01 — Overview
The General Data Protection Regulation gives people in the European Economic Area, the United Kingdom, and Switzerland real control over how their personal data is collected and used. Leadiosa was designed with those rights as a default rather than a checkbox.
This page summarises the GDPR-specific commitments that sit on top of our regular Privacy Policy. If you're an enterprise buyer doing a vendor review, this is the page you'll want.
02 — Our role under GDPR
Leadiosa plays two different roles depending on whose data we're processing:
- Controller — for the personal data of the operators who sign in to a workspace (your team), and for workspace owners' account / billing data. We decide what to collect about you and why, within the bounds of this policy.
- Processor — for the personal data of the visitors who type into the chat widget on your site. You (the workspace operator) are the controller of that data; we act on your behalf to receive, store, and route it.
Splitting the roles this way matches how the service actually works: you choose what to ask your visitors, what to retain, when to delete it. We give you the tools and stay out of the way.
03 — Data Processing Agreement
A standard Data Processing Agreement is incorporated into our Terms of Service by reference. It covers the requirements of Article 28 of GDPR, the UK GDPR, and the Swiss FDPA, including Standard Contractual Clauses for transfers outside the EEA.
04 — Subprocessors
The full subprocessor list is maintained on the Privacy Policy. Conditional subprocessors (the LLM and embedding providers) are only engaged when the workspace operator turns on the corresponding AI feature.
| Subprocessor | Purpose | Region | Status |
|---|---|---|---|
| OpenRouter | LLM routing for AI features | United States | Conditional |
| OpenAI | LLM and embedding provider | United States | Conditional |
| Anthropic | LLM provider | United States | Conditional |
| Freemius | Billing & tax compliance | United States | Always (paid workspaces) |
| Hetzner | Application + DB hosting | Helsinki (FI) & Nuremberg (DE) — EU | Always |
| Resend | Transactional email | United States | Always |
| Cloudflare (R2) | Encrypted backup storage | United States / global | Always |
We give at least 30 days' notice before adding a new subprocessor or changing the region of an existing one. You can object to a new subprocessor by writing to legal@leadiosa.com; if we can't accommodate the objection, you can terminate the affected workspaces.
05 — Data-subject rights
For operators on workspaces under your control, access, rectification, erasure and portability requests can be fulfilled directly from the dashboard. For visitor data, the workspace operator is the controller — we provide the tooling, the operator handles the policy:
- Access and portability — operators can export the full workspace data as JSON from Settings → Privacy & GDPR. Visitors can request their own data directly from the chat widget.
- Erasure — Contacts → Erase. The action is audit-logged and cascades through messages, attachments, AI summaries, embeddings, and the RAG index.
- Rectification — operators edit contact records directly in the dashboard.
- Restriction and objection — currently handled via email to legal@leadiosa.com.
Visitor requests sent to us are forwarded to the relevant workspace operator within seven days. The operator must respond within the GDPR-mandated thirty-day window.
06 — International transfers
Where personal data leaves the EEA — most often when a workspace uses a US-based LLM provider — the transfer relies on the European Commission's Standard Contractual Clauses (2021 modules) and on any additional safeguards the provider offers (e.g. OpenAI's Zero-Data-Retention API, where applicable).
The application and its databases are hosted in the EU — Hetzner data centres in Helsinki, Finland and Nuremberg, Germany. Workspaces with strict residency requirements can keep AI features disabled, in which case conversation content is not sent to any LLM provider. Talk to us if you need a more constrained configuration than the dashboard allows.
07 — Retention and deletion
Retention periods are detailed on the Privacy Policy. Two GDPR-relevant points to highlight:
- Workspaces can configure a conversation retention window in Settings — anything older than the window is automatically erased.
- Backups are kept on a rolling 30-day window. Data that has been erased on the live system is also pruned from backups within that window.
08 — Breach notification
If we become aware of a personal-data breach that meets the GDPR notification threshold, we will:
- Notify affected workspace controllers without undue delay and in any case within 72 hours of becoming aware of the breach.
- Notify supervisory authorities where required.
- Provide a description of the breach, the categories of data and people affected, the likely consequences, and the steps we are taking to contain and remediate.
- Publish a post-incident summary on the status page once the incident is fully resolved.
The single channel for breach reports and security concerns is legal@leadiosa.com.
09 — DPO and contact
Given Leadiosa's current scale, we are not formally required to appoint a Data Protection Officer under Article 37, but someone in the team owns this work end-to-end and is the single point of contact for privacy matters.
For privacy and data-subject requests, DPA and contract questions, and security or breach reports, write to legal@leadiosa.com.
You also have the right to lodge a complaint with a supervisory authority. As we are established in Cyprus, our lead supervisory authority is the Office of the Commissioner for Personal Data Protection (Cyprus). You can equally contact the data protection authority of the EEA country where you live or work.
10 — CCPA / CPRA
This page is written around the GDPR, but we respect the requirements of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in the same spirit. California residents get the same access, deletion, correction, portability and non-discrimination treatment described above.
We do not sell personal data. We also do not "share" personal data for cross-context behavioural advertising in the CPRA sense: there are no advertising trackers in the product, and neither account data nor conversation data is ever exchanged for money or other consideration. To exercise any California privacy right, write to legal@leadiosa.com.