Privacy Policy

Detailed privacy policy covering data categories, lawful basis, retention, subprocessors, GDPR rights, and compliance commitments.

🛡️ Your data stays yours. Period.

Here's what LeadMiner protects for you:

💰 We don't sell anything — neither your data nor your contacts'
👤 Your contacts belong to you — we never reach out to them without you
🔒 Strict confidentiality — your data leaves your account only for actions you initiate
🇪🇺 Everything stays in Europe — 100% European hosting and processing
⏱️ Full control — deletion, export, objection, anytime

For any questions or to exercise your rights: [email protected] (or via the Do Not Mine Me page).

1. Scope and purpose

This policy explains how leadminer.io collects, uses, secures, and retains personal data when delivering contact mining, enrichment, and activation services.

It applies to platform users, prospects, imported contacts, and website visitors.

2. Data controller and contact

ankaboot.io, publisher of leadminer.io, acts as data controller for this website and product operations described here.

Depending on the context, we act:

as a data controller for our website, accounts, and product operations; and/or
as a data processor when customers use the platform to process contact data for their own purposes.

For privacy requests:

Email: [email protected]
General contact: [email protected]

3. Categories of data processed

Depending on your usage, we may process:

Account data: name, business email, technical identifiers.
Contact data: name, email, company, role, phone when available.
Context data: conversation metadata (date, sender, subject), campaign engagement signals (opens, clicks, replies).
Technical/security data: logs, IP addresses, browser details, security traces.

We aim to limit data collection to what is necessary for the service.

4. Processing purposes

We process data to:

Deliver core leadminer.io capabilities (extraction, cleanup, enrichment, export).
Enable user-configured email and SMS campaign activation.
Ensure platform security, abuse prevention, and operational continuity.
Produce aggregated product analytics to improve service quality.
Comply with legal and regulatory obligations.

5. Lawful basis

Depending on context, processing relies on:

Contract performance (providing subscribed services).
Legitimate interest (security, fraud prevention, product improvement).
Consent where legally required.
Legal obligations (accounting, regulatory response, mandated retention).

Customers remain responsible for determining their own lawful basis for outreach activities performed through the platform.

We do not sell personal data.

Data may be processed by essential subprocessors under contractual confidentiality and data protection obligations.

Subprocessors

Provider	Role	Purpose	Data involved (examples)	Location / transfers
DigitalOcean	Hosting	Application hosting, storage, backups	Account data, contact data, technical data	Hosted in Europe; transfers outside the EEA not sought
PostHog (Cloud EU)	Product analytics	Measure product usage and improve the service	Usage events, technical data/cookies (where applicable)	Processing in the European Union
Google	Account access	Connect to Google accounts and access data needed for features	OAuth tokens, mailbox-related data depending on integration	May involve transfers outside the EEA depending on operations; GDPR safeguards apply
Microsoft	Account access	Connect to Microsoft accounts and access data needed for features	OAuth tokens, mailbox-related data depending on integration	May involve transfers outside the EEA depending on operations; GDPR safeguards apply
Debounce / Mailercheck / Zerobounce	Email validation	Validate deliverability / risk of email addresses	Email addresses to validate (minimal metadata)	Providers may be outside the EEA; transfers covered by GDPR safeguards
OpenRouter	AI (signature extraction)	Extract/structure information from email signatures	Content needed for extraction (e.g., signature)	Data may transit outside the EEA depending on models/providers; transfers covered by GDPR safeguards

If transfers outside the EEA are required, we implement appropriate safeguards (such as SCCs and supplementary measures as needed).

7. Retention policy

Retention is limited to what is necessary:

Active account data: for the duration of the contractual relationship.
Operational contact data: based on customer configuration and purpose, with periodic cleanup.
Security logs: retained for investigation and compliance needs.
Deleted data: logical deletion followed by physical purge according to technical cycles.

Unless legal obligations require otherwise, some data may be retained up to 36 months maximum or less if deletion is requested earlier.

8. Security measures

We apply a security-by-design approach including:

Encryption in transit.
Encryption at rest.
Least-privilege access controls.
Logging and active monitoring.
Environment segregation and configuration reviews.
Regular SAST and DAST security testing.
Incident response procedures and notification workflows where applicable.

More details: /en/about#security (short URL: /about#security).

Subject to applicable law, you may request:

Access
Rectification
Erasure
Restriction
Objection
Portability
Withdrawal of consent (where processing is based on consent)

You also have the right to lodge a complaint with the CNIL (France) or your local supervisory authority.

To exercise rights, contact [email protected] with sufficient identifying information. Identity verification may be required to prevent unauthorized disclosure.