Privacy Policy

1. Introduction

This Privacy Policy describes how UnlockMyLead, operated by Amr Hatahet (sole proprietor) based in Istanbul, Turkey ("UnlockMyLead," "we," "us," or "our"), collects, uses, discloses, and protects personal information when you use our platform, website (unlockmylead.com), API, and related services (collectively, the "Service").

This Privacy Policy applies to:

• Customers: Individuals and businesses that subscribe to or use the Service
• End Recipients: Individuals whose contact information is processed through the Service by our Customers
• Website Visitors: Anyone who visits our website
• Sub-Customers: Customers of our White-Label resellers

We comply with applicable data protection laws, including:

• EU General Data Protection Regulation (GDPR) and UK GDPR
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
• Turkey's Personal Data Protection Law (KVKK)
• UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
• Saudi Arabia Personal Data Protection Law (PDPL)
• Canadian PIPEDA
• Australian Privacy Act
• Brazilian LGPD
• And other applicable regulations

By using the Service, you acknowledge you have read and understood this Privacy Policy.

2. Roles Under Data Protection Law

2.1 Two Distinct Roles

Our role under data protection law depends on whose data is involved:

(A) When you, the Customer, use the Service to communicate with End Recipients:

• You are the Data Controller for the End Recipients' data (you decide why and how to contact them)
• We are the Data Processor, processing End Recipient data on your instructions
• Our processing is governed by our Data Processing Agreement (DPA)

(B) When we collect data about you, the Customer, for our own business operations:

• We are the Data Controller for your account information, billing information, and how you use the Service

This Privacy Policy covers both roles. The DPA governs the Processor relationship in detail.

2.2 Customer Responsibility for End Recipients

You, as a Customer using the Service, are solely responsible for:

• Providing privacy notices to End Recipients
• Obtaining required consents (including for AI-generated calls, recording, and data processing)
• Honoring End Recipients' rights requests
• Complying with all applicable data protection laws

We provide tools to help; we do not assume your compliance obligations.

3. Information We Collect

3.1 Information You Provide

Account Information:

• Name, email, phone number, password
• Business name, role, industry
• Billing address, tax ID

Payment Information:

• Processed by Stripe (we don't store full card numbers)
• Last 4 digits, expiration, billing zip retained for reference

Service Configuration:

• Voice scripts, AI prompts, sequences
• Contact lists you upload
• CRM credentials and integrations
• White-label branding (logos, colors, custom domains)

Communications:

• Support tickets and emails
• Survey responses, feedback

3.2 Information We Collect Automatically

Usage Data:

• Login times, IP address, browser type, device type
• Pages viewed, features used, actions taken
• API calls, error logs, performance metrics

Cookies and Tracking:

• Essential cookies (authentication, session management)
• Analytics cookies (with consent where required)
• See our Cookie Policy

3.3 Information We Process on Your Behalf (End Recipient Data)

When you use the Service to contact End Recipients, we process the following data on your behalf:

• Phone numbers and contact identifiers
• Names, emails, addresses (if you provide them)
• Call recordings (audio files)
• Call transcripts (text)
• Conversation metadata (duration, time, outcome, tags)
• Information disclosed by End Recipients during conversations (whatever they say, which may include sensitive information)
• Webhook payloads sent to your CRM

We process this data only as instructed by you, the Customer, per our DPA.

3.4 Information from Third Parties

• Lead discovery providers (B2B contact databases): when you use our lead discovery features
• CRM integrations: when you connect a CRM, we receive data you authorize
• Payment processors: Stripe sends us transaction confirmations
• Service providers: authentication, fraud detection, analytics

3.5 Sensitive Categories

We do not intentionally collect sensitive personal information (health, biometric, religious, sexual orientation, etc.). If you upload sensitive data through scripts or contact lists, you do so at your own risk and confirm you have the legal authority to do so.

