Data Processing Addendum

Version 1.4 · Last updated 18 May 2026.

This Data Processing Addendum (the "DPA") is part of our Terms of Service. It applies whenever Lead Source processes personal data on your behalf as your data processor — which, in practice, is whenever you have our tracking script installed on a website.

It exists because privacy law (GDPR, UK GDPR, the Australian Privacy Act, and similar regimes) requires controllers and processors to have a written contract that covers specific things. This is that contract. You don't have to sign it separately — it's automatically part of your agreement when you accept our Terms.


1. Background and definitions

This DPA is entered into between Leftleads Pty Ltd, ABN 27 653 931 107, a company registered in Victoria, Australia, trading as Lead Source ("Lead Source," "we," "us," "our") and you, the customer identified in your Lead Source account ("you," "your," the "customer").

Capitalised terms not defined here have the meanings in our Terms of Service. In addition:

  • "Applicable Data Protection Law" means any law on the protection of personal data that applies to the processing under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the United Kingdom GDPR and the Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the Australian Privacy Act 1988 (the "Privacy Act") including the Australian Privacy Principles ("APPs"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and any other comparable law that applies.
  • "Personal Data," "processing," "controller," "processor," "data subject," and "supervisory authority" have the meanings given in the GDPR, and equivalent terms in other Applicable Data Protection Law (including "personal information" under the Privacy Act) have the same meaning by analogy.
  • "Customer Personal Data" means personal data that we process on your behalf under our Terms of Service, including data captured by our tracking script on your websites and data submitted via our application.
  • "Service Generated Data" means aggregated, statistical, pseudonymised or de-identified data derived from our operation of the service, as described in section 4A.
  • "Subprocessor" means a third party we engage to process Customer Personal Data on our behalf.
  • "Standard Contractual Clauses" or "SCCs" means the Module 2 (controller-to-processor) and where relevant Module 3 (processor-to-processor) contractual clauses approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021, as updated from time to time. "UK IDTA" means the United Kingdom International Data Transfer Addendum to the SCCs, issued by the UK Information Commissioner.

2. When this DPA applies

This DPA forms part of, and is incorporated by reference into, our Terms of Service. By accepting the Terms of Service (whether by signing up, clicking to accept, installing our tracking script, or otherwise using the service), you also accept this DPA.

This DPA applies for as long as we process Customer Personal Data on your behalf, and survives termination of the Terms of Service to the extent and for the period necessary to fulfil obligations that by their nature continue (for example, deletion confirmation, breach notification, audit cooperation).

If you are an enterprise customer that requires a counter-signed copy on a separate signature page, contact legal@leadsource.co. The substantive terms will be the same as on this page.

3. Roles of the parties

For Customer Personal Data:

  • You are the controller. You determine the purposes and means of the processing.
  • We are your processor. We process Customer Personal Data only on your documented instructions, which include the Terms of Service, this DPA, the configuration choices you make in our application, and our written records of any specific instructions you give us. The single exception is Service Generated Data, addressed separately in section 4A.

For Service Generated Data: Where we derive Service Generated Data in accordance with section 4A, we act as controller of that data. Because Service Generated Data is aggregated, statistical, or de-identified such that it cannot reasonably be used to identify an individual, it is generally outside the scope of "personal data" under Applicable Data Protection Law once derived. Pseudonymised records that have not yet been aggregated or de-identified remain personal data (GDPR Recital 26) and are processed as Customer Personal Data under this DPA.

For our own business processing: Where we process personal data for our own purposes — running our company, billing, fraud prevention, communications with you — we act as a controller, governed by our Privacy Policy, not this DPA.

4. Scope, nature, and purpose of processing

The details of the processing are set out in Annex I. Lead Source is a business-to-business service, sold only to business customers for their own business and marketing activities.

We process Customer Personal Data only for the purposes described in Annex I and the Terms of Service. We do not sell or trade Customer Personal Data, do not share it with any party other than as required to deliver the service to you, and do not use it to market to your visitors or leads.

