Compliance

GDPR & data subject rights

Our position

LeadPilot processes business contact data sourced from public listings — Google Places and Yelp Fusion. Under GDPR Article 6(1)(f) (legitimate interest) this is lawful for B2B outreach when balanced against data subjects' rights.

Data Processing Agreement (DPA)

We provide a click-through DPA on signup for paid plans. Beta users can request a standalone DPA at legal@leadpilot.app.

Sub-processors

See the Security page for our full sub-processor list. We give 30 days' notice via email before adding new sub-processors.

Data subject requests

If a prospect contacts you to exercise their GDPR rights:

  • Right to access: the lead in your dashboard contains every field we hold on them. Export to CSV from the My Leads page.
  • Right to erasure: hit POST /api/leads/opt-out with their email — they're removed across all users on the platform, immediately.
  • Right to object: the same opt-out endpoint serves this purpose.
  • Right to portability: CSV / XLSX export from the leads view.

Data residency

Today: US-region (Vercel us-east + Neon us-east-1). On the roadmap (Q4 2026): EU-region deployment for customers who require it.

Contact

GDPR queries: dpo@leadpilot.app.