Terms

Privacy Policy

How Leadey collects, uses, shares and protects personal data

Go back

Service: Leadey (www.leadey.ai and app.leadey.ai)

Data controller / operator: Octogle Technologies CO. L.L.C (Establishment No. 2881346; Trade Licence No. 1419977), Office 2020 Parklane Tower, Business Bay, Dubai, United Arab Emirates

Also subject to: UK GDPR, EU GDPR and the UAE PDPL (Federal Decree-Law No. 45 of 2021)

Privacy contact: legal@leadey.io · General: hello@leadey.ai

Version: 1.0 Effective date: 18 June 2026 Last reviewed: 18 June 2026

About this policy. This Privacy Policy explains how Octogle Technologies CO. L.L.C handles personal data in connection with the Leadey platform. It reflects the UK GDPR, the EU GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the Data (Use and Access) Act 2025 (DUAA), the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and key United States privacy laws.

1. Who we are and what this policy covers

Leadey is an outbound sales platform that combines a power dialler, a CRM, multi-channel outreach sequences (calling, email, SMS, WhatsApp and LinkedIn), lead sourcing and contact enrichment in one application. Leadey is owned and operated by Octogle Technologies CO. L.L.C (“Leadey”, “we”, “us”, “our”), a company established in the United Arab Emirates with UAE establishment number 2881346 and trade licence number 1419977, with its registered office at Office 2020 Parklane Tower, Business Bay, Dubai, United Arab Emirates.

Although we are established in the United Arab Emirates, we offer the Leadey service to organisations and individuals in the United Kingdom and the European Economic Area. We therefore comply with the UK GDPR and the EU GDPR in addition to the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “UAE PDPL”). Where required, we appoint representatives in the UK and the EU under Article 27 of the respective GDPRs (see Section 18). This policy explains how we handle personal data when you visit our website, when you use the Leadey application, and when your information is otherwise processed by us.

Two different roles. Because of how Leadey works, we handle personal data in two distinct capacities, and your rights differ depending on which applies:

  • As a controller: for personal data about visitors to our website, the individuals who register for and administer Leadey accounts (our customers and their users), people who book demos or contact us, and our own marketing contacts. For this data, we decide why and how it is processed, and this policy governs it directly.
  • As a processor: for the personal data that our customers upload, import, scrape, enrich, dial, message or otherwise process about their own leads, prospects and contacts using the platform (“Customer Data”). For Customer Data, our customer is the controller and decides the purposes and means; we process it only on the customer’s documented instructions under our Data Processing Addendum (DPA). Section 13 explains what this means for individuals whose data is processed through Leadey by a customer.

If you are a lead, prospect or contact who has been contacted through Leadey and you want to understand or exercise rights over your data, the Leadey customer who contacted you is normally the controller. We will help route your request: see Section 13.

2. Key terms

  • Personal data: Any information relating to an identified or identifiable living individual.
  • Controller: The party that determines the purposes and means of processing personal data.
  • Processor: A party that processes personal data on behalf of, and on the instructions of, a controller.
  • Customer: An organisation (and its authorised users) that has registered for or subscribed to Leadey.
  • Customer Data: Personal data relating to a customer’s leads, prospects, contacts and end recipients that the customer processes using the platform, for which the customer is the controller and Leadey is the processor.
  • UK GDPR / EU GDPR: The retained UK General Data Protection Regulation, as amended (including by the DUAA), and Regulation (EU) 2016/679 respectively.
  • PECR: The Privacy and Electronic Communications (EC Directive) Regulations 2003, governing marketing calls, emails, SMS and cookies.
  • Sub-processor: A third party engaged by Leadey to process personal data in connection with the service.

3. The personal data we collect

3.1 Information you give us (as a customer or visitor)

  • Account and identity data: name, business email address, telephone number, job title, employer/organisation, username and authentication credentials (managed through our identity provider, Clerk), profile photo and time zone.
  • Billing and transaction data: billing name, billing email, billing address, VAT/tax identifiers, plan and seat information, and partial payment-card details and transaction records (full card data is collected and stored by our payment processor, Stripe, not by us).
  • Communications data: the content of messages, support tickets, demo-booking forms, survey responses and other correspondence you send to us.
  • Marketing data: your preferences for receiving marketing from us and your engagement with our marketing communications.

3.2 Information we collect automatically

  • Usage and device data: IP address, browser type and version, operating system, device identifiers, pages viewed, features used, referring URLs, session timestamps, and diagnostic and performance logs.
  • Cookies and similar technologies: as described in our Cookie Policy. See Section 7.