4A. Service Generated Data

What Service Generated Data is. Service Generated Data is data we derive from the operation of the service that is aggregated, statistical, pseudonymised, or de-identified such that it cannot reasonably be used to identify any individual data subject. Examples include: counts of leads attributed to particular marketing channels; accuracy metrics for our attribution algorithms; aggregated patterns of feature use across customer accounts; security and fraud signals.

What we use Service Generated Data for. Improving attribution accuracy, improving product features, detecting fraud and security incidents, monitoring service health, and producing aggregated industry-level analyses (where no single customer or data subject is identifiable).

What we will not do. We will not re-identify any individual from Service Generated Data, combine it with other data to identify individuals, or share it in a form that identifies any individual, your business, or your competitors' businesses.

Opt-out. If you would prefer your account's data not to contribute to Service Generated Data, you can opt out in your account settings or by emailing privacy@leadsource.co. Opt-out applies going forward; aggregated metrics already derived may continue in existence in their aggregated form.

De-identification standard. Direct identifiers (name, email address, phone number) are removed or transformed before Customer Personal Data enters any analytics pipeline. Any aggregated metric we externalise reflects at least five distinct contributing data subjects or customer accounts (aggregations below that threshold are suppressed).

5. Our obligations as processor

We will:

  • Documented instructions. Process Customer Personal Data only on your documented instructions, except where required by law.
  • Confidentiality. Ensure that personnel authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality.
  • Security. Implement and maintain the technical and organisational measures set out in Annex II, appropriate to the size, resources, and operational maturity of Lead Source, consistent with Article 32 GDPR and APP 11 of the Privacy Act.
  • Subprocessor governance. Respect the conditions for engaging Subprocessors in section 9.
  • Assistance. Assist you with data-subject requests, security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities.
  • Deletion and return. At your choice, delete or return Customer Personal Data at the end of the provision of services, as set out in section 14.
  • Compliance demonstration. Make available to you all information reasonably necessary to demonstrate compliance with the obligations in this DPA, subject to the audit framework in section 15.

6. Your obligations as controller

You warrant and agree that you are a business entity using the service for your own business and marketing activities, and that:

  • Lawful basis. You have established and continue to maintain a valid lawful basis under Applicable Data Protection Law for the collection, the processing by us as your processor, and any onward use you make of the data.
  • Notice and transparency. You have provided to data subjects all notices, transparency information, and disclosures required by Applicable Data Protection Law, including any required statement that you use Lead Source to capture form-submission and attribution data.
  • Consent where required. Where consent is the lawful basis required by Applicable Data Protection Law, you have obtained that consent before our script captures the relevant data.
  • No infringing instructions. You will not instruct us to process Customer Personal Data in any way that infringes Applicable Data Protection Law.
  • No special-category use. You will not use the service to capture or process special-category personal data or sensitive information, except where you have implemented the additional required safeguards and given us advance written notice.

7. Confidentiality of personnel

We ensure that personnel authorised to process Customer Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality, receive appropriate training, and access Customer Personal Data only on a need-to-know basis.

8. Security measures

We implement and maintain technical and organisational measures appropriate to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access. Those measures are described in Annex II. We will keep those measures under review and will not materially decrease the overall level of protection during the term of your agreement.

9. Subprocessors

General authorisation. You give us general written authorisation to engage Subprocessors, provided each Subprocessor is bound by data-protection obligations no less protective than this DPA.

Current list. The Subprocessors we use as at the date of this DPA are listed in Annex III.

Changes. We will give you at least 14 days' advance notice of the addition or replacement of any Subprocessor by updating the public Subprocessor page at leadsource.co/subprocessors.

Objections. You may object to a new or replacement Subprocessor on reasonable data-protection grounds within 7 days of our notice. If we cannot reach a resolution within 30 days, you may terminate the service for the affected processing without penalty. That termination right is your sole remedy for unresolved Subprocessor objections.

10. International data transfers

Customer Personal Data may be processed in the country where you are located, in the United States (primary database, US East / N. Virginia), and in any other country where we or our Subprocessors operate.

