1. Roles – Controller vs Processor
You are the Data Controller for any personal data you input (e.g., your customer list). Lead IT Lab Ltd and its platform provider HighLevel act as a Data Processor, processing that data only on your instructions. We do not independently decide how to use your data or sell it.
2. HighLevel’s GDPR Commitments
HighLevel provides a comprehensive Data Processing Agreement (DPA) with Standard Contractual Clauses and participates in the EU-U.S. Data Privacy Framework (including the UK extension). This ensures lawful international data transfers and obligates HighLevel to assist with data subject rights requests, notify us of any breaches, and maintain robust security measures.
3. Data Transfers and Privacy Framework
Because HighLevel’s servers are located in the U.S., personal data may be stored or processed there. HighLevel’s participation in the Data Privacy Framework and adoption of Standard Contractual Clauses mean your UK and EU data is legally protected and can flow to and from the U.S.
4. Security Measures
HighLevel hosts data on Google Cloud and AWS, using encryption in transit and at rest, strict access controls, and regular security testing. We recommend you enable two-factor authentication on your account for added protection.
5. Data Subject Rights & Assistance
If your customers request to access, rectify, or delete their data, you must handle those requests as the data controller. We will assist by providing tools to export or delete contacts, including permanent deletion if needed.
6. GDPR Tools in the Platform
Our platform includes GDPR-friendly features like consent checkboxes on forms, double opt-in options for emails, automatic unsubscribe links, and cookie consent banners. Use these tools to help ensure your marketing practices are compliant.
7. UK-Specific & PECR Considerations
The UK GDPR mirrors the EU GDPR. Additionally, the UK’s Privacy and Electronic Communications Regulations (PECR) require clear opt-in consent for marketing via SMS and email. Always obtain consent before sending marketing communications.
8. Accountability & Documentation
We keep records of processing activities and can supply compliance documentation on request (e.g., our DPA, security overview, and sub-processor list). Use our Terms & Conditions, Privacy Policy, and Extra Costs pages for full details.

Copyright 2025. Lead IT Lab. All Rights Reserved.