Legal

Data Protection

How we protect your data and what tools process it — in full compliance with GDPR.

1. Our Commitment

Leagent is operated from the Netherlands and is subject to the General Data Protection Regulation (GDPR) as implemented under Dutch law. We are committed to processing all personal data lawfully, transparently, and securely.

We apply the principle of data minimisation — we only collect and process what is strictly necessary for the purpose stated.

2. Data Controller

Leagent acts as the data controller for all personal data collected through this website and through the client onboarding process.

For data protection inquiries: privacy@leagent.io

3. Third-Party Tools & Data Processors

Leagent operates using a set of third-party tools. Each tool processes data only as instructed and under a Data Processing Agreement (DPA) where required by GDPR. Below is our full processor register:

Tool
Purpose
Data Processed
Location
Anthropic Claude
AI content generation and intelligence layer
Content prompts, niche data — no personal client data
USA (SCCs apply)
Make
Workflow automation backbone
Workflow data, API payloads
EU
HeyGen
AI video generation
Text scripts — no personal data
USA (SCCs apply)
Creatomate
Video formatting and rendering
Video files, JSON templates — no personal data
EU
Metricool
Social media publishing and analytics
Content files, publishing schedules, analytics data
EU (Spain)
ManyChat
Instagram DM automation and lead capture
Instagram usernames, message content of leads
USA (SCCs apply)
Systeme.io
Landing page, funnel, and lead capture
Lead email addresses, conversion data
EU (France)
Google Analytics 4
Website traffic and conversion analytics
Anonymised usage data, IP addresses (anonymised)
USA (SCCs apply)
Hostinger
Website hosting
Website files, server logs
EU

4. Security Measures

We implement the following technical and organisational measures to protect personal data:

  • All data transmitted via HTTPS (TLS encryption)
  • Access to client data restricted to authorised personnel only
  • API keys and credentials stored securely — never exposed in client-facing code
  • Regular review of third-party processor security practices
  • No sensitive financial data stored on our systems

5. Data Breach Procedure

In the event of a personal data breach, we will:

  • Assess the risk to affected individuals within 24 hours of discovery
  • Notify the Autoriteit Persoonsgegevens within 72 hours if the breach poses a risk to individuals' rights and freedoms
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document all breaches in our internal breach register regardless of notification obligation

6. Client Data Responsibilities

When Leagent operates the acquisition system on behalf of a client, the client is the data controller for their end customers' data. Leagent acts as a data processor in this context.

A Data Processing Agreement (DPA) is provided to all clients before the system goes live. This DPA defines:

  • The nature and purpose of processing
  • The type of personal data processed
  • The duration of processing
  • The obligations and rights of both parties

7. International Transfers

Several of our processors are located outside the EEA (primarily USA). All such transfers are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission under Article 46 GDPR.

We do not transfer data to countries without an adequacy decision or appropriate safeguards.

8. Contact & Supervisory Authority

For any data protection concern, contact us at privacy@leagent.io.

You may also contact the Dutch supervisory authority directly:

  • Autoriteit Persoonsgegevens
  • Website: autoriteitpersoonsgegevens.nl
  • Phone: +31 (0)88 1805 250
  • Address: Hoge Nieuwstraat 8, 2514 EL Den Haag, Netherlands