3.3 Customer Data processed on our customers’ instructions

When a customer uses Leadey, the platform processes personal data about that customer’s leads and contacts. Depending on how the customer configures the service, this may include: names; business and personal contact details (email addresses and telephone numbers); job titles and employer information; LinkedIn profile information; lead status, notes, tasks and pipeline information; call recordings, call transcripts and AI-generated call summaries; email, SMS, WhatsApp and LinkedIn message content and engagement metrics; and any custom fields the customer defines. We process this data as a processor on the customer’s behalf and do not use it for our own purposes (see Sections 1, 6.3 and 13, and the DPA).

3.4 Information from third parties

  • Enrichment and data-sourcing providers: where a customer uses our enrichment and lead-sourcing features, business-contact information (for example email addresses, phone numbers and job-posting data) may be obtained from our contact-enrichment and lead-sourcing providers and added to Customer Data on the customer’s instruction.
  • Integration partners: where a customer connects a third-party tool (for example a CRM, team-chat or LinkedIn tool you choose to connect), data may be exchanged with that tool under the customer’s configuration.
  • Service providers: our telephony provider (Twilio), identity provider (Clerk), payment provider (Stripe) and analytics providers may provide us with related information (for example call metadata, authentication events and aggregated usage statistics).

We do not knowingly collect special category data (such as health, racial or ethnic origin, or biometric data) and ask that customers do not upload such data into Leadey except where lawfully permitted and configured for that purpose.

4. How and why we use personal data (where we are the controller)

Under the UK and EU GDPR we must have a lawful basis for each processing activity. The DUAA introduced a new “recognised legitimate interests” basis and clarified the standard legitimate-interests assessment; where we rely on legitimate interests we have carried out (or will carry out) a balancing assessment and you may request a summary. The table below sets out our principal controller-side activities.

  • Create and administer your account; provide and operate the platform: Account, identity, usage data Performance of a contract (Art. 6(1)(b))
  • Take payment and manage billing, renewals and collections: Billing and transaction data Performance of a contract; legal obligation (Art. 6(1)(b),(c))
  • Provide support, respond to enquiries and demo requests: Communications, account data Contract; legitimate interests (Art. 6(1)(b),(f))
  • Secure the platform, prevent fraud and abuse, maintain logs: Usage, device, account data Legitimate interests; legal obligation (Art. 6(1)(f),(c))
  • Improve, debug and develop the service (using aggregated/de-identified data where possible): Usage and diagnostic data Legitimate interests (Art. 6(1)(f))
  • Send service and transactional messages (e.g. security, billing, outages): Account, contact data Contract; legitimate interests (Art. 6(1)(b),(f))
  • Send marketing about Leadey to business contacts and existing customers: Contact, marketing data Legitimate interests / consent as required by PECR (Art. 6(1)(f)/(a))
  • Comply with legal, tax, accounting and regulatory obligations: Account, billing data Legal obligation (Art. 6(1)(c))
  • Establish, exercise or defend legal claims; corporate transactions: As relevant Legitimate interests; legal obligation (Art. 6(1)(f),(c))

Withdrawing consent. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interests, you have the right to object (see Section 11).

5. Marketing and electronic communications

We send marketing only in line with PECR and the GDPR. We rely on the “soft opt-in” for existing customers and on legitimate interests for corporate (business-to-business) marketing, and we obtain consent where the law requires it. Every marketing message contains an easy, free way to opt out, and we honour opt-out requests promptly. You can change your preferences at any time by using the unsubscribe link or by emailing legal@leadey.io. Opting out of marketing does not stop service or transactional messages that we must send to operate your account.

6. Who we share personal data with

We do not sell personal data. We share personal data only as described below and under appropriate contractual and security safeguards.

6.1 Service providers and sub-processors

We use carefully selected providers to deliver the platform. Each is bound by a written contract that meets Article 28 UK/EU GDPR and processes personal data only on our (or our customers’) instructions. Our principal sub-processors include:

  • Cloud hosting (EU: Frankfurt): Primary application and database hosting All hosted data; EU (Germany)
  • Twilio: Telephony, UK number provisioning, call connectivity and recording Call metadata, recordings, numbers; UK/EU/US
  • Clerk: User authentication and identity management Account/identity data; US/EU
  • Stripe: Payment processing and billing Billing and payment data; UK/EU/US
  • Lead-sourcing provider: Job-board lead sourcing Job-posting and company data; EU/US
  • Contact-enrichment provider: Contact enrichment Business-contact data; EU/US
  • Messaging integration provider: LinkedIn / messaging integration Account / message data; EU
  • CRM integrations you connect: Customer-enabled CRM integrations Customer-configured data; UK/EU/US
  • Team-chat integration you connect: Customer-enabled alert integration Notification data; US/EU
  • Scheduling provider: Demo scheduling Booking and contact data; EU/US
  • Analytics / error monitoring: Product analytics and diagnostics Usage and device data; EU/US

An up-to-date list of sub-processors is maintained and made available to customers on request via legal@leadey.io. We give customers advance notice of new sub-processors and an opportunity to object, as set out in the DPA.

