Privacy Policy
Effective date: May 12, 2026 · Last updated: May 12, 2026
This Privacy Policy explains how LeadYup ("we", "us", "our") collects, uses, shares, and protects personal data when you visit leadyup.com, use our cabinet, or when your visitors interact with a LeadYup widget embedded on your website.
1. Who we are
LeadYup is an AI-powered popup-engine SaaS operated by a sole founder (Bootko). We provide tools that website owners embed via a single <script> tag to display popups, capture leads, and route them to delivery channels.
For the purposes of EU GDPR and UK GDPR, we act as data controller for our own account holders' data (your sign-in email, billing info), and as data processor for the lead data captured by widgets you embed on your website (you are the controller of that data).
2. Data we process
2.1 — Account-holder data (you sign up at LeadYup)
- Email address (required for magic-link sign-in)
- Optional display name
- Widget configurations you create (titles, colors, delivery routes)
- Billing identifiers if you subscribe to a paid plan (handled by our payment processor — see §5)
- Server-side logs: IP address, browser user-agent, request timestamps. Retained 30 days.
2.2 — End-visitor data (people who interact with a widget on your site)
- Lead data — exactly the fields your popup form captures (typically email and/or phone, optionally name)
- Session context — current page URL, page title, referrer, UTM parameters (utm_source, utm_medium, utm_campaign), timestamp
- Behavioral signals for ExitSense ML — scroll velocity, dwell time, rage-clicks, mouse trajectory aggregates, tab switches, input-focus state, viewport size. Stored anonymously per-page-bucket — never linked to identifiable visitors.
- Consent record — whether the visitor checked the consent box on the popup, timestamped
⚠ We do not collect IP addresses, browser fingerprints, or any cross-site tracking identifiers from your visitors. Behavioral ML data is aggregated per page-bucket, not per individual.
3. Purposes & legal bases
We process personal data only for these purposes:
- Operate the service — render widgets, capture leads, deliver leads to your configured destinations. Legal basis: contract (for paid users), legitimate interest (for free users).
- Train ML models — improve popup timing using anonymized behavior signals. Legal basis: legitimate interest. No personal data is used for ML training.
- Bill you on paid plans. Legal basis: contract.
- Customer support — respond to your emails to hi@leadyup.com. Legal basis: legitimate interest.
- Compliance — keep records as required by tax / accounting law. Legal basis: legal obligation.
We do not use personal data for behavioral advertising or sell it to data brokers.
4. Controller / processor roles
For lead data captured via widgets you embed, you (the account holder) are the data controller. You are responsible for:
- Having a lawful basis to collect that data (consent, contract, or legitimate interest under GDPR)
- Providing your visitors with a privacy notice (your own privacy policy) explaining how you'll use their data
- Obtaining explicit consent where the law requires it (EU and UK visitors, sensitive categories)
- Responding to data-subject requests (access, deletion, etc.) from your visitors
We process lead data only on your documented instructions as expressed through your widget configuration. We act as a processor under Art. 28 GDPR. A standalone Data Processing Agreement is available on request to privacy@leadyup.com for customers who need one for their own compliance.
5. Who we share data with
We share personal data only with these subprocessors, and only to the extent strictly necessary:
- TimeWeb Cloud (Latvia, EU) — hosting infrastructure. timeweb.cloud
- OpenRouter / Google Gemini — AI copy generation. We send your widget's target page URL plus the page's public HTML content (the same content your readers see). We do not send any lead data to AI providers. OpenRouter privacy
- Lava.top — payment processing for subscriptions. We share your email and billing identifiers; card data is handled by Lava and never touches our servers. lava.top
- Telegram Bot API — when you configure Telegram delivery, lead notifications are sent through @Leadyup_bot.
We also share lead data with the delivery destinations you yourself configure (your own email inbox, Slack workspace, webhook URL, etc.). You control these — we just pass the data through.
