Privacy Policy

Last updated: 08 January 2026

This Privacy Policy explains how we process personal data when you

  • visit our website,
  • create an account, or
  • use our SaaS platform 36leads (AI‑powered LinkedIn content & lead‑generation automation).

Note: This Privacy Policy is tailored to 36leads Soziev / 36leads. Certain details may evolve as our product and service providers change.

1. Controller

36leads Soziev (sole proprietorship)
Owner: Stanislav Soziev
Earhart‑Strasse 8, 8152 Opfikon, Canton Zurich, Switzerland
Email: info@36leads.io
Website: www.36leads.io

Privacy contact: info@36leads.io

EU Representative (Article 27 GDPR):

Vadim Soziev
Schrambergerstrasse 3, 78056 Villingen‑Schwenningen, Germany
Email: info@36leads.io

UK Representative (UK GDPR):

We are based in Switzerland. If we are required under applicable law to appoint a UK representative, we will publish the representative’s contact details here.

2. Scope

This Privacy Policy applies to the website www.36leads.io and to the 36leads platform (web app), including all features (post generator, scheduling/publishing, ICP setup, lead finder, connection engine, lead scanning, icebreaker generation, conversation autopilot, engagement automation).

We offer 36leads worldwide. Depending on your place of residence/location, additional local data protection laws may apply (e.g., GDPR/UK GDPR).

3. Roles: who is responsible for what?

Depending on the context, different roles may apply:

Website & account administration:

We typically act as the controller.

Processing your leads/contacts data (e.g., LinkedIn target persons):

In general, you and/or your company act as the controller and we act as a processor, because we process such data only on your instructions within the platform.

This also applies if you enable enrichment and we (based on your settings) involve external data providers; depending on the provider model, these may act as our sub‑processors/recipients or as independent controllers.

If you provide us with third‑party data (e.g., prospect data), you are responsible for having a valid legal basis and—where required—informing data subjects.

4. What data do we process?

4.1 Website usage (server log files)

When you access our website, we process technically necessary data, e.g.:

  • IP address (possibly shortened),
  • date/time of access,
  • accessed pages/files,
  • referrer URL,
  • browser/device information,
  • operating system,
  • status codes.

Purpose: delivery of the website, stability/security, troubleshooting, prevention/detection of abuse and fraud.

4.2 Contact

If you contact us (e.g., by email), we process the data you provide (e.g., name, email address, message, company details) to handle your request.

4.3 Registration, login & account

When creating and using an account, we may process, for example:

  • master data (name, email, company, role),
  • authentication data (e.g., session tokens),
  • security/abuse data (e.g., technical signals for bot/spam prevention),
  • optional SSO data (e.g., GitHub OAuth, if used),
  • billing and invoicing data for paid plans (e.g., billing address, country, VAT ID, payment status, transaction/invoice numbers, subscribed plan),
  • contract/subscription data (e.g., term/billing interval, subscription status, renewal, cancellation/end date).

Authentication: We use Clerk for login and session management.

CAPTCHA/bot protection: We use a CAPTCHA (e.g., hCaptcha) to prevent abuse.

Payments: 36leads is subscription‑based (recurring billing; typically cancellable monthly). Depending on region/plan, payments are processed via Stripe or Paddle. Payment credentials (e.g., card/bank details) are typically processed directly by the payment provider; we usually receive information such as payment status, invoice details and transaction identifiers.

More information is available in the payment providers’ privacy notices:
Stripe: https://stripe.com/privacy
Paddle: https://www.paddle.com/legal/privacy

4.4 Platform usage data (36leads)

Depending on the features you use, we process in particular:

  • content inputs (raw ideas, notes, briefs, topics),
  • generated content (posts, hooks, variants),
  • planning data (schedule times, status, approvals, feedback),
  • ICP definitions (ideal customer profile, criteria),
  • lead lists/selections within the platform,
  • communication content (e.g., icebreaker texts, message templates, conversation history where enabled),
  • engagement content (e.g., comment suggestions),
  • usage/event data (e.g., which features were used, technical diagnostic data).

4.5 LinkedIn data

To enable LinkedIn automations, we may process—depending on your setup—data from your LinkedIn account and from LinkedIn interfaces/endpoints, e.g.:

  • your LinkedIn profile data (name, profile URL, professional details),
  • content you want to post or schedule,
  • target persons/leads (e.g., name, title, company, profile URL, publicly available profile info),
  • publicly visible posts/interactions of target persons (for context),
  • connection status (e.g., invite sent/accepted),
  • messages/replies, if you enable conversation features.

Connection via Unipile: When you connect your LinkedIn account, 36leads opens a separate Unipile window/tab. Your LinkedIn login credentials are entered directly with Unipile; we do not receive your LinkedIn password. Unipile also states that it does not store user login credentials, but may store, among other things, message content and account settings of connected accounts on its systems.