6.2 Other recipients

  • Professional advisers (lawyers, accountants, auditors, insurers) under duties of confidentiality.
  • Authorities and regulators where we are required to disclose by law, court order or a valid legal request, or to protect our rights, users or the public.
  • Corporate transactions , in connection with a merger, acquisition, financing or sale of assets, subject to confidentiality and continued protection of personal data.

6.3 Customer Data

Where we process Customer Data as a processor, we share it only as directed by the relevant customer (for example with that customer’s authorised users and chosen integrations), as required to provide the platform, or as required by law. We do not use Customer Data to train generative-AI models for cross-customer purposes, and we do not sell or share it for our own commercial benefit.

7. Cookies and similar technologies

We and our providers use cookies and similar technologies on our website to operate the site, remember preferences, measure performance and (with consent) support marketing. Where required by PECR and the GDPR, non-essential cookies are set only after you consent through our cookie banner, and you can change your choices at any time. Full details are in our Cookie Policy.

8. International data transfers

Our primary application data is hosted in the EU (Frankfurt, Germany). Some of our sub-processors are located in, or transfer personal data to, countries outside the UK and EEA (including the United States). Where we transfer personal data internationally, we put appropriate safeguards in place, which may include:

  • transfers to countries covered by a UK adequacy regulation or an EU adequacy decision;
  • the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum (or the UK IDTA), supplemented by a transfer risk assessment and additional technical measures where needed; and
  • where applicable, certification of the relevant US recipient under the EU–US Data Privacy Framework and the UK Extension.

You can request more information about the safeguards that apply, or a copy of the relevant transfer mechanism, by emailing legal@leadey.io.

9. How long we keep personal data

We keep personal data only for as long as necessary for the purposes set out in this policy, after which we delete it or irreversibly anonymise it. Indicative periods:

  • Account and profile data: For the life of the account, then up to 90 days after closure (longer if needed for disputes)
  • Billing, tax and accounting records: 6 years from the end of the relevant tax year (UK legal requirement)
  • Call recordings, transcripts and AI summaries: Controlled by the customer; default retention configurable, then deleted on the customer’s schedule or on account closure
  • Support and correspondence: Up to 3 years from last contact
  • Marketing data: Until you opt out, then suppression-list retention only
  • Website usage and analytics logs: Up to 26 months (or shorter where set in the Cookie Policy)
  • Security and audit logs: Up to 24 months

10. How we protect personal data

Our information security management system is certified to ISO/IEC 27001:2022 (certificate number GH30XXIV62024802, issued by Globus Certifications Private Limited and accredited by the United Accreditation Foundation). We maintain technical and organisational measures appropriate to the risk, including: encryption of data in transit (TLS) and at rest; access controls, least-privilege and role-based permissions; multi-factor authentication for administrative access; network and application security controls; logging and monitoring; secure software-development practices; vendor due diligence; staff confidentiality obligations and training; and backup and disaster-recovery procedures. No system is perfectly secure, but we work to protect personal data and to detect, investigate and respond to incidents. Where we are required to do so by law, we will notify the ICO (or relevant supervisory authority) and affected individuals of a personal-data breach within the applicable timeframes.

11. Your rights (UK and EU)

Subject to the conditions and exemptions in the UK and EU GDPR, you have the right to:

  • be informed about how your personal data is used (this policy);
  • access a copy of your personal data;
  • rectification of inaccurate or incomplete data;
  • erasure (“right to be forgotten”) in certain circumstances;
  • restrict processing in certain circumstances;
  • data portability for data you provided, where processing is automated and based on consent or contract;
  • object to processing based on legitimate interests, and to object at any time to direct marketing;
  • not be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except as permitted by law (see Section 12);
  • withdraw consent at any time where processing is based on consent.

To exercise any right, email legal@leadey.io. We will respond within one month (extendable by two further months for complex requests). We do not charge a fee unless a request is manifestly unfounded or excessive. We may need to verify your identity. If your request concerns data we process as a processor on a customer’s behalf, we will refer you to, or assist, the relevant customer (see Section 13).

Complaints. In line with the DUAA, you can raise a data-protection complaint with us directly using legal@leadey.io, and we will acknowledge and respond. You also have the right to complain to the ICO (ico.org.uk, helpline 0303 123 1113) or, if you are in the EEA, to your local supervisory authority. We would, however, appreciate the chance to address your concerns first.

