LeadderLeadder

Last updated:

Privacy Policy

GDPR · UK GDPR · CCPA/CPRA · KVKK Compliant Effective Date: May 6, 2026 | Last Updated: May 6, 2026

1. Introduction and Scope

This Privacy Policy ("Policy") explains how Leadder ("leadder.co", "Platform", "we", "us", "our") collects, uses, processes, discloses, and protects personal information of our users ("User", "you", "your") in connection with our services.

Leadder is a Software-as-a-Service (SaaS) platform that enables advertisers, agencies, and businesses to: (i) create, manage, and optimize advertising campaigns on Meta Platforms (Facebook, Instagram), Google Ads, TikTok Ads, and LinkedIn Ads; (ii) collect and centrally manage lead form responses from these advertising platforms; (iii) track and optimize conversion events across web and mobile properties; (iv) execute growth campaigns aimed at customer acquisition, revenue growth, user growth, retention, and similar business objectives; (v) plan, monitor, and report on advertising budgets and performance.

This Policy is designed to comply with applicable data protection laws globally, including but not limited to the GDPR, UK GDPR, CCPA/CPRA, VCDPA, Colorado Privacy Act, Connecticut DPA, Texas DPSA, Utah CPA, and the Turkish Personal Data Protection Law No. 6698 (KVKK).

By using the Platform, registering an account, or accessing our services, you acknowledge that you have read, understood, and agreed to this Policy.

2. Controller and Contact Information

The data controller responsible for processing your personal information is:

  • Legal Entity: CZ Partners Reklam Teknoloji Eğitim Danışmanlık Ltd Şti
  • Mersis Number: 0216154593500001
  • Tax ID: 2161545935
  • Registered Address: Esentepe Mah. Büyükdere Cad. Levent 199 No: 199 İç Kapı No: 6 Şişli/İstanbul, Türkiye
  • General Contact: support@leadder.co
  • Privacy / Data Protection: privacy@leadder.co
  • Data Protection Officer (DPO): dpo@leadder.co
  • Website: https://leadder.co

3. Definitions

  • Personal Data / Personal Information: Any information relating to an identified or identifiable natural person.
  • Sensitive Personal Information: Special categories of data including racial/ethnic origin, religious beliefs, health data, sexual orientation, biometric/genetic data.
  • Controller / Business: The entity that determines the purposes and means of processing personal data.
  • Processor / Service Provider / Contractor: An entity that processes personal data on behalf of the Controller.
  • Lead Data: Personal information collected from third parties (end users) via lead generation forms.
  • End User: A third-party natural person who responds to a User's advertisement or fills out a lead form.
  • Conversion Event: User-defined actions tracked on the User's website or app.
  • Advertising Platform: Third-party advertising services including Meta, Google, TikTok, and LinkedIn.

4. Controller / Processor Role Allocation

4.1. User Account Data

With respect to data you provide when registering for and using your Leadder account (name, email, billing details, account preferences), Leadder acts as the Data Controller.

4.2. Lead Data and Conversion Data

With respect to End User data collected by you through your advertising campaigns:

  • YOU (the User) are the Data Controller / Business. You determine the purposes and means of processing.
  • LEADDER is the Data Processor / Service Provider. We process this data only on your documented instructions.

All obligations toward End Users under GDPR Articles 13–14, CCPA, and KVKK Article 10 — including obtaining consent, responding to data subject access requests, and registering as a data controller — rest with you.

4.3. Data Processing Agreement (DPA)

The scope of our Processor relationship is governed by our Data Processing Agreement (DPA), which is incorporated into and forms part of our Terms of Service.

