Privacy Policy

1. Who we are

Hilead Ltd
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom
Companies House Number: 17205087
Privacy contact: hello@hilead.co

For the purposes of UK GDPR and EU GDPR, Hilead Ltd is the data controller of personal data described in this policy, except where stated otherwise.

We will appoint an EU representative under Article 27 GDPR where required by applicable law. Contact details will be updated in this policy once appointed.

2. Categories of personal data we process

We process personal data in three distinct contexts:

2.1 Account data (about our customers)

When you sign up and use the Service, we process:

• Identity: name, email address, professional role.
• Account credentials: hashed password, authentication tokens.
• Billing data: company name, billing address, VAT number, payment status. Actual payment card details are processed directly by Lemon Squeezy as Merchant of Record and never reach our systems.
• Communications: emails you send to us, support tickets, feedback.
• Usage data: pages viewed, features used, IP address, browser type, device information, timestamps, referrer URL.

2.2 Prospect data (about business contacts in our database)

To provide the Service, we maintain a database of business-to-business professional contacts compiled from publicly available sources, including business directories, professional networks, company websites, and public corporate filings.

This data may include:

• Full name.
• Professional email address.
• Professional phone number, where available.
• Job title, seniority, department.
• Employer name, industry, headcount, location.
• Professional social profile URLs.
• Public professional history.
• Publicly available business signals (funding rounds, hiring activity, technology stack, news mentions, and similar).

This data relates to individuals acting in their professional capacity. We do not knowingly collect or process sensitive personal data, consumer data, or data relating to minors.

2.3 Outreach data (about our customers’ campaigns)

When customers use the Service to run outbound campaigns, we process on their behalf:

• Campaign content (templates, sequences, copy).
• Lists of selected prospects.
• Engagement signals (opens, replies, opt-outs).
• Suppression lists.

For this category, we act as a data processor on behalf of our customers, who act as data controllers.

3. Legal bases and how we use personal data

3.1 Account data

3.2 Prospect data

We process prospect data on the basis of legitimate interest under Article 6(1)(f) UK/EU GDPR: the legitimate interest of our customers and ourselves in enabling targeted business-to-business communications.

We have conducted a documented Legitimate Interest Assessment (LIA) which considers:

• The professional, non-consumer nature of the data.
• The reasonable expectations of business professionals to be contacted in their professional capacity.
• The data minimisation principle (we hold only data needed for B2B identification).
• The safeguards in place (opt-out mechanisms, suppression lists, deletion requests, retention limits).

The LIA is reviewed periodically and updated as our processing evolves. You may object to this processing at any time (see Section 8).

3.3 Outreach data

We process outreach data as a processor on behalf of our customers under contract performance terms. Customers determine the content, recipients, and frequency of their communications and are responsible for the lawful basis of their processing.

4. How we obtain prospect data

We obtain prospect data through:

• Publicly available sources: company websites, public business directories, professional networks where information is published by individuals or their employers, public corporate filings, and public press.
• Vetted third-party data providers that contractually warrant lawful collection of the data they supply.
• Inference and enrichment based on combining publicly available signals.

We do not purchase data from sources known to obtain it unlawfully, and we require our suppliers to provide written warranties to that effect.

5. How we share personal data

We do not sell personal data within the meaning of UK/EU GDPR. We do not sell personal data within the meaning of CCPA/CPRA, except to the extent that providing prospect data to our customers as part of the Service may constitute a “sale” or “share” under California law. California residents have the right to opt out of any such sale or share (see Section 9).

We share personal data in the following circumstances:

5.1 Service providers (processors)

We use carefully selected providers to operate the Service. The categories include:

• Payments and Merchant of Record: Lemon Squeezy LLC.
• Hosting and infrastructure: Hetzner Online GmbH (Germany), and other infrastructure providers as needed.
• Email infrastructure: Resend (transactional email).
• Analytics and monitoring.
• Customer support tools.
• Data sources and enrichment providers.

A current list of subprocessors and their locations is available on request at hello@hilead.co. These providers process personal data only on our instructions and under data processing agreements that meet UK/EU GDPR requirements.

