Privacy Policy
LeadFlow (operated by KSTUDIO SIA)
Controller: KSTUDIO SIA (Reg. No. 40203140189, VAT LV40203140189)
Address: Skolas iela 36-5, Jurmala, LV-2016, Latvia
Email (privacy inquiries): [email protected]
Last updated: 2026-02-16
This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website or use the LeadFlow platform (the "Service"). It also explains your privacy rights and how to contact us.
1. Scope and Roles
This Privacy Policy applies when KSTUDIO SIA acts as a data controller, including when you:
- visit or interact with our website;
- create an account or use the Service as an authorized user;
- purchase credits or interact with billing pages;
- contact support or otherwise communicate with us; and
- receive transactional emails from us (e.g., magic-link sign-in, confirmations, security notices).
When we process lead data on behalf of our Customers as part of lead generation and/or enrichment services ("Customer Data"), we act as a data processor. That processing is governed by our Data Processing Addendum ("DPA") with the relevant Customer. If you are included in a lead list generated for a Customer, the Customer is the data controller for that processing and is responsible for providing the required notices (including GDPR Article 14) and handling data subject requests.
2. Personal Data We Collect
We may collect the following categories of personal data:
2.1 Account and Profile Data
Name, business email address, login credentials, company name, job title, and other information you provide during sign-up or when updating your profile.
2.2 Company and Billing Data
Company details (legal name, address, VAT number), purchase records, invoices, and billing-related data. Payment card details are processed by our payment provider (e.g., Stripe) and are not stored by us.
2.3 Usage, Device and Log Data
Information about how you use the Service, including IP address, device and browser information, approximate location (country), page views, timestamps, and diagnostic logs.
2.4 Support and Communications
Information you provide when you contact us, such as messages, attachments, and feedback.
2.5 Cookies and Similar Technologies
We use cookies and similar technologies for essential site functionality, security, analytics, and marketing (where enabled). See Section 4 for details and how to manage your preferences.
3. How We Use Personal Data and Legal Bases
We process personal data for the purposes below. Where required, we rely on the following legal bases under GDPR: contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)), legitimate interests (Article 6(1)(f)), and consent (Article 6(1)(a)).
- Provide and operate the Service: Contract; Legitimate interests (service security and improvement).
- Account creation, authentication, and customer support: Contract; Legitimate interests.
- Billing, payments, and fraud prevention: Contract; Legal obligation; Legitimate interests.
- Website security and abuse prevention (e.g., bot detection): Legitimate interests.
- Analytics: Consent where required (depending on jurisdiction and configuration).
- Marketing communications about our Service: Consent or legitimate interests (depending on jurisdiction); you can opt out at any time.
- Compliance, legal claims, and enforcement of our Terms: Legal obligation; Legitimate interests.
4. Cookies and Similar Technologies
We use cookies and similar technologies on our website and within the Service. Depending on your location and settings, we will request consent before setting non-essential cookies.
Cookie categories we use may include:
- Strictly necessary cookies: required for core functionality, security, and account access.
- Analytics cookies: help us understand usage and improve the Service (e.g., Google Analytics).
- Marketing cookies: help measure and optimize advertising (e.g., Meta/Facebook Pixel) where enabled.
We implement consent controls (including Google Consent Mode v2 where applicable) to help ensure analytics/marketing technologies operate in accordance with your preferences.
You can manage your preferences at any time via our cookie settings interface (available on the website). For a detailed list of cookies (name, provider, purpose, and retention), please refer to our Cookie Settings/Cookie Policy.
5. Information for Individuals Included in Lead Data (Business Contacts)
LeadFlow is designed for business-to-business (B2B) use. Our Customers may use the Service to generate and/or enrich lead lists for purposes such as B2B sales, marketing, recruiting, or business intelligence.
When we generate/enrich lead lists for a Customer, we process business contact data on the Customer's behalf as a processor. The Customer is the controller for that processing and is responsible for determining the lawful basis (commonly legitimate interests) and for providing required notices to individuals (including GDPR Article 14 where applicable).
Business contact data processed may include:
- Name, job title/seniority, and employer/company details;
- Business email address and verification status;
- Business phone number (where available);
- Location (country/region/city where available);
- Public professional profile links and publicly available professional information (where available).
Sources of lead data may include publicly available business directories and professional networks, and commercial B2B data providers and enrichment tools used under the Customer's instructions.
If you believe you have been included in a lead list and you wish to exercise your rights (access, deletion, objection to marketing, etc.), please contact the organization that contacted you, as it is the controller. If you contact us at [email protected], we will use reasonable efforts to direct your request to the relevant Customer and/or assist the Customer as required under our DPA.
We (and/or our Customers) may maintain a suppression record (e.g., your email address) solely for the purpose of respecting your objection/unsubscribe request and preventing re-contact.
6. Sharing and Disclosure
We may share personal data with service providers that help us operate the Service (e.g., hosting, database, workflow automation, email delivery, payments, analytics, and security providers). We may also disclose data where required by law, to protect rights and safety, or as part of corporate transactions.
For transparency, we maintain an up-to-date list of key service providers/sub-processors at: https://leadflow.lv/subprocessors.
7. International Transfers
Some providers may process data outside the EEA (for example, in the United States). Where required, we use appropriate safeguards such as adequacy decisions, EU Standard Contractual Clauses (SCCs), and/or reliance on the EU–U.S. Data Privacy Framework where applicable.
8. Data Retention
We keep personal data only as long as necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
Typical retention periods may include:
- Account data: for as long as the account is active, and typically up to 12 months after account closure for security, dispute resolution, and compliance.
- Lead request results (stored in Customer accounts): typically up to 90 days from completion of a request (or such shorter period as configured), after which results are deleted or anonymised; backups may retain data for a limited period (typically up to 60 days).
- Billing and invoice records: retained for at least 5 years (or longer where required) to comply with applicable Latvian accounting and tax obligations.
- Support communications: retained as needed to resolve inquiries and improve support quality.
- Logs and security records: retained for a limited period, then deleted or anonymised.
- Cookie preferences: retained according to cookie settings and durations.
9. Your Rights and Complaints
Depending on your location, you may have the right to request access, rectification, deletion, restriction, portability, or to object to processing of your personal data. You also have the right to withdraw consent (where processing is based on consent).
You have the right to object to the processing of your personal data for direct marketing purposes at any time. If you object, the personal data shall no longer be processed for such purposes.
To exercise your rights in relation to personal data for which we are the controller, contact us at [email protected].
You also have the right to lodge a complaint with a supervisory authority. In Latvia, the supervisory authority is the Data State Inspectorate (Datu valsts inspekcija, "DVI"): Elijas iela 17, Riga, LV-1050, Latvia; email: [email protected]; website: www.dvi.gov.lv.
10. AI-Assisted Scoring / Automated Processing
The Service may include AI-assisted analysis and scoring features to help Customers evaluate lead quality (e.g., informational lead scoring). Such scoring is intended to be informational and does not by itself produce legal or similarly significant effects on individuals.
11. Security
We implement appropriate technical and organisational measures to protect personal data. No method of transmission or storage is 100% secure; however, we work to maintain safeguards appropriate to the risks.
12. Children
The Service is intended for business users and is not directed to children. We do not knowingly collect personal data from children.
13. Changes
We may update this Privacy Policy from time to time. We will post the updated version on our website and update the "Last updated" date.