Privacy Policy – LeadScout

This privacy policy explains how personal data is processed when you visit our website (https://leadscout.dietrich-development.de) and use the LeadScout SaaS service. Personal data is processed only within the bounds of applicable law, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The legally binding version is the German one (Datenschutzerklärung); this English version is provided for convenience.

1. Controller

The controller within the meaning of Art. 4(7) GDPR is: Dietrich Development Tobias Dietrich (sole proprietor) Alemannenstr. 14 72393 Burladingen Germany Email: [email protected] Web: https://dietrich-development.com We have not appointed an external data protection officer because the legal thresholds (§ 38 BDSG) are not met. Please send privacy-related requests directly to the email address above.

2. General notes on processing

We process personal data only insofar as necessary to provide a functioning website and our services. Legal bases include in particular Art. 6(1)(a) GDPR (consent), (b) (contract / pre-contractual measures), (c) (legal obligation) and (f) (legitimate interests). Data is stored only as long as required for the respective purpose or by statutory retention obligations.

3. Website provision and server logs

When you visit our website, your browser automatically transmits data to our server, which is temporarily stored in log files: • IP address (truncated where technically feasible) • Date and time of access • Referrer URL • Requested URL and HTTP status code • User agent (browser, OS) Purpose: ensuring operation, defending against attacks, and error analysis. Legal basis: Art. 6(1)(f) GDPR. The legitimate interest is the stable and secure operation of the website. Retention: typically max. 14 days; longer storage occurs only in case of security incidents for evidentiary purposes.

4. Hosting

Our servers are located in data centers within the European Union (Frankfurt am Main, Germany). A data processing agreement (DPA) under Art. 28 GDPR is in place with the hosting provider. Necessary technical processing includes serving content, logging, and backups. Legal basis: Art. 6(1)(b) and (f) GDPR.

5. Sign-up and user account

Using the service requires a user account. We process: • email address • password (stored only as a secure hash, never in clear text) • if you sign up via Google: your Google account ID, name, and email address as transmitted by Google • timestamps of registration and last login • IP address at registration (abuse prevention) • optional profile data (industry/ICP, target customer description) you provide yourself Purpose: providing the service, authentication, contract performance. Legal basis: Art. 6(1)(b) GDPR. For Google sign-in additionally Art. 6(1)(a) GDPR (consent through OAuth).

6. Authentication via Supabase

Authentication (sign-up, login, password reset, email confirmation) runs on Supabase, provided by Supabase Inc. Our Supabase instance is hosted in the EU region (Frankfurt). A data processing agreement under Art. 28 GDPR is in place. Data processed includes email address, password hash, session tokens, and authentication metadata (timestamp, IP, user agent). More info: https://supabase.com/privacy Legal basis: Art. 6(1)(b) GDPR.

7. Sign-in with Google (OAuth)

You may sign in with your Google account. Google handles the authentication and transmits the profile information needed (Google user ID, name, email) to us. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For data transfers to the United States, Google relies on the EU-US Data Privacy Framework and standard contractual clauses. More info: https://policies.google.com/privacy Legal basis: Art. 6(1)(a) and (b) GDPR.

8. Service usage (searches, analyses, outreach copy)

When you use LeadScout we process the following data, which you actively enter or which is generated by your use: • search parameters (postal code, radius, industry/category) • list of identified businesses (name, address, website, public contact data) • AI analysis results on websites, tech stack, SEO audit, social profiles, and lead scoring • generated outreach drafts • credit usage and audit logs This data is associated with your account so you can retrieve, export, and revisit it. Legal basis: Art. 6(1)(b) GDPR (contract performance).

9. Data about researched businesses and individuals contained therein

LeadScout exclusively accesses publicly available sources (Google Places API and the publicly accessible websites of the respective businesses, including imprint and contact pages). These may include personal data such as the name of an owner or a person named as responsible in the imprint. The processing of this data for surfacing it to you as a user is based on legitimate interests (research on B2B business partners, assessing digital maturity, efficiency over manual research). Legal basis: Art. 6(1)(f) GDPR. Data subjects can object to the processing at any time (see section 17). Legitimate objections will be acted on promptly. The substantive use of this data - in particular contacting the identified businesses - is your responsibility as a user (see Terms section 6 and 7). You are the controller within the meaning of the GDPR with respect to your outbound communication.

