1. Data Controller
The data controller for XP One is LeadsMind AI LTD, a company registered in England & Wales, United Kingdom. Throughout this policy, "we", "us" and "our" refer to LeadsMind AI LTD. "You" refers to any person or company using XP One ("the Service").
If you are a customer of XP One and you upload contact data about third parties (your prospects), you act as the data controller for that data and we act as the data processor, governed by our Data Processing Addendum (available on request to [email protected]).
2. What we collect
We collect only what we need to deliver the Service:
- Account information — name, email, company, password hash, billing address, payment method (handled by Stripe; we never see card numbers).
- Integration tokens — OAuth or session tokens you authorize for LinkedIn, Gmail, Outlook, WhatsApp Business, your CRM. Stored encrypted at rest.
- Lead data — the prospects you import, enrich or generate inside XP One (name, role, company, email, LinkedIn URL, signals).
- Usage logs — pages visited, features used, agent runs, error traces. Used to debug and improve the product.
- Support correspondence — when you email us or chat with support.
We do not collect special categories of data (health, religion, politics, sexual orientation, etc.) and you should not upload such data into XP One.
3. Why we collect it
We process your personal data on the following legal bases under GDPR Article 6:
- Contract (Art. 6.1.b) — to provide, maintain and support the Service.
- Legitimate interest (Art. 6.1.f) — to improve the product, prevent abuse, secure the platform.
- Legal obligation (Art. 6.1.c) — to comply with tax, accounting and law-enforcement obligations.
- Consent (Art. 6.1.a) — for non-essential marketing communications. You can withdraw consent at any time.
4. Storage & security
Your data is stored on AWS EU (Frankfurt, eu-central-1) by default. We never replicate customer data outside the EU/UK without an appropriate transfer mechanism (Standard Contractual Clauses) and a clear notice to you.
Security measures include:
- TLS 1.3 in transit · AES-256 at rest
- OAuth tokens encrypted with envelope encryption (KMS)
- Role-based access control · principle of least privilege
- SOC 2 Type II audit in progress (target Q4 2026)
- Daily encrypted backups · 30-day retention
- Mandatory MFA for all employees with production access
5. Retention
We retain your data while your account is active, and for 30 days after you cancel — to allow recovery in case of accidental cancellation. After 30 days, all customer data (account, leads, sequences, integration tokens, logs containing PII) is permanently and irreversibly deleted from primary storage. Encrypted backups are purged within 90 days.
Aggregated, fully anonymized usage statistics may be kept indefinitely for product analytics.
If you need immediate deletion before the 30-day window, write to [email protected] and we will action it within 7 days.
6. Your rights
Under GDPR (Articles 15–22) and UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you (Art. 15).
- Rectification — ask us to correct inaccurate data (Art. 16).
- Erasure — ask us to delete your data ("right to be forgotten", Art. 17).
- Portability — receive your data in a structured, machine-readable format (Art. 20).
- Object — object to processing based on legitimate interest (Art. 21).
- Restrict — restrict processing in certain circumstances (Art. 18).
- Withdraw consent — at any time, where processing is based on consent.
- Lodge a complaint — with the UK Information Commissioner's Office (ICO) or your local EU data protection authority.
Under CCPA (California residents), you additionally have the right to know what categories of personal information we collect, the right to delete, the right to opt out of "sale" of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.
To exercise any right, email [email protected]. We respond within 30 days.
7. Cookies and tracking technologies
We use two categories of cookies and tracking technologies on xp-one.io:
Essential (no consent required)
- Session — to keep you signed in when using app.xp-one.io.
- Preferences — to remember your UI choices (theme, language, consent decision).
- Cloudflare — basic infrastructure cookies for security and DDoS protection.
Analytics and advertising (require your explicit consent)
The following tools are loaded only after you click "Accept all" on the cookie banner. They do not run if you choose "Essential only" or have not yet made a decision.
- Microsoft Clarity — session recordings, heatmaps and behavioral analytics. Provider: Microsoft Corporation (USA), under EU-US Data Privacy Framework. Retention: 12 months. IP addresses are anonymized. Microsoft Privacy Statement.
- Meta Pixel — measures conversions from Facebook and Instagram advertising and enables retargeting. Provider: Meta Platforms Ireland Ltd. Retention: up to 180 days for advertising data. Cookie names include _fbp, _fbc. Meta Privacy Policy.
- Meta Conversions API (CAPI) — server-side mirror of Meta Pixel events. When you accept tracking, our server (Cloudflare Pages Functions) sends a copy of the same conversion event to Meta with hashed identifiers (SHA-256 of email, phone) and your IP/User-Agent. This improves conversion measurement quality and partly compensates for browser tracking restrictions (iOS 14+, ad blockers). All hashing happens server-side; we never store raw PII. Retention and processing follow the same Meta policy.
- Google Analytics 4 (when active) — pageviews, traffic sources, conversion funnel. Provider: Google Ireland Ltd. IP anonymization enabled. Retention: 14 months. Google Privacy Policy.
Your consent — how to change it
When you first visit xp-one.io, a banner asks you to choose between:
- Accept all — enables analytics and advertising trackers above.
- Essential only — blocks all non-essential trackers. The site remains fully functional.
Your choice is stored locally in your browser for 365 days, then we ask again. You can revoke or change your consent at any time by clicking Reset cookie preferences (this reloads the page and re-displays the banner).
We do not use ad-network cookies, browser fingerprinting, or cross-site identifiers beyond what is explicitly listed above.
8. Sub-processors
To deliver the Service we share limited data with carefully vetted sub-processors, each bound by Data Processing Agreements:
- AWS (Frankfurt) — infrastructure hosting
- Stripe — payment processing
- Postmark / SendGrid — transactional email
- Anthropic / OpenAI — large-language-model inference (zero retention agreements in place)
- Sentry — error monitoring (EU region)
The current sub-processor list is maintained at [email protected] on request. We will notify customers in writing before adding any new sub-processor with access to customer data.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email at least 30 days before taking effect. The "Last updated" date at the top of this page always reflects the current version.
10. Contact
Privacy questions, data requests, DPA requests, or complaints:
- Email: [email protected]
- Postal: LeadsMind AI LTD, United Kingdom (full address provided on request)
- UK supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk