1. Summary
Leafer is a sales copilot. We process two clearly separate categories of personal data: customer data (the people who use Leafer to run outreach) and lead data (the publicly available business contacts Leafer surfaces and helps customers reach). The legal posture is different for each, so this policy treats them separately throughout.
At a glance:
- We keep customer data in the European Union (Frankfurt, eu-central-1) and never sell it.
- We process lead data on instructions from our customers, who act as the Data Controller. Leafer acts as the Data Processor.
- Every outbound message includes a one-click unsubscribe link. Opt-outs are honoured forever and propagate across every channel.
- You can exercise any of your rights — access, correction, deletion, portability, objection — by writing to privacy@leafer.io. We reply within thirty days.
2. Who we are
Leafer is operated by Leafer Ltd., a company registered in Istanbul, Türkiye. References to we, us, and our in this policy refer to Leafer Ltd.
Our registered office and contact details are listed in the contact section below. Our Data Protection Officer can be reached at dpo@leafer.io.
3. Definitions
We try to avoid jargon, but a few terms have specific legal meanings worth defining once.
- Personal data. Any information that identifies a living individual, directly or indirectly — name, work email, IP address, behavioural identifiers.
- Processing. Any action performed on personal data — collection, storage, transmission, analysis, deletion.
- Data Controller. The party that decides why and how personal data is processed. When Leafer reaches prospects on a customer’s behalf, the customer is the Controller.
- Data Processor. The party that processes personal data on the Controller’s instructions. Leafer is the Processor for lead data.
- Lead data. Publicly available business-contact information (name, role, work email, company) that Leafer surfaces from public web sources.
- Customer data. Information about the person or company using Leafer — account details, billing, usage analytics, support correspondence.
- Sub-processor. A third-party service that processes personal data on our behalf to help us deliver the service. The current list is published at /trust/subprocessors.
4. What we collect
4.1 Customer data
When you create an account, run campaigns, or contact support, we collect:
- Identity. Name, work email address, organisation name, optional role and avatar.
- Authentication. Hashed credentials managed by our identity provider. We never see or store passwords in plaintext.
- Billing. Card brand, last four digits, billing address, VAT number. Payment cards are tokenised by our payment processor; we never see the full PAN.
- Usage. Pages visited, features used, error logs, performance traces. Used to operate, secure, and improve the service.
- Support correspondence. Anything you send us by email, in-app message, or on a call.
4.2 Lead data
When you run discovery or signal mining on Leafer, we process publicly available business-contact data on your behalf:
- Name and role of the prospect at their employer.
- Work email address, work LinkedIn profile, business phone number where available.
- Company name, industry, headcount, and other firmographic attributes.
- Public posts, comments, and reviews the prospect has authored on Reddit, X, LinkedIn, G2, Capterra, or Google Maps where those signals indicate buying intent.
- Engagement history with messages you have sent through Leafer (opened, clicked, replied, bounced).
We do not knowingly process special categories of personal data (race, ethnicity, religion, health, sexual orientation, political opinions, trade-union membership, biometric or genetic data) and we do not target consumer-facing email addresses.
5. How we use it
5.1 Customer data
- To provide the service you signed up for.
- To bill you accurately and stay in good standing with payment regulators.
- To diagnose issues, run security operations, and improve the product.
- To send you transactional emails (account changes, billing, security alerts). You can opt out of non-transactional marketing email at any time.
5.2 Lead data
- To execute the discovery, enrichment, scoring, and outreach instructions you give us as the Data Controller for that data.
- To run compliance preflight checks (suppression list, country routing, IYS registry checks for Turkish recipients) so that messages we help you send respect every applicable rule.
- To maintain an audit log of sends, replies, and opt-outs sufficient to satisfy regulator requests for the retention period below.
We do not use lead data to train models that benefit other customers, we do not sell it, and we do not combine it across customer workspaces.
6. Lawful basis
The legal basis we rely on depends on the jurisdiction of the data subject and the data category.
6.1 GDPR / UK-GDPR (EU + UK)
- Customer data. Performance of a contract (Art. 6(1)(b)) — we cannot deliver the service without it. Where we use customer data to improve the product, our basis is legitimate interest (Art. 6(1)(f)), balanced against your reasonable expectations.
- Lead data. Legitimate interest (Art. 6(1)(f)). Each campaign you run on Leafer is documented with a Legitimate Interest Assessment. The platform produces a draft LIA per campaign which you review and sign.
6.2 KVKK (Türkiye)
Our basis under KVKK is the meşru menfaat (legitimate interest) ground in Art. 5(2)(f) for both lead data and analytical use of customer data, and contract performance (Art. 5(2)(c)) for service delivery. All commercial email sent to Turkish recipients is checked against the IYS (İleti Yönetim Sistemi) registry before despatch.
6.3 CCPA / CPRA (California)
We are a business under the CCPA when handling customer data and a service provider when processing lead data on our customers’ instructions. We do not sell or share personal information as those terms are defined under CCPA. Californian residents have the right to know, to delete, to correct, to opt out of sale/share (we do not sell or share), and to limit the use of sensitive personal information.
