Privacy Policy
Version 17 April 2026 · Applies to all use of LeadGrid.io
1. Who we are
LeadGrid.io (“LeadGrid”, “we”, “our”) is a trade name of Triad B.V., a Dutch private limited company registered with the Netherlands Chamber of Commerce under number 42034623, with its registered office at Parallel Boulevard 17 A, 2202 HK Noordwijk, the Netherlands.
For the personal data you upload into LeadGrid (your candidates, leads, contacts, notes), you are the controller and Triad B.V. acts as processor on your behalf under a Data Processing Agreement (see section 11). For the personal data we collect about you as a customer (account, billing, usage), Triad B.V. is the controller — this policy describes that processing.
2. Personal data we process
When you sign up and use LeadGrid, we process:
- Account data — name, email, password hash, workspace name, role, authentication sessions
- Billing data — company name, billing address, VAT ID, payment-method identifiers (held by Stripe, never stored on our servers), invoices
- Usage data — IP address, user agent, pages visited, timestamps, error logs, feature-use telemetry
- Content you upload — candidate/lead records, CV files, email threads you forward into LeadGrid, notes, flow definitions. You control this data; it is covered by the DPA
- AI-assisted content — when you use the AI summary or extract-contact features, the relevant CV text or email body is sent to OpenAI for processing. OpenAI does not use this data to train models (see section 5)
- API logs — for our public REST API we log the API key identifier, endpoint, status code and response time
3. Purposes and legal bases
- Providing the Service — performance of the contract (Art. 6(1)(b) GDPR). Without this data you cannot use LeadGrid
- Billing and tax — legal obligation (Art. 6(1)(c)) and contract performance
- Security, fraud prevention, abuse detection — legitimate interest (Art. 6(1)(f))
- Product improvement and aggregated analytics — legitimate interest; we use only aggregated, non-identifying metrics for this
- Transactional email (signup confirmation, invoices, password resets, service notifications) — contract performance
We do not sell your personal data. We do not use it for third-party advertising. We do not profile users for automated decisions that have legal effect.
4. Subprocessors
We rely on a short list of carefully selected subprocessors. Each is bound by a data-processing agreement with equivalent GDPR obligations.
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Ireland) |
| Vercel Inc. | Application hosting and edge network | EU + global edge |
| Stripe Payments Europe, Ltd. | Subscription billing and payment processing | EU (Ireland) / US parent |
| OpenAI, L.L.C. | AI-assisted CV summaries, rejection drafts, contact extraction. Data is not used to train models. | US (SCCs) |
| Resend, Inc. | Outgoing transactional email and inbound-email parsing | US (SCCs) |
We will notify customers at least 30 days before adding or replacing a subprocessor. If you object, you may terminate your subscription for cause.
5. International transfers
OpenAI and Resend are US-based. When personal data is transferred outside the EEA, the transfer is covered by the European Commission’s Standard Contractual Clauses (2021/914) or an equivalent lawful mechanism. Supabase stores customer data in the EU (Ireland) region.
6. Retention
- Account data — for as long as your workspace is active, plus up to 30 days after cancellation to allow restore
- Billing records and invoices — 7 years (Dutch tax law, art. 52 AWR)
- Content you upload — retained until you delete it, or up to 30 days after you cancel your subscription. You may export your data at any time via the public REST API
- Access and error logs — 90 days rolling
- AI request metadata — we do not store the request body. We log only the feature used, token count and timestamp (14 days)
7. Security
We use Supabase row-level security policies so each workspace can only access its own data. Passwords are hashed (bcrypt). Traffic is served over TLS. The REST API uses hashed keys with per-key rate limits. Webhooks are signature-verified. We apply Content-Security-Policy, HSTS, strict cookie flags and standard browser hardening headers.
8. Your rights
Under the GDPR you have the right to access, rectify and erase your personal data, to restrict or object to its processing, and to data portability. You also have the right to withdraw consent where applicable and to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
To exercise any of these rights, email privacy@leadgrid.io. We will respond within 30 days.
9. Cookies
LeadGrid uses only strictly necessary cookies: an authentication session cookie and a theme preference cookie. We do not use tracking or advertising cookies.
10. Changes to this policy
We may update this policy to reflect changes in our service or legal requirements. The version date at the top reflects the most recent update. Material changes will be announced by email at least 14 days before they take effect.
11. Data Processing Agreement
For the personal data you upload into LeadGrid, a Data Processing Agreement (DPA) conforming to Art. 28 GDPR is available at leadgrid.io/dpa. It forms an integral part of our Terms when you process personal data of third parties (candidates, leads, contacts) through the Service.
12. Contact
Triad B.V. (trading as LeadGrid.io)
Parallel Boulevard 17 A
2202 HK Noordwijk
The Netherlands
KvK: 42034623
Email: privacy@leadgrid.io

