Privacy Policy
Last updated: 13 May 2026
1. Who we are
Leadreferral is a trading name of a private limited company registered in England and Wales. We act as the data controller for personal data we collect about our customers (the businesses that buy our software) and as a data processor for personal data those customers upload about their own members and guests.
2. What we collect
- Account information (name, work email, business name).
- Member and guest data uploaded by you, including names, contact details, and referral activity.
- ID verification (KYC) information collected by Stripe Connect Express on our behalf when a member is paid in cash. We do not store the underlying ID documents.
- Service usage data (timestamps, IP, device fingerprint) used for fraud signals and security.
- Billing data, processed by Stripe.
3. How we use it
- To provide the Service and process payouts.
- To detect, prevent, and investigate fraud.
- To comply with legal and regulatory obligations.
- To improve the product, on aggregated, de-identified data.
- To communicate operationally about your account.
4. Legal bases (UK GDPR)
We process personal data on the bases of: contract performance (Article 6(1)(b)); legitimate interests (Article 6(1)(f)) — for fraud detection, product analytics, and service security; legal obligation (Article 6(1)(c)); and, where applicable, consent (Article 6(1)(a)).
5. Sharing
We share personal data with sub-processors who help us run the Service. The current list includes Supabase (hosted database), Netlify (hosting), Stripe (payments, KYC), Postmark (transactional email), and Sentry (error monitoring). A full sub-processor list is available on request.
6. International transfers
Some sub-processors are based outside the UK. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU SCCs, or an adequacy decision, as applicable.
7. Retention
We retain account data for the life of the contract and for up to seven years after termination to meet UK accounting and tax obligations. Member and guest data uploaded by you is retained on your instructions and deleted on request within 30 days of contract end.
8. Your rights
Under UK GDPR you have rights of access, rectification, erasure, restriction, portability, and objection. To exercise these rights, email privacy@leadreferral.io. If you are unhappy with our response, you may complain to the Information Commissioner’s Office at ico.org.uk.
9. Security
Personal data is encrypted in transit (TLS 1.2+) and at rest. Access is controlled by row-level security (RLS) per Workspace. We log every administrative action with an actor, a timestamp, and a reason.
10. Cookies
We use the minimum session cookies necessary to operate the Service and to keep you signed in. We do not use third-party advertising cookies on apex marketing pages.
11. Contact
Privacy questions: privacy@leadreferral.io. Our registered company address will be published here at general availability.