How we treat your data
Leadsment was built from day one for European B2B. That means GDPR as a baseline rather than a compliance layer bolted on, EU data residency by default, and a visitor-identification model that never touches personal data.
Your data lives in the EU
All Leadsment data — visitor identifications, company records, contact enrichment, account settings — is stored in EU data centres. Our primary database (Supabase) runs in the EU region; application hosting (Vercel) runs on EU edge infrastructure. We do not copy customer data across the Atlantic in normal operation.
Where a sub-processor has global reach (e.g. Stripe for payments), we use the EU-data-residency configuration where one is offered, and rely on Standard Contractual Clauses where cross-border transfers are unavoidable.
Company-level identification — no PII tracking
On every page where the Leadsment tracking snippet runs, we record the visitor's IP address, the page viewed, and a timestamp. The IP is immediately matched against a B2B company-IP database and discarded; what persists is the resulting company record — name, domain, industry, country, employee range — not the raw IP.
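The matching step described above, written out as an added example (not Leadsment's own code): the IP address is parsed, checked against a constructed company-IP table, and then dropped, so the persisted event carries only the company fields, the page and the timestamp. The company records, the CIDR ranges (RFC 5737 / RFC 3849 documentation ranges standing in for real company allocations) and the non-routable exclusion list are assumptions made for the example; a real deployment would look the ranges up in the B2B database the page refers to.

```python
import ipaddress
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of a company-IP database: CIDR range -> company record.
# Documentation ranges are used here because real company ranges are not public in this example.
COMPANY_IP_DB = {
    "203.0.113.0/24": {"name": "Example GmbH", "domain": "example.de",
                       "industry": "Software", "country": "DE", "employee_range": "51-200"},
    "198.51.100.0/25": {"name": "Sample AB", "domain": "sample.se",
                        "industry": "Manufacturing", "country": "SE", "employee_range": "201-500"},
    "2001:db8:1::/48": {"name": "Muster AG", "domain": "muster.ch",
                        "industry": "Logistics", "country": "CH", "employee_range": "11-50"},
}
_NETWORKS = [(ipaddress.ip_network(cidr), rec) for cidr, rec in COMPANY_IP_DB.items()]

# Addresses that can never belong to a visiting company (RFC 1918, loopback, link-local, ULA).
# Seeing these usually means a proxy or CDN header was not unwrapped; the visit is dropped, not stored.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class VisitEvent:
    """What is persisted per page view. There is deliberately no field for the IP address."""
    company_name: str
    domain: str
    industry: str
    country: str
    employee_range: str
    page: str
    timestamp: str  # ISO 8601, UTC


def lookup_company(ip_text: str) -> Optional[dict]:
    """Match an IP against the company ranges; return the company record or None."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None  # malformed input is never stored or logged
    if any(addr.version == net.version and addr in net for net in _NON_ROUTABLE):
        return None
    for net, rec in _NETWORKS:
        if addr.version == net.version and addr in net:
            return rec
    return None


def identify_visit(ip_text: str, page: str, seen_at: datetime) -> Optional[VisitEvent]:
    """Turn a raw (ip, page, timestamp) observation into a company-level event, or nothing."""
    rec = lookup_company(ip_text)
    del ip_text  # the raw IP is not referenced again after the lookup
    if rec is None:
        return None  # unmatched visits are discarded entirely
    return VisitEvent(
        company_name=rec["name"], domain=rec["domain"], industry=rec["industry"],
        country=rec["country"], employee_range=rec["employee_range"],
        page=page, timestamp=seen_at.astimezone(timezone.utc).isoformat(),
    )


def to_storage_row(event: VisitEvent) -> dict:
    """The dictionary that would be written to the database: company fields, page, timestamp only."""
    return asdict(event)


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc)
    for ip in ("203.0.113.77", "198.51.100.200", "10.0.0.5", "2001:db8:1::42", "not-an-ip"):
        ev = identify_visit(ip, "/pricing", now)
        print(ip, "->", to_storage_row(ev) if ev else "dropped")
```

The no-match and non-routable cases return `None` rather than a partially filled record, so there is never a path on which a raw address is kept "for later matching".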
We do not set cookies on the browsers of visitors to your site. We do not track individuals across sessions or across sites. We do not capture form contents, mouse movements, keystrokes, or any other personal data from visitors.
Contact enrichment — surfacing the decision-makers at identified companies — is a separate operation that runs against lawful-basis-compliant business data sources. We enrich role, work email, and LinkedIn handle. We do not enrich personal email addresses, mobile numbers, or home addresses.
The vendors we rely on
Our current sub-processors are listed below. We notify customers of changes ahead of time via email and the Changelog.
| Sub-processor | Purpose | Region | Policy |
|---|---|---|---|
| Supabase | PostgreSQL database, authentication, and object storage. | EU (Frankfurt) | View |
| Vercel | Web application hosting and edge delivery. | EU edge regions | View |
| Resend | Transactional email delivery (account emails, digests). | EU | View |
| Stripe | Payment processing for subscriptions. | EU + global payment network | View |
Lawful basis, DPA, and your rights
For visitor identification, we process no personal data — company-level IP-to-company matching falls outside GDPR's personal-data scope.
For contact enrichment, our lawful basis is legitimate interest (GDPR Article 6(1)(f)) for the processing of publicly-available business contact data. Enrichment targets named roles at businesses, not individuals in a personal capacity.
A Data Processing Agreement is available on request at Konsta@leadsment.com. Done-for-You customers receive the DPA automatically as part of onboarding. We do not negotiate substantive DPA terms on a case-by-case basis for standard-tier customers; the standard DPA covers the vast majority of EU B2B requirements.
Data-subject rights requests (access, deletion, portability) can be submitted via email. We route them through Konsta directly and respond within 30 days, typically much sooner.
Engineering hygiene, not buzzwords
Encryption in transit: TLS 1.2+ on every endpoint. HSTS enforced. No plaintext HTTP fallback.
Encryption at rest: AES-256 on all stored data, inherited from Supabase-managed PostgreSQL.
Access control: Principle of least privilege inside the team. Row-level security on every customer-scoped table in the database. Platform-admin access is gated and logged.
Audit logging: Sensitive events (tier changes, data exports, admin actions) are captured to an append-only audit log with actor, timestamp, and affected record.
Secrets management: No secrets in source control. Environment variables live in the deploy platform's managed secret store and rotate on schedule.
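An added example of the audit-logging item above, not Leadsment's own implementation: an in-memory append-only log whose entries carry actor, timestamp and affected record, as the page describes. It goes one step further than the page by chaining each entry to the hash of the previous one, so that any later edit or deletion of an entry is detectable by `verify_chain`. Event names, actors and record ids in the demo are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of the entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AppendOnlyAuditLog:
    """Entries can be appended and read; there is no API to edit or remove them."""

    def __init__(self):
        self._entries: list[dict] = []

    def record(self, actor: str, event: str, affected_record: str,
               details: Optional[dict] = None, at: Optional[datetime] = None) -> str:
        """Append one sensitive event (e.g. tier change, data export, admin action) and return its hash."""
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        when = (at or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        entry = {
            "seq": len(self._entries),
            "timestamp": when,
            "actor": actor,
            "event": event,
            "affected_record": affected_record,
            "details": details or {},
            "prev_hash": prev_hash,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self) -> list[dict]:
        """Return copies, so callers cannot mutate the stored entries through the reference."""
        return [dict(e) for e in self._entries]

    def verify(self) -> bool:
        return verify_chain(self._entries)


def verify_chain(entries: list[dict]) -> bool:
    """True if every entry's hash matches its content and links to the previous entry."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False
        if _digest(entry) != entry.get("hash"):
            return False
        prev_hash = entry["hash"]
    return True


if __name__ == "__main__":
    log = AppendOnlyAuditLog()
    log.record("admin@example.test", "tier_change", "account:42", {"from": "free", "to": "pro"})
    log.record("admin@example.test", "data_export", "account:42", {"rows": 1200})
    print("chain intact:", log.verify())
    tampered = log.entries()
    tampered[0]["details"] = {"from": "free", "to": "enterprise"}
    print("after tampering:", verify_chain(tampered))
```

Using a hash chain for a log that lives in a database is the application-level check; the storage-level guarantee (no UPDATE or DELETE grant on the audit table for application roles) is the part that makes the "append-only" claim hold against a compromised service account, and the chain lets you prove it held.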
Vulnerability disclosure and breach notification
If you believe you've found a security vulnerability in Leadsment, please email Konsta@leadsment.com with the details. We commit to:
- Acknowledging receipt within one business day.
- Giving you a status update within three business days.
- Working in good faith on a fix, and not taking legal action against researchers who disclose responsibly.
In the event of a personal-data breach affecting customers, we commit to 72-hour notification to affected customers and their regulators as required by GDPR Article 33, with details of scope, impact, and mitigation.
Talk to us directly
Konsta answers security and GDPR questions personally. Expect a thorough reply inside one business day.