Privacy Policy
Last updated: 22 Sep, 2025
1. Introduction
At Express Leads, we value transparency, trust, and the responsibility that comes with handling personal data. Whether you are visiting our website, using our Services, or your business information appears in our databases, your privacy matters.
This Privacy Notice explains how Lead Reach Limited (trading as Express Leads) collects, uses, stores, shares, and protects personal data, and the rights available to you under applicable laws, including:
- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation (EU GDPR)
- UK Data Protection Act 2018 (DPA)
- California Consumer Privacy Act (CCPA/CPRA)
- Other data protection laws that may apply based on your location
This Notice applies to:
- Visitors to our websites (including expressleads.io and related subdomains)
- Customers using our Services
- Business contacts and prospects included in our B2B database
- Partners, suppliers, and their representatives
When we say “we”, “us”, or “our”, we mean Lead Reach Limited, trading as Express Leads. When we say “you”, we mean the individual interacting with us directly or indirectly. Our goal is to keep this Notice clear and readable, without compromising legal robustness.
2. About Us
Express Leads is a trademark and product of Lead Reach Limited, a private limited company registered in England and Wales.
| Field | Details |
|---|---|
| Company name | Lead Reach Limited |
| Product/brand | Express Leads |
| Company number | 14834089 |
| Registered office | Suite 608, Cumberland House, 80 Scrubs Lane, London, United Kingdom, NW10 6RF |
Express Leads provides B2B prospecting and outreach software that enables sales and marketing teams to:
- Find companies and decision-makers with advanced filters
- Access business contact details such as work emails and phone numbers
- Export leads to CSV or sync with CRMs
- Run outreach campaigns via integrated tools
- Operate without usage caps through an “unlimited” model
Depending on context, we act as a Data Controller (e.g., website visitors, customer accounts, our own prospect databases) and as a Data Processor (e.g., where we process data inside integrated client systems under their instructions).
3. Definitions
Key terms used in this Privacy Notice:
| Term | Definition |
|---|---|
| Personal Data | Information that identifies, or can reasonably be used to identify, a living individual (e.g., name, business email, phone number, job title). |
| Processing | Any operation on personal data, including collection, storage, use, analysis, disclosure, or deletion. |
| Controller | The entity that determines the purposes and means of processing personal data. For most activities, this is Lead Reach Limited (Express Leads). |
| Processor | An entity that processes personal data on behalf of a Controller (e.g., cloud hosting providers). |
| Consumer (CCPA) | A natural person who is a California resident, as defined by the CCPA/CPRA. |
| Business (CCPA) | A legal entity that determines the purposes for processing California residents’ personal information for commercial purposes. |
| Sale/Sharing (CCPA) | Broadly defined under CCPA/CPRA to include transfers for monetary or other valuable consideration or cross-context behavioral advertising. |
| Legitimate Interest (GDPR) | A lawful basis allowing processing necessary for a legitimate purpose, provided it does not override individuals’ rights and freedoms. |
4. Data We Collect
We collect personal data from multiple sources and for different purposes. The categories below describe the typical information we handle.
4.1 Data You Provide to Us Directly
- Name and surname
- Job title, role, or position
- Company name and industry
- Business email address and telephone number
- Business mailing address
- Login credentials (username and password)
- Communication preferences (e.g., marketing opt-ins)
- Billing and payment details (processed securely by third-party providers)
- Support requests, correspondence, and feedback
4.2 Data Collected Automatically
- IP address, device type, operating system, and browser information
- Log data (time of access, pages viewed, features used)
- Usage data (search history, export counts, campaign metrics)
- Cookies and similar technologies (see Cookies section)
4.3 Data Obtained from Third Parties
- Public websites and directories
- Regulatory filings and business registers
- Licensed data vendors and partners
- Professional networking platforms (where lawfully permitted)
- Business publications and news sources
4.4 Business & Transactional Data
- Payment details (handled by PCI-compliant providers)
- Transaction records, invoices, and receipts
- Subscription plan and lifecycle events
4.5 Communications Data
- Emails and metadata exchanged with our teams
- Chat logs (live chat, in-app messaging, support channels)
- Survey responses, webinar registrations, testimonials
5. How We Collect Data
We obtain personal data through direct interactions, automated technologies, trusted partners, and publicly available sources. We apply compliance checks across all sources to ensure lawful collection and fair processing.
| Source | What We Collect | Examples |
|---|---|---|
| Direct interactions | Contact details, account info, preferences, support history | Sign-ups, contact forms, demos, events, support tickets |
| Automated technologies | Usage data, device/browser info, logs, cookies/SDK signals | IP address, pages viewed, search/export counts, campaign metrics |
| Third-party providers | Business contact data, firmographics, updates | Licensed data vendors, enrichment services, integrations |
| Public sources | Publicly available professional/business information | Company sites, business registers, directories, lawful professional platforms |
Where required, we provide just-in-time notices and obtain consent (e.g., for certain cookies/marketing). We do not intentionally collect sensitive categories of personal data.