4. How We Use Information

4.1 As a Controller (Customer Data)

We process your data to:

• Provide the Service: account creation, authentication, feature delivery
• Process payments: billing, invoicing, fraud prevention
• Communicate with you: transactional emails, service updates, support
• Improve the Service: analytics, debugging, feature development
• Marketing: newsletters, product announcements (you can opt out)
• Security: detect and prevent fraud, abuse, unauthorized access
• Legal compliance: tax records, regulatory requirements
• Enforce our Terms: investigate violations, defend legal claims

4.2 As a Processor (End Recipient Data)

We process End Recipient data only to:

• Place calls, send messages, and execute the communication tasks you initiate
• Generate transcripts and recordings
• Sync results to your CRM
• Provide analytics and reporting back to you
• Comply with legal obligations

We do not:

• Use End Recipient data for our own marketing
• Sell End Recipient data
• Share End Recipient data with other Customers

4.3 Aggregate and Anonymized Data

We may use aggregated, anonymized, or de-identified data (which cannot reasonably identify you or any individual) for any purpose, including improving AI models, benchmarking, research, and product development.

5. Legal Bases for Processing (GDPR / UK GDPR)

We rely on the following legal bases:

For sensitive data processing under Art. 9, we rely on explicit consent or other applicable exceptions.

6. How We Share Information

6.1 We Do Not Sell Personal Information

We do not sell personal information for monetary or other valuable consideration, as defined by CCPA, GDPR, or similar laws.

6.2 Service Providers (Sub-Processors)

We share data with carefully selected service providers who help us deliver the Service. They are bound by data protection agreements and may only use data on our instructions.

Current sub-processors include:

A current list is maintained at: unlockmylead.com/sub-processors (you should consult the live list).

6.3 Other Sharing

We may share information:

• With your consent: when you direct us to (e.g., CRM integration)
• Legal compliance: to comply with laws, court orders, regulators, or government requests
• Protect rights: to enforce Terms, protect against fraud, or protect safety
• Business transfers: in connection with a merger, acquisition, or sale of assets (with notice)
• Aggregated form: anonymized data may be shared freely

6.4 White-Label Resellers

If you are a Sub-Customer of a White-Label reseller, your data may be shared with the reseller as part of the service relationship. Resellers are contractually obligated to protect your data.

7. International Data Transfers

7.1 Data Locations

We primarily store data in the United States (Render, Firebase, third-party AI services). Some sub-processors operate globally.

7.2 Transfer Mechanisms

For transfers from the EU, UK, Switzerland, or other restricted jurisdictions, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) for UK transfers
• Adequacy decisions where applicable
• Your explicit consent for specific transfers
• Other lawful transfer mechanisms

7.3 Onward Transfers

Sub-processors may transfer data further only as permitted by their agreements with us.

8. Data Retention

After retention periods expire, data is deleted or anonymized using industry-standard methods.

9. Your Privacy Rights

9.1 Rights Under GDPR / UK GDPR (EEA, UK)

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase ("right to be forgotten") your data
• Restrict processing
• Data portability in machine-readable format
• Object to processing (including direct marketing)
• Withdraw consent at any time
• Lodge a complaint with your local supervisory authority

9.2 Rights Under CCPA / CPRA (California)

You have the right to:

• Know what data we collect, use, and share
• Delete your personal information
• Correct inaccurate information
• Opt-out of "sales" and "sharing" (we do not sell data)
• Limit use of sensitive personal information
• Non-discrimination for exercising your rights

9.3 Rights Under KVKK (Turkey)

You have the right to:

• Learn whether your data is being processed
• Request information about processing
• Request rectification, erasure, or destruction
• Object to processing leading to adverse outcomes
• Seek compensation for damages

9.4 Rights Under UAE PDPL

You have the right to access, correct, transfer, restrict, and erase your data, subject to applicable exceptions.

9.5 How to Exercise Your Rights

Send a request to privacy@unlockmylead.com. We will respond within the time required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

We may need to verify your identity before responding. Authorized agents may submit requests with proof of authorization.