Note: We are not affiliated with, endorsed by, or authorized by LinkedIn unless explicitly stated otherwise.

4.6 External data sources & enrichment

For lead scoring, segmentation and personalization, we may—depending on your settings—use data from external B2B databases and publicly available sources (“enrichment”). This may include, for example:

  • company and role information (e.g., company, title, industry),
  • contact/identification data (e.g., email address or company domain, where available). Where technically available through data sources, this may also include the email address stored in a LinkedIn account (often a personal email address). We currently do not disclose such email addresses to our customers,
  • firmographics/signals (e.g., size, location, tech stack signals),
  • references/links (e.g., website URLs, profile URLs).

No phone numbers: As of today, we do not process phone numbers as part of enrichment.

4.7 Uploads (images, files, contact lists)

Users can upload content, in particular:

  • images/files (e.g., for LinkedIn posts),
  • contact/lead lists (e.g., CSV/file formats) so that 36leads can process those contacts within your campaigns/workflows.

5. Purposes & legal bases

We process personal data for the following purposes:

Providing the website & platform (operations, security, support)

Legal basis (where applicable): performance of a contract and/or our legitimate interests.

Pre‑contractual steps & contract performance (account, subscription administration, billing, service delivery)

Legal basis (where applicable): performance of a contract.

Communication (support, product/service information, status messages)

Legal basis (where applicable): performance of a contract and/or our legitimate interests.

Product improvement & troubleshooting (e.g., stability, performance)

Legal basis (where applicable): our legitimate interests.

Consent‑based processing (e.g., optional tracking/marketing)

Legal basis (where applicable): your consent (you can withdraw at any time).

Legitimate interests: Where we rely on legitimate interests, these include in particular: IT security, fraud/abuse prevention, stability/operations, and product improvement.

Requirement to provide data: Providing certain data is required to enter into and perform the contract (e.g., account data and billing/invoicing data). If you do not provide such data, we may not be able to provide the platform or bill paid services. Mandatory statutory retention obligations (e.g., tax/accounting records) remain unaffected.

6. Cookies & similar technologies

We use cookies and similar technologies.

  • Essential cookies: required for login, security and basic functionality.
  • Optional cookies/tools (if used): e.g., analytics, marketing.

If we use optional cookies/tools, we will generally do so only with your consent via a cookie banner/settings.

Cookie settings: At present, we use only essential cookies (e.g., for login/security) and no analytics or marketing cookies. If we introduce optional cookies/tools in the future, we will provide an appropriate consent banner and settings.

7. AI features & “human‑in‑the‑loop”

36leads uses AI to generate content (posts, comments, icebreakers) and support workflows.

  • Input: For hyper‑personalization—depending on the features you activate—all data we process in the platform about you and prospects/leads may be included in AI prompts (e.g., raw inputs, ICP criteria, LinkedIn profile/post information, connection/campaign status and—if enabled—conversation content).
  • Output: AI‑generated texts/variants (e.g., posts, comments, icebreakers, reply suggestions).
  • Storage: AI outputs and (where used) relevant conversation/workflow data are stored in 36leads so you can review, edit and (depending on settings) approve them. A general opt‑out from this storage is currently not available, because core platform functions would otherwise not work.

7.1 External AI providers (where used)

Where we use external AI providers, we transmit only the data required for the respective feature. Depending on provider/region, international transfers may occur (see Section 10).

AI providers: OpenAI (direct API use) and OpenRouter (aggregator; depending on the selected model, providers/models such as Google Gemini may be used via OpenRouter).

7.2 Training of general AI models

We do not use customer data to train general AI models unless you explicitly agree.

As of today, we use OpenAI (direct) in such a way that inputs/outputs are not used to train general models (“no training by default”). OpenAI may retain certain content for a limited time for safety/abuse purposes (e.g., abuse monitoring).

If we use AI via OpenRouter:

  • OpenRouter states that it does not store prompts/responses unless prompt logging is enabled in OpenRouter settings.
  • Connected model providers (depending on model/endpoint) may apply their own logging/retention rules; OpenRouter publishes provider policies and offers control mechanisms (e.g., choosing providers based on data policies).
  • Optionally, OpenRouter can be configured to use only Zero Data Retention (ZDR)‑capable providers/endpoints.

Important: Models such as “Gemini” are currently not sourced directly from Google by us; where selected, they are used via OpenRouter. The specific data processing therefore depends on OpenRouter and the chosen provider/endpoint.

8. Automated decision‑making / profiling

36leads can create automated suggestions (e.g., prioritizing target persons, text/comment suggestions) and—depending on your configuration—execute automations (e.g., sending connection requests, messages or comments). These processes are designed to provide assistance and follow your settings (e.g., review mode with approval vs. full automation).

Where an automated individual decision within the meaning of applicable law would apply, we provide appropriate options to request human review or influence the processing (e.g., review mode, stop criteria, safe limits).

9. Recipients & service providers

We use carefully selected service providers (hosting, infrastructure, storage, payments, and—where applicable—communications). These providers process data on our behalf and under our instructions.

Current categories/service providers (excerpt):

  • Hosting/platform operations: Railway (region: Amsterdam, Netherlands)
  • CDN/WAF & DDoS protection (via hosting platform): Cloudflare (via Railway)
  • Authentication/identity & session management: Clerk
  • CAPTCHA/bot protection: hCaptcha
  • Database/backend & storage: Supabase (region: EU; e.g., Frankfurt)
  • Uploads / image CDN: ImageKit (delivery/optimization of images)
  • LinkedIn account connection / messaging infrastructure: Unipile
  • Payments: Stripe (Switzerland; EU & Northern Ireland for B2B) and Paddle (e.g., other regions and/or B2C). Payment providers typically process payment data as independent controllers (e.g., payment processing, fraud prevention, compliance).
  • AI providers: OpenAI (direct) and OpenRouter (including any integrated model providers/models, e.g., Google Gemini)
  • Data providers / enrichment: providers of B2B databases and web/data services for enriching lead/company data (no phone numbers).
  • Analytics: none
  • Support chat: none

We may add additional service providers (e.g., email delivery, support ticketing) as our setup evolves.

10. International data transfers

We are based in Switzerland and offer the platform worldwide. Depending on features and service providers, personal data may be transferred to countries outside Switzerland/the EEA (e.g., via LinkedIn, AI providers, or payment providers).

In particular, transfers to the United States may occur (e.g., in connection with OpenAI, Cloudflare, Stripe/Paddle, or OpenRouter/integrated model providers—depending on configuration and routing).

Where we transfer data internationally, we implement appropriate safeguards where required, such as:

  • adequacy decisions,
  • Standard Contractual Clauses (SCCs), and/or
  • additional technical and organizational measures (e.g., access restrictions, encryption, minimization).

Note: When using AI via OpenRouter, transfer and retention rules can differ depending on the selected model/provider.

11. Retention

We store personal data only for as long as necessary for the respective purposes, in particular:

  • Account data: as long as your account exists; you can currently request account deletion by email to info@36leads.io.
  • State‑of‑the‑art deletion approach (target): after a confirmed deletion request, we deactivate the account and delete or anonymize production customer data generally within 30 days, unless statutory retention obligations apply. Backup data is deleted as part of regular overwrite cycles (typically within a maximum of 90 days).
  • Trial: if you use a trial (currently typically 7 days, limited), the same principles apply to account/usage data as for regular accounts.
  • Content/automation data: for as long as you keep it in the platform or until you delete it, or as agreed.
  • Messages/conversation history: stored in the platform and visible to you; generally for as long as your account exists or until you delete content.
  • Uploads (images/files) & imported contact lists: for as long as your account exists or until you delete them.
  • Support communications: as long as needed for handling and documentation.
  • Server logs: generally stored for 30 days, unless security incidents require longer retention.
  • Statutory retention obligations: where applicable, retention as required by law (e.g., tax/accounting records).

12. Your rights

Depending on applicable law, you may have the following rights, in particular:

  • access to your personal data,
  • rectification,
  • deletion (where no retention obligation applies),
  • restriction of processing,
  • data portability (where applicable),
  • objection to processing based on legitimate interests (where applicable),
  • withdrawal of consent (effective for the future).

Account deletion: You can currently request deletion of your 36leads account by email.

Right to complain: You may have the right to lodge a complaint with a competent data protection authority.

Contact for rights requests: info@36leads.io

Identity verification: To protect your data, we may request reasonable information to verify your identity before processing a request (e.g., a reply from the email address linked to the account or additional proof), where there is doubt about identity.

Note for prospect/lead data processed on behalf of our customers: please contact the company that contacted you (our customer) in the first instance. We support our customers within our contractual obligations.

13. Data security

We implement appropriate technical and organizational measures to protect data, including:

  • Authentication & access control: login/sessions via Clerk; global access controls (middleware) for app/API routes.
  • Data isolation: Supabase row‑level security (RLS) for strict separation of data by organization/workspace.
  • Input validation: validation of inputs/responses (e.g., using Zod).
  • Transport security: encrypted transmission via HTTPS/TLS.
  • Secret management: API keys/secrets are stored in environment variables and not hard‑coded.
  • Abuse protection: CAPTCHA/bot protection.
  • Admin access: Employees with administrative permissions may access customer data to the extent necessary for operations, security, support and troubleshooting. There are no external third parties with admin access to the platform.

14. Changes to this Privacy Policy

We may update this Privacy Policy if laws, the product or service providers change. The current version is available on our website under “Privacy Policy”.