6. Lawful Bases for Processing (GDPR)
Under UK/EU GDPR, we rely on specific legal bases depending on purpose. We balance our legitimate interests against your rights and expectations and offer opt-outs where appropriate.
| Purpose | Examples | Lawful Basis |
|---|---|---|
| Provide & operate Services | Account setup, authentication, search/export, outreach tools | Contract (Art. 6(1)(b)) |
| B2B database & enrichment | Adding/maintaining business contact details, firmographics | Legitimate interests (Art. 6(1)(f)) |
| Product improvement & analytics | Usage analysis, feature performance, anti-abuse monitoring | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Newsletters, offers, product updates (subject to your choices) | Consent (Art. 6(1)(a)) or Legitimate interests |
| Billing & compliance | Invoices, tax, regulatory disclosures, legal requests | Legal obligation (Art. 6(1)(c)) |
| Security & fraud prevention | Threat detection, abuse prevention, incident response | Legitimate interests (Art. 6(1)(f)) |
Where we rely on consent, you can withdraw it at any time. Where we rely on legitimate interests, you can object and we will assess your request under GDPR Article 21.
7. Purposes of Processing
We process personal data to deliver value to our customers while respecting privacy. Below are our main purposes, described in plain English.
- Service delivery: to create and manage accounts, authenticate users, enable prospecting features, exports, and outreach tools.
- B2B contact discovery: to compile and maintain business contact details and company information for lawful prospecting.
- Customer support: to respond to enquiries, troubleshoot issues, and improve onboarding and adoption.
- Product development: to analyse feature usage, run experiments, and improve performance and reliability.
- Marketing (choice-based): to send relevant updates and offers, respecting your preferences and applicable laws.
- Security & integrity: to detect abuse, prevent fraud, protect accounts, and secure our infrastructure.
- Legal & compliance: to meet regulatory obligations, manage disputes, and respond to lawful requests.
We do not profile individuals in a way that produces legal or similarly significant effects without appropriate safeguards. We do not knowingly collect or use sensitive categories of personal data.
8. Disclosure & Data Sharing
We share personal data only when necessary and under appropriate safeguards. We require recipients to protect data in line with applicable laws and our contractual standards.
| Recipient Category | Why We Share | Safeguards |
|---|---|---|
| Service providers (processors) | Hosting, storage, communications, analytics, payments, support | DPAs, confidentiality, security controls, limited purpose access |
| Business customers (controllers) | Access to business contact data for lawful B2B prospecting | Contractual terms, compliance obligations, opt-out handling |
| Partners & resellers | Go-to-market collaboration, referrals, integrations | Agreements with privacy and security commitments |
| Authorities & regulators | Compliance with legal obligations and lawful requests | Verified lawful basis, narrow scope, documented handling |
| Corporate transactions | Mergers, acquisitions, financing, or asset transfers | Diligence controls, confidentiality, continued protection post-transfer |
We do not sell personal data in the traditional sense. Under CCPA/CPRA, certain disclosures for cross-context behavioral advertising may be considered “sharing”; where applicable, we honour opt-out signals and provide mechanisms to exercise your rights.
9. International Data Transfers
We operate globally. Your personal data may be transferred and processed outside the UK/EU (for example, where our service providers host systems). When we do, we implement lawful transfer mechanisms and safeguards to protect your information.
| Mechanism | What It Means | When We Use It |
|---|---|---|
| Adequacy decisions | Transfers to countries deemed to offer essentially equivalent protection. | Where the destination country is recognised by the UK/EU as adequate. |
| Standard Contractual Clauses (SCCs)/IDTA | Contractual commitments that bind recipients to GDPR-level protections. | Most transfers to non-adequate countries (incl. US-based processors). |
| Supplementary measures | Encryption, access controls, data minimisation, and audits. | Applied alongside SCCs/IDTA based on transfer risk assessments. |
We conduct transfer risk assessments and review vendor practices periodically to ensure continued compliance and protection.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Notice, or as required by law. Retention periods vary by data category and context.
| Data Category | Typical Retention | Purpose / Rationale |
|---|---|---|
| Account & profile data | Subscription term + up to 6 years | Provide services, manage accounts, resolve disputes, audit. |
| Prospecting database (B2B contacts) | Ongoing refresh cycle | Maintain accuracy and relevance; remove when outdated or upon request. |
| Billing & transactional records | 6–7 years (jurisdiction dependent) | Accounting, tax, and legal obligations. |
| Marketing preferences & logs | Until you opt out / withdraw consent | Honour choices and demonstrate compliance. |
| Cookies & analytics identifiers | 12–24 months (type dependent) | Improve site performance, measure usage; see Cookies section. |
When data is no longer required, we securely delete or anonymise it. In some cases, we may retain minimal information (e.g., suppression lists) to ensure your preferences are respected.
