GDPR & CCPA Compliance

Codas Labs, LLC, doing business as LeadTale takes data protection seriously. This page summarizes how LeadTale complies with the main data-protection frameworks that apply to our customers and to the professionals in our B2B database: the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other US state privacy laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, and equivalents).

This page is a plain-English summary. The legally-operative documents are the Privacy Policy, Data Processing Addendum, and Terms of Service. If the summary and those documents ever disagree, the documents govern.

Depending on where you live, you have rights you can exercise at any time. LeadTale honors these for both Customers and professionals whose information appears in the LeadTale database.

• Access — request a copy of the personal information we hold about you.
• Correction — update inaccurate information.
• Deletion — request removal from the LeadTale database and from active production systems. Submit at leadtale.com/privacy/remove.
• Portability — request a portable copy of the Customer Data you have uploaded.
• Restriction / objection — ask us to stop or limit certain processing, including direct marketing.
• Opt out of sale or sharing — see the “Do Not Sell or Share My Personal Information” link in the footer of every page. We also honor Global Privacy Control (GPC) signals as a universal opt-out.
• Limit use of sensitive personal information(CPRA § 1798.121) — our B2B database generally does not include sensitive personal information; contact us if you believe otherwise.
• Object to automated decision-making(GDPR Art. 22) — LeadTale’s verification and scoring outputs are informational signals used by Customers; we do not make automated decisions about individuals that produce legal or similarly significant effects.
• Withdraw consent — where processing is based on consent, you may withdraw at any time.
• File a complaint— with a supervisory authority in the EU/UK, or with your state’s attorney general in the US.

Submit rights requests to privacy@leadtale.com. We respond within 30 days under GDPR / UK GDPR, and within 45 days under CCPA / other US state privacy laws, with statutory extensions where permitted. We will not discriminate against you for exercising your rights.

We process personal data in two distinct roles, with different handling rules for each.

As a Data Processor (for Customer-uploaded data)

When Customers upload contact lists, CSVs, or CRM exports for enrichment or verification, we process that data on their behalf under the Data Processing Addendum. Customers are Controllers; we are Processors. We do not use that data for any other purpose and return or delete it on termination.

As a Data Controller (for the LeadTale database)

The LeadTale database contains professional business-contact information about individuals in their work capacity (name, job title, employer, work email, work phone, general location, professional profile links). We compile this from:

• Publicly available sources — company sites, press releases, public profiles, public filings.
• Licensed third-party data providers that represent their collection and provision as lawful.
• Signals contributed by Customers through enrichment features of the Service.

We do not include sensitive personal information, data about individuals under 16, or data about individuals acting in a non-business capacity.

• Legitimate interests (Art. 6(1)(f)) — for building and maintaining the B2B contact database for professional outreach, securing and improving the Service, preventing fraud, and conducting business-context direct marketing. Our Legitimate Interest Assessment (LIA) is available on request to privacy@leadtale.com.
• Contract (Art. 6(1)(b)) — to provide the Service to Customers and perform our contractual obligations.
• Consent (Art. 6(1)(a)) — for certain marketing communications and non-essential cookies; may be withdrawn at any time.
• Legal obligation (Art. 6(1)(c)) — to comply with law, court orders, and regulatory requirements.

For Article 14 GDPR (information obtained indirectly), we rely on the disproportionate-effort exception (Art. 14(5)(b)) and maintain this page + our Privacy Policy as publicly-available notice.

LeadTale is headquartered in the United States. Where required by law, we use the following transfer mechanisms to safeguard international transfers of personal information:

• EU → US: EU Standard Contractual Clauses (Module Two: Controller to Processor; Module Three: Processor to Processor, where applicable).
• UK → US: UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner.
• Switzerland → US: SCCs adapted to refer to the Swiss FADP, with the Swiss Federal Data Protection and Information Commissioner as competent authority.

Where required, we apply supplementary technical, organizational, and contractual measures to ensure an essentially equivalent level of protection. Full detail is in the Data Processing Addendum §9.

The current list of third parties that process Customer Personal Data on our behalf is published at leadtale.com/subprocessors. We provide at least 30 days’ advance notice of additions or replacements via a subscribable email list — contact privacy@leadtale.com to subscribe.

We apply administrative, technical, and physical safeguards including encryption in transit and at rest, least-privilege access controls, audit logging, dependency and secret scanning, and regular security reviews. Additional detail is on our Security page. Report security issues or suspected account compromise to security@leadtale.com.

Where required by Article 27 GDPR and Article 27 UK GDPR, LeadTale has appointed representatives in the European Union and the United Kingdom.

EU Representative: [Name and address — to be appointed]
UK Representative: [Name and address — to be appointed]

Data subjects in the EU or UK may contact the relevant representative on matters concerning the processing of their personal data, in addition to contacting LeadTale directly at privacy@leadtale.com.

Our website uses cookies and similar technologies for authentication, security, preferences, analytics, and marketing attribution. You can control cookies through your browser settings. We honor Global Privacy Control (GPC) signals as a universal opt-out of the sale or sharing of personal information — this applies both to the marketing site and to records in the LeadTale database. Full cookie detail in the Privacy Policy §6.

Summary of how long we keep information. Full detail in the Privacy Policy.

• Customer Account data: duration of the Account + up to 7 years for recordkeeping, tax, and legal-compliance purposes.
• Customer-uploaded data (processed on Customer’s behalf): typically deleted from active systems within 30 days after task completion unless the Customer directs longer retention. Backups expire within 90 days.
• LeadTale database records: as long as relevant and accurate, subject to updates, removal on request, or suppression-list retention (indefinite, to prevent re-inclusion).
• Logs and security data: typically up to 13 months, with longer windows only where required for legal, security-investigation, or compliance purposes.

• Privacy Policy — how we collect, use, share, and protect information (operative document for data subjects).
• Data Processing Addendum — GDPR Art. 28 contract governing our processing of Customer Personal Data (operative document for Customer contracts).
• Terms of Service — the commercial agreement governing your use of the Service.
• Subprocessors — current list of third-party processors.
• Security — technical and operational security practices.
• Remove my information — opt-out form for the LeadTale database.

For privacy questions or to exercise rights, email privacy@leadtale.com. Our Data Protection Officer can be reached at dpo@leadtale.com. For security matters, email security@leadtale.com.