We may disclose data if required by a valid court order, subpoena, or other legal process binding on us. We will challenge over-broad demands and notify affected users where legally permitted.
6. International transfers
Our hosting infrastructure is in Latvia (European Union). When delivering leads to channels you configure (e.g. a US-based Slack workspace), data crosses borders to those destinations under your direction. AI-related calls go to OpenRouter (US-based) — covered by Standard Contractual Clauses under Art. 46 GDPR.
EU and UK visitors: your data is subject to EU GDPR protections. The transfer mechanisms used are appropriate under EU adequacy decisions and SCCs where applicable.
7. Retention
- Account email + widget configs — kept while your account is active. Deleted within 30 days after account deletion (except as required for tax law, see below).
- Lead data — kept until you delete it or delete your account. No automatic expiry — you control retention via the cabinet.
- Server logs — 30 days, then auto-purged.
- Behavioral ML aggregates — anonymous per-page-bucket data is kept indefinitely for model improvement (no personal data).
- Billing records — 7 years for tax/accounting compliance (legal obligation under most jurisdictions).
8. Your rights
8.1 — Under GDPR (EU / UK / EEA residents)
You have the right to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate data
- Erasure ("right to be forgotten") — delete your data
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — refuse processing based on legitimate interest
- Withdraw consent at any time where consent was the legal basis
- Lodge a complaint with your local supervisory authority (in Latvia: Data State Inspectorate)
To exercise any right, email privacy@leadyup.com from the address tied to your account. We verify identity, then respond within 30 days (extensible by 60 if the request is complex; we'll explain why).
8.2 — Under CCPA / CPRA (California residents)
You have the right to know what personal information we collect, the right to delete, the right to correct, the right to opt-out of sale or sharing (we do neither), and the right to non-discrimination. We do not sell personal information and we do not engage in cross-context behavioral advertising.
To exercise CCPA rights, email privacy@leadyup.com. We respond within 45 days.
8.3 — Visitor-level requests
If you are a visitor whose data was collected by a widget on someone else's website, your request goes first to that website owner (they are the controller). We will assist them in fulfilling the request as a processor — including providing data export or deletion within 14 days of the controller's authenticated request.
9. Cookies & local storage
The LeadYup widget uses your browser's sessionStorage and localStorage to:
- Prevent showing the same popup twice in one session (__ll_seen_*)
- Remember the A/B variant assigned to a visitor for consistency (__ll_ab_*)
- Track ExitSense behavioral signals client-side before sending aggregates (__ll_es_*)
These are first-party storage entries, not cross-site tracking cookies. We do not place any third-party cookies on your visitors' devices.
For our own marketing site (leadyup.com), we use only essential cookies for the cabinet session (ly_session). No analytics cookies, no advertising cookies, no fingerprinting.
10. Security
- All data in transit: TLS 1.3 (HTTPS only, HSTS enforced)
- Data at rest: encrypted JSON storage on our hosted infrastructure
- Session tokens: signed JWTs (HS256), 30-day expiry, HttpOnly + Secure cookies
- Payment data: never stored on our servers — handled exclusively by Lava.top
- Bot protection on lead forms: honeypot field + submission-speed analysis
- Internal access: limited to the founder; no third-party access
If we discover a personal-data breach that creates a risk to data subjects, we will notify affected users within 72 hours as required by GDPR Art. 33.
11. Children
LeadYup is not directed to children under 16, and we do not knowingly collect personal data from minors. If you believe a child has provided data through a widget, contact us at privacy@leadyup.com — we will delete it.
12. Changes to this policy
We may update this policy as the service evolves or laws change. The "Last updated" date at the top reflects the most recent revision. Material changes (anything that expands the use of personal data) are announced via email to all account holders at least 30 days before taking effect. Continued use of LeadYup after that date constitutes acceptance.
Privacy questions: privacy@leadyup.com
General support: hi@leadyup.com
Postal: Available on request — email us.
© 2026 LeadYup. All rights reserved.