Data controller and service description
ExpressLeads360 is a software-as-a-service (SaaS) platform that helps businesses generate and manage leads, enrich contact data, and support email-based outreach workflows.
For the purposes of the EU General Data Protection Regulation (“GDPR”) and similar laws, the data controller for personal data processed through expressleads360.com and portal.expressleads360.com is:
ExpressLeads360
Operated by a sole proprietor established in Finland
Email:
When this Privacy Policy applies
This Privacy Policy applies when you:
- Visit our marketing site at https://expressleads360.com.
- Use our SaaS platform at https://portal.expressleads360.com.
- Interact with us via email, support forms, or other communication channels.
- Access other online resources that link to this Privacy Policy.
It explains what personal data we collect, how and why we use it, how long we keep it, with whom we share it, and what rights you have under applicable law.
Types of personal data we process
We collect only the personal data that is necessary to operate the Service, maintain security, measure marketing performance, and support you as a user.
- Data you provide directly: such as your name, email address, business or company name (if provided), password (stored only in hashed form), billing-related information, and any content you upload or enter into the ExpressLeads360 platform.
- Platform usage and log data: such as IP address, device and browser information, login timestamps, pages and features used, feature actions, and error logs. This helps us maintain security, detect abuse, and improve performance.
- Communication data: such as emails you send us, support requests, and notes or information we create when assisting you.
- Cookies, analytics, and advertising data: On expressleads360.com, we may use cookies and similar technologies to understand website usage, improve user experience, and measure the performance of our advertising campaigns. This includes tools such as Google Analytics, Google Ads (including conversion tracking and remarketing), and Meta Ads platforms (e.g. Facebook and Instagram Ads, including the Meta Pixel). Where required by law, non-essential cookies and advertising pixels are only used with your consent and can be managed via our cookie banner or your browser settings.
Why we process personal data and on what grounds
We process personal data only when we have a valid legal basis under the GDPR or other applicable laws. This table summarises our main purposes and legal bases:
| Purpose | Examples of processing | Legal basis (GDPR) |
|---|---|---|
| Providing the Service | Creating and managing user accounts, authenticating logins, enabling access to dashboards and lead generation tools, and maintaining core functionality of the platform. | Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) in providing a stable and reliable service. |
| Billing and subscription management | Processing subscription payments, communicating about billing, and maintaining invoices and payment records through our payment provider. | Contract performance (Art. 6(1)(b)); Legal obligations (Art. 6(1)(c)) related to accounting and tax. |
| Customer support | Responding to support requests, troubleshooting technical issues, and providing onboarding or guidance about the Service. | Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) in maintaining effective customer service. |
| Security and abuse prevention | Monitoring login activity, detecting suspicious behaviour, preventing misuse of the platform, and enforcing our terms of use. | Legitimate interests (Art. 6(1)(f)) in protecting the Service, our users, and our business. Legal obligations (Art. 6(1)(c)) where applicable. |
| Service improvement, analytics & advertising performance | Analysing aggregated usage patterns, measuring feature adoption, improving performance and usability of the website and platform, and understanding how effective our Google Ads and Meta Ads campaigns are (for example through conversion measurement and, where enabled, remarketing audiences). | Legitimate interests (Art. 6(1)(f)) in developing and improving the Service and our marketing, while respecting your privacy. Consent (Art. 6(1)(a)) for non-essential cookies/analytics and advertising pixels where required by law. |
| Optional marketing | Sending product updates, educational content, or announcements, subject to your preferences and applicable marketing rules. We may also use high-level audience information from tools such as Google Ads and Meta Ads to reach people who are likely to be interested in our Service, in compliance with consent and preference settings. | Consent (Art. 6(1)(a)) where required by law. Legitimate interests (Art. 6(1)(f)) where direct marketing is allowed, subject to your right to opt out at any time. |
Your leads and third-party personal data
When you use ExpressLeads360, you may upload, generate, or manage personal data about third parties, such as sales prospects or business contacts (“Lead Data”).
For such Lead Data:
- You act as the data controller for that personal data.
- ExpressLeads360 acts as your data processor / service provider, processing Lead Data only on your instructions.
- You are responsible for ensuring you have a lawful basis to process Lead Data (for example, legitimate interests or consent where required) and for complying with applicable laws.
Our obligations and limitations when processing Lead Data on your behalf may be further described in a separate Data Processing Agreement (DPA) or equivalent contractual terms, where applicable.
Who we work with and why
We use a small number of trusted third-party providers to help us operate the Service. These providers act as data processors and may process personal data on our behalf only for the purposes we specify.
- Hosting provider(s): to host the application, databases, and related infrastructure for portal.expressleads360.com and ensure availability and performance.
- Content delivery network (CDN): to deliver content efficiently and improve performance and resilience. This typically involves processing IP addresses and basic technical metadata.