9.6 End Recipients' Rights

If you are an End Recipient (someone who received a call/message via the Service), please direct rights requests to the Customer who initiated the communication. We will assist the Customer in fulfilling their obligations.

You may also contact us at privacy@unlockmylead.com, and we will forward your request to the Customer.

10. Security

10.1 Security Measures

We implement reasonable technical and organizational measures to protect data, including:

• TLS encryption in transit (HTTPS)
• Encryption at rest for sensitive data (AES-256)
• Hashed and salted passwords (bcrypt)
• Access controls (RBAC, multi-tenant isolation)
• API rate limiting and authentication
• Logging and monitoring
• Regular security reviews

10.2 No Absolute Security

NO SYSTEM IS PERFECTLY SECURE. WE CANNOT GUARANTEE THE ABSOLUTE SECURITY OF YOUR DATA. YOU USE THE SERVICE AT YOUR OWN RISK.

10.3 Breach Notification

If we become aware of a security breach affecting your personal data, we will notify you and applicable authorities as required by law (typically within 72 hours under GDPR).

11. AI and Automated Processing

11.1 AI Voice Generation

The Service uses AI to generate voice content. AI outputs:

• Are based on your scripts and prompts
• May produce errors or inaccuracies
• Are not guaranteed to comply with all applicable laws

11.2 Automated Decision-Making

We do not engage in automated decision-making with legal or significant effects on individuals (under GDPR Art. 22). Customers using the Service must comply with this requirement themselves.

11.3 AI Training

We do not use End Recipient personal data (recordings, transcripts) to train our own AI models without explicit consent. We may use anonymized, aggregated data.

Third-party AI services (Groq, Cartesia, Deepgram) may have their own data practices; consult their privacy policies.

12. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect data from children. If we learn we have collected data from a child, we will delete it.

Customers must not use the Service to contact children.

13. Cookies and Tracking

We use cookies as described in our Cookie Policy, which is incorporated by reference. You can manage cookie preferences through your browser settings or our cookie banner.

14. Marketing Communications

14.1 Existing Customers

We may send service-related communications (which you cannot opt out of while having an active account) and marketing communications (which you can opt out of via unsubscribe links or account settings).

14.2 Prospects

We send marketing only with consent or as permitted by applicable law (e.g., legitimate interest with opt-out for B2B in some jurisdictions).

15. Third-Party Links

Our Service may contain links to third-party sites. This Privacy Policy does not apply to those sites. Review their privacy policies separately.

16. Do Not Track

Some browsers send "Do Not Track" signals. Because there is no industry consensus on how to handle these, we do not currently respond to them. We honor opt-outs through our cookie settings.

17. California-Specific Disclosures

For California residents, in the past 12 months we may have:

• Collected these categories of data: identifiers, commercial information, internet activity, geolocation (approximate), professional information
• Disclosed for business purposes these categories to: service providers, legal advisors, regulators when required
• Sold or shared: None

You can submit CCPA requests to privacy@unlockmylead.com.

We do not knowingly collect or sell personal information of minors under 16.

18. Changes to This Privacy Policy

We may update this Privacy Policy. Material changes will be communicated via email or in-app notice at least 14 days before they take effect. Continued use of the Service constitutes acceptance.

19. Contact Information

• Privacy / Data Protection: privacy@unlockmylead.com
• General: support@unlockmylead.com
• Data Protection Officer: Currently the same contact (will be updated upon company registration)

Supervisory Authorities:

• EU residents: Contact your country's Data Protection Authority. List at edpb.europa.eu.
• UK residents: Information Commissioner's Office (ICO) — ico.org.uk
• Turkey residents: Personal Data Protection Authority (KVKK) — kvkk.gov.tr
• California residents: California Attorney General — oag.ca.gov
• UAE residents: UAE Data Office — uaedataoffice.ae

You have the right to lodge a complaint with the appropriate authority if you believe we have violated your privacy rights.

By using the Service, you confirm you have read and understood this Privacy Policy.