Privacy Policy

1. Who we are

LocalLeads ("LocalLeads", "we", "us") is operated by EtherLabZ Technologies Private Limited, a company incorporated in India (the "Company"). LocalLeads is part of the PostOrbit Suite.

For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and India's Digital Personal Data Protection Act 2023 ("DPDP Act"), EtherLabZ IT Solutions Private Limited is the data fiduciary / data controller for personal data we process about visitors to our website and customers of LocalLeads.

For lead data (business contact information about third parties, such as a restaurant owner's public phone number) that we collect from publicly available sources and make available to our customers, please see Section 6 below, which explains the specific legal posture for that data.

2. Information we collect about users of the service

When you visit our website or use LocalLeads as a customer, we collect:

• Account information: name, email address, organisation name, and (if you sign in with email/password) a hash of your password. If you sign in via a third-party single-sign-on provider, we receive the profile name, email and provider account identifier returned by that provider.
• Billing information: payment is processed by third-party payment processors operating under PCI DSS. We do not store full card numbers; we store transaction identifiers, the last 4 digits of cards (where returned), and billing email addresses. The applicable payment processor is disclosed at checkout.
• Usage data: search queries, saved searches, exports, credit consumption, API and MCP usage, and timestamps of activity inside the product.
• Device and log data: IP address, user agent, referrer, language, approximate location derived from IP, and standard web server logs.
• Support communications: messages you send us via email or live chat, and the metadata of those conversations.

3. How we use your information

We use the personal data described in Section 2 to:

• Provide, operate and maintain LocalLeads.
• Authenticate you and protect your account.
• Process payments and prevent fraud.
• Send transactional email (receipts, account notices, security alerts, password resets, and exported-data delivery).
• Send product email (new features, tips), which you can opt out of at any time. Marketing email is sent only with your consent or under a soft opt-in where permitted.
• Detect abuse, enforce our Terms, and protect the integrity of our systems and our other customers.
• Comply with legal obligations.

Our legal bases under the GDPR / UK GDPR are: performance of a contract (account, billing, product operation); legitimate interests (security, fraud prevention, product improvement); consent (marketing email, non-essential cookies); and legal obligation (tax, accounting, lawful requests).

4. Cookies and tracking

We use a small set of cookies and similar technologies:

• Essential: session cookies, CSRF protection, authentication tokens. Required for the product to work.
• Analytics: aggregate, first-party analytics to understand which features are used. Only set after you accept via the cookie banner.
• Live chat: our live- chat provider sets a cookie to identify your conversation with our support team.

You can control cookie preferences through our cookie consent banner or your browser settings. Declining non-essential cookies does not affect your ability to use LocalLeads.

5. Subprocessors and sharing

We use vetted third-party providers ("subprocessors") to run LocalLeads. They process personal data only on our instructions and under written contracts that impose confidentiality and security obligations.

The current categories of subprocessors are published and maintained at /subprocessors. The categories include data-sourcing partners, transactional- email infrastructure, payment processors, customer-support tooling, application-monitoring infrastructure, and hosting / database / content-delivery providers. A specific named list, with the identity and processing location of each provider, is available to customers under our Data Processing Addendum on request.

We do not sell your personal data as a customer of LocalLeads. Note: under the CCPA, certain analytics and advertising cookies may be considered a "sale" or "sharing" of personal information; California residents can opt out at /do-not-sell.

We may disclose information when required by law, to enforce our Terms, to protect rights, property or safety, or in connection with a corporate transaction (merger, acquisition, financing, sale of assets).

6. Lead data: how we collect business contact information

LocalLeads helps customers discover business contact information from publicly available online sources, including public business directories, public business profiles on social networking services, and the public websites of those businesses. We refer to this as "lead data".

Where lead data contains information that can identify a natural person (for example, a sole-proprietor's name and email at their own business), that lead data is personal data under applicable laws. For such personal data:

• Our legal basis for collection and limited storage is our legitimate interest in providing B2B lead-discovery services (GDPR Art. 6(1)(f)), balanced against the rights and interests of the data subject, who has chosen to publish that information on a business listing.
• Categories of data: business name, address, phone, email, website, public business category, public reviews count and rating, public social profile metadata.
• Source: publicly available business directories, public business pages on social networking services, and the businesses' own public websites, accessed through our data-sourcing partners.
• Retention: lead data is cached for service-quality purposes and refreshed periodically; we will delete or de-list specific records on request (see Section 9).
• Use by customers: our customers receive lead data under a contract that requires them to use it only for lawful B2B outreach, to honour opt-outs and applicable anti-spam, anti- telemarketing and data-protection laws, and to act as the controller of any personal data they download. See our Terms and Data Processing Addendum.

If you are a business owner whose information appears in our index and you would like it corrected or removed: please use our data-request form. We will action verified requests within 30 days.

7. International transfers

We are headquartered in India and our infrastructure providers operate globally. Personal data we process may be transferred to, and stored in, India, the United States and the European Economic Area, depending on the subprocessor.

For transfers of personal data out of the EEA or the United Kingdom we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), or another lawful transfer mechanism such as the EU-US Data Privacy Framework where the receiving organisation is self-certified. Copies of our SCCs are available to customers on request via privacy@postorbit.io.

8. Data retention

We retain account and billing data for as long as your account is active and for up to 7 years after closure to comply with Indian tax, accounting and anti-fraud obligations. Search and product usage data is retained for up to 24 months. Lead data is cached for service-quality purposes and refreshed periodically; specific records are deleted on verified request (see Section 9). Backups are rotated and may retain copies for up to 90 days after deletion in the live system.

9. Your rights

Depending on where you live, you have some or all of the following rights:

• Access a copy of the personal data we hold about you.
• Correct inaccurate or incomplete personal data.
• Delete personal data we hold about you.
• Object to or restrict our processing.
• Data portability (receive your data in a portable format).
• Withdraw any consent you previously gave.
• For California residents: opt out of the "sale" or "sharing" of personal information and limit the use of sensitive personal information.
• For Indian residents under the DPDP Act: nominate another individual to exercise your rights in case of death or incapacity, and lodge a grievance with our Grievance Officer.
• Lodge a complaint with a supervisory authority (e.g. the Information Commissioner's Office in the UK, the relevant EU Data Protection Authority, the California Privacy Protection Agency, or the Data Protection Board of India once constituted).

To exercise any of these rights, use our data-request form or email privacy@postorbit.io. We will respond within the timeframes required by applicable law (typically 30 days; we may extend by a further period where law permits and we will notify you if we do).

10. Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest for sensitive fields, modern memory-hard password hashing, role-based access controls, audit logging, regular backups, and incident response procedures. No internet transmission or storage system is 100% secure; we will notify affected users and regulators of a personal-data breach as required by applicable law.

11. Children

LocalLeads is a B2B service intended for use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Grievance Officer / Data Protection contact

Under the DPDP Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we designate the following point of contact for grievances relating to processing of personal data:

• Grievance Officer: Privacy Team, EtherLabZ IT Solutions Private Limited
• Email: privacy@postorbit.io
• Address: EtherLabZ IT Solutions Private Limited, Jhansi, Uttar Pradesh, India

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. Where required by law, we will provide additional notice and, where required, seek your consent.

14. Contact us

General privacy questions: privacy@postorbit.io. Customer support: support@postorbit.io.