Privacy Policy

Version 1.0 — Effective from 9 April 2026

Last updated: 9 April 2026

1. Introduction

This Privacy Policy explains how One Stop Creative Agency Limited (company number 11417088, registered in England and Wales, with its registered office at 23 Prince Andrew Way, Ascot, England, SL5 8NQ), trading as Lead Cap (“we”, “us”, “our”), collects, uses, stores, and protects personal data when you use the Lead Cap platform (“Service”).

We are committed to protecting your privacy and the privacy of individuals whose data may be processed through the Service. This Policy is drafted in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organisation, you confirm you have the authority to accept this Policy on its behalf.


2. Data Controller

The data controller for the Service is:

One Stop Creative Agency Limited

Trading as Lead Cap

Company number: 11417088 (England and Wales)

Registered office: 23 Prince Andrew Way, Ascot, England, SL5 8NQ

General enquiries: hello@leadcap.co.uk

Privacy enquiries: privacy@leadcap.co.uk

Website: leadcap.co.uk

In relation to Lead data (business contact information extracted from Captures), you — as the subscribing organisation — are the data controller, and we act as your data processor. Each subscribing organisation must provide its own data controller details (legal name, contact email, and ICO registration number) during onboarding. These details are used in the GDPR footer of generated email drafts and on opt-out pages.


3. Data We Collect

We collect and process the following categories of data:

3.1 Account data

  • Full name, email address, job title, phone number
  • Organisation name, website URL, and data controller registration details
  • Authentication credentials (encrypted; we never store plaintext passwords)
  • Brand voice preferences and sample email content

3.2 Capture data

  • Photographs of business signage uploaded by you
  • Geolocation data (if provided with the capture)
  • Device and metadata information associated with the capture
  • Incidentally-captured personal data of third parties - for example, a passer-by in the background of a shopfront photograph. See section 3.5 below for how this is handled.

3.5 Third parties captured in uploaded images

Photographs of commercial signage may incidentally include members of the public (passers-by, employees on site, customers). We treat this as a dual-controller scenario:

  • You are the data controller for any personal data visible in an image you upload. You warrant under our Terms of Service (clause 4b) that you have a lawful basis for capturing and uploading the image.
  • We act as your data processor for the image once uploaded - we store it in our private storage bucket, pass it to our AI pipeline for business-detail extraction, and delete it according to the retention schedule in section 9.
  • Our AI pipeline is designed to extract business details only. We do not run facial recognition, biometric processing, or any form of person identification on uploaded images.
  • If an individual visible in an image requests erasure under UK GDPR Article 17, you must delete the affected lead(s) via the in-app controls. You may also contact us at privacy@leadcap.co.uk and we will action the deletion within 30 days.
  • You are responsible for meeting any transparency obligations (UK GDPR Articles 13 and 14) owed to individuals visible in images you upload.

3.3 Lead data

  • Business names, addresses, phone numbers, email addresses, and website URLs extracted by AI
  • Companies House data (company number, directors, SIC codes, incorporation date)
  • Website quality scores and analysis results
  • AI-generated email drafts and lead status history

3.4 Usage and technical data

  • IP address, browser type, operating system, and device information
  • Pages visited, features used, and interaction timestamps
  • Push notification device tokens (for mobile app users)

4. How We Use Your Data

We use your data for the following purposes:

  • Providing the Service: Processing Captures through the AI pipeline, generating Leads and Email Drafts, and managing your account.
  • GDPR compliance: Including Article 14 notices in first-contact Email Drafts, maintaining the suppression list, processing opt-out requests, and managing data retention schedules.
  • Gamification features: Tracking leaderboard rankings, badges, capture streaks, and sending achievement notifications (in-app and push). Users can opt out of appearing on leaderboards.
  • Security and audit: Maintaining audit logs of significant actions, enforcing rate limits, and detecting abuse.
  • Service improvement: Analysing usage patterns to improve features and performance. We do not use your data to train AI models.
  • Communications: Sending transactional emails (account verification, password resets) and, with your consent, marketing communications about the Service.

5. Lawful Basis

We process personal data under the following lawful bases as defined by UK GDPR Article 6(1):

  • Contract (Article 6(1)(b)): Processing your account data and Captures is necessary to provide the Service you have subscribed to.
  • Legitimate interest (Article 6(1)(f)): Processing publicly available business data for B2B prospecting purposes. The data subjects are businesses and sole traders who have made their contact information publicly visible through signage, websites, and public registers. We balance this against data subjects' rights by including Article 14 notices in first-contact drafts and providing a one-click opt-out mechanism.
  • Consent (Article 6(1)(a)): For marketing communications about Lead Cap itself. You can withdraw consent at any time by contacting us or using the unsubscribe link in our emails.
  • Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations such as data retention requirements and responding to data subject access requests.