10. AI-powered analyses (LLM gateway, model providers)

To produce analyses and outreach copy, content (website text, tech-stack indicators, SEO data) is sent to large-language-model providers. Processing runs through OpenRouter (OpenRouter, Inc., USA), which routes requests to the configured model provider. Currently configured providers: • DeepSeek (DeepSeek, Hangzhou, People's Republic of China) – used for the lower-cost quality tiers. • Anthropic (Anthropic PBC, USA) – used for the premium tier. A data processing arrangement with OpenRouter and standard contractual clauses under Art. 46(2)(c) GDPR are in place. Transfers to the USA are additionally based on the EU-US Data Privacy Framework where the respective provider is certified. IMPORTANT NOTE - third-country transfer without adequacy decision: There is no adequacy decision by the EU Commission for the People's Republic of China. DeepSeek is used only because no personal data of registered users (e.g. your name or email) is sent to it; only publicly accessible content of researched businesses and your technical search parameters are transmitted. Data sent there may be accessed by state authorities and data subjects may not enjoy a level of protection equivalent to EU law. If you do not want this transfer, you can select a higher quality tier in your account that uses only USA-/EU-based providers, or refrain from using the service. Legal basis: Art. 6(1)(b) GDPR (contract performance) and, for the third-country transfer, Art. 49(1)(b) GDPR (necessity for performance of the contract). More info: • OpenRouter: https://openrouter.ai/privacy • Anthropic: https://www.anthropic.com/legal/privacy • DeepSeek: https://chat.deepseek.com/downloads/DeepSeek%20Privacy%20Policy.html

11. Location data via Google Places API

To identify local businesses based on your search parameters (postal code + radius + industry) we use the Google Places API. Provider: Google Ireland Limited; transfers to the USA are safeguarded by the EU-US Data Privacy Framework and standard contractual clauses. Only technical search parameters are transmitted; your account data is not transferred to Google. More info: https://policies.google.com/privacy Legal basis: Art. 6(1)(b) GDPR.

12. Payment processing via Stripe

For paid plans (Hobby, Pro) and credit packages (top-ups) we use the payment service provider Stripe. For customers in the European Economic Area, the provider is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. When you trigger a payment, you enter your payment data (e.g. card number, bank/SEPA data, name, billing address) directly with Stripe. This data is processed only by Stripe and is not transmitted to us in clear text. We receive only: • Stripe customer ID and subscription ID • payment/subscription status (e.g. "active", "canceled") • amount paid, currency, invoice PDF link • country / VAT status (for Stripe Tax, where enabled) • the last four digits and card brand (for display in your account) A data processing agreement with Stripe is in place. Transfers to the USA are safeguarded by the EU-US Data Privacy Framework and standard contractual clauses. More info: https://stripe.com/privacy Legal bases: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal retention obligations).

13. Transactional emails

We only send contract-relevant emails (sign-up confirmation, magic links, password reset, billing notifications, security notifications). They are sent through the infrastructure of our authentication provider (Supabase) or our payment provider (Stripe). We do not send marketing newsletters without prior explicit consent. Legal basis: Art. 6(1)(b) GDPR.

14. Cookies and similar technologies

We only use technically necessary cookies and comparable technologies. Specifically: • Session cookies and HTTP-only tokens for authentication (via Supabase) - login is technically impossible without them. • Local storage (sessionStorage) to cache UI state, e.g. a plan selected before login. No tracking, advertising, or profiling cookies are used. We do not run a third-party web analytics tool that uses cookies or fingerprinting. Legal basis: § 25(2)(2) TDDDG (necessity) and Art. 6(1)(b) and (f) GDPR.

15. Automated decisions / profiling

Within the application, the AI models above compute a "lead score" per researched business (digital maturity assessment, outreach recommendation). This automated processing only assists your decision-making as a user; it has no legal effect on the businesses or persons evaluated and no similarly significant impact within the meaning of Art. 22 GDPR. There is no exclusively automated decision-making with legal consequences for data subjects.

16. Retention and deletion

We store personal data only as long as necessary for the purposes stated in this policy or until statutory retention obligations end. • account and usage data: for the duration of the contractual relationship. • server logs: typically max. 14 days. • searches and analysis results: until you delete them or your account is deleted. • accounting-relevant data (invoices, Stripe transaction data): 10 years per §§ 147 AO, 257 HGB. • other tax-relevant records: 6 years per § 147(3) AO. After cancellation or deletion of the account, all personal data not subject to retention obligations is deleted or anonymized within 30 days.

17. Your rights as a data subject

You have the right at any time to • access information about the data stored about you (Art. 15 GDPR) • rectification of inaccurate data (Art. 16 GDPR) • erasure ("right to be forgotten", Art. 17 GDPR) • restriction of processing (Art. 18 GDPR) • data portability (Art. 20 GDPR) • object to processing based on legitimate interests (Art. 21 GDPR) • withdraw consent with effect for the future (Art. 7(3) GDPR) You can delete your account and all associated data yourself at any time under: Settings → Account → "Delete account". Self-deletion permanently removes searches, analyses, outreach drafts, company profiles, credit balance, and the user account; active subscriptions are cancelled. Accounting-relevant records (invoices) are retained at Stripe for 10 years per § 257 HGB / § 147 AO. For any further requests, write to [email protected].

18. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority - in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR). Competent authority for the controller: Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg Lautenschlagerstraße 20, 70173 Stuttgart, Germany https://www.baden-wuerttemberg.datenschutz.de

19. Data security

We use customary technical and organizational measures (TOMs) to protect your data: TLS encryption of all traffic, hashed passwords (secure hashing algorithm), role-based access to databases, EU-based backups, and regular updates of the components in use.

20. Changes to this policy

We will adapt this privacy policy if features, processors, or the legal landscape change. The version published on this page applies. Material changes are announced to registered users by email in advance where legally required.