- Payment processor: to manage subscription payments and billing. Payment card information is handled directly by the payment processor and is not stored by us.
- Analytics and advertising providers: To understand how visitors use expressleads360.com and how our campaigns perform, we may use tools such as Google Analytics, Google Ads, and Meta Ads platforms (e.g. Facebook/Instagram Ads, Meta Pixel). These tools help us measure conversions, optimise our marketing, and, where enabled, build remarketing or lookalike audiences. Use of non-essential analytics and advertising cookies or pixels is based on your consent where required and can be adjusted via our cookie settings and your browser or platform ad preferences.
All such providers are bound by confidentiality obligations and data protection agreements. We do not grant them permission to use your personal data for their own independent purposes.
Transfers outside the EU/EEA
The ExpressLeads360 application backend may be hosted or supported by providers located outside the European Economic Area (“EEA”), including the United States. This means personal data may be transferred to and processed in countries that do not always provide the same level of data protection as in the EEA.
When we transfer personal data outside the EEA or the UK, we take steps to ensure an appropriate level of protection, which may include:
- Using providers in countries recognised as offering adequate protection by the European Commission; and/or
- Entering into Standard Contractual Clauses (SCCs) or equivalent contractual safeguards; and
- Implementing additional technical and organisational measures to protect personal data.
You can contact us if you would like more information about international transfers and the safeguards we use.
How long we keep your personal data
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law (for example, for tax or accounting reasons).
- Account and profile data: kept for the lifetime of your account and for a limited period after your account is closed, for example to handle queries, maintain accurate records, or comply with legal obligations.
- Billing and transaction data: retained for the duration required by applicable accounting and tax laws.
- Support and communication records: retained for a reasonable period for quality assurance, dispute resolution, and record-keeping.
- Analytics and log data: retained only as long as needed for security, troubleshooting, improving the Service, and measuring advertising performance, and then deleted or anonymised.
- Lead Data you control: retained according to your settings and instructions as controller. When you delete such data within the Service, it is removed from active systems and then from backups in line with our technical retention schedules.
When data is no longer needed, we will delete it or irreversibly anonymise it, unless we are legally required to retain it for a longer period.
How we protect your information
We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or destruction. These measures may include:
- Encrypted connections (HTTPS) between your browser and our services.
- Secure storage of authentication data, including hashing of passwords.
- Access controls and role-based limitations for administrative accounts.
- Infrastructure-level security protections provided by our hosting partners.
- Monitoring and logging to help detect unusual or malicious activity.
No online service can guarantee absolute security, but we work to keep risk at a reasonable level given the nature of the data and the Service. If we become aware of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant authorities in accordance with applicable laws.
Data protection rights under GDPR
If you are located in the EU/EEA or the UK, you have several rights in relation to your personal data, subject to legal conditions and exceptions:
- Right of access – to obtain confirmation as to whether we process your personal data and to receive a copy.
- Right to rectification – to have inaccurate or incomplete personal data corrected.
- Right to erasure – to request deletion of your personal data in certain circumstances (“right to be forgotten”).
- Right to restriction – to request limitation of processing in specific situations.
- Right to data portability – to receive certain personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object – to object to processing based on our legitimate interests, including direct marketing.
- Right to withdraw consent – where processing is based on consent, you can withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at: . We may need to verify your identity before responding. We aim to respond within the time limits set by applicable law.
You also have the right to lodge a complaint with your local data protection authority if you believe that our processing of your personal data violates applicable data protection law. We would, however, appreciate the opportunity to address your concerns directly first.
Summary of CCPA/CPRA-related rights
If you are a resident of California, you may have certain rights under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), in relation to personal information we collect in our capacity as a business. These may include:
- Right to know the categories of personal information we collect, use, disclose, and retain.
- Right to access specific pieces of personal information we hold about you.
- Right to delete personal information, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising (we do not sell your personal information).
- Right to non-discrimination for exercising your CCPA/CPRA rights.
To exercise your rights under the CCPA/CPRA, you can contact us at: . We may need to verify your identity and residency before fulfilling your request and may decline it where an exception applies.
Service intended for adults in a business context
Our Service is designed for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors.
If you believe that a person under 18 has provided personal data to us, please contact us so that we can take appropriate steps to delete such information from our systems.
How we will notify you about changes
We may update this Privacy Policy from time to time to reflect changes in our Service, in applicable law, or in our internal practices.
When we make material changes, we will:
- Update the “Last updated” date at the top of this page; and
- Provide additional notice via the Service or by email where required by law.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
How to contact us about privacy
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, you can contact:
ExpressLeads360 – Privacy
Email:
We will do our best to respond promptly and handle your request in accordance with applicable data protection laws.