5.2 Hilead customers

Prospect data made available within the Service is accessible to our customers, who become independent controllers for their own outreach activities. Customers are contractually required, through our Terms of Service and DPA, to comply with applicable data protection law and to honour opt-out and deletion requests.

5.3 Legal disclosures

We may disclose personal data if required by law, court order, or a valid request from a public authority, or to protect our rights, property, or safety, or that of our users or others.

5.4 Business transfers

If we are involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected individuals where required by law.

6. International transfers

We are based in the United Kingdom, and our primary infrastructure is located in the European Economic Area (EEA), specifically Germany. Some of our service providers are located outside the UK and EEA, including in the United States.

When personal data is transferred outside the UK or EEA, we rely on appropriate safeguards, including:

• Adequacy decisions issued by the UK or EU.
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs.

Where required, we conduct transfer impact assessments to verify that recipient countries provide an essentially equivalent level of protection.

7. Retention

We retain personal data only as long as necessary for the purposes set out in this policy:

• Account data: for the duration of your subscription, plus up to 6 years after account closure for legal, tax, and accounting obligations under UK law.
• Prospect data: until removed at the request of the data subject, or until our internal review identifies the record as no longer relevant for legitimate B2B targeting (typically reviewed at least annually).
• Outreach data: in line with our customers’ instructions, typically for the duration of their subscription plus a short transition period of up to 90 days.
• Logs and security data: typically up to 12 months, longer if needed for security investigations or legal obligations.
• DSAR records: up to 3 years from the date of request.

When retention periods expire, we delete or irreversibly anonymise the relevant personal data.

8. Your rights under UK and EU GDPR

Subject to applicable law, you have the following rights:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct inaccurate or incomplete data.
• Erasure (“right to be forgotten”): request deletion of your data, subject to applicable exceptions.
• Restriction: ask us to limit processing in certain circumstances.
• Objection: object to processing based on legitimate interests, including processing for direct marketing or for inclusion in our prospect database.
• Data portability: receive your data in a structured, commonly used, machine-readable format.
• Withdraw consent: where processing is based on consent, withdraw it at any time.
• Lodge a complaint: with a supervisory authority. In the UK, the Information Commissioner’s Office (ICO) at ico.org.uk. In the EU, your local Data Protection Authority.

To exercise any of these rights, contact us at hello@hilead.co. We will respond within one month as required by law (extendable by two further months for complex requests, with notice). We may need to verify your identity before processing certain requests.

8.1 Quick removal from our prospect database

If you are a business professional and wish to be removed from our prospect database:

1. Send an email to hello@hilead.co with the subject line “Remove me from prospect database”.
2. Include the email address(es) and, if possible, the LinkedIn or company URL associated with your record.
3. We will action the request within 30 days, at no charge.
4. We will add your details to a suppression list to prevent re-collection.

9. California (CCPA/CPRA) rights

If you are a California resident, you have the following additional rights:

• Right to know the categories and specific pieces of personal information we have collected about you.
• Right to delete personal information.
• Right to correct inaccurate personal information.
• Right to opt out of the “sale” or “sharing” of personal information.
• Right to limit the use and disclosure of sensitive personal information (we do not knowingly process sensitive personal information).
• Right not to be discriminated against for exercising your rights.

To exercise these rights, email hello@hilead.co with the subject line “California Privacy Request”. We will verify your request as required by law and respond within statutory timeframes.

10. Cookies and tracking technologies

We use a limited set of cookies and similar technologies on hilead.co:

• Strictly necessary cookies: required for the Service to function (session, authentication).
• Analytics cookies: to understand how visitors use our website (subject to your consent where required).
• Functional cookies: to remember preferences.

We do not use advertising cookies or cross-site tracking. You can manage your cookie preferences via your browser settings or our cookie banner where applicable.

11. Security

We apply commercially reasonable technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS) and at rest where appropriate.
• Access controls and authentication.
• Regular review of security practices.
• Subprocessor due diligence.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work to protect your data and will notify affected individuals of significant breaches as required by law.

12. Children

The Service is not intended for individuals under 18, and we do not knowingly process personal data of minors. If we learn that we have collected data from a minor, we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date and, where changes are material, notify you by email or through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact us

For privacy questions, requests, or concerns, contact us at:

hello@hilead.co

Hilead Ltd
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom