Privacy Policy

Last updated: May 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection laws is:
Deimann Com GmbH
Randstraße 75, 22525 Hamburg
Germany
Phone: upon request
Email: info@leadscraper.de
Managing Director: Janik Deimann

2. Contact for data protection matters

A data protection officer has not been appointed, as the legal requirements under Art. 37 GDPR and § 38 BDSG are not met. For questions regarding data protection or the exercise of your data subject rights, please contact:
datenschutz@leadscraper.de

3. Scope of this Privacy Policy

This Privacy Policy describes two separate processing contexts:

  • Section A: The processing of data relating to users of our website and platform (customers, prospects, website visitors).
  • Section B: The processing of business-related data of third parties that we collect from publicly accessible sources as part of our B2B lead research service and make available to our customers.

Information on the use of cookies and tracking technologies can be found in our separate Cookie Policy.

A. Processing in connection with the operation of the platform and website

A.1 Accessing the website and server log files

Each time our website is accessed, technically necessary data is processed (IP address, date and time, requested resource, browser type, referrer). The processing is carried out on the basis of Art. 6(1)(f) GDPR for the purpose of providing, maintaining the stability of and securing the website. Server log files are deleted after a maximum of 30 days unless security-related incidents require longer storage.

A.2 Registration and use of the platform

Use of our platform at app.leadscraper.de requires registration. In this context, we process: name, business email address, password (encrypted), company data, billing data and usage behaviour within the platform. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and, for supplementary analyses to improve the product, Art. 6(1)(f) GDPR. Account data is deleted up to 12 months after the end of the contract; statutory retention obligations, in particular § 147 AO and § 257 HGB — 6 or 10 years for invoice and business records — remain unaffected.

A.3 Payment processing

Payment processing is carried out via Stripe Payments Europe Ltd. (Ireland). Stripe processes payment data as an independent controller; we only receive confirmations of successful transactions and data required for invoicing. Legal basis: Art. 6(1)(b) GDPR. Stripe’s privacy information: stripe.com/de/privacy.

A.4 Cookies and tracking

We use technically necessary cookies (session management, login). These are required for the platform to function; the legal basis is § 25(2) no. 2 TDDDG. Optional analytics and marketing cookies are only set on the basis of your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). Details of the tools used, their providers, purposes, storage periods and any transfers to third countries can be found in our Cookie Policy.

B. Processing of business-related data of third parties (lead research)

B.1 Subject matter of the processing

As part of our B2B lead research service, we collect and process personal data that relates to a professional context. We expressly point out that business contact data (e.g. business email addresses, names of managing directors or sales managers) is also personal data within the meaning of Art. 4 no. 1 GDPR and is fully subject to the GDPR.

In particular, the following data is processed:

  • company name, address, website, industry and size classification
  • first and last names of persons in a business function (e.g. management, sales, marketing)
  • business contact details (business email address, business phone number)
  • professional position

B.2 Source of the data

All data is obtained exclusively from publicly accessible sources, in particular:

  • company websites and legal notices / impressums
  • public industry and company directories
  • public registers (e.g. commercial registers)
  • map services with publicly available business information

We do not collect data from sources whose terms of use prohibit automated data collection.

B.3 Purposes of the processing

We collect, structure, verify, enrich and make the above-mentioned data available to our business customers so that they can use the data, under their own responsibility, for B2B business development towards the relevant companies.

B.4 Legal basis and balancing of interests (legitimate interest)

The legal basis for the processing is Art. 6(1)(f) GDPR. The processing is based on a balancing of interests carried out by us and documented in writing (Legitimate Interest Assessment). The key considerations can be summarised as follows:

(1) Legitimate interests pursued. Our legitimate interest consists in providing a tool that enables business customers to identify potential business partners in a structured manner using publicly accessible sources. This is a processing purpose expressly recognised in Recital 47 sentence 2 GDPR (direct marketing in the broader sense in the context of B2B business development). The interest of our customers in obtaining information about potential business partners before contacting them is also to be recognised as a legitimate third-party interest within the meaning of Art. 6(1)(f) GDPR.

(2) Necessity. The processing is limited to data necessary to identify a company and its business contact person. No further data is processed, in particular no private data, no special categories of data within the meaning of Art. 9 GDPR and no analysis aimed at profiling. No data from the private sphere of the data subjects is collected or linked with professional data.

(3) Balancing against the interests of the data subjects. The data subjects appear exclusively in their professional capacity. The processed data was actively published in business dealings by the data subjects or their companies — typically in the legal notice of the company website, in industry or commercial registers or in public business directories — and was therefore made accessible precisely for the purpose of being reachable for business contact. Data subjects must therefore reasonably expect, within the meaning of Recital 47 GDPR, that this data may be used for the purpose of business contact. The level of interference is low: there is no profiling, no tracking, no linking with private data and no automated individual decision-making. Data subjects may object to the processing at any time pursuant to Art. 21 GDPR.

(4) Safeguards. We have implemented technical and organisational measures to protect the rights of data subjects, in particular: limitation to publicly accessible sources, regular updating and deletion of outdated datasets (see B.7), provision of public lead-specific information pursuant to Art. 14 GDPR (see B.6), contractual obligation of customers to independently verify the lawfulness of each contact attempt, and a simple and directly effective objection process.

As a result, our interests and those of our customers outweigh the interests or fundamental rights and freedoms of the data subjects that require the protection of personal data. The balancing of interests is reviewed regularly. A summary of the balancing of interests can be requested upon reasoned request at datenschutz@leadscraper.de.

B.5 Responsibility and data flow

We and our customers are each separate controllers within the meaning of Art. 4 no. 7 GDPR. Joint controllership pursuant to Art. 26 GDPR or processing on behalf pursuant to Art. 28 GDPR expressly does not exist.

  • Deimann Com GmbH is the controller for the collection, preparation and provision of the data within the platform.
  • Upon transmission of the data to the customer, the customer becomes an independent controller for any further processing, in particular for contacting the data subjects.

The customer is obliged to independently verify whether and on what legal basis a specific contact attempt may be carried out in accordance with data protection and competition law, in particular § 7 UWG. Deimann Com GmbH assumes no responsibility and provides no warranty that a contact attempt initiated by the customer is lawful.

B.6 Information of data subjects (Art. 14 GDPR)

We do not collect the data directly from the data subjects, but from publicly accessible sources. We fulfil our information obligation under Art. 14 GDPR as follows:

  • At www.leadscraper.de/lead-information, we permanently provide publicly accessible lead-specific privacy information containing all mandatory information under Art. 14(1) and Art. 14(2) GDPR.
  • We contractually oblige our customers to indicate the source of the data when first making business contact with a data subject, unless this is already apparent from the communication itself.
  • Where individual information to data subjects would involve disproportionate effort (Art. 14(5)(b) GDPR), we fulfil the information obligation through the public provision described above.

Upon direct request by a data subject, we provide individual information and correct or delete the data within the statutory deadlines.

B.7 Storage period

Lead datasets are regularly reviewed for accuracy and currency. Datasets that have not been updated or verified for more than 24 months are deleted or anonymised. In the event of an objection by a data subject pursuant to Art. 21 GDPR, deletion will take place without undue delay, at the latest within 30 days of receipt of the objection.

B.8 No automated individual decision-making

No automated individual decision-making with legal effect or similarly significant impact on data subjects within the meaning of Art. 22 GDPR takes place. The automated procedures used serve exclusively to structure, verify and deduplicate datasets.

C. General provisions

C.1 Data security

We take technical and organisational measures pursuant to Art. 32 GDPR to protect personal data against loss, manipulation or unauthorised access. These include in particular: encrypted data transmission (TLS), access restrictions with a role-based concept, storage primarily on servers within the European Union and regular security reviews.

C.2 Processors

We use carefully selected processors with whom a contract pursuant to Art. 28 GDPR has been concluded in each case:

  • Hosting infrastructure: DigitalOcean, LLC, USA — processing in an EU region (Frankfurt). There is a third-country reference at group level; the data processing itself takes place within the EU.
  • Database and backend services: Google Ireland Ltd., Ireland (Firebase / Firestore). Where data processing takes place outside the EU, it is carried out on the basis of the EU-US Data Privacy Framework and supplementary EU Standard Contractual Clauses.
  • Payment service provider: Stripe Payments Europe Ltd., Ireland.

The complete current list of processors can be requested at datenschutz@leadscraper.de.

C.3 Transfers to third countries

Data processing generally takes place within the European Union. Where data is transferred to recipients outside the European Economic Area — in particular in connection with the services of Google (Firebase / Firestore) and DigitalOcean —, this is carried out exclusively on the basis of appropriate safeguards pursuant to Art. 46 GDPR (in particular EU Standard Contractual Clauses) or an adequacy decision pursuant to Art. 45 GDPR. For transfers to the USA, where applicable, we rely on the adequacy decision for the EU-US Data Privacy Framework of 10 July 2023 and supplementary Standard Contractual Clauses.

C.4 Rights of data subjects

Data subjects have the following rights pursuant to Art. 15 et seq. GDPR:

  • right of access to stored personal data (Art. 15 GDPR)
  • right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
  • right to erasure (“right to be forgotten”, Art. 17 GDPR)
  • right to restriction of processing (Art. 18 GDPR)
  • right to data portability (Art. 20 GDPR)
  • right to object to processing based on legitimate interests (Art. 21 GDPR)
  • right to withdraw consent given with effect for the future (Art. 7(3) GDPR)

To exercise these rights, an informal email to datenschutz@leadscraper.de is sufficient.

C.5 Right to lodge a complaint

There is a right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The authority responsible for Deimann Com GmbH is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22, 20459 Hamburg
datenschutz-hamburg.de

C.6 Changes to this Privacy Policy

We reserve the right to adapt this Privacy Policy to changes in the legal situation, technical developments or adjustments to our processing processes. The current version is available on our website at all times.

LeadScraper: AI-powered B2B leads that truly convert. GDPR compliant. Results-driven.

Still have questions? Feel free to contact us at info@leadscraper.uk

Navigation
HomeBenefitsHow it worksIndustries
Knowledge Base
TestimonialsBlogIndustriesFacts
Company
Privacy PolicyCookie PolicyData Subject InformationLegal NoticeTerms
Ask the AI about Leadscraper:
© 2025 LeadScraper – Generate GDPR-compliant B2B Leads with AI Technology. All rights reserved.