5. Categories of Personal Information We Process

5.1. Information We Collect Directly From You

  • Identity Information: First name, last name, username, profile photo (optional)
  • Contact Information: Email address, phone number, billing/business address
  • Company Information: Company name, tax ID, industry, employee count, website URL
  • Account Credentials: User ID, hashed password, account preferences
  • Financial Information: Billing details, payment method (card details processed through PCI-DSS certified processors — not stored by Leadder)
  • Usage Data: Session logs, IP address, device/browser information, click behavior
  • OAuth Authorization Tokens: Access tokens and refresh tokens from Meta, Google, TikTok, LinkedIn (encrypted at rest)
  • Communications: Support tickets, email correspondence, chat transcripts

5.2. Information Pulled from Advertising Platforms

Under your express authorization via OAuth, we retrieve and present:

  • Ad account data, campaign structures, creative assets
  • Performance metrics (impressions, clicks, conversions, spend, ROAS)
  • Lead form responses
  • Conversion/event data including hashed identifiers (email, phone, External ID)
  • Custom and lookalike audience data

Lead and conversion data is stored with AES-256 encryption at rest.

5.3. Information Collected Automatically

Log records, device/browser information, approximate location (country/city level via IP), cookies.

| Purpose | Legal Basis | |---|---| | Account creation, billing, service delivery | Performance of contract (GDPR Art. 6(1)(b)) | | Tax/accounting records, legal requests | Legal obligation (GDPR Art. 6(1)(c)) | | Security, fraud prevention, analytics | Legitimate interests (GDPR Art. 6(1)(f)) | | Marketing communications, non-essential cookies | Consent (GDPR Art. 6(1)(a)) |

7. How We Share Personal Information

7.1. Service Providers and Sub-Processors

We engage sub-processors under written DPAs:

  • Cloud Infrastructure: Supabase, Inc.; Vercel Inc.; Cloudflare, Inc.
  • Advertising Platform APIs: Meta Platforms, Inc.; Google LLC; TikTok / ByteDance; LinkedIn Corporation
  • Payment Processors: Stripe, Inc. (PCI-DSS certified)
  • Email/Communication: Resend
  • Analytics/Error Monitoring: Sentry, PostHog

Full list: leadder.co/sub-processors

When required by law, court order, or to protect safety.

7.3. Business Transfers

In connection with a merger, acquisition, or sale of assets.

We do NOT sell your personal information for monetary consideration.

8. International Data Transfers

8.1. Transfer Mechanisms

  • EU/EEA and UK: Standard Contractual Clauses (Decision 2021/914, Modules 2 and 3), UK Addendum, and EU-U.S. Data Privacy Framework where applicable
  • Türkiye: KVKK Article 9 (as amended by Law No. 7499 / January 28, 2024) via Turkish Personal Data Protection Authority Standard Contracts, notified within 5 business days
  • Other Jurisdictions: Binding contractual safeguards or explicit consent

9. Data Retention

| Data Category | Retention Period | |---|---| | Account Data | While active + 10 years after closure | | Billing Records | 10 years (VUK and applicable foreign tax law) | | Traffic and Operation Logs | 2 years (Türkiye Law No. 5651) | | Lead Data (as Processor) | Duration of subscription; deleted within 30 days after account closure | | Marketing Data (Consent-Based) | Until consent withdrawn | | Support Tickets | 3 years after ticket closure |

10. Your Rights — GDPR / UK GDPR

You have the right to:

  • Access (Art. 15) — obtain a copy of your personal data
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — request deletion ("right to be forgotten")
  • Restrict Processing (Art. 18)
  • Data Portability (Art. 20)
  • Object (Art. 21)
  • Withdraw Consent at any time
  • Lodge a Complaint with your supervisory authority

11. Your Rights — U.S. State Privacy Laws

Applies to residents of California, Virginia, Colorado, Connecticut, Texas, Utah, and other applicable U.S. states.

Rights include: Right to Know/Access, Right to Delete, Right to Correct, Right to Data Portability, Right to Opt-Out of Sale/Sharing, Right to Opt-Out of Targeted Advertising, Right to Non-Discrimination, Right to Appeal.

We honor the Global Privacy Control (GPC) browser signal as an opt-out.

We do not knowingly collect personal information from individuals under 16 years of age.

