Privacy Policy

1. Who we are

The LeadChase platform at leadchase.co is operated by LeadChase Ltd, a company registered in England and Wales (company number 17225822), registered office 29 Primrose Avenue, Downham Market, PE38 9GF ("we", "us", "our"). Prior to 18 May 2026 the platform was operated by Jordan Edner as a sole trader; on incorporation of LeadChase Ltd on 18 May 2026, responsibility for the platform and this policy transferred to LeadChase Ltd. For any questions about this policy, contact us at jordan@leadchase.co.

2. What data we collect

• Account information: your name, email address, and agency name when you sign up.
• Payment card details: when you sign up for a free trial or paid subscription, payment card details are collected and stored securely by our payment processor, Stripe, on our behalf. We do not store full card numbers ourselves.
• Candidate CVs (raw PDFs): PDF files uploaded by recruiters for outreach generation. The original PDF bytes are processed in memory only and are not retained. We keep only a SHA-256 hash of the original PDF so we can recognise duplicate uploads of the same file.
• Anonymised CVs (saved-CV library): the redacted text of each uploaded CV, plus a structured candidate profile (skills, achievements, role title) generated automatically from that redacted text. Each candidate's name, email, phone number, and personal URLs are replaced with "Redacted" before storage. These are stored against your user account so you can re-attach a CV to future outreach without re-uploading it.
• Company documents: brochures, case studies, market reports, and similar marketing collateral you upload through Settings. We store the original PDF plus an extracted text summary used to ground AI-generated references in your messages. Visible only to you and your agency.
• Email account access: when you connect Gmail or Outlook via OAuth, we access your inbox solely to send outreach emails on your behalf and to detect replies to those emails. We do not read, store, or process any unrelated inbox content.
• CRM data: job and candidate records passed to LeadChase via your connected CRM (e.g. Bullhorn via webhook integration).
• Outreach activity: records of messages generated, hiring manager details, and company names associated with each outreach session.
• Response tracking: whether a hiring manager replied to outreach, the channel (email or LinkedIn), and screenshots uploaded by you as evidence of a response.
• Placement data: placement fees entered by recruiters, attribution relationships between outreach sessions and placements, and revenue share calculations.
• Usage data: actions taken within the platform and session activity, used to improve the service.
• Browser extension activity (LeadChase Companion users only): when the extension's side panel is open on a LinkedIn page, it reads the visible name, role/headline, profile URL, and (where shown on the page) current company of profiles already rendered on screen. These are sent to LeadChase only when you click Generate or paste them into an outreach session. See section 11 for the full extension data flow.

3. How we use your data

• To generate personalised outreach messages on your behalf using AI.
• To send emails from your connected inbox when you explicitly approve and initiate sending.
• To detect replies to outreach emails sent through LeadChase.
• To track attribution between outreach activity and placements — we record which companies were contacted, which responded, and which resulted in placements. This attribution proof chain is used for revenue share calculation.
• To calculate and administer revenue share on attributed placements.
• To improve platform features and performance.

4. Lawful basis for processing

We process your personal data on the following lawful bases under UK GDPR:

• Performance of a contract: to provide the platform services you have signed up for, including account administration, message generation, email delivery, and (where applicable) attribution tracking and revenue share calculation.
• Legitimate interests: for product improvement, security, fraud prevention, and operating the business — balanced against your rights and interests.
• Consent: for any optional features you opt in to (e.g. marketing communications), which you may withdraw at any time.
• Legal obligation: where we must process data to comply with applicable law.

5. Email and CRM access

When you connect your email account (Gmail or Outlook) or CRM (e.g. Bullhorn), we access only the data necessary to provide the service described above. We will never send emails without your explicit approval. We do not share your email or CRM data with any third parties. You can disconnect your email account or CRM at any time from the Settings page.

6. Data sharing and sub-processors

We do not sell your data. We do not share your data with third parties for marketing purposes.

We use the following sub-processors to operate the platform, each under appropriate data processing agreements:

• Anthropic — AI model provider used for message generation and CV redaction.
• EnrichLayer — LinkedIn profile enrichment vendor. We send LinkedIn profile URLs and receive back the structured profile data needed to personalise outreach (current role, employer, recent posts).
• Google (Gmail API) — when you connect Gmail, we use Google's API to send approved outreach emails and detect replies. Subject to Google's API Services User Data Policy.
• Microsoft (Graph API) — when you connect Outlook, we use Microsoft Graph to send approved outreach emails and detect replies.
• Neon — cloud PostgreSQL database hosting.
• Railway — backend application hosting.
• Vercel — frontend hosting and deployment.
• Stripe — payment processor used to verify and store payment card details for trial signup and paid subscriptions.

All sub-processors are bound by appropriate data-processing terms and process your data only on our instructions.

