Privacy Policy – LeadPointsAi

Effective date: 28 November 2025

1. Who we are and how to contact us

LeadPointsAi is an AI automation agency currently in the process of incorporation in Mauritius.

Until registration is complete, we operate as a sole proprietorship in South Africa.

Data Protection Officer / Responsible person:

Email: privacy@leadpointsai.com

2. The categories of personal data we process

| Category | What we collect | Where it comes from | Why we need it |
|---|---|---|---|
| Website visitors & analytics | IP address, browser type, pages visited, time spent, UTM parameters, device info | Framer (hosting), Plausible / Google Analytics (if enabled) | Improve site performance and user experience |
| Contact / booking inquiries | Name, email, phone (optional), company, role, message content | Contact form, Calendly / Cal.com booking | Respond to you and schedule your free audit |
| Lead generation systems (for clients) | Business name, name, job title, business email, phone (if public), company website data | Public sources: LinkedIn profiles, Google Maps listings, company websites, public business directories | Build lead lists for clients (B2B only) |
| Cold outreach campaigns (for clients) | Same as above + reply behaviour (opens, clicks, replies) | Same public sources + campaign tracking pixels | Run, optimise, and prove results of outreach campaigns |

We never collect or process consumer/personal data for outreach — only verified business contacts.

3. How we use your information

  • To reply when you contact us or book a call

  • To deliver and improve the services you or our clients purchase

  • To run compliant B2B lead-generation and cold outreach campaigns (only for clients who hire us for that)

  • To analyse website usage (completely anonymised where possible)

  • To comply with South African and Mauritian law once registered

4A. Lead Generation Systems – How we stay 100% POPIA compliant

All data is sourced from public business directories and platforms (LinkedIn, Google Maps, company websites, etc.). We follow POPIA Sections 10–14, 19–21 at minimum:

  • Lawfulness & legitimacy (B2B legitimate interest)

  • Purpose limitation & data minimisation

  • Collection directly from public sources

  • Security safeguards & operator responsibilities

  • Retention: leads are deleted or handed over to the client within 90 days unless otherwise agreed

4B. Cold Email Outreach Campaigns – Extra POPIA promises we keep

Every single campaign we run complies with POPIA Section 18 (notification) and the rest of the Act:

  • Every email contains your full name + company + one-click unsubscribe

  • Clear identification of sender

  • Physical address & contact details included

  • Immediate suppression on unsubscribe or reply

  • No data retained longer than 30 days after the initial email was sent (unless client requests justified extension)

  • Full audit trail available on request

5. Cookies & tracking on our website


We use only essential cookies to make the site work (Framer’s own). Optional analytics cookies (if enabled) are 100% anonymised and can be rejected via the banner (coming soon). No advertising or cross-site tracking.

6. How we keep your data safe

We use enterprise-grade security measures on every platform we touch:

  • End-to-end encryption in transit (TLS 1.3) and at rest (AES-256 where available)

  • Mandatory two-factor authentication (2FA) for all team members and systems

  • Strict role-based access controls – no one sees data they don’t strictly need

  • All credentials and API keys stored in encrypted vaults

  • Regular third-party penetration tests and security audits

  • All third-party processors are SOC 2, ISO 27001, or equivalently certified and bound by operator agreements that fully satisfy POPIA Section 21

We’re happy to share our full sub-processor list and certifications with any client.

7. How long we keep your data

| Type of data | Retention period |
|---|---|
| Contact form / audit booking data | 12 months after last contact (or sooner if you ask us to delete) |
| Client project data & lead lists | Duration of contract + 90 days (then handed to you or deleted) |
| Cold outreach campaign contacts | Maximum 30 days after last touch (unless client gives written justification) |
| Unsubscribed / opted-out contacts | Removed within 48 hours – only kept on permanent suppression list |
| Website analytics | Maximum 26 months (anonymised after 30 days where possible) |
| Invoices & accounting records | 5 years (required by South African & Mauritian tax law) |

8. Your rights – you stay in control

Under POPIA (and GDPR if you’re in the EU) you can, completely free:

  • See every piece of data we have about you

  • Correct anything wrong

  • Ask us to delete or restrict it

  • Object to any processing (especially marketing)

  • Get your data in a portable format

  • Withdraw consent anytime

Email privacy@leadpointsai.com

You can also complain to the Information Regulator (South Africa) or the Data Protection Commission (Mauritius) once we’re registered there.

9. International data transfers


Your data is processed primarily in South Africa and the European Union. Limited transfers to the United States only happen through processors protected by Standard Contractual Clauses and additional safeguards (encryption + access controls).

10. Contact us

Email: privacy@leadpointsai.com

Once we complete registration in Mauritius, we’ll add the official company number and registered address here.

Thank you for trusting us with your data. We treat it exactly the way we’d want ours treated.

— LeadPointsAi Team
