Privacy Policy
Effective date: April 12, 2026 · Last revised: April 12, 2026
1. Identity of the Data Controller
Modern Leads is a product of Modern Inbound, a company incorporated and operating under the laws of the Republic of India. Modern Inbound is the Data Controller for all personal data processed through the Modern Leads platform, accessible at modernleads.io and app.modernleads.io.
Data Protection Officer (DPO): Rishabh Ambasta
Contact: rishabh@moderninbound.com
Registered address: Modern Inbound, India
Throughout this Policy, “we,” “us,” and “our” refer to Modern Inbound. “You” and “your” refer to any individual or entity accessing or using the Modern Leads platform.
2. Scope and Applicability
This Privacy Policy applies to:
- Platform Users (Customers): Individuals and entities who register for, subscribe to, or otherwise use the Modern Leads platform to enrich business contact data.
- Data Subjects (Enriched Contacts): Business professionals whose publicly available professional contact information may be returned by our enrichment services at the instruction of our Customers.
- Website Visitors: Individuals who visit our marketing website, blog, or landing pages.
This Policy is designed to comply with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (India), the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018 as amended by the CPRA (“CCPA”), and other applicable data protection legislation.
3. Our Role Under Data Protection Law
Modern Leads operates in a dual capacity depending on the context of data processing:
- Data Controller: We act as the Controller for data we collect directly from Platform Users (account registration, billing, usage analytics) and Website Visitors. We determine the purposes and means of processing this data.
- Data Processor: When a Customer uploads a list of contacts for enrichment, we act as a Data Processor. The Customer is the Data Controller for that contact list and is responsible for ensuring a lawful basis exists for the enrichment of those contacts.
Our third-party enrichment providers (described in Section 7) act as Sub-processors in the Controller → Processor → Sub-processor chain. We maintain executed Data Processing Agreements (DPAs) with each Sub-processor.
4. Categories of Personal Data We Process
We process the following categories of personal data:
4.1 Data collected directly from Platform Users
- Identity data: Full name, email address, company name.
- Authentication data: Hashed passwords, OAuth tokens (Google, Microsoft), session cookies.
- Billing data: Transaction records, coin purchase history, GSTIN (if voluntarily provided). Full payment card details are processed exclusively by Razorpay and are never stored on our servers.
- Usage data: Credit consumption, enrichment history, feature interactions, research module usage, referral activity.
- Profile data: Website URL, LinkedIn profile URL, client brief, and case studies voluntarily submitted for SDR Research personalization.
4.2 Data processed on behalf of Customers (Processor role)
- Contact identifiers uploaded by Customers: First name, last name, company name, domain, job title, LinkedIn URL, country.
- Enriched data returned by Sub-processors: Professional email addresses, direct mobile phone numbers, verification status.
4.3 Data collected from Website Visitors
- Analytics data: Page views, session duration, and referral source collected via Google Tag Manager (GTM-PHQMVFW4). We do not use tracking cookies for advertising.
5. Lawful Bases for Processing
We process personal data under the following lawful bases as defined under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)): Processing account data, managing subscriptions, delivering enrichment results, and processing payments — all necessary to perform our service obligations.
- Legitimate interest (Art. 6(1)(f)): Processing publicly available business contact data for B2B prospecting purposes. We have conducted a Legitimate Interest Assessment (LIA) and determined that the processing is necessary for the purposes of legitimate business-to-business communication, is proportionate, and does not override the fundamental rights of data subjects. The data processed is limited to professional (not personal) contact information.
- Consent (Art. 6(1)(a)): Where applicable, for optional features such as referral programs, marketing communications, and voluntary submission of LinkedIn profiles and client briefs.
- Legal obligation (Art. 6(1)(c)): Retention of billing and tax records as required under the Indian Income Tax Act and GST legislation.
6. How We Use Your Data
We use personal data exclusively for the following purposes:
- Service delivery: Running contacts through our enrichment waterfall, returning verified email addresses and phone numbers, and providing AI-powered SDR research output.
- Account management: Registration, authentication, subscription management, credit accounting.
- Payment processing: Creating Razorpay orders, verifying payment signatures, generating GST-compliant invoices.
- Service improvement: Monitoring cache hit rates, provider accuracy, and system performance to improve enrichment quality.
- Communication: Responding to support requests, sending transactional emails (password resets, payment receipts), and referral notifications.
