GDPR Compliance

Last Updated: January 19, 2026

AI Lead Strategies LLC is fully committed to compliance with the European Union's General Data Protection Regulation (GDPR). This page provides detailed information about how we process personal data of EU residents and implement GDPR requirements across all our platforms.

GDPR Overview

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a comprehensive data protection law that applies to all organizations processing personal data of EU residents, regardless of where the organization is located. As a global provider of AI-powered marketing automation services, we take our GDPR obligations seriously.

Regulation Application: GDPR applies to our processing of personal data when:

  • We offer services to individuals in the EU
  • We monitor the behavior of individuals in the EU
  • We process personal data in the context of our EU business activities

Our Role Under GDPR

Data Controller

AI Lead Strategies LLC acts as a Data Controller when we determine the purposes and means of processing personal data for our own business operations, including:

  • User account management and authentication
  • Service provision and platform functionality
  • Customer support and communication
  • Marketing and business development (with consent)
  • Security monitoring and fraud prevention

Data Processor

We act as a Data Processor when processing personal data on behalf of our customers for their marketing campaigns and lead generation activities:

  • Lead data processing for customer campaigns
  • Email marketing automation on behalf of customers
  • Social media management and engagement
  • Analytics and reporting for customer campaigns

Legal Basis for Processing

We process personal data only when we have a valid legal basis under GDPR Article 6:

Article 6(1)(a) - Consent

  • Marketing Communications: Direct marketing emails, promotional materials, newsletter subscriptions
  • Optional Features: Advanced analytics, personalized recommendations, third-party integrations
  • Cookies: Non-essential cookies for marketing, analytics, and personalization

Consent Management

  • Clear and specific consent requests
  • Granular consent options for different processing purposes
  • Easy withdrawal mechanisms available at any time
  • Regular consent renewal for ongoing marketing activities

Article 6(1)(b) - Contract Performance

  • Account Management: User registration, authentication, profile management
  • Service Delivery: Platform access, feature provision, technical support
  • Billing and Payments: Subscription management, payment processing, invoicing
  • Platform Communication: Service updates, technical notifications, account-related messages

Article 6(1)(c) - Legal Obligation

  • Regulatory Compliance: Tax reporting, financial record keeping, legal document retention
  • Law Enforcement: Response to valid legal requests, court orders, regulatory investigations
  • Security Incidents: Breach notification, incident reporting to supervisory authorities

Article 6(1)(f) - Legitimate Interests

  • Platform Security: Fraud prevention, account security, system monitoring
  • Service Improvement: Usage analytics, performance optimization, feature development
  • Business Operations: Customer support, internal administration, vendor management
  • Marketing to Existing Customers: Service-related communications, similar services promotion

Legitimate Interest Assessments: We conduct regular Legitimate Interest Assessments (LIA) to ensure our processing is necessary, proportionate, and balanced against individual privacy rights.

Data Subject Rights

Under GDPR, EU residents have specific rights regarding their personal data. We provide multiple mechanisms to exercise these rights:

Right of Access (Article 15)

What you can access:

  • Categories of personal data we process
  • Purposes of processing and legal basis
  • Recipients of your data
  • Data retention periods
  • Source of data (if not collected directly from you)

How to exercise:

  • Self-service data export through account settings
  • Email request to dpo@aileadstrategies.com
  • Comprehensive data report provided within 30 days

Right to Rectification (Article 16)

What you can correct:

  • Inaccurate personal information
  • Incomplete data records
  • Outdated contact information
  • Profile and preference settings

How to exercise:

  • Direct updates through platform account settings
  • Support ticket for complex corrections
  • Email request to dpo@aileadstrategies.com

Right to Erasure / "Right to be Forgotten" (Article 17)

When erasure applies:

  • Personal data no longer necessary for original purposes
  • Consent withdrawal (where consent was the legal basis)
  • Objection to legitimate interest processing
  • Unlawful processing identification
  • Legal obligation for erasure

Erasure limitations:

  • Legal obligation retention requirements
  • Freedom of expression and information
  • Public interest or scientific research purposes
  • Legal claims establishment, exercise, or defense

How to exercise:

  • Account deletion through platform settings
  • Email request to dpo@aileadstrategies.com
  • Processing completed within 30 days (subject to retention obligations)

Right to Restrict Processing (Article 18)

When restriction applies:

  • Accuracy of data is contested
  • Processing is unlawful but erasure is refused
  • Data no longer needed but required for legal claims
  • Objection pending legitimate interest assessment

Right to Data Portability (Article 20)

What you can port:

