Appendices
Updated: August 26, 2025
Contract enters into force as of September 12th, 2025
1. Detailed specification of exportable data categories and digital assets
Leadoo provides a comprehensive capability to export customers’ personal and non-personal data, covering the following categories: end-user, marketing, operational and analytical data. This data is stored in the Amazon Web Services (AWS) infrastructure.
The company offers a wide selection of standard export formats: CSV (default export format from the user interface), JSON (default API format), XLSX.
Personal data is processed in accordance with the data processing agreement. This includes, among others: first and last name, email, phone number, Contact ID, IP address (only the network portion, masked to /24, not the unique address), location and online behavioral data, which can be classified as basic contact data, location data, purchasing preferences, and behavioral data.
Additionally, Leadoo offers the option to export data and resources beyond the standard scope available from the application. Such extended or custom exports are carried out based on individual pricing, tailored to the specific requirements of the client and the scope of the data.
Data / asset category | Location | Export format | Export method | Comment |
Lead contact data | AWS | CSV, JSON, XLSX | UI/API | Personal and contact data of customers (leads) |
Visitor Profiles | AWS | JSON | API (Manually on demand) | Fetch several visitor profiles with details |
Journey insights | AWS | JSON | API (Manually on demand) | Journey insights for the provided profile IDs |
Organization profiles | AWS | JSON, CSV, XLSX | UI/API | Fetch several organization profiles with contact details. |
2. Detailed specification of data categories specific to the internal functioning of the data processing service provider, which are excluded from the exportable data
As a provider of a comprehensive conversion platform, Leadoo understands the key importance of providing our clients with full control over their data and the freedom to choose a service provider. In accordance with the requirements of the Data Act, we make every effort to ensure the data export process is transparent, effective and uninterrupted.
At the same time, to protect our innovations and competitive advantage, it is necessary to precisely define those categories of data which, constituting the exclusive intellectual property and trade secret of Leadoo, are excluded from the export mechanism. Below, we present a detailed specification of these categories, while guaranteeing that their exclusion will in no way hinder or delay our clients’ process of switching providers and that all data necessary to continue their operations will remain fully exportable.
Data / asset category | Example of data / assets | Justification |
Data concerning the internal system architecture and infrastructure | Detailed database schemas, network diagrams, server configurations, data routing algorithms, hardware and software specifications used internally to provide the service, including application code. | Disclosure of this information could give Leadoo’s market competitors access to key know-how concerning the platform’s optimization, scalability, and security, constituting a competitive advantage. Additionally, it could also create potential security vulnerabilities. |
Unique algorithms and data models (including proprietary implementations of existing ones) | All AI/ML algorithms, predictive models, data compression algorithms, data transmission algorithms, resource optimization algorithms (e.g., allocation of virtual machines) that have been created by and are the intellectual property of the provider. This also applies to database schemas designed internally for storing and processing data in a unique, optimized way. | The algorithms and data models developed by Leadoo are the result of years of research and development, which constitute our technological advantage and service efficiency. Disclosure of this information could allow Leadoo’s market competitors to copy these solutions without incurring the costs of their development. |
Internal performance monitoring and management tools | Specific tools and methodologies used for internal monitoring of our systems’ performance, anomaly detection, load management, problem-solving, and resource optimization. | These tools are an integral part of the organization’s ability to maintain high availability and performance of services. Their specifics and mode of operation constitute valuable operational knowledge. |
Data concerning internal operational and security processes | Detailed incident response procedures, internal security audits, specific internal authentication and authorization protocols, business continuity and disaster recovery plans (unless they directly concern client data). | Data in this category is classified as critical for maintaining the security and reliability of the services provided. Disclosure of this information could create security vulnerabilities or enable sabotage. |
3. Procedures for switching data processing service providers
Leadoo enables the free migration of client data to other service providers through simple and effective export mechanisms. Users can export data and resources through both the application interface (UI) and via API, in popular formats such as CSV, JSON, and XLSX. Leadoo monitors technical export limits, such as single export file size restrictions and an API request limit of 500 requests per minute, to ensure optimal infrastructure performance.