7. Data retention

• Account data for paid subscribers is retained for as long as your account is active.
• Free trial accounts (pending onboarding): after signup, accounts wait in a pending state until your onboarding call activates the trial. If activation does not occur within fourteen (14) days of signup, the account is automatically cancelled and your payment card details are removed from our payment processor.
• Free trial accounts (active and post-trial): data is retained for the 14-day Free Trial (starting on the Trial Start Date) plus a 30-day read-only Post-Trial Access Period (44 days total from the Trial Start Date). At the end of the Post-Trial Access Period, your account and all associated data will be permanently deleted unless you have upgraded to a paid subscription. We will send you a reminder email at least seven (7) days before deletion. You may export your data at any time before deletion. Combined with the pre-activation window, the maximum retention period for a free trial account is up to 58 days from signup.
• Raw CV PDFs: discarded after redaction. We keep only a SHA-256 hash of the original PDF to recognise re-uploads of the same file.
• Anonymised CVs (saved-CV library): retained against your user account until you archive them (via the extension CV picker or the web app) or until your account is deleted. Archived CVs are excluded from your library immediately and hard-deleted from the database within 90 days, to allow recovery from an accidental delete.
• Company documents: retained until you delete them in Settings, or until your account is deleted.
• Outreach activity, response records, and placement data are retained to support attribution tracking and revenue share administration.
• Payment card details are retained securely by Stripe for as long as your account is active. You may request deletion of your card details at any time.
• You may request deletion or export of your account and all associated data at any time by emailing jordan@leadchase.co. Note that deletion of placement records may affect revenue share obligations already confirmed.

8. Your rights under UK GDPR

You have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request erasure of your data (subject to legal obligations).
• Request portability of your data in a machine-readable format.
• Object to processing based on legitimate interests.

To exercise any of these rights, email jordan@leadchase.co. We will respond within 30 days.

9. Cookies and local storage

We use essential cookies required to keep you logged in (session authentication). Our session replay provider (PostHog) uses localStorage to correlate page visits within a single browsing session. We do not use advertising cookies.

If you use the LeadChase Companion browser extension, the extension stores your access token and a list of recently-seen LinkedIn managers in Chrome's per-extension local storage (chrome.storage.local). This storage is isolated from the websites you visit — LinkedIn cannot read it, and we cannot read your LinkedIn cookies. The token is cleared when you sign out of the extension or disable extension access on your account.

No advertising cookies or third-party tracking cookies are set by LeadChase.

10. Session recording

When you use our free lead magnet tools (e.g. pages under /tryam), we record your browsing session to understand how visitors interact with the product. These recordings capture page content, mouse movements, clicks, and scrolling — but all form inputs are automatically masked so we never see what you type. Recordings are processed by our analytics provider, PostHog (see their privacy policy). Recordings are retained for up to 30 days and are used solely for product improvement.

11. Browser extension (LeadChase Companion)

The LeadChase Companion is an optional Chrome and Edge extension that lets you build a manager list from a LinkedIn page you are already viewing, in one click, without copy-pasting URLs. It is a clipboard helper — it never clicks LinkedIn UI, scrolls, paginates, sends messages, or modifies the LinkedIn page in any way.

What it reads. When you open its side panel on a LinkedIn profile, company People tab, search-results page, or Sales Navigator page, it reads the visible name, role/headline, profile URL, and (where shown) current company of profiles already rendered on screen. It does not auto-read Recruiter pages — those fall back to a manual paste-in box.

What it does not read. The extension does not read LinkedIn cookies, page HTML, page screenshots, your LinkedIn account credentials, or any LinkedIn private API. It runs in the browser's isolated content-script context and cannot access the page's own JavaScript state.

What it sends to LeadChase. Only the manager details listed above plus your normal session inputs (text brief, CV selections, document selections), sent to leadchase.co when you click Generate. No LinkedIn page content or cookies are ever sent.

What it stores on your device. Your LeadChase access token after you connect, and the last list of managers seen on each LinkedIn tab so the side panel renders instantly when reopened. Both are kept in the browser's per-extension local storage, which is isolated from the websites you visit.

Permissions. The extension requests only storage, side-panel, and active-tab access. It does not request broad tab access, cookie access, network interception, or all-sites access.

Your controls. You can pause the extension on LinkedIn at any time from the side panel settings, or disable extension access for your account entirely from web Settings → Integrations → Browser Extension. Both take effect immediately.

LinkedIn's Terms of Service. LinkedIn's User Agreement prohibits browser extensions that read data from its site. By using the LeadChase Companion, you accept that risk on your own LinkedIn account. We minimise detection surface, but no extension can be guaranteed undetectable. You are shown this disclosure once when you first open the side panel and must explicitly acknowledge it before the extension activates.

12. Security

All data in transit between your browser, the extension, and the LeadChase backend is encrypted with TLS. Email-account OAuth refresh tokens (Gmail and Outlook) and any stored CRM API keys are encrypted at rest using symmetric encryption with a key held only on our backend servers. Other data is protected by per-tenant row-level security in our PostgreSQL database and by the disk-level encryption applied by our hosting providers. Access to the production database is restricted to the LeadChase backend service and named operators.

13. Changes to this policy

We may update this policy from time to time. We will notify you of significant changes by email or via the platform. Continued use of LeadChase after changes are notified constitutes acceptance of the updated policy.

14. Contact and complaints

For any privacy-related questions or requests, contact jordan@leadchase.co.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.