  • Account information and profiles
  • Campaign data and templates
  • Contact lists and lead information
  • Usage analytics and reports (where technically feasible)

Format provided:

  • Machine-readable formats (JSON, CSV, XML)
  • Direct transfer to another service (where technically feasible)
  • Structured data export tools

Right to Object (Article 21)

Objection grounds:

  • Legitimate interest processing (including profiling)
  • Direct marketing communications
  • Scientific or historical research processing
  • Statistical processing

How to exercise:

  • Opt-out links in marketing communications
  • Account preferences for profiling and automation
  • Email request to dpo@aileadstrategies.com

Rights Related to Automated Decision Making (Article 22)

Automated decisions in our services:

  • Lead scoring and qualification
  • Content personalization and recommendations
  • Campaign optimization and timing
  • Fraud detection and security measures

Your rights:

  • Human review of automated decisions
  • Explanation of automated decision logic
  • Contest automated decisions
  • Opt out of automated decision making (where feasible)

International Data Transfers

As a US-based company serving EU customers, we implement appropriate safeguards for international data transfers:

Transfer Mechanisms

Standard Contractual Clauses (SCCs)

  • European Commission-approved SCCs for all international transfers
  • Regular review and updates as per European Data Protection Board guidance
  • Supplementary measures assessment for high-risk transfers

Adequacy Decisions

  • Recognition of countries with adequate protection levels
  • Monitoring of adequacy decision changes and implications
  • Adjustment of transfer mechanisms as necessary

Transfer Recipients

Primary Recipients:

  • Railway (Cloud Infrastructure) - US with SCCs
  • PostgreSQL hosting providers - Various locations with SCCs
  • Payment processors - Various locations with adequacy decisions or SCCs
  • AI service providers (OpenAI, Anthropic) - US with SCCs

Transfer Safeguards:

  • Contractual data protection obligations
  • Technical and organizational measures
  • Regular compliance assessments
  • Incident notification procedures

Data Retention and Deletion

We implement comprehensive data retention policies compliant with GDPR principles:

Retention Periods

Account Data

  • Active accounts: Duration of service relationship plus 7 years for legal obligations
  • Deleted accounts: 30 days for recovery, then permanent deletion (subject to legal retention)
  • Payment records: 7 years for tax and accounting obligations

Marketing Data

  • Consented marketing: Until consent withdrawal plus 2 years for evidence
  • Legitimate interest marketing: 2 years from last interaction or objection
  • Marketing analytics: 26 months (aligned with ePrivacy Directive)

Support and Communication

  • Support tickets: 3 years for service improvement and legal protection
  • Communication records: 7 years for legal and compliance purposes
  • Security logs: 1 year for security monitoring and incident response

Automated Deletion

  • Scheduled Deletion Jobs: Automated removal of data beyond retention periods
  • Account Deletion: Immediate removal of personal data upon account deletion request
  • Consent Withdrawal: Automatic cessation of processing and scheduled deletion
  • Data Minimization: Regular review and deletion of unnecessary data

Breach Notification

We maintain comprehensive procedures for data breach detection, assessment, and notification:

Internal Procedures

  1. Detection: 24/7 monitoring through our Healing Sentinel AI agent
  2. Assessment: Rapid risk evaluation within 4 hours of detection
  3. Containment: Immediate measures to prevent further breaches
  4. Documentation: Complete incident records and evidence preservation

Regulatory Notification

  • Supervisory Authority: Notification within 72 hours of becoming aware (where required)
  • Data Subjects: Direct notification without undue delay (where high risk exists)
  • Documentation: Breach register maintenance with all required details

Data Protection Officer (DPO)

Contact: dpo@aileadstrategies.com

Response Time: 48 hours for urgent matters, 5 business days for standard inquiries

DPO Responsibilities:

  • GDPR compliance monitoring and advisory
  • Data protection impact assessment oversight
  • Supervisory authority liaison and communication
  • Data protection training and awareness programs
  • Privacy complaint investigation and resolution

Contact Information

GDPR Inquiries

Data Protection Officer: dpo@aileadstrategies.com

GDPR Compliance Team: gdpr@aileadstrategies.com

Privacy Rights Requests: privacy@aileadstrategies.com

Company Information

AI Lead Strategies LLC

600 Eagleview Blvd, Suite 317

Exton, PA 19341, United States

Phone: (855) 506-8886

This GDPR compliance documentation is reviewed and updated regularly to ensure ongoing compliance with the regulation and guidance from supervisory authorities. For the most current information about our data processing activities, please refer to our Privacy Policy.