains: the source lead; the lead’s permission-basis metadata; the thread classification; the prompt inputs (AI tier); the model output (AI tier); any human approval or edits; the sent message; delivery / bounce / unsubscribe status; and subsequent deletion status. These logs are used for: (a) operating the per-account suppression list; (b) abuse and fraud detection; (c) deliverability monitoring; (d) model evaluation (AI tier); (e) responding to data-subject and customer audit requests; and (f) incident response. The parties acknowledge that the legal-role status of Lead Source’s processing for purposes (b), (c), (d), and (f), specifically whether those purposes give rise to an independent-controller role for Lead Source for some or all of the relevant log data, is subject to ongoing assessment. Where Lead Source determines it acts as an independent controller for a defined log dataset, it will process that dataset in accordance with the Lead Source Privacy Policy and update Annex I accordingly.
4B.5 Suspension for risk. Lead Source may suspend outbound sending features (or AI-tier features specifically) for an account where Lead Source identifies a pattern that creates legal, regulatory, deliverability, or reputational risk for Lead Source, its other customers, or its sub-processors, as further set out in section 11.6 of the Terms of Service.
The parties acknowledge that, when Lead Source reads inbound replies as part of the AI tier, recipients may volunteer special category personal data (within the meaning of Article 9 of the GDPR or equivalent provisions of other applicable data protection law) in free-text replies, even though Lead Source does not solicit such data and the service is not designed to process it.
4C.1 No solicitation. Lead Source does not prompt for, suggest, or design AI outputs that seek special category data. The customer warrants it will not configure the service in a way that solicits special category data from recipients.
4C.2 Detection and minimisation. Where reasonably practicable, Lead Source will operate detection and quarantine measures to identify and pause AI processing of threads containing apparent special category data. Where detection occurs, the affected thread is flagged for human handoff and AI processing of that thread is suspended pending the customer’s review.
4C.3 No Article 9 condition created by this DPA. The customer remains responsible for identifying a lawful Article 9 condition (or equivalent under other applicable data protection law) for any subsequent processing of special category data received in a reply, including any further use of that data in the customer’s own CRM or business workflows. Nothing in this DPA creates or supplies an Article 9 condition on the customer’s behalf.
4C.4 Deletion on request. The customer may request deletion of specific replies or threads containing special category data via the deletion tools in the application, or by writing to privacy@leadsource.co.
5.1 General authorisation. The customer gives Lead Source general written authorisation to engage sub-processors to process customer personal data on the customer’s behalf. The sub-processors authorised at the effective date of this DPA are listed in Annex III.
5.2 Change notification. Lead Source will give the customer at least thirty (30) days’ prior notice of any intended changes concerning the addition or replacement of sub-processors, by updating Annex III and notifying customers by email or in-product notice.
5.3 Objection. The customer may object to a proposed change on reasonable data-protection grounds by writing to privacy@leadsource.co within the thirty-day notice period. If the parties cannot agree on a resolution within a further thirty days, the customer may terminate the agreement for convenience by written notice to Lead Source, in which case Lead Source will refund any prepaid fees covering the remainder of the subscription term following termination.
5.4 Sub-processor obligations. Lead Source will impose data-protection obligations on each sub-processor that are substantially the same as those imposed on Lead Source under this DPA, by way of a written contract. Lead Source remains liable to the customer for the performance of each sub-processor’s obligations.
6.1 Transfer mechanisms. Where Lead Source or any sub-processor processes customer personal data outside the country in which the customer is established, the parties acknowledge that an adequate transfer mechanism may be required under applicable data protection law.
6.2 EEA transfers. Where customer personal data of data subjects in the European Economic Area is transferred to Lead Source or a sub-processor in a country that has not received an adequacy decision under Article 45 of the GDPR, the parties agree to be bound by the SCCs as set out in Annex V, with the customer as the data exporter and Lead Source as the data importer, on Module 2 (controller-to-processor) terms.
6.3 UK transfers. Where customer personal data of data subjects in the United Kingdom is transferred to Lead Source or a sub-processor in a country that has not received UK adequacy regulations, the parties agree to be bound by the UK IDTA as set out in Annex V.
6.4 Onward transfers. Lead Source will ensure that any onward transfer of customer personal data by a sub-processor is subject to an adequate transfer mechanism.
6.5 Australian transfers. Lead Source is established in Australia. For Australian customers, transfers to overseas sub-processors are subject to APP 8 and Lead Source takes reasonable steps to ensure each overseas recipient handles the data in a manner consistent with the APPs.
Lead Source implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II. The customer acknowledges that Lead Source may update the measures from time to time, provided that the updates do not materially reduce the level of protection.
8.1 Direct requests to Lead Source. If Lead Source receives a request from a data subject in relation to customer personal data, Lead Source will, without undue delay, redirect the data subject to the customer and notify the customer of the request, unless prohibited by law from doing so. Lead Source will not respond substantively to the request itself unless instructed by the customer or required by law.
8.2 Assistance to the customer. Taking into account the nature of the processing, Lead Source will assist the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer’s obligation to respond to requests from data subjects to exercise their rights of access, rectification, erasure, restriction of processing, objection, and data portability. Lead Source provides export and deletion tools within the application that the customer can use to honour those requests.
8.3 Costs. Lead Source provides the standard self-service tools described above at no additional cost. For non-standard assistance requested by the customer, Lead Source may charge a reasonable fee based on time and materials, on prior written notice.
9.1 Notification. Lead Source will notify the customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting customer personal data.
9.2 Information. The notification will describe, to the extent known: (a) the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects; and (d) the contact point at Lead Source where more information can be obtained. Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
9.3 Cooperation. Lead Source will cooperate with the customer and provide reasonable assistance with the customer’s investigation of, and notification obligations relating to, the personal data breach.
9.4 No admission. A notification of, or response to, a personal data breach under this section is not an acknowledgement by Lead Source of any fault or liability with respect to the personal data breach.
10.1 Information. Lead Source will make available to the customer all information reasonably necessary to demonstrate compliance with this DPA, including responses to reasonable security and privacy questionnaires, and copies of relevant policies and certifications (where available).
10.2 Audits. The customer may, no more than once in any twelve-month period (except where required by a supervisory authority or by applicable data protection law), conduct an audit of Lead Source’s compliance with this DPA. The audit must be: (a) conducted on at least thirty days’ prior written notice; (b) conducted during normal business hours; (c) subject to reasonable confidentiality obligations; (d) conducted in a manner that does not unreasonably interfere with Lead Source’s operations; and (e) at the customer’s expense.
10.3 Third-party auditor. The customer may use an independent third-party auditor for the audit, provided the auditor is not a competitor of Lead Source and is bound by appropriate confidentiality obligations.
10.4 Reports. Lead Source may satisfy its audit obligations under this section by providing the customer with a copy of a then-current third-party audit report (for example, a SOC 2 Type II report) where such a report is available and addresses the customer’s audit objectives.
11.1 During the term. The customer may export or delete customer personal data at any time during the term of the agreement using the tools available in the application.
11.2 After termination. On termination or expiry of the agreement, Lead Source will, at the customer’s choice (made within thirty days of termination or expiry), delete or return all customer personal data to the customer, and delete existing copies, unless retention is required by applicable law.
11.3 Default deletion. If the customer does not make a choice within thirty days of termination or expiry, Lead Source will delete all customer personal data within a further thirty days, except for backup copies, which will be deleted in the ordinary course of Lead Source’s backup-rotation schedule (typically within thirty further days).
11.4 Service generated data. This section 11 does not apply to service generated data, which is retained by Lead Source in accordance with section 4A.
Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the agreement. For the avoidance of doubt, the liability cap and exclusions in the agreement apply to all claims under this DPA, except where applicable data protection law prohibits the limitation or exclusion of such liability.
Lead Source may amend this DPA from time to time to reflect changes in applicable data protection law, the service, or the sub-processors engaged. Lead Source will give the customer reasonable prior notice of any material change by email or in-product notice, and the customer’s continued use of the service after the effective date of the change constitutes acceptance of the change. Where a material change to this DPA would, in the customer’s reasonable opinion, materially reduce the level of data protection afforded to customer personal data, the customer may terminate the agreement on the terms set out in section 5.3.
14.1 Precedence. In the event of any conflict or inconsistency between the provisions of this DPA and the rest of the agreement, this DPA prevails to the extent of the conflict in respect of customer personal data. In the event of any conflict or inconsistency between this DPA and the SCCs or the UK IDTA, the SCCs or the UK IDTA (as applicable) prevail.
14.2 Survival. The provisions of this DPA that, by their nature, are intended to survive termination, including sections 4A (service generated data), 9 (breach notification, in respect of breaches affecting data not yet deleted), 11 (deletion and return), and 12 (liability), survive termination of the agreement.
Data exporter (controller): the customer identified in the account record at app.leadsource.co.
Contact: as specified in the customer’s account.
Activities relevant to the data transferred: operation of the customer’s website(s) and use of the Lead Source service for marketing-attribution purposes.
Role: controller.
Data importer (processor): Leftleads Pty Ltd trading as Lead Source, ABN [CONFIRM], registered in Victoria, Australia.
Contact: privacy@leadsource.co.
Activities relevant to the data transferred: provision of the attribution, outbound-sending, and (on the AI tier) AI-assisted reply service described in the agreement.
Role: processor.
Categories of data subjects:
Categories of personal data:
Sensitive data: Lead Source does not require, invite, or solicit special category (sensitive) personal data. On the AI tier, recipients may volunteer such data in free-text replies; the parties’ treatment of that data is set out in section 4C of this DPA.
Frequency of transfer: continuous (each form submission, each outbound send, and each inbound reply on the AI tier triggers processing).
Nature of processing:
Purpose of processing: providing the lead-attribution, outbound-sending, and (on the AI tier) AI-assisted reply service described in the agreement, on the customer’s documented instructions.
Duration of processing: for the term of the agreement, plus the retention period set out in section 11.
For EEA data subjects: the supervisory authority of the EU member state where the data exporter is established, or, where the data exporter is not established in the EEA, the supervisory authority of the EU member state designated in accordance with clause 13 of the SCCs.
For UK data subjects: the UK Information Commissioner’s Office.
For Australian data subjects: the Office of the Australian Information Commissioner (OAIC).
TLS 1.2 or later for all transmissions involving customer personal data.
AES-256 at rest for the production database; equivalent provider-managed encryption for backups.
Physical security of the production environment is the responsibility of the underlying infrastructure providers (AWS, Vercel, Supabase). The founder’s local development environment is secured by full-disk encryption and a strong account password.
Production configuration is managed through Vercel and Supabase project settings, with credentials stored in the providers’ respective secret-management facilities.
Lead Source does not, at the effective date of this DPA, hold an external information-security certification (ISO 27001, SOC 2, or equivalent). Lead Source intends to pursue an appropriate certification as the organisation matures.
The customer is responsible for the accuracy of the personal data submitted through the customer’s forms. Lead Source provides edit and deletion tools in the application to enable the customer to correct or remove inaccurate data.
Customer personal data is retained for the period configured by the customer, or, where no period is configured, for the duration of the agreement. After termination, the deletion timelines in section 11 apply.
Lead Source maintains records of processing activities as required by Article 30 of the GDPR (where applicable).
The application provides export tools (CSV) and deletion tools that the customer can use to fulfil portability and erasure requests from data subjects.
The sub-processors below are authorised at the effective date of this DPA. Lead Source will update this list and notify customers of changes in accordance with section 5.
| Sub-processor | Service | Location of processing |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage | United States (US East / N. Virginia) |
| Vercel, Inc. | Application hosting, edge network | United States (primary), global edge |
| Amazon Web Services, Inc. | Underlying cloud infrastructure for Supabase and Vercel | United States (US East / N. Virginia) |
| Stripe, Inc. | Subscription billing and payment processing | United States |
| Twilio SendGrid, Inc. | Transactional email (notifications, password resets) | United States |
| Unipile SAS | Mailbox connectivity for outbound sending tiers (OAuth to Google Workspace / Microsoft 365, send and, on the AI tier, read of email) | France (European Union) |
| Anthropic, PBC | AI inference for AI-tier outbound reply drafting (processes inbound reply content, lead metadata, and conversation history). Anthropic is contractually prohibited from using customer personal data to train its general-purpose models. | United States |
| GitHub, Inc. | Source-code hosting (no production customer data) | United States |
| [CONFIRM: error monitoring vendor] | Application error monitoring | [CONFIRM] |
| [CONFIRM: product analytics vendor] | Application product analytics | [CONFIRM] |
This statement describes the technical operation of the Lead Source tracking script for the purposes of ePrivacy / PECR analysis and customer privacy-notice drafting.
The Lead Source script is a first-party JavaScript snippet hosted on the customer’s domain. When a visitor submits a form on the customer’s website, the script reads the form payload and, at the moment of submission only, sends that payload together with attribution metadata to the Lead Source server. The attribution metadata consists of: the page’s referrer URL, any UTM parameters present on the landing page, the landing page URL, the sequence of pages the visitor viewed in the current browser session, the visitor’s IP address (read server-side from the request), the user-agent string (read server-side from the request), and the timestamp of the submission.
The script sets no cookies and does not read or write localStorage, sessionStorage, IndexedDB, the Cache API, or any other client-side persistent or session-scoped storage facility.
Article 5(3) of the ePrivacy Directive (and regulation 6 of the UK PECR) applies to the “storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user.” Because the Lead Source script does not store information in, and does not access information stored in, the visitor’s terminal equipment, the storage-and-access rule in Article 5(3) / regulation 6 does not apply to the operation of the script.
The form payload is information the visitor actively submits to the customer through the customer’s form. Transmitting that payload to the customer’s chosen processor (Lead Source) is not “storage of, or access to, information in terminal equipment” for Article 5(3) purposes; it is processing of information the visitor has provided. The lawful basis for that processing is determined by the customer (the controller) under Articles 6 and (where applicable) 9 of the GDPR.
The attribution metadata (referrer, UTMs, landing page, in-session page sequence, IP address, user-agent, timestamp) is read server-side from the HTTP request or held in browser memory for the duration of the session. None of it is stored on the device by the script.
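A storage-free first-party capture snippet with the behaviour described above, as an added example. This is illustrative code written for this page, not the Lead Source script; the collection endpoint, the pushState hook and the payload field names are assumptions. Attribution state is held in a module-level variable only, the form payload is read at the moment of submission, and IP address and user-agent are deliberately not collected client-side because the server reads them from the request.

```javascript
// Added example (not the Lead Source script): a first-party form-capture
// snippet that uses no cookies and no client-side storage. The endpoint,
// the pushState hook and the payload field names are assumptions.

const ENDPOINT = 'https://collect.example.invalid/submit'; // assumed endpoint

// The only attribution state. There is no cookie, localStorage,
// sessionStorage, IndexedDB or Cache API access anywhere in this file.
const pageSequence = [];

// Extract utm_* parameters from a URL without touching any storage.
function parseUtm(url) {
  const utm = {};
  for (const [k, v] of new URL(url).searchParams) {
    if (k.startsWith('utm_')) utm[k] = v;
  }
  return utm;
}

// Record a page view in memory. A full-page navigation discards this array,
// so the sequence is complete only within one document (e.g. an SPA).
function recordPage(url) {
  pageSequence.push(url);
  return pageSequence.length;
}

// Build the payload sent at submission time. Form entries are whatever the
// visitor typed; IP and user-agent are NOT read here (the server takes them
// from the HTTP request, as Annex IV states).
function buildSubmission(formEntries, landingUrl, referrer, currentUrl, now = new Date()) {
  const form = {};
  for (const [name, value] of formEntries) {
    if (typeof value === 'string') form[name] = value; // skip File values
  }
  return {
    form,
    attribution: {
      landingUrl,
      referrer: referrer || null,
      utm: parseUtm(landingUrl),
      pageSequence: [...pageSequence],
      currentUrl,
      submittedAt: now.toISOString(),
    },
  };
}

// Browser wiring; skipped when the file is loaded under Node.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const landingUrl = window.location.href; // first URL seen by this script instance
  recordPage(landingUrl);

  // Assumed SPA hook: record route changes made via history.pushState.
  const origPushState = history.pushState.bind(history);
  history.pushState = function (...args) {
    const r = origPushState(...args);
    recordPage(window.location.href);
    return r;
  };

  // Capture phase so the payload is read even if the form handler navigates away.
  document.addEventListener('submit', (ev) => {
    const formEl = ev.target;
    if (!(formEl instanceof HTMLFormElement)) return;
    const payload = buildSubmission(
      new FormData(formEl).entries(), landingUrl, document.referrer, window.location.href);
    const body = JSON.stringify(payload); // sent as text/plain to avoid a preflight
    if (!navigator.sendBeacon(ENDPOINT, body)) {
      fetch(ENDPOINT, { method: 'POST', body, keepalive: true });
    }
  }, true);
}
```

Two practical consequences follow from the no-storage design. First, the in-session page sequence can only be as complete as the lifetime of the document the script runs in: on a multi-page site each full navigation starts a new script instance with an empty sequence, and the landing URL and UTMs are only those of the page on which the form is submitted. Second, the server that receives this payload is the only place IP address and user-agent become part of the record, so retention and pseudonymisation of those fields is a server-side control.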
This analysis does not displace the customer’s obligation to obtain consent for the underlying processing where applicable data protection law requires consent (for example, where the customer relies on consent as its lawful basis under Article 6 of the GDPR, or where applicable national law imposes a consent requirement on the underlying marketing-attribution processing independent of Article 5(3)).
The customer should describe Lead Source in its privacy notice as a processor that receives form-submission data and the attribution metadata listed above. Suggested wording is available in the Lead Source Customer Privacy Notice Template (short and long variants), provided to the customer on request from privacy@leadsource.co.
The parties agree to the SCCs (Commission Implementing Decision (EU) 2021/914), Module 2 (controller to processor), as if executed by both parties, on the following terms:
The parties agree to the UK International Data Transfer Addendum to the EU SCCs (version B1.0, in force 21 March 2022) issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, as if executed by both parties, on the following terms:
By accepting the agreement, the customer and Lead Source are deemed to have signed the SCCs and (where the UK IDTA applies) the UK IDTA on the terms set out above. No separate signature is required for the SCCs or the UK IDTA to take effect as between the parties.
For privacy or DPA-related questions, including requests for a signable counterpart:
privacy@leadsource.co
For legal questions: legal@leadsource.co
Postal address:
Leftleads Pty Ltd t/a Lead Source
[CONFIRM: street address]
[CONFIRM: suburb, postcode]
Victoria, Australia
ABN: [CONFIRM]