6. AI Processing & Third-Party Sub-Processors

The Service uses artificial intelligence and third-party services to process your data. We have data processing agreements in place with each sub-processor. Your data is processed as follows:

Sub-Processor | Purpose | Data Location
Anthropic (Claude AI) | Image analysis, business identification, company research, email draft generation | US
Cloudflare R2 | Secure storage of uploaded photographs in a private bucket | EU (auto)
Supabase (AWS) | Database hosting, authentication, real-time subscriptions | EU (Frankfurt)
Firecrawl | Web crawling and content extraction for company research and website scoring | US
SerpAPI | Search engine queries to find company websites and public information | US
Expo (Push) | Delivering push notifications to mobile app users for achievement and streak alerts | US
Netlify | Web application hosting and background function execution | US/EU

Important: Your data is not used for AI model training. When your photographs and Lead data are sent to Anthropic for processing, they are used solely for the purpose of providing the Service. Anthropic does not use API inputs or outputs to train their models. We have confirmed this through Anthropic's data processing terms.

For transfers of personal data outside the UK, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) or its addendum, as applicable.


7. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Within your Organisation: Leads and associated data are visible to members of your organisation in accordance with your team structure and role permissions. Leaderboard and profile data may be visible to other members of your organisation (users can opt out of leaderboard visibility).
  • Sub-processors: As detailed in Section 6, to the extent necessary to provide the Service.
  • Suppression list: When a prospective lead opts out, their email address is added to a cross-organisation suppression list. This ensures no Lead Cap user contacts them again. The suppression list contains only the email address and opt-out date — no other Lead data is shared between organisations.
  • Legal requirements: We may disclose data if required by law, regulation, court order, or governmental authority.

8. Data Retention

We apply the following retention periods to Lead data. These are enforced automatically by the platform:

Lead Status | Retention Period
Ready | Auto-deleted after 90 days of inactivity
Contacted | Auto-deleted after 30 days without status update
On Hold | Auto-deleted 30 days after recontact date
Successful | Retained for up to 3 years
Opted Out | Immediately deleted; email added to suppression list
Suppressed | Immediately deleted during processing

Account data is retained for the duration of your subscription and for 30 days following account termination, after which it is permanently deleted.

Photographs stored in Cloudflare R2 are deleted when the associated Lead (or all sibling Leads from the same capture) is deleted.

Audit logs are retained for 7 years to support legal and compliance requirements. Audit logs are append-only and cannot be modified or deleted.

Suppression list entries are retained indefinitely to ensure ongoing opt-out compliance.


9. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate data.
  • Right to erasure: You may request deletion of your data, subject to legal retention requirements.
  • Right to restrict processing: You may request that we limit how we process your data.
  • Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
  • Right to object: You may object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

For prospective leads (data subjects whose information is processed through the Service): If you have received an email containing an Article 14 notice referencing Lead Cap, please note that the data controller is the organisation identified in the email footer, not Lead Cap itself. You may exercise your rights by contacting them directly, or by using the one-click opt-out link provided in the email, which will immediately suppress your data across all Lead Cap users.

To exercise any of these rights, contact us at hello@leadcap.co.uk. We will respond within 30 days.


10. Cookies

The Service uses cookies and similar technologies for the following purposes:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled as the Service will not function without them.
  • Preference cookies: Store your UI preferences such as sidebar state and theme settings.

We do not use third-party analytics or advertising cookies. Supabase authentication cookies are first-party and essential for the Service.


11. Children

The Service is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have inadvertently collected data from a child under 18, we will take steps to delete it promptly.


12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Notify you via email or an in-app notification at least 14 days before the changes take effect.

Your continued use of the Service after the updated Policy takes effect constitutes your acceptance of the changes.


13. Contact & Complaints

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

One Stop Creative Agency Limited

Trading as Lead Cap

Company number: 11417088 (England and Wales)

Registered office: 23 Prince Andrew Way, Ascot, England, SL5 8NQ

General enquiries: hello@leadcap.co.uk

Privacy enquiries: privacy@leadcap.co.uk

Website: leadcap.co.uk

Complaints to the ICO

If you are not satisfied with our response to your data protection enquiry or complaint, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office

Wycliffe House, Water Lane

Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: ico.org.uk

We encourage you to contact us first so that we have an opportunity to resolve your concern before escalating to the ICO.