Data Processing Addendum

Version 1.5 · 4 June 2026

Short version

This Data Processing Addendum (“DPA”) sets out the processor terms between you (the customer, acting as data controller) and Lead Source (acting as your processor) when Lead Source processes personal data on your behalf through the service.

It applies automatically to every customer whose use of the service involves personal data. You don’t need to sign it separately. Accepting our Terms of Service incorporates this DPA by reference. EU/UK customers and customers with specific procurement requirements can request a signable counterpart from privacy@leadsource.co.

The architecture matters. Our tracking script uses no cookies, no client-side storage, and no fingerprinting. That places the script outside ePrivacy/PECR storage-and-access scope. See Annex IV.

1. Parties and application

This DPA is entered into between Leftleads Pty Ltd trading as Lead Source, ABN [CONFIRM], registered in Victoria, Australia (“Lead Source,” “we,” “us,” “processor”) and the customer identified in the account record at app.leadsource.co (“customer,” “you,” “controller”).

This DPA is incorporated into and forms part of the Lead Source Terms of Service (the “agreement”). It applies whenever Lead Source processes personal data on the customer’s behalf in the course of providing the service.

This DPA takes effect on the date the customer accepts the agreement, or, for existing customers, on the date this DPA is first published at leadsource.co/dpa, whichever is later.

2. Definitions

Capitalised terms not defined here have the meanings given in the agreement, in applicable data protection law, or in the standard contractual clauses where those clauses apply.

  • Applicable data protection law means all laws and regulations relating to the processing of personal data that apply to the customer’s use of the service, including the GDPR, the UK GDPR, the UK Data Protection Act 2018, the Australian Privacy Act 1988 and the Australian Privacy Principles (“APPs”), the California Consumer Privacy Act as amended by the CPRA, and any other applicable national, state, or supranational privacy law.
  • Controller, processor, sub-processor, data subject, personal data, processing, and personal data breach have the meanings given in Article 4 of the GDPR (and, where applicable data protection law is not the GDPR, the equivalent terms under that law).
  • Customer personal data means personal data that Lead Source processes on the customer’s behalf in the course of providing the service, as further described in Annex I.
  • SCCs means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • UK IDTA means the International Data Transfer Agreement issued by the UK Information Commissioner, or the International Data Transfer Addendum to the SCCs, as applicable.
  • Service generated data or SGD has the meaning given in section 4A.

3. Roles and scope of processing

3.1 Roles. The parties agree that, for the purposes of customer personal data processed under the agreement, the customer is the controller and Lead Source is the processor. Where the customer is itself a processor acting on behalf of a third-party controller, this DPA applies as between the customer and Lead Source as if the customer were the controller, and the customer warrants it has the third-party controller’s authority to instruct Lead Source on the terms set out here.

3.2 Documented instructions. Lead Source will process customer personal data only on the customer’s documented instructions, including with regard to transfers of personal data to a third country, unless required to do so by law to which Lead Source is subject. The agreement, this DPA, the customer’s use of the service’s features and configurations, and any written instructions the customer provides via authorised channels together constitute the customer’s documented instructions.

3.3 Notification of conflict with law. If Lead Source is required by law to process customer personal data otherwise than on the customer’s instructions, Lead Source will inform the customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.4 Scope. The subject matter, duration, nature and purpose of the processing, the categories of data subjects, and the categories of personal data are set out in Annex I.

3.5 Customer responsibilities. The customer is responsible for the lawfulness of the customer personal data and the lawfulness of the instructions it gives to Lead Source, including ensuring it has a valid legal basis for the processing, providing all required notices to data subjects, and obtaining all required consents. The customer’s obligations as a website operator are set out in section 4 of the Terms of Service.

4. Processor obligations

Lead Source will:

  • process customer personal data only on the customer’s documented instructions as set out in section 3;
  • ensure that persons authorised to process customer personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement and maintain the technical and organisational measures set out in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing;
  • engage sub-processors only in accordance with section 5;
  • taking into account the nature of the processing, assist the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer’s obligation to respond to data subject requests as set out in section 8;
  • assist the customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (or equivalent provisions of other applicable data protection law), taking into account the nature of processing and the information available to Lead Source;
  • at the customer’s choice, delete or return all customer personal data after the end of the provision of the service, as set out in section 11;
  • make available to the customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits as set out in section 10.

4A. Service generated data

4A.1 Definition. “Service generated data” (“SGD”) means data that Lead Source generates from operating the service across its customer base in aggregated and de-identified form, including performance metrics, attribution model inputs, abuse-detection signals, capacity-planning data, product analytics, and aggregated benchmarks. SGD does not contain customer personal data and is not attributable to any individual data subject, customer, or website.

4A.2 Aggregation threshold. Before any data set is treated as SGD, it is aggregated to a minimum group size of k = 5 (no metric is published, exposed, or used outside production operations where the underlying group has fewer than five distinct contributing customers or data subjects). Any direct identifiers and pseudonymous identifiers (IP addresses, user-agent strings, email addresses, names, phone numbers, free-text fields) are removed or replaced with non-reversible hashes prior to aggregation. Re-identification of SGD is prohibited and Lead Source takes reasonable measures to prevent it.
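The following is an added illustration of the two controls section 4A.2 commits to (identifier removal or non-reversible hashing before aggregation, and suppression of any group with fewer than five distinct contributors); it is example code written for this page, not Lead Source’s own implementation. The field names, the “industry” grouping key, the sample events, and the use of a keyed HMAC-SHA256 with a secret pepper as the non-reversible hash are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

K_MIN = 5  # minimum distinct contributors per published group (k = 5 in section 4A.2)

# Assumed secret held only by the aggregation job. A keyed hash, rather than a bare
# SHA-256, stops anyone with the output from re-deriving low-entropy inputs
# (an email address or customer id) by hashing guesses. Placeholder value only.
PEPPER = b"example-pepper-placeholder"

# Fields treated as direct or pseudonymous identifiers and dropped before aggregation
# (the list in section 4A.2: IP, user-agent, email, name, phone, free text).
IDENTIFIER_FIELDS = {"ip", "user_agent", "email", "name", "phone", "notes"}


def pseudonymise(value: str) -> str:
    """Replace an identifier with a non-reversible keyed hash (HMAC-SHA256)."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(PEPPER, normalised, hashlib.sha256).hexdigest()


def strip_identifiers(event: dict) -> dict:
    """Return the event with identifier fields removed and the customer id hashed,
    so the aggregation step never handles raw identifiers."""
    cleaned = {k: v for k, v in event.items()
               if k not in IDENTIFIER_FIELDS and k != "customer_id"}
    cleaned["customer_ref"] = pseudonymise(event["customer_id"])
    return cleaned


def aggregate_benchmarks(events, k=K_MIN):
    """Compute a per-group reply-rate benchmark and suppress groups with < k contributors.

    Returns (published, suppressed): published maps group -> counts and rate,
    suppressed lists the groups withheld because the k threshold was not met."""
    groups = defaultdict(lambda: {"contributors": set(), "sent": 0, "replied": 0})
    for raw in events:
        ev = strip_identifiers(raw)
        g = groups[ev["industry"]]
        g["contributors"].add(ev["customer_ref"])  # distinct contributors, hashed
        g["sent"] += 1
        g["replied"] += int(ev["replied"])

    published, suppressed = {}, []
    for industry, g in groups.items():
        if len(g["contributors"]) < k:
            suppressed.append(industry)  # too few contributors: never exposed
            continue
        published[industry] = {
            "contributors": len(g["contributors"]),
            "sent": g["sent"],
            "reply_rate": round(g["replied"] / g["sent"], 3),
        }
    return published, suppressed


def _event(cid: str, industry: str, replied: int) -> dict:
    """Constructed sample event; the identifier values are placeholders."""
    return {"customer_id": cid, "industry": industry, "replied": replied,
            "email": f"lead@{cid}.example", "ip": "203.0.113.7",
            "user_agent": "Mozilla/5.0 (constructed sample)"}


# Constructed sample: "saas" has 6 distinct customers (meets k), "legal" only 4 (suppressed).
SAMPLE_EVENTS = (
    [_event(f"c{i}", "saas", 1) for i in range(1, 4)]      # c1..c3 replied
    + [_event(f"c{i}", "saas", 0) for i in range(4, 7)]    # c4..c6 did not
    + [_event(f"c{i}", "saas", 0) for i in range(1, 4)]    # second send, no reply
    + [_event(f"l{i}", "legal", 1) for i in range(1, 5)]   # 4 contributors < k
)

if __name__ == "__main__":
    published, suppressed = aggregate_benchmarks(SAMPLE_EVENTS)
    print("published:", published)
    print("suppressed:", suppressed)
```

The point of the example is the order of operations: identifiers are removed or hashed before any grouping happens, distinct contributors are counted on the hashed value, and a group that falls under the threshold is withheld entirely rather than published with a small count. A reviewer checking a de-identification claim would look for exactly those three properties in the real pipeline.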

4A.3 Permitted uses. Lead Source may use SGD for: (a) providing, maintaining, securing, and improving the service; (b) developing new features and products; (c) producing aggregated industry benchmarks and research; (d) abuse and fraud detection; and (e) internal business operations. Lead Source will not sell SGD, and will not disclose SGD to third parties in a form that identifies, or could reasonably be used to identify, any customer, data subject, or website.

4A.4 Carve-out. The parties agree that Lead Source’s processing of SGD is outside the scope of this DPA and is not processing on the customer’s behalf. To the extent SGD contains any personal data after the measures in section 4A.2, Lead Source is an independent controller for that personal data and processes it in accordance with the Lead Source Privacy Policy. This section reflects the parties’ agreed allocation of roles for service generated data and is not intended to give rise to a joint controllership relationship.

4A.5 Opt-out. The customer may opt its account out of contributing to certain SGD uses via the SGD toggle in the application. Opting out does not affect SGD already generated, and does not affect SGD used for service operation, security, or abuse detection.

4B. Outbound sending and AI-generated messages

This section applies whenever the customer enables outbound sending features of the service (template-based first-touch, AI-generated replies, or any other feature that sends email from a connected mailbox).

4B.1 Documented instructions. By enabling an outbound sending feature, the customer instructs Lead Source to: (a) connect to the mailbox the customer authorises via OAuth (and to refresh that connection as required); (b) send outbound email messages from that mailbox to the recipients the customer or the customer’s configured workflow identifies; (c) on the AI tier, read inbound replies received in the connected mailbox and process those replies, lead metadata, and conversation history through the AI sub-processor identified in Annex III to generate further outbound messages; and (d) maintain a per-account suppression list and the logs described in section 4B.4. These activities together are the customer’s documented instructions for the outbound sending and AI features.

4B.2 Customer as sender. Each outbound message is sent by the customer, from the customer’s mailbox, in the customer’s name, to advance the customer’s business. Lead Source operates as processor only. Section 4 of the Terms of Service sets out the customer’s warranties about lawful permission basis, mailbox authority, and content responsibility for these messages.

4B.3 AI sub-processor. On the AI tier, the customer authorises the use of Anthropic, PBC as a sub-processor for AI inference (drafting outbound replies). Anthropic processes inbound reply content, lead metadata, and conversation history on Lead Source’s behalf under contractual terms that prohibit Anthropic from using customer personal data to train its general-purpose models. Anthropic is listed in Annex III.

4B.4 Logs for abuse, deliverability, and audit. For each outbound message and each AI action, Lead Source retains: the source lead; the lead’s permission-basis metadata; the thread classification; the prompt inputs (AI tier); the model output (AI tier); any human approval or edits; the sent message; delivery / bounce / unsubscribe status; and subsequent deletion status. These logs are used for: (a) operating the per-account suppression list; (b) abuse and fraud detection; (c) deliverability monitoring; (d) model evaluation (AI tier); (e) responding to data-subject and customer audit requests; and (f) incident response. The parties acknowledge that the legal-role status of Lead Source’s processing for purposes (b), (c), (d), and (f), specifically whether those purposes give rise to an independent-controller role for Lead Source for some or all of the relevant log data, is subject to ongoing assessment. Where Lead Source determines it acts as an independent controller for a defined log dataset, it will process that dataset in accordance with the Lead Source Privacy Policy and update Annex I accordingly.

4B.5 Suspension for risk. Lead Source may suspend outbound sending features (or AI-tier features specifically) for an account where Lead Source identifies a pattern that creates legal, regulatory, deliverability, or reputational risk for Lead Source, its other customers, or its sub-processors, as further set out in section 11.6 of the Terms of Service.

4C. Volunteered special category data

The parties acknowledge that, when Lead Source reads inbound replies as part of the AI tier, recipients may volunteer special category personal data (within the meaning of Article 9 of the GDPR or equivalent provisions of other applicable data protection law) in free-text replies, even though Lead Source does not solicit such data and the service is not designed to process it.

4C.1 No solicitation. Lead Source does not prompt for, suggest, or design AI outputs that seek special category data. The customer warrants it will not configure the service in a way that solicits special category data from recipients.

4C.2 Detection and minimisation. Where reasonably practicable, Lead Source will operate detection and quarantine measures to identify and pause AI processing of threads containing apparent special category data. Where detection occurs, the affected thread is flagged for human handoff and AI processing of that thread is suspended pending the customer’s review.

4C.3 No Article 9 condition created by this DPA. The customer remains responsible for identifying a lawful Article 9 condition (or equivalent under other applicable data protection law) for any subsequent processing of special category data received in a reply, including any further use of that data in the customer’s own CRM or business workflows. Nothing in this DPA creates or supplies an Article 9 condition on the customer’s behalf.

4C.4 Deletion on request. The customer may request deletion of specific replies or threads containing special category data via the deletion tools in the application, or by writing to privacy@leadsource.co.

5. Sub-processors

5.1 General authorisation. The customer gives Lead Source general written authorisation to engage sub-processors to process customer personal data on the customer’s behalf. The sub-processors authorised at the effective date of this DPA are listed in Annex III.

5.2 Change notification. Lead Source will give the customer at least thirty (30) days’ prior notice of any intended changes concerning the addition or replacement of sub-processors, by updating Annex III and notifying customers by email or in-product notice.

5.3 Objection. The customer may object to a proposed change on reasonable data-protection grounds by writing to privacy@leadsource.co within the thirty-day notice period. If the parties cannot agree on a resolution within a further thirty days, the customer may terminate the agreement for convenience by written notice to Lead Source, in which case Lead Source will refund any prepaid fees covering the remainder of the subscription term following termination.

5.4 Sub-processor obligations. Lead Source will impose data-protection obligations on each sub-processor that are substantially the same as those imposed on Lead Source under this DPA, by way of a written contract. Lead Source remains liable to the customer for the performance of each sub-processor’s obligations.

6. International transfers

6.1 Transfer mechanisms. Where Lead Source or any sub-processor processes customer personal data outside the country in which the customer is established, the parties acknowledge that an adequate transfer mechanism may be required under applicable data protection law.

6.2 EEA transfers. Where customer personal data of data subjects in the European Economic Area is transferred to Lead Source or a sub-processor in a country that has not received an adequacy decision under Article 45 of the GDPR, the parties agree to be bound by the SCCs as set out in Annex V, with the customer as the data exporter and Lead Source as the data importer, on Module 2 (controller-to-processor) terms.

6.3 UK transfers. Where customer personal data of data subjects in the United Kingdom is transferred to Lead Source or a sub-processor in a country that has not received UK adequacy regulations, the parties agree to be bound by the UK IDTA as set out in Annex V.

6.4 Onward transfers. Lead Source will ensure that any onward transfer of customer personal data by a sub-processor is subject to an adequate transfer mechanism.

6.5 Australian transfers. Lead Source is established in Australia. For Australian customers, transfers to overseas sub-processors are subject to APP 8 and Lead Source takes reasonable steps to ensure each overseas recipient handles the data in a manner consistent with the APPs.

7. Security

Lead Source implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II. The customer acknowledges that Lead Source may update the measures from time to time, provided that the updates do not materially reduce the level of protection.

8. Data subject requests

8.1 Direct requests to Lead Source. If Lead Source receives a request from a data subject in relation to customer personal data, Lead Source will, without undue delay, redirect the data subject to the customer and notify the customer of the request, unless prohibited by law from doing so. Lead Source will not respond substantively to the request itself unless instructed by the customer or required by law.

8.2 Assistance to the customer. Taking into account the nature of the processing, Lead Source will assist the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer’s obligation to respond to requests from data subjects to exercise their rights of access, rectification, erasure, restriction of processing, objection, and data portability. Lead Source provides export and deletion tools within the application that the customer can use to honour those requests.

8.3 Costs. Lead Source provides the standard self-service tools described above at no additional cost. For non-standard assistance requested by the customer, Lead Source may charge a reasonable fee based on time and materials, on prior written notice.

9. Personal data breach notification

9.1 Notification. Lead Source will notify the customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting customer personal data.

9.2 Information. The notification will describe, to the extent known: (a) the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects; and (d) the contact point at Lead Source where more information can be obtained. Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

9.3 Cooperation. Lead Source will cooperate with the customer and provide reasonable assistance with the customer’s investigation of, and notification obligations relating to, the personal data breach.

9.4 No admission. A notification of, or response to, a personal data breach under this section is not an acknowledgement by Lead Source of any fault or liability with respect to the personal data breach.

10. Audit

10.1 Information. Lead Source will make available to the customer all information reasonably necessary to demonstrate compliance with this DPA, including responses to reasonable security and privacy questionnaires, and copies of relevant policies and certifications (where available).

10.2 Audits. The customer may, no more than once in any twelve-month period (except where required by a supervisory authority or by applicable data protection law), conduct an audit of Lead Source’s compliance with this DPA. The audit must be: (a) conducted on at least thirty days’ prior written notice; (b) conducted during normal business hours; (c) subject to reasonable confidentiality obligations; (d) conducted in a manner that does not unreasonably interfere with Lead Source’s operations; and (e) at the customer’s expense.

10.3 Third-party auditor. The customer may use an independent third-party auditor for the audit, provided the auditor is not a competitor of Lead Source and is bound by appropriate confidentiality obligations.

10.4 Reports. Lead Source may satisfy its audit obligations under this section by providing the customer with a copy of a then-current third-party audit report (for example, a SOC 2 Type II report) where such a report is available and addresses the customer’s audit objectives.

11. Deletion and return

11.1 During the term. The customer may export or delete customer personal data at any time during the term of the agreement using the tools available in the application.

11.2 After termination. On termination or expiry of the agreement, Lead Source will, at the customer’s choice (made within thirty days of termination or expiry), delete or return all customer personal data to the customer, and delete existing copies, unless retention is required by applicable law.

11.3 Default deletion. If the customer does not make a choice within thirty days of termination or expiry, Lead Source will delete all customer personal data within a further thirty days, except for backup copies, which will be deleted in the ordinary course of Lead Source’s backup-rotation schedule (typically within thirty further days).

11.4 Service generated data. This section 11 does not apply to service generated data, which is retained by Lead Source in accordance with section 4A.

12. Liability

Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the agreement. For the avoidance of doubt, the liability cap and exclusions in the agreement apply to all claims under this DPA, except where applicable data protection law prohibits the limitation or exclusion of such liability.

13. Changes to this DPA

Lead Source may amend this DPA from time to time to reflect changes in applicable data protection law, the service, or the sub-processors engaged. Lead Source will give the customer reasonable prior notice of any material change by email or in-product notice, and the customer’s continued use of the service after the effective date of the change constitutes acceptance of the change. Where a material change to this DPA would, in the customer’s reasonable opinion, materially reduce the level of data protection afforded to customer personal data, the customer may terminate the agreement on the terms set out in section 5.3.

14. Precedence and survival

14.1 Precedence. In the event of any conflict or inconsistency between the provisions of this DPA and the rest of the agreement, this DPA prevails to the extent of the conflict in respect of customer personal data. In the event of any conflict or inconsistency between this DPA and the SCCs or the UK IDTA, the SCCs or the UK IDTA (as applicable) prevail.

14.2 Survival. The provisions of this DPA that, by their nature, are intended to survive termination, including sections 4A (service generated data), 9 (breach notification, in respect of breaches affecting data not yet deleted), 11 (deletion and return), and 12 (liability), survive termination of the agreement.

Annex I: Details of processing

A. List of parties

Data exporter (controller): the customer identified in the account record at app.leadsource.co.
Contact: as specified in the customer’s account.
Activities relevant to the data transferred: operation of the customer’s website(s) and use of the Lead Source service for marketing-attribution purposes.
Role: controller.

Data importer (processor): Leftleads Pty Ltd trading as Lead Source, ABN [CONFIRM], registered in Victoria, Australia.
Contact: privacy@leadsource.co.
Activities relevant to the data transferred: provision of the attribution, outbound-sending, and (on the AI tier) AI-assisted reply service described in the agreement.
Role: processor.

B. Description of transfer

Categories of data subjects:

  • Website visitors: visitors to the customer’s website(s) who submit forms on those website(s).
  • Leads as outbound recipients: persons to whom outbound emails are sent from the customer’s connected mailbox (a subset of website visitors, plus any additional recipients the customer adds to the workflow).
  • Leads as inbound senders (AI tier): recipients who reply to outbound messages, whose replies are read by the service.
  • Customer personnel: users of the customer who authenticate to the Lead Source application and whose mailboxes may be connected to the service.

Categories of personal data:

  • Form-submission data captured by the script: data the visitor enters into a form on the customer’s website, which may include name, email address, phone number, company name, job title, and any other field the customer has configured in the form. The categories captured depend entirely on the form fields the customer chooses to use.
  • Attribution metadata captured at form submission: referrer URL, UTM parameters, landing page, in-session page sequence, IP address (used for geolocation and de-duplication), user-agent string, timestamp.
  • Permission-basis metadata: form text shown at collection, checkbox / opt-out state, timestamp, page URL, source page, and the legal basis the customer indicates it will rely on (express consent, soft opt-in, CASL inquiry, requested response, or other).
  • Outbound email content: subject line, body, sender identity, recipient address, send timestamp, and (where applicable) the template version or AI prompt that generated the message.
  • Inbound email content (AI tier): free-text reply content received in the connected mailbox, including any personal data the recipient volunteers in the reply (which may, on occasion and without solicitation, include special category data, see section 4C).
  • AI processing artefacts (AI tier): prompt inputs, model outputs, escalation decisions, human approvals or edits.
  • Delivery and engagement data: delivery status, bounce, open, click, reply, unsubscribe, and suppression-list entries.
  • Mailbox connection metadata: OAuth tokens (held by the mailbox-connectivity sub-processor), the connected mailbox address, the named user authorising the connection.
  • Account data: name, email address, hashed password, and role of personnel the customer authorises to access the application.
  • Support and billing data: contact details and correspondence with Lead Source.

Sensitive data: Lead Source does not require, invite, or solicit special category (sensitive) personal data. On the AI tier, recipients may volunteer such data in free-text replies; the parties’ treatment of that data is set out in section 4C of this DPA.

Frequency of transfer: continuous (each form submission, each outbound send, and each inbound reply on the AI tier triggers processing).

Nature of processing:

  • Attribution: collection at point of form submission, server-side storage, attribution analysis, presentation in the application, notification by email.
  • Outbound sending: connection to the customer’s mailbox via OAuth, message generation (template or AI), injection of compliance footer elements, sending from the connected mailbox, delivery and bounce tracking, suppression-list management.
  • AI-assisted reply (AI tier only): reading of inbound replies, processing of reply content and conversation history through the AI sub-processor identified in Annex III, generation of outbound reply drafts, escalation rules, optional human approval, logging.
  • Retention and deletion: in accordance with the customer’s configuration, sections 4B.4 and 11 of this DPA, and customer instruction.

Purpose of processing: providing the lead-attribution, outbound-sending, and (on the AI tier) AI-assisted reply service described in the agreement, on the customer’s documented instructions.

Duration of processing: for the term of the agreement, plus the retention period set out in section 11.

C. Competent supervisory authority

For EEA data subjects: the supervisory authority of the EU member state where the data exporter is established, or, where the data exporter is not established in the EEA, the supervisory authority of the EU member state designated in accordance with clause 13 of the SCCs.

For UK data subjects: the UK Information Commissioner’s Office.

For Australian data subjects: the Office of the Australian Information Commissioner (OAIC).

Annex II: Technical and organisational measures

Sole-founder stage disclosure. Lead Source is, at the effective date of this DPA, a single-founder company at the viability-testing stage. The measures below reflect the actual controls in place. Where a measure depends on a third party (for example, a managed-service provider), the responsibility for that measure is identified as such. Lead Source will update this annex as the organisation matures.

1. Pseudonymisation and encryption

  • Encryption in transit: all customer personal data transmitted between the customer’s website, the customer’s browser, and the Lead Source service is protected by TLS 1.2 or higher.
  • Encryption at rest: customer personal data is stored in Supabase (Postgres on AWS, US East / N. Virginia region) with disk-level encryption (AES-256) provided by AWS.
  • Password hashing: user passwords are hashed using a salted, computationally expensive hash (bcrypt or equivalent, as managed by Supabase Auth).

2. Confidentiality, integrity, availability, and resilience

  • Access controls: production access is restricted to the founder and any explicitly authorised contractors, secured by strong unique passwords and multi-factor authentication where supported by the underlying provider.
  • Tenant isolation: customer data is logically separated by account-scoped row-level security policies in the database.
  • Network controls: the application is hosted on Vercel and Supabase, both of which provide DDoS protection, WAF features, and infrastructure-level network controls.
  • Resilience: the underlying providers (Vercel, Supabase) operate redundant infrastructure with documented availability targets.

3. Restoration of availability

  • Backups: the production database is backed up daily by Supabase with point-in-time recovery available within the retention window provided by Supabase’s current plan.
  • Recovery testing: recovery procedures are tested on an ad-hoc basis during development of the staging environment.

4. Regular testing and evaluation

  • Dependency monitoring: production dependencies are monitored for known vulnerabilities.
  • Code review: changes to the production codebase are reviewed before deployment.
  • Penetration testing: Lead Source has not, at the effective date of this DPA, commissioned an independent penetration test. Lead Source intends to commission one as the organisation matures.

5. User identification and authorisation

  • End-user authentication: users of the application authenticate via email and password through Supabase Auth.
  • Role-based access: within a customer account, users are assigned roles that determine which data and actions they can access.
  • Session management: sessions are managed by Supabase Auth using short-lived access tokens and refresh tokens.

6. Protection during transmission

As above (TLS 1.2+ for all transmissions involving customer personal data).

7. Protection during storage

As above (AES-256 at rest for the production database; equivalent provider-managed encryption for backups).

8. Physical security

Physical security of the production environment is the responsibility of the underlying infrastructure providers (AWS, Vercel, Supabase). The founder’s local development environment is secured by full-disk encryption and a strong account password.

9. Event logging

  • Application logs: the application emits structured logs for significant events, including authentication, data export, and deletion.
  • Audit trail: sensitive actions in the application (acceptance of terms, role changes, data exports, deletions) are recorded with timestamp and actor.

10. System configuration

Production configuration is managed through Vercel and Supabase project settings, with credentials stored in the providers’ respective secret-management facilities.

11. Internal IT and security governance

  • The founder is responsible for security decisions and reviews them on an ongoing basis.
  • A formal information-security policy will be adopted as the organisation hires its first employees.

12. Certification and assurance

Lead Source does not, at the effective date of this DPA, hold an external information-security certification (ISO 27001, SOC 2, or equivalent). Lead Source intends to pursue an appropriate certification as the organisation matures.

13. Data minimisation

  • The tracking script captures only the metadata listed in Annex I and the form fields the customer has chosen to use.
  • The script does not set cookies, does not use client-side storage, and does not perform device fingerprinting. See Annex IV.

14. Data quality

The customer is responsible for the accuracy of the personal data submitted through the customer’s forms. Lead Source provides edit and deletion tools in the application to enable the customer to correct or remove inaccurate data.

15. Limited retention

Customer personal data is retained for the period configured by the customer, or, where no period is configured, for the duration of the agreement. After termination, the deletion timelines in section 11 apply.

16. Accountability

Lead Source maintains records of processing activities as required by Article 30 of the GDPR (where applicable).

17. Portability and erasure

The application provides export tools (CSV) and deletion tools that the customer can use to fulfil portability and erasure requests from data subjects.

Annex III: Authorised sub-processors

The sub-processors below are authorised at the effective date of this DPA. Lead Source will update this list and notify customers of changes in accordance with section 5.

Each entry gives the sub-processor, the service it provides, and the location of processing.

  • Supabase, Inc.: database, authentication, storage. Location: United States (US East / N. Virginia).
  • Vercel, Inc.: application hosting, edge network. Location: United States (primary), global edge.
  • Amazon Web Services, Inc.: underlying cloud infrastructure for Supabase and Vercel. Location: United States (US East / N. Virginia).
  • Stripe, Inc.: subscription billing and payment processing. Location: United States.
  • Twilio SendGrid, Inc.: transactional email (notifications, password resets). Location: United States.
  • Unipile SAS: mailbox connectivity for outbound sending tiers (OAuth to Google Workspace / Microsoft 365; sends email, and on the AI tier also reads email). Location: France (European Union).
  • Anthropic, PBC: AI inference for AI-tier outbound reply drafting (processes inbound reply content, lead metadata, and conversation history). Anthropic is contractually prohibited from using customer personal data to train its general-purpose models. Location: United States.
  • GitHub, Inc.: source-code hosting (no production customer data). Location: United States.
  • [CONFIRM: error monitoring vendor]: application error monitoring. Location: [CONFIRM].
  • [CONFIRM: product analytics vendor]: application product analytics. Location: [CONFIRM].

Annex IV: Tracking Technology Statement

This statement describes the technical operation of the Lead Source tracking script for the purposes of ePrivacy / PECR analysis and customer privacy-notice drafting.

What the script does

The Lead Source script is a first-party JavaScript snippet hosted on the customer’s domain. When a visitor submits a form on the customer’s website, the script reads the form payload and, at the moment of submission only, sends that payload together with attribution metadata to the Lead Source server. The attribution metadata consists of: the page’s referrer URL, any UTM parameters present on the landing page, the landing page URL, the sequence of pages the visitor viewed in the current browser session, the visitor’s IP address (read server-side from the request), the user-agent string (read server-side from the request), and the timestamp of the submission.

What the script does not do

  • No cookies. The script does not set, read, or modify any cookie on the visitor’s device.
  • No client-side storage. The script does not write to localStorage, sessionStorage, IndexedDB, the Cache API, or any other client-side persistent or session-scoped storage facility.
  • No device fingerprinting. The script does not collect or derive characteristics of the visitor’s device (canvas fingerprints, font enumeration, plugin enumeration, audio fingerprints, hardware concurrency, etc.) for the purpose of identifying the device across sites or sessions.
  • No cross-site tracking. The script operates only on the customer’s own domain. There is no third-party identifier and no mechanism by which the script can link a visitor’s activity across different customers’ websites.
  • No background data exfiltration. The script transmits data only at the point of form submission. It does not transmit page-view data, mouse movements, scroll depth, or any other behavioural signal independent of a form submission.
  • In-session page sequence is held in memory only. The sequence of pages a visitor views during the current browser session is held in JavaScript memory and is transmitted only if and when a form is submitted in that session. It is not persisted on the visitor’s device.
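The following is an added illustrative example, not the Lead Source script itself and not code from this DPA. It models a tracker with the properties listed above (in-session page sequence held only in memory, transmission only at form submission, no IP address or user-agent gathered client-side) and pairs it with an audit harness that instruments `document.cookie`, `localStorage`, `sessionStorage` and `indexedDB` so that any read or write would be recorded. The `env` object stands in for the real browser globals so the code runs under Node; all function names, the sample URLs, and the constructed visitor session are assumptions made for the example.

```javascript
// Added example: a cookie-free, storage-free form-submission tracker in the
// shape Annex IV describes, plus an audit harness that checks the property.
// Not Lead Source's own code; names and sample values are hypothetical.

const UTM_KEYS = ["utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content"];

// Extract only the UTM parameters present on the landing-page URL.
function parseUtm(url) {
  const utm = {};
  const params = new URL(url).searchParams;
  for (const key of UTM_KEYS) {
    if (params.has(key)) utm[key] = params.get(key);
  }
  return utm;
}

// Build a tracker bound to a constructed environment. `send` is the transport
// (in a browser this would be fetch/sendBeacon to the processor's endpoint).
function createTracker(env, send) {
  const landingUrl = env.location.href;
  const referrer = env.document.referrer;
  const utm = parseUtm(landingUrl);
  // The in-session page sequence lives in this closure only: a plain array,
  // never written to cookies, localStorage, sessionStorage or IndexedDB.
  const pageSequence = [landingUrl];

  return {
    recordPageView(url) {
      pageSequence.push(url);
    },
    // Called at the moment of form submission and nowhere else. IP address and
    // user-agent are deliberately absent: the server reads them from the request.
    onSubmit(formFields) {
      const payload = {
        form: { ...formFields },
        attribution: {
          referrer,
          landingUrl,
          utm,
          pageSequence: pageSequence.slice(),
          submittedAt: new Date().toISOString(),
        },
      };
      send(payload);
      return payload;
    },
  };
}

// Audit environment: every cookie/storage API is instrumented so that any
// read or write is recorded in `violations`. A compliant script leaves it empty.
function makeAuditedEnv(opts) {
  const violations = [];
  const trap = (name) =>
    new Proxy({}, {
      get(_, prop) { violations.push(`${name}.${String(prop)}`); return () => undefined; },
      set(_, prop) { violations.push(`${name}.${String(prop)}=`); return true; },
    });
  const document = { referrer: opts.referrer };
  Object.defineProperty(document, "cookie", {
    get() { violations.push("document.cookie read"); return ""; },
    set() { violations.push("document.cookie write"); },
  });
  return {
    violations,
    location: { href: opts.landingUrl },
    document,
    localStorage: trap("localStorage"),
    sessionStorage: trap("sessionStorage"),
    indexedDB: trap("indexedDB"),
  };
}

// Run a constructed visitor session through the tracker and report what was
// transmitted and whether any forbidden API was touched.
function auditTracker() {
  const env = makeAuditedEnv({
    referrer: "https://search.example/",
    landingUrl: "https://customer.example/pricing?utm_source=news&utm_campaign=spring",
  });
  const sent = [];
  const tracker = createTracker(env, (p) => sent.push(p));
  tracker.recordPageView("https://customer.example/features");
  tracker.recordPageView("https://customer.example/contact");
  // Nothing may have been transmitted before the form is submitted.
  const sentBeforeSubmit = sent.length;
  const payload = tracker.onSubmit({ email: "visitor@example.com", company: "Example Co" });
  return { sentBeforeSubmit, sentAfterSubmit: sent.length, payload, violations: env.violations };
}
```

The audit harness is the part a reviewer would reuse: pointing a real snippet at an instrumented environment of this kind (or at a browser automation profile with storage access logging) turns the "no cookies, no client-side storage" statement into a repeatable check rather than an assertion taken on trust.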

ePrivacy / PECR analysis

Article 5(3) of the ePrivacy Directive (and regulation 6 of the UK PECR) applies to the “storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user.” Because the Lead Source script does not store information in, and does not access information stored in, the visitor’s terminal equipment, the storage-and-access rule in Article 5(3) / regulation 6 does not apply to the operation of the script.

The form payload is information the visitor actively submits to the customer through the customer’s form. Transmitting that payload to the customer’s chosen processor (Lead Source) is not “storage of, or access to, information in terminal equipment” for Article 5(3) purposes; it is processing of information the visitor has provided. The lawful basis for that processing is determined by the customer (the controller) under Articles 6 and (where applicable) 9 of the GDPR.

The attribution metadata (referrer, UTMs, landing page, in-session page sequence, IP address, user-agent, timestamp) is read server-side from the HTTP request or held in browser memory for the duration of the session. None of it is stored on the device by the script.

This analysis does not displace the customer’s obligation to obtain consent for the underlying processing where applicable data protection law requires consent (for example, where the customer relies on consent as its lawful basis under Article 6 of the GDPR, or where applicable national law imposes a consent requirement on the underlying marketing-attribution processing independent of Article 5(3)).

Customer privacy-notice drafting

The customer should describe Lead Source in its privacy notice as a processor that receives form-submission data and the attribution metadata listed above. Suggested wording is available in the Lead Source Customer Privacy Notice Template (short and long variants), provided to the customer on request from privacy@leadsource.co.

Annex V: SCCs and UK IDTA

A. EU Standard Contractual Clauses (Module 2)

The parties agree to the SCCs (Commission Implementing Decision (EU) 2021/914), Module 2 (controller to processor), as if executed by both parties, on the following terms:

  • Module: Module 2 (transfer controller to processor).
  • Clause 7 (docking clause): applies.
  • Clause 9 (use of sub-processors): Option 2 (general written authorisation) applies. Minimum notice period for changes: thirty (30) days. Section 5 of this DPA describes the procedure.
  • Clause 11 (redress): the optional language allowing data subjects to lodge a complaint with an independent dispute-resolution body does not apply.
  • Clause 17 (governing law): Irish law.
  • Clause 18 (forum and jurisdiction): the courts of Ireland.
  • Annex I.A (list of parties): as set out in Annex I of this DPA.
  • Annex I.B (description of transfer): as set out in Annex I of this DPA.
  • Annex I.C (competent supervisory authority): as set out in Annex I of this DPA.
  • Annex II (technical and organisational measures): as set out in Annex II of this DPA.
  • Annex III (list of sub-processors): as set out in Annex III of this DPA.

B. UK International Data Transfer Addendum

The parties agree to the UK International Data Transfer Addendum to the EU SCCs (version B1.0, in force 21 March 2022) issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, as if executed by both parties, on the following terms:

  • Table 1 (parties): as set out in Annex I of this DPA. Key contact for the importer: privacy@leadsource.co.
  • Table 2 (selected SCCs, modules, and selected clauses): the EU SCCs as set out in part A above.
  • Table 3 (appendix information): as set out in this DPA (Annex I = list of parties and description of transfer; Annex II = technical and organisational measures; Annex III = sub-processors).
  • Table 4 (ending the addendum when the approved addendum changes): the importer may end this addendum as set out in section 19 of the addendum.

C. Operative effect

By accepting the agreement, the customer and Lead Source are deemed to have signed the SCCs and (where the UK IDTA applies) the UK IDTA on the terms set out above. No separate signature is required for the SCCs or the UK IDTA to take effect as between the parties.

Questions about this DPA

For privacy or DPA-related questions, including requests for a signable counterpart: privacy@leadsource.co

For legal questions: legal@leadsource.co

Postal address:

Leftleads Pty Ltd t/a Lead Source
[CONFIRM: street address]
[CONFIRM: suburb, postcode]
Victoria, Australia
ABN: [CONFIRM]