12. Automated decision-making and AI features

Leadey includes AI features that automatically transcribe and summarise calls and that can suggest dispositions or next steps. These features support human users; they do not make decisions that produce legal or similarly significant effects about individuals without human involvement. Following the DUAA reforms to automated decision-making (UK GDPR Articles 22A–22D), where any solely automated decision-making with significant effects were to occur, we would implement the required safeguards, including meaningful information about the logic involved and the ability to obtain human review and to contest the outcome. AI-generated summaries and transcripts can contain errors and should not be relied on as a complete or accurate record without human verification.

13. If you have been contacted through Leadey (leads, prospects and contacts)

If you have received a call, email, SMS or LinkedIn message sent using Leadey, or you believe your personal data is held in a customer’s Leadey account, please note:

  • The Leadey customer is normally the controller of that data. They decide why they hold it and how they use it, and they are responsible for having a lawful basis, for transparency (including, where required, telling you where they obtained your data under Article 14 GDPR), and for honouring your rights and any objection or “do not contact” request.
  • We act as the processor and handle that data on the customer’s instructions. We cannot lawfully grant access, correction or deletion of customer-controlled data without the customer’s authorisation.
  • How to get help: contact the organisation that reached out to you and ask them to action your request. If you do not know who they are, or cannot reach them, email legal@leadey.io with any details you have (such as the phone number that called you or the sender’s name) and we will identify the relevant customer and forward your request, and we will act on our own obligations as processor without undue delay.

Do Not Call / opt-out. If you ask not to be contacted, tell the calling/sending organisation and, if you wish, also notify us so we can flag the request to the relevant customer. UK individuals can also register with the Telephone Preference Service (TPS) and corporate subscribers with the Corporate TPS (CTPS); our customers are contractually required to screen against these and to honour opt-out and suppression requests.

14. United States privacy rights

If you are a US resident, the following applies in addition to the rest of this policy where the relevant state law covers our processing of your personal information.

14.1 California (CCPA/CPRA)

In the preceding 12 months we may have collected the categories of personal information described in Section 3 (identifiers, contact and professional information, commercial/transaction information, internet activity, and audio information such as call recordings). We collect it for the business purposes described in Section 4 and share it with the categories of recipients in Section 6. We do not “sell” personal information and do not “share” it for cross-context behavioural advertising as those terms are defined under the CPRA. Subject to verification and legal exceptions, California residents may request to know, access, correct and delete their personal information, and may not be discriminated against for exercising these rights. To make a request, email legal@leadey.io. You may use an authorised agent. The CPRA’s business-to-business exemption has expired, so these rights may apply to business contacts.

14.2 Other US states

Residents of states with comprehensive privacy laws (for example Virginia, Colorado, Connecticut, Utah and Texas) may have rights to access, correct, delete and obtain a copy of their personal data, and to opt out of targeted advertising, sale, or certain profiling. We honour valid requests as required by applicable law using the same contact channel above.

14.3 Where we process US data for customers

Much US personal data in Leadey is Customer Data for which our customer is the business/controller. As with Section 13, please direct requests to the relevant customer; we will assist as a service provider/processor and will not retain, use or disclose such data except as permitted under our contract and applicable law.

15. Call recording and monitoring

Leadey can record and transcribe calls and generate AI summaries. Where we record calls (for example our own sales or support calls), we rely on legitimate interests supported by a documented Legitimate Interest Assessment, and we tell participants at the start of the call that it is being recorded and why. Where customers use Leadey to record their calls, the customer is the controller and is solely responsible for having a lawful basis, for notifying call participants before recording begins, for any consent required by the laws of the relevant jurisdiction (including “all-party consent” US states), and for secure handling and retention of recordings. Our Acceptable Use Policy and DPA set out these obligations.

16. Children

Leadey is a business tool not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a child’s data has been provided to us, contact us and we will delete it. In line with the DUAA, where any service of ours is likely to be accessed by children we will take their needs into account in its design and operation.

17. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new “Last reviewed” date and, where changes are material, take reasonable steps to notify you (for example by email or an in-app notice). Continued use of Leadey after an update constitutes acceptance of the revised policy where permitted by law.

18. How to contact us

  • Data controller: Octogle Technologies CO. L.L.C
  • Privacy enquiries / rights requests: legal@leadey.io
  • General / support: hello@leadey.ai
  • Telephone: +971 55 128 7871
  • Registered office: Office 2020 Parklane Tower, Business Bay, Dubai, United Arab Emirates
  • Privacy lead: legal@leadey.io
  • UK & EU enquiries: Data queries from the UK or EEA can be sent to legal@leadey.io
  • Supervisory authorities: UK: Information Commissioner’s Office (ico.org.uk); UAE: UAE Data Office; EEA: your local authority

Stop juggling five tools. Start booking meetings.

Start free trial
Book a demo

Explore

Pages
Buy