GDPR Compliance Statement
✓ Leadbunker is fully compliant with the General Data Protection Regulation (GDPR) and committed to protecting the privacy rights of individuals in the European Economic Area (EEA).
1. Our Commitment to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. At Leadbunker, we take GDPR compliance seriously and have implemented measures to ensure that our services respect the rights and privacy of all individuals.
2. Data Processing Activities
2.1 Publicly Available Data
Leadbunker extracts contact information that is publicly available on the internet. Under GDPR Article 6(1)(f), processing of publicly available personal data is lawful when based on legitimate interests, provided it does not override the data subject's rights and freedoms.
2.2 Types of Data We Process
Through our service, we process the following types of publicly available data:
- Email addresses published on websites
- Phone numbers displayed publicly
- Social media profile links
- Business contact information
- Names and job titles (when publicly available)
2.3 Our Role as Data Processor
When you use Leadbunker to extract contact information, you act as the Data Controller, and we act as the Data Processor. This means:
- You determine the purposes and means of processing personal data
- We process data on your behalf according to your instructions
- You are responsible for ensuring your use of the data complies with GDPR
- We provide tools and support to help you maintain compliance
3. GDPR Rights We Support
Leadbunker supports all rights granted to individuals under GDPR:
3.1 Right to Access (Article 15)
Users can request access to their personal data that we hold. We provide this information within 30 days of the request.
3.2 Right to Rectification (Article 16)
If any personal data we hold is inaccurate or incomplete, users can request that we correct or complete it.
3.3 Right to Erasure / "Right to be Forgotten" (Article 17)
Users can request deletion of their personal data from our systems. We will comply unless we have a legal obligation to retain the data.
3.4 Right to Restrict Processing (Article 18)
Users can request that we limit the processing of their personal data under certain circumstances.
3.5 Right to Data Portability (Article 20)
Users can request their data in a structured, commonly used, and machine-readable format.
3.6 Right to Object (Article 21)
Users can object to the processing of their personal data based on our legitimate interests.
3.7 Rights Related to Automated Decision Making (Article 22)
Our AI validation is used to assess data quality, not to make decisions affecting individuals. Users are not subject to automated decision-making with legal or significant effects.
4. Legal Basis for Processing
Our data processing activities are based on the following legal grounds:
4.1 For User Account Data
- Contract (Article 6(1)(b)): Processing necessary to provide our services
- Consent (Article 6(1)(a)): Where you have given explicit consent
- Legal Obligation (Article 6(1)(c)): To comply with legal requirements
4.2 For Extracted Contact Data
- Legitimate Interest (Article 6(1)(f)): Processing publicly available data for business contact purposes
- Public Interest (Article 6(1)(e)): Data already made public by the data subject
5. Data Security Measures
In accordance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure data security:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access and multi-factor authentication
- Data Minimization: We collect only necessary data
- Pseudonymization: Personal identifiers are masked where possible
- Regular Audits: Security assessments and vulnerability testing
- Staff Training: Regular GDPR training for all personnel
- Incident Response: Procedures for data breach notification within 72 hours
6. Data Retention and Deletion
6.1 User Account Data
We retain user account data for as long as your account is active. Upon account deletion, we remove your data within 30 days.
6.2 Extracted Contact Data
Extracted contact data is stored for 30 days, after which it is automatically and permanently deleted from our servers. Users can manually delete data at any time before the 30-day period ends.
6.3 Backup Data
Backup copies are retained for disaster recovery purposes and are securely deleted after 90 days.
7. International Data Transfers
If we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all third-party processors
- Adequacy decisions where transfers are to approved countries
8. Third-Party Processors
We work with carefully selected third-party processors who are also GDPR compliant:
- Cloud Hosting: For infrastructure (GDPR-compliant data centers)
- Payment Processors: For cryptocurrency transactions (blockchain-based)
- Analytics: For service improvement (anonymized data only)
All third parties are bound by Data Processing Agreements (DPAs) that meet GDPR standards.
9. User Responsibilities Under GDPR
As a Data Controller when using Leadbunker, you must:
- Have a Legal Basis: Ensure you have a lawful reason to process the data you extract
- Respect Rights: Honor data subject rights (access, deletion, etc.)
- Obtain Consent: Get consent before sending marketing emails (where required)
- Provide Opt-Out: Include unsubscribe mechanisms in all communications
- Maintain Records: Document your data processing activities
- Report Breaches: Notify authorities of data breaches within 72 hours
- Conduct DPIAs: Perform Data Protection Impact Assessments when necessary
10. Data Protection Officer (DPO)
We have appointed a Data Protection Officer to oversee GDPR compliance:
- Email: dpo@leadbunker.com
- Responsibilities: Monitor compliance, advise on obligations, and serve as the contact point for supervisory authorities
11. Supervisory Authority
If you are not satisfied with our response to a GDPR-related request or complaint, you have the right to lodge a complaint with your local supervisory authority.
For users in the EU, you can find your supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en
12. Transparency and Accountability
We maintain records of our data processing activities and regularly review our practices to ensure ongoing compliance. Documentation includes:
- Data processing inventories
- Data Protection Impact Assessments (DPIAs)
- Data Processing Agreements with processors
- Security policies and procedures
- Staff training records
13. Breach Notification
In the unlikely event of a data breach:
- We will notify the relevant supervisory authority within 72 hours
- Affected users will be informed without undue delay
- We will provide details about the breach and measures taken
- We will cooperate fully with authorities during investigations
14. Children's Data
Our services are not directed to children under 16. We do not knowingly collect or process data of children. If we become aware that we have collected data from a child, we will delete it immediately.
15. Updates to This Statement
We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. Material changes will be communicated to users via email or website notice.
16. Exercise Your Rights
To exercise any of your GDPR rights, please contact us:
- Email: privacy@leadbunker.com or dpo@leadbunker.com
- Subject Line: "GDPR Request - [Your Right]"
- Include: Full name, email address, and details of your request
We will respond to all requests within 30 days (or 60 days for complex requests, with notification).
✓ Summary: Leadbunker is committed to GDPR compliance. We process only publicly available data, implement strong security measures, support all data subject rights, and maintain transparency in our data processing activities. Your privacy and data protection are our priorities.