Privacy Policy
Last updated: 2026-05-20
This notice is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Data Controller
The Data Controller for personal data processed in connection with your use of the MyLeadTeam platform as an account holder is:
BuildFlow
Polish sole proprietorship (JDG)
NIP: 6711821792
REGON: 364919712
Address: ul. 1 Maja 13/1, 78-100 Kołobrzeg, Poland
Product brand: MyLeadTeam
Privacy contact: support@myleadteam.com
2. Data Controller vs. Data Processor Roles
MyLeadTeam operates in two distinct capacities depending on the category of data:
Controller - Account and Platform Data
BuildFlow acts as Data Controller for personal data of registered users (name, email address, account activity, billing information). We determine the purposes and means of processing this data.
Processor - Lead / Contact Data uploaded by Customers
When Customers upload or generate lead lists (names, email addresses, companies, and other contact details of third parties), the Customer acts as the Data Controller for that data. BuildFlow (MyLeadTeam) acts as a Data Processor, processing that data solely on the Customer's documented instructions. Customers are responsible for ensuring they have a lawful basis for the personal data they introduce to the platform.
3. Categories of Personal Data Processed
3.1 Account and User Data (Controller capacity)
- Name and email address provided during registration.
- Organisation name, team members invited and their roles.
- Authentication credentials (passwords stored as bcrypt hashes - never in plain text).
- Account preferences and settings.
- Timestamps of login events and session activity for security purposes.
3.2 Lead and Contact Data (Processor capacity)
- Business contact details of third-party leads discovered or uploaded by the Customer (name, job title, company, business email address, LinkedIn profile, phone number where provided).
- AI-enriched profile data generated from publicly available information (company description, domain, industry category).
- Email sequences drafted by AI agents for the Customer's review and approval.
3.3 Email Engagement Data
- Email open events, link click events, and reply tracking data, collected via tracking pixels and signed redirect URLs embedded in sent emails.
- Bounce and delivery status received from the Customer's SMTP infrastructure.
3.4 Technical and Log Data
- IP addresses, browser type, and device information for security monitoring.
- API call logs and error logs for debugging and platform reliability.
4. Legal Bases for Processing
Contract performance (Art. 6(1)(b) GDPR)
Processing account and user data to provide the Service under our Terms of Service.
Legitimate interests (Art. 6(1)(f) GDPR)
Security monitoring, fraud prevention, platform stability, analytics to improve the Service, and direct marketing to existing Customers about related products and features. Our legitimate interests do not override your rights and freedoms.
Legal obligation (Art. 6(1)(c) GDPR)
Processing required to comply with applicable Polish and EU law (e.g. tax record-keeping obligations).
Consent (Art. 6(1)(a) GDPR)
Where we rely on consent (e.g. optional analytics cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.
5. Sub-processors and Third-Party Recipients
To deliver the Service, we share personal data with the following categories of sub-processors under appropriate data processing agreements:
| Sub-processor / Category | Purpose | Location |
|---|---|---|
| Anthropic (Claude AI) | AI text generation - lead enrichment and email drafting | USA (SCCs) |
| Resend (email infrastructure) | Transactional email delivery (account notifications) | USA (SCCs) |
| Google (Places API) | Business discovery and lead sourcing | USA (SCCs) |
| Voyage AI | Vector embeddings for semantic search and AI enrichment | USA (SCCs) |
| Railway (cloud hosting) | Database and worker infrastructure hosting | USA (SCCs) |
| Vercel (cloud hosting) | Web application hosting and edge delivery | USA / EU (SCCs) |
SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914), the lawful transfer mechanism for international data transfers to third countries not covered by an adequacy decision.
We do not sell personal data to third parties.
6. Data Retention
- Account data: retained for the duration of the account and for up to 5 years after account closure for legal and tax record-keeping purposes under Polish accounting law (ustawa o rachunkowości).
- Lead and contact data: retained for the duration of the Customer's subscription and deleted within 90 days of account termination, unless the Customer requests earlier deletion.
- Email engagement data: retained for up to 24 months from the date of collection for campaign analytics, then aggregated or deleted.
- Security and audit logs: retained for up to 12 months.
7. Your Rights as a Data Subject
Where BuildFlow acts as Data Controller, you have the following rights under GDPR:
- Right of access (Art. 15): Request a copy of personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data where no legal retention obligation applies.
- Right to restriction (Art. 18): Request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including for direct marketing.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without detriment.
To exercise any of these rights, please contact us at support@myleadteam.com. We will respond within 30 days. Identity verification may be required before we can process your request.
If you are a lead or contact whose data has been uploaded by one of our Customers and you wish to exercise your data subject rights, please contact the Customer organisation that collected your data, as they act as the Data Controller for that data.
8. International Data Transfers
Some personal data is transferred to sub-processors located in the United States, which is not subject to an EU adequacy decision. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914). You may obtain a copy of the relevant safeguards by contacting us at support@myleadteam.com.
9. Security Measures
We implement appropriate technical and organisational measures to protect personal data, including:
- Passwords hashed with bcrypt (cost factor 12+).
- SMTP credentials encrypted with AES-256-GCM at rest.
- All data in transit protected by TLS/HTTPS.
- Row-level access controls ensuring tenant data isolation.
- Audit logging of significant platform events.
No transmission over the internet is 100% secure. In the event of a personal data breach likely to result in a high risk to your rights, we will notify you and the relevant supervisory authority as required by GDPR Art. 33-34.
10. Supervisory Authority and Right to Lodge a Complaint
You have the right to lodge a complaint with the Polish supervisory authority for data protection:
Urząd Ochrony Danych Osobowych (UODO)
Stawki 2, 00-193 Warsaw, Poland
Website: uodo.gov.pl
Phone: +48 22 531 03 00
You may also lodge a complaint with the supervisory authority of your EU member state of habitual residence.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered account holders at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For privacy-related questions, data subject requests, or concerns: