Privacy Policy

APLEADS is committed to protecting your personal data in accordance with UK GDPR and applicable data protection laws.

1. Who We Are and What We Do

APLEADS is operated by Alix Pardoe, a sole trader registered in England.

Contact: hello@apleads.co

APLEADS builds agentic website infrastructure for UK service businesses — the free Agentic Readiness audit, flagship builds, and catalog modules — using a modern owned stack (Next.js, Vercel, Supabase, GitHub) to help businesses read demand, route buyers, and capture signal.

2. Data Controller and Processor

APLEADS (Alix Pardoe) is the Data Controller for website visitor analytics, customer contact information, and prospect outreach records.

For build and managed-support customers: The Customer is the Data Controller. APLEADS is a Data Processor on behalf of the Customer. Customer data is processed solely to deliver the contracted service.

Data Protection Officer: APLEADS is a micro-organisation (sole trader with limited employees). A Data Protection Officer is not required under UK GDPR Article 37. For all data protection queries and rights requests, contact hello@apleads.co.

3. What Data We Collect

3.1 Website Visitors

When you visit the APLEADS website we always process a hashed, non-reversible form of your IP address and browser/user-agent for security, bot-detection and rate-limiting of the Agentic Readiness audit. We do not store your raw IP address or user-agent.

If — and only if — you accept the “Analytics” cookie tier, we additionally capture first-party behavioural signals about your visit: pages viewed, scroll depth, time on page, audit usage and form starts, and referrer/campaign (UTM) source. These are linked to two first-party identifiers we generate (a short-lived session ID and a visitor ID stored for up to 180 days) so we can recognise a return visit. We do not use third-party or cross-site tracking. If you do not consent, none of this behavioural capture runs.

No directly identifying information (name, email, phone) is collected unless you voluntarily submit a contact form or run the audit with your email.

3.2 Customers and Prospects

When you engage with APLEADS, we collect: full name, email address, phone number, business name and details, industry/sector, location/service area, payment information (processed securely via Stripe), and communication history.

3.3 Build and Managed-Support Customers

We additionally process the data held in the infrastructure we build on your accounts (contacts, captured signal, pipeline, automations, conversations) — this is owned by you and processed by us on your behalf.

4. Why We Collect This Data (Legal Basis)

Website Analytics & Behavioural Signals: Legal Basis: Consent (UK GDPR Article 6(1)(a)) and PECR. Where you accept the Analytics cookie tier, we capture the first-party behavioural signals described in §3.1 to understand demand and to score the intent of your visit (see §12). You can withdraw consent at any time via “Cookie preferences” in the footer, which stops capture and deletes the visitor identifier. Security, bot-detection and rate-limiting of the audit (using only a hashed IP/user-agent) rely on Legitimate Interest (Article 6(1)(f)).

Customer Account Data: Legal Basis: Performance of Contract (GDPR Article 6(1)(b)). We collect name, email, phone, business details, and usage data to set up your account, deliver the contracted service, provide support, and process payments.

Prospect Outreach Data (B2B Lead Capture): Legal Basis: Legitimate Interest (GDPR Article 6(1)(f)). APLEADS contacts UK service businesses with information about relevant services. This is B2B commercial outreach where contact details are typically sourced from public business directories or LinkedIn. Prospects may opt out at any time.

Payment Information: Legal Basis: Performance of Contract (GDPR Article 6(1)(b)). Payment processing is necessary to fulfil the customer contract. Payment data is processed by Stripe (PCI DSS compliant); APLEADS does not store card data directly.

Marketing Communications (if opted in): Legal Basis: Consent (GDPR Article 6(1)(a)). We send service updates and educational content only to those who have opted in or are existing customers. You may withdraw consent at any time by unsubscribing.

5. How We Use Your Data

• Service Delivery (Lawful Basis: Contract) — Set up and manage your account, deliver contracted services, provide technical support, and manage access.
• Communication (Lawful Basis: Contract / Legitimate Interest) — Send service updates, security notifications, billing confirmations, and responses to support inquiries.
• Payment and Invoicing (Lawful Basis: Contract) — Process payments securely via Stripe, issue invoices, receipts, and accounting records for tax purposes.
• Business Development (Lawful Basis: Legitimate Interest) — Contact prospects with information about APLEADS services and relevant case studies. You may object to this processing at any time.
• Analytics and Service Improvement (Lawful Basis: Legitimate Interest) — Analyse website usage patterns to improve service design and user experience.
• Legal and Tax Compliance (Lawful Basis: Legal Obligation / Legitimate Interest) — Comply with UK tax reporting (HM Revenue & Customs), maintain records as required by law, prevent fraud, and enforce our terms of service.

6. Data Retention Periods

Website Visitor Signals (consent-based): First-party behavioural events and sessions that do not result in an enquiry are retained for 90 days, then deleted. Where a session is linked to a lead or enquiry, it follows the Prospect/Lead retention below. If you withdraw consent, capture stops and the visitor identifier is deleted; a minimal record that you opted out is kept so we can continue to honour it.

Customer Account Data (Service Delivery): Active customers: Retained for the duration of the service plus 2 years after account termination to fulfil legal obligations and contractual requirements (audit trails, dispute resolution). Terminated customers: Retained for 2 years post-termination.

Payment Records and Invoices: Retained for 7 years from the date of transaction (required by UK tax law under the Income Tax Act 1998 and HM Revenue & Customs requirements).

Prospect/Lead Data (B2B Outreach): Retained for 2 years from the date of last contact. Prospects may request deletion at any time by emailing hello@apleads.co.

Cookies and Tracking Data: The cookie-preference cookie is retained for 1 year. The first-party visitor identifier (set only with Analytics consent) is retained for up to 180 days. Session identifiers and session cookies are short-lived and cleared when you close your browser or withdraw consent.

Build and Managed-Support Customer Data: Retained for the duration of the active service agreement. Upon service termination, the customer receives a complete data export within 30 days. Data is then deleted from APLEADS’ systems within 60 days of termination (excluding payment records retained per tax requirements). Where the build runs on the customer’s own accounts, the data remains under the customer’s control.

Right to Deletion: Where legally permitted, you may request deletion sooner. Some data must be retained to comply with legal obligations (tax records, contractual dispute resolution).

7. Data Processors and International Transfers

Processors and Data Controllers: APLEADS uses third-party service providers (Data Processors) under Data Processing Agreements to deliver services:

International Data Transfers:

• EU Processing (Adequacy Decision): Supabase stores customer data in the EU (Dublin, Ireland). The UK has an Adequacy Decision with the EU, enabling transfers without additional safeguards.
• US Transfers (Standard Contractual Clauses): Vercel, GitHub, Stripe, Resend, and Cloudflare operate in the US. Data transfers are governed by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office. SCCs ensure data protection equivalent to UK GDPR standards even in jurisdictions without formal data protection equivalence.
• Adequacy Decision Reliance: Where available, we rely on the UK Government’s adequacy assessments of data protection laws in receiving countries.

Data Sharing Policy: APLEADS does NOT sell, share, or disclose personal data to third parties for marketing, advertising, or commercial purposes outside of contractual service delivery.

8. Your Data Protection Rights (UK GDPR)

Under UK GDPR, you have the right to:

• Right of Access: Request a copy of all personal data APLEADS holds about you. Response time: 30 days.
• Right of Rectification: Request that inaccurate data be corrected.
• Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data, subject to legal requirements (tax records must be retained for 7 years).
• Right to Restrict Processing: Limit how your data is used.
• Right to Object: Object to direct marketing, legitimate interest processing, or automated decision-making.
• Right to Data Portability: Request your data in a portable format (CSV).

For all requests: email hello@apleads.co with the relevant subject line. Response within 30 days.

9. Data Security

APLEADS takes data security seriously:

• All customer data is stored securely in Supabase (SOC 2 compliant) or in the customer’s own access-controlled accounts
• Payment data is processed via Stripe (PCI DSS compliant); card data is not stored by APLEADS
• Access to customer data is restricted to Alix Pardoe and any contracted service providers
• Data is encrypted in transit (HTTPS) and at rest
• Regular backups are maintained

No system is 100% secure. APLEADS cannot guarantee absolute security but commits to industry-standard protections.

10. International Data Transfers and Safeguards

Transfer Mechanisms and Legal Framework: APLEADS has implemented appropriate safeguards for all international data transfers:

• EU/EEA Transfers: Supabase (Ireland) — Protected by UK-EU Adequacy Decision. No additional safeguards required.
• US Transfers: Vercel, GitHub, Stripe, Resend, Cloudflare — All transfers are governed by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office. SCCs ensure contractual guarantees of data protection standards equivalent to UK GDPR, even in the absence of a formal adequacy decision.
• Supplementary Measures: Where necessary, additional technical and organisational safeguards are implemented (encryption, access controls, sub-processor restrictions).

Your Rights: You have the right to request a copy of the safeguards in place for your data transfers. Contact hello@apleads.co for details.

11. Cookies and Analytics

By default, the APLEADS website uses only essential cookies and local storage, plus the bot-detection cookies set by Cloudflare Turnstile. With your consent — the “Analytics” tier of our cookie banner, which is off until you choose it — we also run first-party, privacy-respecting analytics: Vercel Analytics and our own behavioural signal capture (see §3.1). These set no third-party advertising cookies and perform no cross-site tracking. You can accept, decline or withdraw at any time via “Cookie preferences” in the footer. See our Cookie & Storage Policy for the full cookie list.

12. Automated Decision-Making and Profiling

Intent profiling (with consent): Where you accept the Analytics cookie tier, APLEADS scores the intent of your visit from the behavioural signals in §3.1 — an automated estimate of how likely a visit reflects a genuine prospective buyer. This is profiling under UK GDPR, carried out on the basis of your consent.

No legal or similarly significant effect (Article 22): This profiling does NOT produce legal or similarly significant effects on you. Its only effect is to vary which call-to-action, proof or section the website emphasises, and the order in which content appears. It never changes prices, never determines whether you can access a service or on what terms, and never makes any decision about an individual account. All commercial and account decisions are made by Alix Pardoe or staff with human oversight.

Audit Processing: The Agentic Readiness audit scores the public content of a URL you submit. It does not make decisions about individuals; it produces an indicative report about a website.

Your controls: You can decline or withdraw Analytics consent at any time via “Cookie preferences” in the footer, which stops scoring and deletes the visitor identifier. You may also object to this processing or request human review by contacting hello@apleads.co.

13. Marketing Communications

If you engage with APLEADS, you may receive service updates, security notifications, and educational content about agentic websites and answer- engine readiness. You may unsubscribe at any time by clicking “Unsubscribe” in any email or emailing hello@apleads.co. All emails will cease within 3 business days.

14. Complaints and Contact

For any data protection requests, questions, or complaints:
hello@apleads.co — Response within 30 days.

APLEADS is registered with the UK Information Commissioner’s Office (ICO). Registration number: [INSERT ICO REGISTRATION NUMBER]. Verify at ico.org.uk/registration.

If you believe APLEADS has violated your data protection rights, you may lodge a complaint with the ICO:

ICO · Wycliffe House · Water Lane · Wilmslow · Cheshire SK9 5AF
Phone: 0303 123 1113 · Website: www.ico.org.uk

By using APLEADS’ services or website, you confirm you have read and understood this Privacy Policy.

Questions? hello@apleads.co