Compliance

Data protection & POPIA compliance

How LeadAtomic is built to respect the rights of both our customers and the people they reach — and the legal reasoning behind it.

1. Our approach

LeadAtomic is a quality-first B2B outreach platform. We help businesses find and contact other businesses that genuinely fit their ideal customer profile, at a deliberately human scale, with messages a person reviews and approves. We designed the product so that doing outreach well and respecting data-protection law point in the same direction.

This page explains, in plain terms, how we align with South Africa's Protection of Personal Information Act (POPIA) and why — and how those same controls map onto comparable regimes elsewhere. It is written in good faith to describe our engineering and operational practices; it is not legal advice and does not create a warranty. Each customer remains responsible for their own lawful use of the platform.

2. Why POPIA applies to us — and how we treat it

POPIA protects "personal information," which under South African law includes information relating to both natural persons and juristic persons (companies). We do not treat "it's just business data" as a reason to opt out of the law. Where we hold a named contact, a work email, or a phone number, we treat it as personal information and apply the protections below.

Most of the contact data in the platform is sourced from information a business has deliberately made public — its own website and public business listings. POPIA expressly permits collecting personal information from such sources, which is the lawful basis for how leads enter the system. It does not, however, switch off the direct-marketing, openness, security, or data-subject-rights obligations, so we honour those regardless.

3. POPIA's eight conditions, and what we do about each

  • Accountability. Data-protection responsibilities are owned internally, and customer-facing requests route to hello@leadatomic.com.
  • Processing limitation. We collect business-contact data from public sources, in proportion to a legitimate outreach purpose, and keep volumes at a human, non-spam scale.
  • Purpose specification. Data is used to qualify and contact prospects that fit a customer's stated ideal customer profile — not resold or repurposed.
  • Further-processing limitation. Enrichment and scoring serve that same outreach purpose and nothing incompatible with it.
  • Information quality. Records are deduplicated and kept current; bounced or invalid addresses are detected and suppressed automatically.
  • Openness. This page and our Privacy Policy explain what we process and why, including a dedicated section for people who receive outreach.
  • Security safeguards. See section 6 below.
  • Data-subject participation. Anyone can ask what we hold, correct it, or have it deleted — see section 7.

4. Direct marketing: identity & opt-out (POPIA s69)

POPIA requires that direct-marketing communications identify the sender and offer a way to ask them to stop. We build both into the product so they cannot be skipped:

  • Every email identifies who is writing. Each message carries a sender identity — the person's name, role, and the business they represent — added by the system at send time rather than left to chance.
  • Every email offers a one-click opt-out. Messages include a personal unsubscribe link and standard one-click List-Unsubscribe headers, and recipients can simply reply with "unsubscribe." Any of these works.
  • Opt-outs are honoured permanently and immediately. An opt-out is recorded against that recipient for that customer and blocks all future sending to them — under every sender and mailbox the customer uses — even if the same lead is rediscovered later.
  • We fail safe. If a compliant sender identity and working unsubscribe link cannot be attached to a message, the system refuses to send it rather than send a non-compliant email.
  • Human scale and human approval. Outreach is low-volume and reviewed by a person, not bulk blasting — consistent with proportionate, legitimate business communication.

5. Unsubscribe links are safe by design

Unsubscribe links are signed so they cannot be forged or used to guess other recipients, and the link itself contains no account login. Because email security scanners automatically open links, simply opening the page never unsubscribes anyone — the opt-out is only recorded after an explicit confirmation (or the mailbox provider's native one-click action). Recipients can also resubscribe if they change their mind.
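The behaviour described in this section, sketched as an added example (not LeadAtomic's code): an HMAC-signed token identifies the customer and recipient pair, a GET only renders a confirmation page, and only a POST records the opt-out. The secret, the token layout, the in-memory suppression set and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side key, never placed in the link
suppressed = set()                # stands in for the per-customer suppression list

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(customer_id: str, recipient_id: str) -> str:
    """Token = payload.tag; ids are opaque and assumed to contain no ':'."""
    payload = f"{customer_id}:{recipient_id}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"

def verify_token(token: str):
    """Return (customer_id, recipient_id), or None if malformed or forged."""
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = b64d(payload_part), b64d(tag_part)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    customer_id, recipient_id = payload.decode().split(":", 1)
    return customer_id, recipient_id

def handle(method: str, token: str):
    """GET only renders a confirmation page; only POST changes state."""
    identity = verify_token(token)
    if identity is None:
        return 400, "invalid link"
    if method == "GET":   # link scanners and prefetchers land here
        return 200, "confirm"
    if method == "POST":  # confirmation button or RFC 8058 one-click POST
        suppressed.add(identity)
        return 200, "unsubscribed"
    return 405, "method not allowed"

def can_send(customer_id: str, recipient_id: str) -> bool:
    return (customer_id, recipient_id) not in suppressed
```

Because the tag covers the whole payload, editing the recipient id in a link invalidates it, and the send path can consult `can_send` before every message regardless of which mailbox is used.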

6. Security safeguards

  • Account passwords are hashed, never stored in plain text.
  • Connected-mailbox credentials and OAuth tokens are encrypted at rest.
  • Authentication and sensitive public endpoints are rate-limited and abuse-resistant.
  • Operational and audit records support investigation and accountability.
  • Access to customer data is limited to what operating the service requires.

No system can promise absolute security, and customers remain responsible for protecting their own devices, mailboxes, and credentials.

7. Your rights and how to exercise them

Whether you are a LeadAtomic customer or someone who received outreach through the platform, you can ask us to tell you what personal information we hold about you, correct it, or delete it. The fastest way to stop receiving outreach is the unsubscribe link in any message or replying "unsubscribe." For anything else, contact hello@leadatomic.com and we will action the request and, where the data was processed on a customer's behalf, route it to them as the responsible party while assisting as the platform operator.

8. Service providers & cross-border processing

We use a small set of trusted providers to operate the service — transactional email infrastructure, the mailbox providers customers connect (such as Google or Microsoft), and AI/model providers used for tasks like profile extraction, enrichment, scoring, and drafting. Some of these process data outside South Africa. We rely on these providers under terms that require them to protect the information and use it only to deliver the service, consistent with POPIA's rules on operators and cross-border transfers.

9. Alignment with comparable regimes

The controls above are built on principles shared across modern data-protection and anti-spam law, so the same product behaviour supports compliance beyond South Africa:

  • GDPR / UK GDPR (EU & UK). Lawful-basis thinking, transparency, data-subject access and erasure, security of processing, and an objection/opt-out route.
  • PECR & similar e-marketing rules. Clear sender identification and a simple, free, always-available way to opt out of electronic marketing.
  • CAN-SPAM (US). Accurate sender identity, honest subject lines, a working unsubscribe mechanism honoured promptly, and (optionally) a postal identifier on the sender identity.

Where a customer operates under a specific regime, they should confirm their own obligations; we provide the mechanisms (identity, consent records, opt-out, suppression, security, deletion) that make meeting them practical.

10. Changes to this page

We will keep this page current as the product and the law evolve. If we make a material change, we will update the effective date above.