- Compliance: Fulfilling legal obligations including tax reporting, responding to data subject requests, and maintaining audit trails.
We do not sell personal data. We do not use personal data for advertising, profiling, or automated decision-making that produces legal effects.
7. Third-Party Sub-processors and Data Sources
To deliver our enrichment service, we transmit the minimum necessary data (typically first name, last name, and company domain) to a curated network of third-party B2B data enrichment and verification providers. These providers source business contact information from publicly available professional directories, corporate websites, business registries, and other legitimate B2B data sources.
Our current categories of Sub-processors include:
7.1 Enrichment providers
- Email and phone enrichment providers: Multiple vetted providers operating under executed DPAs, subject to GDPR and/or CCPA compliance. These providers source data from publicly available business information and process it under the Legitimate Interest basis for B2B prospecting.
- Email verification providers: Services that validate email deliverability via MX record checks, SMTP verification, and catch-all domain detection to ensure data accuracy per GDPR Article 5(1)(d).
7.2 Infrastructure providers
- Supabase (Database): Hosted on Amazon Web Services (AWS). Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Row-level security enforces data isolation between customers.
- Vercel (Hosting): Application hosting and serverless compute. SOC 2 Type II certified.
- Razorpay (Payments): PCI DSS Level 1 certified payment processor. Processes all financial transactions. We do not store card data.
- Google Tag Manager: Analytics tag management. No advertising cookies deployed.
- DeepSeek (AI): Large language model used for SDR Research qualification and prospect analysis. Only business context (company descriptions, not personal data) is transmitted for AI processing.
A complete, current list of sub-processors is available upon request by emailing rishabh@moderninbound.com. We will notify customers of any material changes to our sub-processor list, providing an opportunity to object, in accordance with GDPR Article 28.
8. International Data Transfers
Modern Inbound is based in India. Personal data may be transferred to and processed in jurisdictions outside the European Economic Area (EEA), including the United States (cloud infrastructure) and India (operations).
Where such transfers occur, we ensure adequate safeguards are in place:
- Standard Contractual Clauses (SCCs): We rely on the European Commission's 2021 Standard Contractual Clauses for transfers to countries without an adequacy decision.
- Sub-processor DPAs: All enrichment providers with whom we share data operate under executed DPAs that include appropriate transfer mechanisms.
- Technical measures: All data in transit is encrypted via TLS 1.3. Data at rest is encrypted using AES-256. Access is restricted via role-based access control (RBAC).
9. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy:
- Enrichment cache: Cached enrichment results are retained for up to 90 days to prevent redundant lookups and reduce costs. After expiry, cached data is cleared and a fresh lookup is performed if requested.
- API response cache: Third-party API responses are cached for up to 90 days for cost optimization and rate limit management.
- Account data: Retained for as long as your account is active. Upon account deletion request, personal data is permanently deleted within 30 days, except where legal retention obligations apply.
- Billing records: Retained for a minimum of 7 years as required under Indian tax legislation (Income Tax Act, 1961; GST Act, 2017).
- Audit logs: Provider call logs, credit transaction records, and enrichment histories are retained for 12 months for operational integrity and dispute resolution.
Where our Sub-processors impose shorter retention windows (e.g., automatic deletion after 3 months), we respect those windows and do not independently replicate or extend the retention of data received from those providers beyond our stated cache period.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data, in accordance with GDPR Article 32:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256 via Supabase/AWS).
- Access control: Role-based access control (RBAC) with the principle of least privilege. Admin operations require authenticated admin role verification.
- Row-level security: Supabase RLS policies ensure that each customer can only access their own data. Service-level access is restricted to authenticated server-side operations.
- Authentication: Supabase Auth with secure session management, OAuth 2.0 (Google, Microsoft), and PKCE flow for token exchange.
- Payment security: Razorpay HMAC-SHA256 signature verification on all payment callbacks and webhooks. Duplicate payment prevention via idempotency checks.
- Rate limiting: Per-user, per-route rate limiting to prevent abuse and credential stuffing.
- Input validation: All user inputs are validated for type, length, and format before processing. SQL injection and XSS vectors are mitigated via parameterized queries and React's built-in escaping.
- Atomic credit operations: Credits are debited and refunded via atomic database functions (PostgreSQL RPC) to prevent race conditions.
While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly investigating and responding to any suspected data breach.
