GDPR & Data Protection
Understanding Your Role
You (Customer) = Data Controller (responsible for legal basis and end-user rights)
Quickest Leads = Data Processor (processes data on your behalf)
Form Visitors = Data Subjects (people whose data is collected)
The General Data Protection Regulation (GDPR) is an EU law that protects personal data. It applies to any business that collects data from EU residents, regardless of where the business is located.
⚠️ Even if you're not in the EU, if you collect leads from EU visitors, GDPR applies to you!
When you use Quickest Leads to collect leads, you are the data controller. This means:
✅ You MUST have a Privacy Policy
Your website must clearly state:
- What data you collect (name, email, phone, etc.)
- Why you collect it (to contact them about inquiries)
- Who processes it (mention Quickest Leads as processor)
- How long you keep it
- Their rights (access, deletion, etc.)
✅ You MUST have Legal Basis (Article 6 GDPR)
Choose one:
- Consent: "By submitting this form, you agree..." (checkbox required)
- Contract: Data needed to fulfill a service/purchase
- Legitimate Interest: Following up on inquiries (risky; consult a lawyer)
💡 We recommend using consent with an unchecked checkbox.
✅ You MUST inform users about data processing
Add text near your form explaining the processing (a sample notice you can copy appears at the end of this page).
✅ You MUST honor data subject rights
End-users can request:
- Access: "Show me my data" (you must provide within 30 days)
- Deletion: "Delete my data" (right to be forgotten)
- Portability: "Export my data in readable format"
- Rectification: "Fix my email address"
Contact us at contact@quickestleads.com to request data deletion from our systems.
Quickest Leads commits to:
- Process data only on your documented instructions
- Implement appropriate security measures (encryption, access controls)
- Assist with data subject requests (we can delete data on request)
- Notify you of data breaches within 48 hours
- Use only approved sub-processors (Supabase, Stripe, Telegram)
- Delete or return data upon account termination
- Provide Data Processing Agreement (DPA) - see /dpa
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Customer account (email, password) | Provide service, authentication | Contract | While active + 30 days |
| Telegram ID (user ID, chat ID) | Send notifications | Contract | While connected |
| Payment info (Stripe customer ID) | Process payments | Contract | 10 years (tax law) |
| Lead data (name, email, phone) | Deliver to customer | Your legal basis | While subscribed + 30 days |
| Metadata (IP, timestamp) | Security, fraud prevention | Legitimate interest | 30 days |
We use these trusted partners to deliver our service:
| Provider | Purpose | Location | GDPR Compliance |
|---|---|---|---|
| Supabase | Database, authentication | USA (AWS) | ✅ DPA, SCCs |
| Stripe | Payment processing | USA | ✅ DPA, PCI-DSS |
| Telegram | Notification delivery | UAE/Germany | ⚠️ No DPA (public API) |
| Netlify | Website hosting | USA | ✅ DPA, SCCs |
| Meta/Facebook | Lead Ads (optional) | USA | ✅ DPA |
Note: Data transfers to the USA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
We implement industry-standard security:
- Encryption in Transit: HTTPS/TLS for all connections
- Encryption at Rest: Database encryption (AES-256)
- Password Security: Bcrypt hashing (cannot be reversed)
- Access Control: Row-Level Security (RLS) in database
- Regular Backups: Automated daily backups (30-day retention)
- Monitoring: Real-time alerts for suspicious activity
- Updates: Regular security patches and dependency updates
In case of a personal data breach, we will:
- Notify You (Customer): Within 48 hours via email
- Notify Affected Users: Within 72 hours if high risk to rights/freedoms
- Notify Authorities: Report to Polish UODO (data protection authority) within 72 hours
- Document: Keep records of breach, impact, and remediation
- Remediate: Fix vulnerability and prevent future incidents
Your obligation: If we notify you of a breach affecting your end-users, you must notify them according to GDPR requirements.
We transfer data to the USA (Supabase, Stripe, Netlify). These transfers are lawful under GDPR because:
- Standard Contractual Clauses (SCCs): EU-approved contracts with providers
- Adequacy Decision: Some providers are certified under the EU-US Data Privacy Framework
- Technical Safeguards: Encryption, access controls, audit logs
For Customers (Your Data)
You can email contact@quickestleads.com to:
- Access your data (account export)
- Correct inaccurate data
- Delete your account
- Export data (JSON format)
- Object to processing
For End-Users (Lead Data)
End-users should contact you (the data controller) first. If they contact us, we'll forward the request to you. You must respond within 30 days.
We can assist with technical deletion from our systems upon your request.
If you have concerns about data protection, you can complain to:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2
00-193 Warszawa, Poland
Website: uodo.gov.pl
Email: kancelaria@uodo.gov.pl
Before using Quickest Leads, make sure you:
Copy this text near your form:
How we use your data:
Your personal data (name, email, phone) will be processed to respond to your inquiry. We use Quickest Leads as a data processor to deliver your message. Your data will be stored until we resolve your inquiry or you request deletion. You have the right to access, correct, or delete your data. For details, see our Privacy Policy.
Not Legal Advice
This information is provided for educational purposes. We are not lawyers. For specific legal advice about GDPR compliance, consult a qualified attorney specializing in data protection law.
Questions about data protection or GDPR compliance?
Email: quickestleads@gmail.com
Quickest Leads • Poland