6.4 CASL (Canada)
Cold commercial email to Canadian recipients is permitted only with prior express consent or a documented existing business relationship within the previous twenty-four months. Leafer’s country router blocks sends to Canadian addresses by default unless one of those conditions is recorded for the recipient.
7. Sharing & sub-processors
We share personal data with three categories of recipient, and only as needed.
- Sub-processors. Third-party vendors that help us deliver the service — infrastructure, payments, observability, support tooling. The complete and current list, with each sub-processor’s purpose and location, is published at /trust/subprocessors. We give customers thirty days’ notice before any material change to that list.
- Authorities. Where compelled by valid legal process. We notify the affected customer unless prohibited by law.
- Successor. In the event of a merger, acquisition, or asset sale, personal data may be transferred to the acquiring entity, which must honour the commitments in this policy.
We never sell personal data, we do not place it in advertising auctions, and we do not enrich it with data from data brokers other than the verified-email enrichment vendors used to confirm work-email validity during discovery.
8. International transfers
Customer data is stored in the European Union (Frankfurt, eu-central-1). Where personal data is transferred outside the EU / UK / Türkiye, we rely on the Standard Contractual Clauses adopted by the European Commission and supplementary measures (encryption in transit and at rest, audit logging, restricted access) to ensure an equivalent level of protection.
Each sub-processor on our list carries either an adequacy decision (where applicable) or executed SCCs in their contract with us. You can request the executed SCCs by writing to privacy@leafer.io.
9. Retention periods
We keep personal data only for as long as it is necessary for the purpose it was collected. The specific retention periods are:
| Category | Retention |
|---|---|
| Customer account data | For the life of the account, then 30 days after deletion |
| Billing records | 7 years (tax and accounting law) |
| Audit log (sends, blocks, opt-outs) | 7 years (GDPR statute-of-limitations parity) |
| Lead data (in your workspace) | On your instruction; default 24 months from last activity |
| Suppression list entries (hashed) | Indefinite — required to honour opt-out |
| Support correspondence | 2 years |
| Backups | 30 days rolling, encrypted at rest with AES-256 |
10. Your rights
Depending on where you are, you have some or all of the following rights:
- Access. Ask whether we hold personal data about you and receive a copy.
- Correction. Have inaccurate data corrected.
- Deletion. Have your data deleted, subject to legal retention obligations.
- Portability. Receive your data in a machine-readable format.
- Objection. Object to processing based on legitimate interest, including direct marketing.
- Restriction. Ask us to stop processing while we investigate a dispute.
- Withdraw consent. Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of past processing.
- Complaint. Lodge a complaint with your data protection authority — KVKK in Türkiye, your national supervisory authority in the EU, the ICO in the UK, the California Attorney General in the US.
Send a Data Subject Access Request to privacy@leafer.io. We confirm receipt within 72 hours and respond within 30 calendar days. If your request is exceptionally complex we may extend the response by a further 60 days and will tell you why.
11. Security measures
We treat security as an engineering concern rather than a paragraph in a policy. The headline controls:
- All data in transit is encrypted with TLS 1.2 or higher.
- All data at rest is encrypted with AES-256. Personally identifiable fields receive an additional layer of field-level encryption.
- Access to production systems is restricted to a small named set of engineers and is fully logged.
- Multi-factor authentication is enforced on every Leafer account and every internal admin surface.
- We run quarterly internal penetration tests and an annual external test by an independent firm. The summary report is available under NDA.
- We maintain a public security disclosure address at security@leafer.io and respond to reports within one business day.
12. Cookies & tracking
We use a small number of strictly necessary cookies to keep you signed in and to remember your theme preference. We do not place advertising cookies and we do not run cross-site trackers. Our product analytics are first-party and run with personally identifiable fields stripped at collection time.
Where the law requires explicit consent for non-essential cookies, we present a cookie banner with a clear accept / reject choice. The choice is honoured for twelve months or until you change it, whichever comes first.
13. Children’s data
Leafer is a business-to-business product. We do not target or knowingly collect personal data from individuals under the age of sixteen. If we discover we have inadvertently collected such data, we delete it immediately. If you believe we hold data on a child, please contact privacy@leafer.io.
14. Changes to this policy
We update this policy when our processing changes or when a new legal requirement takes effect. The “Last updated” date at the top of the page reflects the most recent revision. For material changes (new sub-processor categories, new international transfers, changes to retention) we notify registered customers by email at least thirty days before the change takes effect.
Previous versions of this policy are archived and available on request.
15. Contact
Data protection questions, DSARs, and complaints: privacy@leafer.io.
Security disclosures: security@leafer.io.
General contact and pre-sales: hello@leafer.io.
Postal: Leafer Ltd., Beşiktaş, İstanbul, Türkiye.
Related documents: the sub-processor list, the Data Processing Addendum, the terms of service, and the full trust centre.