11. Cookies and Tracking
Modern Leads uses only the following cookies and tracking technologies:
- Essential authentication cookies (Supabase): Strictly necessary for maintaining your login session. These cannot be disabled without losing access to the platform. No consent required under ePrivacy Directive Article 5(3).
- Google Tag Manager: Used for aggregate analytics (page views, session counts). We do not deploy advertising, remarketing, or cross-site tracking cookies. GTM is configured to respect “Do Not Track” browser signals.
We do not use third-party advertising cookies, social media tracking pixels, or fingerprinting technologies.
12. Data Subject Rights
Under the GDPR, CCPA, and applicable Indian data protection law, you have the following rights:
- Right of access (Art. 15 GDPR / CCPA §1798.100): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR / CCPA §1798.105): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction (Art. 18 GDPR): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20 GDPR): Request an export of your data in a structured, machine-readable format (CSV/JSON).
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interest, including processing for B2B prospecting purposes.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, withdraw that consent at any time.
- Right to non-discrimination (CCPA §1798.125): We will not discriminate against you for exercising your privacy rights.
For Enriched Data Subjects (individuals whose data was returned by our service)
If your professional contact information was returned as part of an enrichment lookup, you have the right to request erasure or suppression. Upon receiving a valid request, we will:
- Add your email address and/or phone number to our Master Suppression List.
- Ensure your data is excluded from future enrichment results.
- Propagate the suppression request to our Sub-processors where technically feasible.
- Notify the Customer who initiated the enrichment, in accordance with GDPR Article 19.
To exercise any of these rights, email rishabh@moderninbound.com. We will acknowledge your request within 72 hours and fulfill it within 30 days, extendable by an additional 60 days for complex requests with prior notification.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34.
- Document the breach, its effects, and the remedial actions taken in our internal breach register.
14. Children's Privacy
Modern Leads is a B2B service designed for business professionals. We do not knowingly collect or process personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.
15. Customer Obligations and Indemnification
When using Modern Leads as a Data Processor, Customers acknowledge, agree, and warrant that:
- They are the Data Controller for any contact lists uploaded for enrichment and are solely responsible for ensuring a valid lawful basis exists for the processing, including but not limited to conducting a Legitimate Interest Assessment (LIA) where required.
- They will comply with GDPR Article 14 (information to be provided where data has not been obtained from the data subject) when using enriched contact data for outreach. This includes disclosing the source of the data and providing opt-out mechanisms in initial communications. A recommended disclosure is: “We obtained your professional contact information through publicly available business directories as part of our legitimate interest in B2B networking.”
- They will not use enriched data for any purpose that violates applicable law, including unsolicited bulk messaging to individuals who have not been given a reasonable opportunity to object, harassment, discrimination, or any non-B2B purpose.
- They will honor data subject requests received directly and propagate deletion requests to Modern Leads where applicable.
- They indemnify and hold harmless Modern Inbound, its officers, and employees from any claims, damages, losses, or expenses (including legal fees) arising from the Customer's use of enriched data in violation of applicable data protection laws, spam legislation, or this Policy.
- They acknowledge that enriched data is provided “as-is” for B2B prospecting purposes and that Modern Leads does not guarantee the accuracy, completeness, or fitness for any particular purpose of any individual data point.
15A. Data Provenance and Waterfall Chain Disclosure
Modern Leads operates a “waterfall” enrichment architecture in which contact data requests are routed sequentially through multiple independent third-party data providers until a verified result is obtained. Each provider in the waterfall may, in turn, maintain its own network of upstream data sources and sub-processors.
Transparency disclosure: Modern Leads does not independently verify the original provenance of data returned by its enrichment providers. Our providers represent that they source data from publicly available business directories, corporate websites, professional networks, business registries, and other legitimate B2B data sources. We rely on the contractual representations and DPAs of our providers regarding the lawfulness of their data collection practices.
Chain-of-custody limitation: In the event that any upstream data source within a provider's network is found to have collected data unlawfully, Modern Leads will take immediate remedial action upon notification, including but not limited to: suppressing the affected data, notifying impacted Customers, and suspending the relevant provider pending investigation. However, Modern Leads cannot guarantee the compliance practices of every entity within the extended data supply chain.