Migration procedure / method | Availability | Technical limitations | Comments / notes |
Data export via UI | YES | Maximum export file size, Maximum date period | CSV/XLSX export |
Data export via API (JSON) | YES | API request limit/minute | Client integration required |
Migration between other providers | NO | – | Not possible due to costs |
4. Register of data structures, formats, and interoperability standards for exportable data
In accordance with interoperability requirements, Leadoo provides a public register of technical information for exportable data that can be transferred when switching a data processing service provider. The register contains detailed information about:
- data structures used for export (e.g., leads, customer profiles, organization profiles),
- available formats (CSV, JSON, XLSX),
- open standards and technical specifications used to ensure interoperability,
- validation standards used in the Leadoo API (in accordance with v3/v2 documentation).
By using commonly accepted formats (RFC, ISO, JSON Schema, OpenAPI), the data can be reused in CRM, ERP, marketing automation or BI systems.
Data / asset category | Export format | Interoperability standards and specifications |
Leads data | CSV, JSON, XLSX | RFC 882 (Email) – ietf.org; RFC 4122 (UUID) – ietf.org; ISO 8601 (dates) – iso.org; ISO 3166-1 (countries) – iso.org; RFC 4180 (CSV) – ietf.org |
Analytical reports | JSON | ISO 8601, UUID |
Visitor profiles, organization profiles | JSON, CSV, XLSX | RFC 4122 (UUID) – ietf.org; ISO 8601 (dates) – iso.org; ISO 3166-1 (countries) – iso.org; RFC 4180 (CSV) – ietf.org |
5. General description of technical, organizational, and contractual measures adopted by the data processing service provider to prevent international government access or transfer of non-personal data stored in the European Union
- General policy on the security of personal data and IT systems
- Procedures for reporting breaches
- Periodic reviews of internal procedures
- Procedure for handling abuse
- Data Protection Officer
- Issuance of authorizations for personal data processing
- Training in personal data protection
- Declarations of confidentiality regarding personal data
- Restricted access to IT systems and networks (using logins, passwords, separate networks for third parties)
- Procedure for granting and revoking access rights to IT systems
- Password policy
- Use of secure network connections, e.g., VPN
- High Availability Cluster
- Measures to ensure event logging, e.g., Microsoft Clarity, Internal logging system
- Anti-DDoS system, e.g., Cloudflare
- Conducting quarterly vulnerability tests of IT systems
- Conducting penetration tests of IT systems
- Antivirus software
- Cybersecurity training
- Procedure for verifying service providers for regulatory compliance and adequate security measures
- Cyclical risk analysis of the violation of rights and freedoms of individuals whose data is processed
- Security and privacy risk analysis carried out at least once a year
- Procedures for applying the privacy by design principle in software development
- Standard for maintaining the privacy by default principle in the design phase
- Use of cryptographic measures for personal data protection, e.g., SSL protocol [TLS 1.2 – 1.3 + SHA256]
- Securing data transmission with the HTTPS protocol
- Use of multi-factor user authentication in the ICT system
- User identification and authorization measures, e.g., OAuth 2.0
- Audit logs for mass data modification actions on the platform
- Individual login indicators
- Personal Data Processing Agreement, including a contractual prohibition on transferring personal data outside the European Economic Area without the controller’s consent
- Confidentiality Agreement
6. Information on services whose migration is particularly difficult or costly
The current architecture of the Leadoo system does not have significant technical or organizational limitations that would hinder migration to another service provider. All client data is fully exportable through the available UI and API mechanisms. There are no complex technological dependencies that could prevent or significantly hinder such a migration. The company uses open standards and popular export formats, thereby minimizing the risk of vendor lock-in.
Component / service | Migration difficulty | Export capabilities | Notes |
Lead contact data | Easy | CSV, JSON, XLSX | Export available via UI/API |
Visitor Profiles | Medium | JSON | Export available via API |
Organization Profiles | Easy | CSV, JSON, XLSX | Export available via UI/API |
Journey insights | Medium | JSON | Export available via API |