1. Who We Are
LikesToLeads ("the Service", "we", "us") is operated from the United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), we are the data controller for the personal information we collect about you as a user of the Service.
For privacy-related enquiries, contact us at support@likestoleads.io.
2. Information We Collect
We collect the following categories of personal information:
- Account information: Name, email address, and password when you create an account. If you sign in with Google, we receive your name, email address, and Google account ID from Google's OAuth service. We do not receive or store your Google password.
- Billing information: Payment details are collected and processed directly by Stripe. We store your Stripe customer ID and subscription ID but never store your credit card number, expiry date, or CVC.
- Usage data: Information about how you use the Service, including signals you create, credits consumed, credit usage logs, and feature interactions.
- Lead data: Publicly available LinkedIn profile data collected through third-party data providers on your behalf. This includes names, headlines, job titles, company names, locations, connection counts, follower counts, industry, company size, and LinkedIn profile URLs of individuals who engage with monitored posts.
- Session data: We store a session identifier containing your user ID, name, email, and a security token (CSRF token) to keep you logged in and protect against cross-site request forgery.
3. Legal Basis for Processing
Under UK GDPR and EU GDPR, we process your personal information on the following legal bases:
- Performance of a contract: Processing your account information, billing data, and usage data is necessary to provide the Service under our Terms of Service.
- Legitimate interests: We process usage data to improve the Service, detect abuse, and ensure security. Our legitimate interest is maintaining a reliable and secure Service. We have assessed that this processing does not override your rights and freedoms.
- Legal obligation: We may process and retain certain data to comply with legal obligations, such as tax and accounting requirements.
Regarding lead data: We process publicly available LinkedIn profile data as a data processor acting on your instructions. You, as the user, are the data controller for lead data you obtain through the Service and are responsible for ensuring you have a lawful basis (such as legitimate interest) for processing that data.
4. How We Use Your Information
We use your information to:
- Create and manage your account.
- Provide the monitoring, enrichment, and lead delivery features of the Service.
- Process payments and manage subscriptions via Stripe.
- Send service-related communications (such as billing confirmations, plan changes, and important Service updates).
- Track credit usage and enforce plan limits.
- Maintain the security and integrity of the Service.
- Comply with legal obligations.
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.
5. Third-Party Service Providers
We share personal information with the following third-party providers, who process data on our behalf:
- Supabase (database hosting) — stores account data, signals, leads, and usage logs. Data is hosted in cloud infrastructure.
- Stripe (payment processing) — processes subscription payments and stores payment methods. Stripe is PCI DSS Level 1 certified. See Stripe's privacy policy.
- Google (OAuth authentication) — processes sign-in requests if you choose to use Google sign-in. We receive your name, email, and Google ID. See Google's privacy policy.
- Third-party LinkedIn data providers (via RapidAPI) — used to retrieve publicly available LinkedIn profile and engagement data for lead enrichment.
- Vercel (hosting) — hosts and serves the Service.
We do not sell, rent, or trade your personal information to third parties. We may disclose information to law enforcement or regulatory authorities when required by law, or to a successor entity in the event of a merger, acquisition, or sale of assets.
6. International Data Transfers
Some of our third-party service providers (including Supabase, Stripe, and Vercel) may process data outside the United Kingdom and European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, such as the provider's adherence to the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision. You can request details of the specific safeguards applied by contacting us.
7. Webhooks and Data Export
When you configure webhooks, lead data is delivered to the endpoint URL you specify. Webhook payloads are signed with HMAC-SHA256 so you can verify their authenticity. When you export data via CSV, the export may contain personal data of third parties (lead data).
Once data leaves the Service through webhooks or CSV export, you are the sole data controller for that data and are responsible for its security, storage, and lawful processing.
8. Cookies
We use only strictly necessary cookies to maintain your session and authentication state. These cookies:
- Are essential for the Service to function and cannot be disabled.
- Store your session identifier (which includes your user ID, name, email, and a CSRF security token).
- Expire after 30 days of inactivity.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under UK or EU law.
9. Data Storage and Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- Passwords are hashed using bcrypt (we cannot see or recover your password).
- CSRF token protection on all form submissions.
- HTTPS encryption for all data in transit.
- Row-level security policies in the database to isolate user data.
- Webhook signatures (HMAC-SHA256) to ensure payload integrity.
No system is completely secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.
10. Data Retention
We retain your data as follows:
- Account data: Retained for as long as your account is active.
- Lead data: Retained for the duration of your subscription. Lead data is preserved if you remove a signal or pause monitoring.
- Credit usage logs: Retained for the duration of your subscription for billing and audit purposes.
- Billing records: Retained as required by applicable tax and accounting laws (typically 6 years under UK law).
Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law.
11. Your Rights
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Request your data in a structured, commonly used, machine-readable format. You can export your lead data at any time via CSV.
- Right to object: Object to processing based on legitimate interests.
To exercise any of these rights, contact us at support@likestoleads.io. We will respond within one month, as required by law. We may ask you to verify your identity before processing your request.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom (ico.org.uk) or your local supervisory authority if you are in the European Economic Area.
12. Children
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from someone under 18, we will take steps to delete that information.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact
For privacy-related questions, data subject requests, or complaints, contact us at support@likestoleads.io.