Accuracy commitment: To mitigate data quality and compliance risk, every email address returned by our service undergoes mandatory two-tier verification (syntax validation followed by SMTP deliverability check) before delivery to the Customer. This ensures compliance with GDPR Article 5(1)(d) (accuracy principle) and reduces the risk of processing incorrect personal data.
15B. Transient Data Architecture and Data Minimization
Modern Leads is architected on a transient data philosophy aligned with the GDPR principle of data minimization (Article 5(1)(c)) and storage limitation (Article 5(1)(e)):
- No permanent contact database: Modern Leads does not maintain a persistent, proprietary database of personal contact information. Enrichment results are generated on-demand via real-time API calls to our providers.
- 90-day result cache: Successfully enriched results are cached for up to 90 days solely to prevent redundant API calls and reduce costs for repeat lookups of the same contact. After expiry, cached data is automatically purged.
- Provider-side retention: Our enrichment providers maintain their own retention policies, some as short as 3 months (automatic deletion). We do not independently replicate or extend the retention of data received from providers beyond our stated cache period.
- Deletion on request: Cached enrichment data for any specific contact can be permanently deleted at any time upon request from a Customer or Data Subject, overriding the 90-day cache window.
15C. Master Suppression List
Modern Leads maintains a Master Suppression List containing the email addresses and/or phone numbers of individuals who have exercised their right to erasure or objection. The Suppression List operates as follows:
- When a Data Subject requests suppression, their contact identifiers are added to the Suppression List and permanently excluded from all future enrichment results returned by our platform.
- The Suppression List is checked before every enrichment result is delivered, ensuring that suppressed individuals are never re-enriched in subsequent sessions.
- Where technically feasible, suppression requests are propagated to our upstream Sub-processors to prevent the individual's data from being returned at the source level.
- The Suppression List itself contains only the minimum data necessary for matching (email address or phone number) and does not store any other personal information about the suppressed individual.
- The Suppression List is retained indefinitely to ensure ongoing compliance with the individual's expressed wishes.
15D. Limitation of Liability
To the maximum extent permitted by applicable law:
- Modern Leads provides its enrichment service on an “as-is” and “as-available” basis. We make no warranties, express or implied, regarding the accuracy, completeness, or reliability of any individual enrichment result.
- Modern Leads shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from the use of enriched data, including but not limited to damages arising from email bounces, spam complaints, regulatory fines imposed on the Customer, or reputational harm.
- Our total aggregate liability for any claims arising under this Policy or related to our service shall not exceed the total fees paid by the Customer to Modern Leads in the twelve (12) months preceding the claim.
- Modern Leads is not responsible for the data protection practices of its upstream enrichment providers. We select providers based on their stated compliance posture, executed DPAs, and technical security measures, but we do not audit the internal operations of third-party providers.
16. Data Processing Agreements
Modern Leads offers a Data Processing Agreement (DPA) to all Customers who require one for GDPR compliance. Our DPA incorporates:
- Standard Contractual Clauses (2021 SCCs) for international data transfers.
- Technical and Organizational Measures (TOMs) as described in Section 10.
- Sub-processor authorization and notification procedures.
- Data breach notification obligations.
- Audit rights for the Customer or their appointed auditor.
To request a DPA, contact rishabh@moderninbound.com.
17. Automated Decision-Making
Modern Leads uses AI-powered qualification scoring (DeepSeek) to assess the fit between a Customer's business and their prospective leads. This scoring is:
- Based solely on publicly available business information (company descriptions, industry classifications).
- Advisory in nature — it does not produce legal effects or similarly significantly affect any individual.
- Not used for credit decisions, employment screening, or any purpose subject to GDPR Article 22 restrictions.
18. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Update the “Last revised” date at the top of this page.
- Provide notice via email to registered users for material changes affecting their rights.
- Maintain an archive of previous versions available upon request.
Your continued use of Modern Leads after any changes constitutes your acknowledgment of the updated policy.
19. Supervisory Authority and Complaints
If you are located in the European Economic Area and believe that we have violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority under GDPR Article 77.
For users in India, complaints may be directed to the Data Protection Board of India once constituted under the Digital Personal Data Protection Act, 2023.
We encourage you to contact us first at rishabh@moderninbound.com so we can attempt to resolve your concern directly.
20. Contact Information
Data Protection Officer: Rishabh Ambasta
Email: rishabh@moderninbound.com
General inquiries: rishabh@moderninbound.com
Website: modernleads.io