12. Your Rights — Türkiye (KVKK)

Rights under KVKK Article 11: learn whether data is processed, request information, learn purposes and third parties, request correction, request deletion/destruction, object to automated processing, claim compensation.

Requests addressed within 30 days. Complaints: kvkk.gov.tr

13. How to Exercise Your Rights

  • Email: privacy@leadder.co
  • Online Form: https://leadder.co/privacy/data-request
  • Mail: CZ Partners Reklam Teknoloji, Esentepe Mah. Büyükdere Cad. Levent 199 No: 199 İç Kapı No: 6 Şişli/İstanbul, Türkiye

Response timeframes: 30 days (GDPR/KVKK); 45 days extendable by 45 days (CCPA). Requests are free of charge unless manifestly unfounded or excessive.

14. Data Security

Technical Measures: TLS 1.2+ in transit, AES-256 at rest, SHA-256 hashing, bcrypt/Argon2 passwords, OAuth tokens encrypted via vault/KMS, MFA, regular backups, RBAC, WAF, DDoS protection, penetration testing.

Organizational Measures: Confidentiality agreements, regular data protection training, DPAs with all sub-processors, data inventory, incident response plan.

14.1. Data Breach Notification

  • GDPR/UK GDPR: Supervisory authority within 72 hours; individuals without undue delay if high risk
  • CCPA/CPRA and U.S. state laws: Per applicable state breach notification statutes
  • KVKK: Authority and affected individuals within 72 hours where applicable
  • To Users (where Leadder is Processor): Within 24 hours of becoming aware

15. Cookies and Similar Technologies

The Platform uses cookies, local storage, pixels, and similar technologies. See Cookie Policy. Cookie consent banner presented on first visit.

16. Automated Decision-Making and Profiling

The Platform uses automated data analysis and ML models for advertising optimization, audience suggestions, and performance forecasting. These do not produce legal or similarly significant effects on you and are subject to your right to challenge and request human review.

17. Third-Party Services

Platform integrates with Meta, Google, TikTok, and LinkedIn via their APIs. Their privacy policies:

  • Meta: https://www.facebook.com/privacy/policy/
  • Google: https://policies.google.com/privacy
  • TikTok: https://www.tiktok.com/legal/privacy-policy
  • LinkedIn: https://www.linkedin.com/legal/privacy-policy

Leadder is not responsible for third-party platforms' data processing practices.

18. Account Closure and Data Deletion

  • T+0: All OAuth tokens revoked, integrations severed, account access disabled
  • 0–30 Days (Soft Delete): Data retained in recoverable state
  • Day 30 (Hard Delete): Permanently deleted. Confirmation email within 35 days

Legal Retention Exceptions: Tax records, traffic logs, and legal hold data retained under access isolation.

Meta Data Deletion Callback: Callback URL: https://leadder.co/api/meta/data-deletion Manual instructions: leadder.co/data-deletion

19. Children's Privacy

Platform not directed to children under 18. Contact privacy@leadder.co regarding minors' data.

20. Do Not Track Signals

DNT signals honored as opt-out for non-essential analytics and marketing. GPC signal honored as opt-out for sale/sharing under applicable U.S. state laws.

21. Changes to This Privacy Policy

Material changes communicated via email and/or in-Platform notification at least 30 days before taking effect. Past versions archived at https://leadder.co/privacy/archive.

22. Governing Law and Jurisdiction

Governed by the laws of the Republic of Türkiye. For consumer Users, mandatory local consumer protection rights prevail. EU and UK data subjects retain the right to bring proceedings in their local courts.

23. Contact Us

  • General Privacy: privacy@leadder.co
  • Data Protection Officer: dpo@leadder.co
  • Legal Notices: legal@leadder.co
  • Data Subject Requests: https://leadder.co/privacy/data-request
  • Mail: CZ Partners Reklam Teknoloji Eğitim Danışmanlık Ltd Şti, Esentepe Mah. Büyükdere Cad. Levent 199 No: 199 İç Kapı No: 6 Şişli/İstanbul, Türkiye