Where a transfer from the EEA, UK, or Switzerland to a country without an adequacy decision requires additional safeguards, the Standard Contractual Clauses (Module 2) are hereby incorporated into this DPA. The UK IDTA is incorporated by reference for UK transfers. For Australian transfers (APP 8), we take reasonable steps to ensure Subprocessors do not breach the APPs.

11. Assistance with data-subject rights

We will provide you with the tools, information, and reasonable assistance you need to respond to data-subject requests under Applicable Data Protection Law, including access, rectification, erasure, restriction, portability, and objection.

Our standard self-service tools allow you to search, export, correct, and delete Customer Personal Data through our application. If a data subject contacts us directly, we will refer them to you.

12. Assistance with DPIAs and consultations

We will provide reasonable assistance to help you meet your obligations under Articles 32 to 36 of the GDPR and their equivalents, including data protection impact assessments and prior consultations with supervisory authorities.

13. Personal data breach notification

If we become aware of a personal data breach affecting Customer Personal Data, we will notify you without undue delay, and in any event within 72 hours of becoming aware, by email to the security or primary contact on your account.

The notification will include: the nature of the breach; the likely consequences; the measures taken or proposed; and the name and contact details of the person from whom further information can be obtained.

14. Deletion and return of data

At your choice, we will delete or return all Customer Personal Data at the end of our provision of the service, and delete any remaining copies, unless storage is required by a law that applies to us.

By default, after your account is closed or subscription ends, we keep Customer Personal Data in active systems for 45 days, during which you can request immediate deletion or export by emailing privacy@leadsource.co. After that, active data is hard-deleted. Backup copies expire on a rolling 7-day cycle.

On request, we will provide written confirmation that deletion has been completed.

15. Audits and inspections

We will make available to you all information reasonably necessary to demonstrate compliance with this DPA. Where documentation is insufficient, you may request a focused audit, subject to: 30 days' advance written notice; no more than once in any twelve-month period (other than following a personal data breach); an independent, qualified, and confidentiality-bound auditor; and reasonable scope proportionate to the nature of our processing and the size of our business. You bear the costs of the audit unless it identifies a material non-compliance by us.

16. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions in the Terms of Service, in particular the Limitation of liability and Indemnity sections. The liability cap applies to claims under this DPA and the Terms of Service in the aggregate.

17. Order of precedence

If there is a conflict, the following order of precedence applies (highest first): (1) the Standard Contractual Clauses and UK IDTA, for cross-border transfers; (2) this DPA; (3) the Terms of Service.

18. Changes to this DPA

We may update this DPA from time to time to reflect changes in Applicable Data Protection Law or operational changes that don't materially reduce your protections. For material changes, we will give you reasonable advance notice by email. If a change materially reduces your protections, you may terminate the service for the affected processing within 30 days of our change notice.

19. Governing law

This DPA is governed by the law of Victoria, Australia, except that the Standard Contractual Clauses are governed by the law specified within them, and the UK IDTA is governed by the laws of England and Wales.


Annex I — Details of processing

Data exporter (controller): The customer, identified in the customer's Lead Source account.
Data importer (processor): Leftleads Pty Ltd, trading as Lead Source.

Categories of data subjects: Visitors to the customer's websites where the tracking script is installed; persons who submit forms on those websites; other persons whose personal data the customer uploads or processes through the service.

Categories of personal data: Form-submission data (name, email, phone, company, and any other form fields); attribution data (referrer URL, UTM parameters, landing page, in-session page sequence); technical session data (IP address, user-agent, approximate geolocation from IP, timestamp); customer-uploaded data.

Special categories: None by design. The customer is responsible for not configuring the service to capture special-category data on its forms or pages.

Frequency: Continuous, for as long as the tracking script is installed and the account is active.

Nature: Collection, storage, organisation, structuring, attribution, retrieval, display, export, deletion, and transmission of Customer Personal Data to the customer's account, as necessary to provide the service.