11. Data Security
We implement technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. While no system is completely secure, we continuously improve our controls.
- Encryption: Data encrypted in transit (TLS) and at rest (where applicable).
- Access controls: Role-based access, least-privilege, multi-factor authentication for sensitive systems.
- Segmentation & monitoring: Network segmentation, logging, anomaly detection, and alerting.
- Vendor diligence: Security and privacy assessments for processors; contractual safeguards (DPAs/SCCs).
- Development practices: Secure SDLC, change controls, vulnerability management, periodic penetration tests.
- Training & policies: Employee confidentiality agreements and ongoing security/privacy training.
- Incident response: Documented procedures for detection, containment, investigation, and notification.
If you suspect any unauthorised activity relating to your account or our Services, please contact us immediately using the details in the Contact section.
13. Your Rights Under GDPR
If you are located in the UK or EU, you have rights under GDPR regarding your personal data. We will honour these rights and respond to valid requests within one month, unless an extension is permitted.
| Right | Description |
|---|---|
| Access | You can request confirmation of whether we process your personal data and obtain a copy. |
| Rectification | You may ask us to correct or complete inaccurate or incomplete data. |
| Erasure (“Right to be Forgotten”) | You can request deletion of your data where it is no longer necessary, consent is withdrawn, or unlawful processing occurs. |
| Restriction | You can request limited use of your data in certain cases (e.g., while accuracy is being verified). |
| Portability | You can receive your data in a machine-readable format and transmit it to another controller. |
| Object | You can object to processing based on legitimate interests or direct marketing, and we will comply unless we demonstrate compelling grounds. |
| Withdraw Consent | Where processing is based on consent, you can withdraw it at any time without affecting prior lawful use. |
To exercise these rights, please contact us using the details in the Contact section. We may request proof of identity before fulfilling your request.
14. Your Rights Under CCPA/CPRA
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA. These rights apply to “personal information” as defined by California law.
| Right | Description |
|---|---|
| Right to Know | You can request disclosure of categories and specific pieces of personal information we have collected, used, shared, or disclosed about you. |
| Right to Delete | You can request that we delete your personal information, subject to certain legal exceptions (e.g., compliance, security, transactions). |
| Right to Opt Out of Sale/Sharing | You can direct us not to “sell” or “share” your personal information as defined under the CCPA/CPRA. |
| Right to Correct | You may request correction of inaccurate personal information maintained by us. |
| Right to Non-Discrimination | We will not discriminate against you for exercising your privacy rights (e.g., denying Services, charging different prices). |
We do not sell personal information in the conventional sense, but certain disclosures may constitute “sharing” under CPRA. We provide opt-out mechanisms and honour Global Privacy Control (GPC) signals.
15. Exercising Your Rights
To exercise your GDPR or CCPA rights, please submit a request via email or postal mail using the contact details provided in Section 19. We will verify your identity before processing requests to protect your data.
- We may ask for proof of identity or account ownership.
- We aim to respond within one month (GDPR) or 45 days (CCPA), with possible lawful extensions.
- For CCPA requests, you can designate an authorised agent to act on your behalf with appropriate documentation.
If we cannot fulfil your request, we will explain why (e.g., legal obligation, inability to verify identity). You may also have the right to escalate complaints to regulators.
16. Data of Children
Our Services are intended for business professionals. We do not knowingly collect or process personal data of children under 16 (or under 13 in certain jurisdictions). If you believe a child’s data has been provided to us, please contact us immediately so we can investigate and remove it.
17. Links to Third-Party Websites
Our website and Services may contain links to third-party websites, plug-ins, or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
We are not responsible for the privacy practices, content, or security of those external sites. We encourage you to read the privacy notices of any site you visit outside of Express Leads.
18. Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in law, technology, or our practices. When we make material changes, we will notify you by:
- Posting an updated version on this page with a new “Last updated” date.
- Sending a direct communication (e.g., email) where appropriate.
- Providing in-product or site-wide notifications if significant changes affect your rights.
We recommend reviewing this page regularly to stay informed about how we protect your personal data.
19. Contact Information
If you have questions about this Privacy Notice, want to exercise your rights, or need to raise a concern, please contact us:
| Contact Method | Details |
|---|---|
| privacy@expressleads.io | |
| Postal Address | Suite 608, Cumberland House, 80 Scrubs Lane, London, United Kingdom, NW10 6RF |
| Company Details | Lead Reach Limited Company number: 14834089 Express Leads is a trademark and product of Lead Reach Limited |
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner’s Office (ICO) – www.ico.org.uk
- EU: Your local supervisory authority.
- California: Office of the Attorney General – oag.ca.gov/privacy