Purpose: To provide the customer with attribution information about leads captured through forms on the customer's websites.

Duration: For the duration of the customer's subscription, plus the retention period set out in section 14 after termination.


Annex II — Security measures

Access control: Role-based access to production systems with the principle of least privilege; unique credentials per user; MFA required for administrative access to production infrastructure.

Encryption: TLS 1.2 or higher in transit; encryption at rest for the production database (provided by Supabase); key management by managed key services of hosting subprocessors.

Network and infrastructure security: Production infrastructure hosted with reputable cloud providers (Supabase, US East / N. Virginia; Vercel global edge); network segmentation between production and non-production environments; regular patching through managed services.

Application security: Authentication and session management following current best practices; input validation, output encoding, and parameterised queries; automated dependency vulnerability scanning; code review of significant changes prior to production deployment.

Logging and monitoring: Authentication and administrative actions are logged; logs retained for at least 90 days where infrastructure permits; alerting on basic operational anomalies.

Resilience: Automated backups of the production database performed by our managed database subprocessor; documented restoration procedures; basic disaster recovery appropriate to current scale.

Personnel: All personnel with production access are bound by written confidentiality undertakings; security and privacy awareness is part of onboarding; access revoked promptly on completion of engagement.

Vendor management: Subprocessors selected with regard to their published privacy and security posture; each engaged under data-protection terms substantively consistent with this DPA.

Incident response: Incident-response procedure documented internally; defined notification path to affected customers within 72 hours of becoming aware of a personal data breach.


Annex III — Subprocessors

| Subprocessor | Purpose | Data processed | Region |
|---|---|---|---|
| Supabase Inc. | Managed database and authentication | All Customer Personal Data; primary application database | United States (US East / N. Virginia) |
| Vercel Inc. | Application hosting and edge delivery | Customer dashboard delivery; tracking script delivery | Global edge network |
| SendGrid (Twilio Inc.) | Transactional email delivery | Notification emails, account emails, support replies | United States |
| Stripe, Inc. | Payment processing | Billing data for paid plans (card data held by Stripe, not by us) | United States / Australia |

Named vendors and any changes are published at leadsource.co/subprocessors and updated in accordance with section 9.


Annex IV — Tracking Technology Statement

What the script does:

  • Reads URL parameters (including UTM parameters) and the document referrer from the page on which it is loaded;
  • Observes form-submission events on the page;
  • At the moment of form submission, sends the submitted form fields and the attribution data to our server; the requesting IP address and user-agent are read by our server from that HTTP request rather than collected by the script.

What the script does not do:

  • Does not set, read, or modify cookies on the visitor's browser;
  • Does not write to localStorage or sessionStorage;
  • Does not perform device fingerprinting (no canvas, WebGL, font, audio, or hardware fingerprinting);
  • Does not generate or store any persistent client-side identifier;
  • Does not track activity across browser restarts or across different websites;
  • Does not record keystrokes, mouse movements, or session replays;
  • Does not read form field values the visitor typed but did not submit;
  • Does not scrape or inspect unrelated DOM content;
  • Does not send data to advertising networks or data brokers.

Implication for ePrivacy / PECR analysis. Because the script does not store information on the visitor's device or read information already stored there (it reads only the current page's URL and referrer, and form fields at the moment they are submitted), the storage-and-access requirements of the EU ePrivacy Directive, UK PECR, and equivalent regimes do not generally apply to the script itself. The customer should confirm that position against current regulator guidance, which reads "access" broadly (for example, the EDPB's Guidelines 2/2023 on the technical scope of Article 5(3)). The customer's analysis still needs to address the processing of personal data on submission, which is governed by GDPR / UK GDPR / Privacy Act rather than ePrivacy / PECR.

Geolocation. IP-derived approximate geolocation is performed internally by Lead Source. No third-party enrichment service is used.

If any of the above changes — for example, if a future version of the script were to introduce cookies, client-side storage, or fingerprinting — we will update this Annex IV and notify customers in advance.


End of Data Processing Addendum.