Privacy, Compliance & Security Policy

Last updated: 08 September 2025

1. Introduction

At XLR8Leads Pty Ltd, your privacy, data security, and compliance are integral to the way we operate. We are committed to managing personal data responsibly, transparently, and in accordance with applicable data protection and communication laws across the jurisdictions in which we serve clients—including Australia, the United States, Canada, the United Kingdom, the European Union, India, and others as required.

This policy explains how we collect, use, store, share, and protect your information, and how we meet compliance obligations globally. By engaging with our services, you consent to the practices described in this policy.

2. Regulatory Compliance Overview

We comply with privacy and communication laws across jurisdictions, including but not limited to:

• Australia: Privacy Act 1988 (Cth), Spam Act 2003, Consumer Law (ACL), Do Not Call Register Act 2006

• United States: California Consumer Privacy Act (CCPA), Telephone Consumer Protection Act (TCPA), and A2P (Application-to-Person) SMS standards

• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s Anti-Spam Legislation (CASL)

• United Kingdom: UK GDPR, Data Protection Act 2018

• European Union: General Data Protection Regulation (GDPR)

• India: Digital Personal Data Protection Act, 2023 (DPDPA)

• Other regions: Local privacy and consumer protection laws where applicable

3. International Data Subject Rights

3.1 EU / UK (GDPR & UK GDPR)

• Right to access, correct, and erase personal data

• Right to restrict or object to processing

• Right to data portability

• Right not to be subject to automated decision-making, including profiling

If you are located in the EU or UK, you also have the right to lodge a complaint with your local supervisory authority.

• A list of EU Data Protection Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en

• UK residents may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk

3.2 United States (CCPA & TCPA)

• Right to know what data is collected, shared, or sold

• Right to request deletion of personal data

• Right to opt out of the sale of personal data

• Right to non-discrimination for exercising rights

• For SMS, prior express written consent is required under TCPA, with clear opt-out mechanisms

3.3 Canada (PIPEDA & CASL)

• Right to access and correct personal data

• Obligation of meaningful consent for data collection, use, or disclosure

• All electronic messages follow CASL requirements: prior opt-in, identification, and unsubscribe mechanisms

3.4 India (DPDPA 2023)

• Right to access and obtain information about personal data

• Right to correct or erase personal data

• Right to nominate another person to exercise rights in case of death or incapacity

• Children under 18 require parental consent for processing

• Data Principals may lodge complaints with the Data Protection Board of India if rights are violated

4. Consent and Communication

• We only contact individuals with express or implied consent in accordance with their jurisdiction.

• Consent records are securely stored and traceable.

• All outbound communications include clear opt-out instructions.

4.1 SMS Communication Procedures

• All SMS communications include a clear opt-out mechanism in line with applicable laws (e.g., Spam Act 2003, TCPA, CASL, GDPR, DPDPA).

• Recipients may unsubscribe at any time by replying with a recognised keyword (e.g., Stop, Cancel, Unsubscribe, End), or by using an alternate method provided in the message (such as a secure link).

• Once an opt-out request is received, our system automatically suppresses further messages to that contact and records the request for compliance purposes.

• Clients may configure which keywords or unsubscribe methods are used, provided they remain clear, accessible, and lawful.

• Unsubscribe requests are actioned immediately, and confirmation of removal is sent to the contact.
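The opt-out handling described in this section, as an added illustration rather than XLR8Leads' own code: the statutory keyword list comes from the policy; the `OptOutRegister` class, its method names and the in-memory store are assumptions, and the register would be persisted in a real deployment.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Keywords named in the policy. These are always honoured; a client may layer
# additional keywords on top but cannot remove the statutory ones.
STATUTORY_KEYWORDS: Tuple[str, ...] = ("stop", "cancel", "unsubscribe", "end")


def normalise_reply(body: str) -> str:
    """Lower-case and drop everything except letters so 'STOP.' or ' Stop ' match."""
    return re.sub(r"[^a-z]", "", body.lower())


@dataclass
class OptOutRegister:
    """Constructed in-memory suppression list with an audit record per opt-out."""
    extra_keywords: Tuple[str, ...] = ()
    suppressed: Dict[str, dict] = field(default_factory=dict)

    @property
    def keywords(self) -> Tuple[str, ...]:
        return STATUTORY_KEYWORDS + tuple(k.lower() for k in self.extra_keywords)

    def match_keyword(self, body: str) -> Optional[str]:
        """Return the matched keyword when the whole reply is an opt-out, else None."""
        token = normalise_reply(body)
        return token if token in self.keywords else None

    def handle_inbound(self, sender: str, body: str, channel: str = "sms") -> Optional[str]:
        """Process one inbound reply. On opt-out: suppress the sender, record the
        request for compliance purposes and return the confirmation to send back."""
        keyword = self.match_keyword(body)
        if keyword is None:
            return None
        self.suppressed[sender.strip()] = {
            "channel": channel,
            "keyword": keyword,
            "received_at": datetime.now(timezone.utc).isoformat(),
        }
        return "You have been unsubscribed and will receive no further messages."

    def may_send(self, recipient: str) -> bool:
        """Outbound gate: every campaign send must pass this check before dispatch."""
        return recipient.strip() not in self.suppressed
```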

5. Data Collection and Processing

XLR8Leads collects only the minimum information required to deliver its services. We do not collect unnecessary or excessive personal data.

5.1 Client Information

For clients engaging XLR8Leads, we collect:

• Company details (e.g., business name, registered address, ABN/identification where applicable)

• Client representative details (name, email, phone number)

• Verification information required for tax, communication, and operational purposes, including registration of Twilio virtual numbers used in outreach campaigns

This information is necessary for:

• Establishing and maintaining the business relationship

• Tax and invoicing compliance

• Provisioning communication channels for campaigns

5.2 Outreach Campaign Data

For outreach campaigns performed on behalf of clients, we only collect:

• First and last name of the contact

• Mobile phone number

• Email address

This limited information is required solely to:

• Deliver campaign messages (SMS, WhatsApp, email)

• Personalise outreach and engagement

• Support lawful follow-up communications

5.3 No Additional Data Collection

• We do not collect browsing behaviour, IP addresses, geolocation, or other technical identifiers for outreach contacts.

• Aggregated analytics are generated only from campaign results (e.g., response rates, delivery success), without storing or linking to unnecessary personal identifiers.

• All outreach contacts remain under the ownership and control of the client.

5.4 Consent Management

• All outreach contacts must have provided consent in accordance with applicable laws (e.g., GDPR, CCPA, CASL, Spam Act 2003, DPDPA 2023).

• Opt-in and opt-out options are included in all communications.

• For the purposes of applicable law, the client remains the data controller, and XLR8Leads acts solely as a data processor. Clients are responsible for ensuring their databases are lawfully collected and consent is valid. XLR8Leads processes data only under client instruction and in compliance with applicable privacy regulations.

6. Document Handling & Secure Storage Options

We support multiple secure methods for document submission and storage, including channel transitions (SMS → WhatsApp) to ensure security and convenience:

1. CRM Secure Upload – Documents are stored within our CRM under client control, with full client access for management, retrieval, and deletion.

2. Direct Client Portal Upload – Documents may be securely transferred directly into the client’s designated storage environment (e.g., AWS, Azure, or Google Cloud).

3. Cross-Channel Secure Upload (SMS → WhatsApp) – Outreach campaigns may begin via SMS to engage and nurture leads, including pitching services and booking appointments for handover to the client’s sales team.

Where the process requires submission of supporting documents (e.g., identification or financial verification materials), communication is transitioned to WhatsApp.

This ensures that sensitive documents are exchanged in a channel providing end-to-end encryption and secure handling, while also enabling the upload of files in multiple formats (e.g., PDF, Word, JPEG, PNG). This cross-channel process maintains both user convenience and data security throughout the engagement lifecycle.

4. Supported Formats – PDF, Word, Excel, PowerPoint, JPEG, PNG, TIFF, and other approved formats are supported across secure channels.

7. Data Handling & Security

Our infrastructure uses trusted cloud and VPS providers. Security measures include:

• AES-256 encryption (in transit and at rest)

• TLS 1.2+ secure communications

• Role-Based Access Control (RBAC)

• Multi-Factor Authentication (MFA)

• Real-time threat detection (SIEM)

• OWASP-aligned secure development practices

• Ongoing staff training in cybersecurity

8. Data Storage & Location (Sovereignty)

• Australian Clients: Data hosted on AU servers (e.g., Sydney).

• International Clients: Dedicated VPS provisioned within the client’s chosen jurisdiction (US, UK, EU, CA, IN).

• Non-Sovereignty Clients: Default hosting in Australia unless otherwise required.

The physical server location determines data residency. For Indian clients, VPS hosting within India is available to meet the requirements of the Digital Personal Data Protection Act, 2023 (DPDPA).

Roles and Transfers:

• XLR8Leads acts as a data processor; the client remains the data controller.

• Where data must be transferred across borders, transfers are safeguarded by Standard Contractual Clauses (SCCs), UK International Data Transfer Addendums, or equivalent mechanisms required under applicable law.

9. Workflow Handling Process

1. Lead provides consent and initiates interest

2. Data retrieved from CRM or database

3. Automated workflows triggered

4. Individual responds (confirming or opting out)

5. If required, documents securely uploaded via CRM, client portal, or WhatsApp

6. Data synced to client CRM

7. Client teams receive qualified contacts

10. Third-Party Integrations

To deliver secure and effective services, XLR8Leads relies on carefully selected third-party integrations. These providers act as sub-processors under applicable privacy laws, handling only the minimum data required for service delivery. All integrations are reviewed for compliance with international data protection and security standards. Refer to the Data Sub-Processor Register below, which highlights the touchpoints at each stage of the data flow.

• Twilio – Our trusted communications provider for SMS, WhatsApp, and voice services. Twilio enables the provisioning of virtual numbers and the lawful delivery of campaign messages. All transmissions through Twilio are encrypted in transit, and Twilio maintains SOC 2, ISO 27001, and GDPR compliance certifications.

• Our CRM – Go High Level is the central platform for client data management, workflow execution, and secure storage. Client accounts are segregated, and data is only accessible by authorised users.

• WhatsApp & SMS APIs – Used to facilitate direct, secure, and lawful engagement. Where appropriate, campaigns may initiate via SMS and transition to WhatsApp for end-to-end encrypted file and document sharing.

• n8n (Self-Hosted) – Our primary automation platform for clients requiring sovereignty. VPS instances are provisioned within the client’s chosen jurisdiction, ensuring data never leaves that region. All workflows are fully encrypted and client controlled.

• Zapier – May be used at the discretion of XLR8Leads for workflow automation where data sovereignty restrictions do not apply. Data is encrypted during processing and retained only as long as necessary for workflow execution.

All integrations are governed by data processing agreements and undergo regular security reviews to ensure continued compliance with GDPR, CCPA, CASL, Spam Act 2003, DPDPA 2023, and other applicable privacy regulations.

Data Sub-Processor Register

11. Data Sharing and International Transfers

• We do not sell personal data.

• Data is shared only with essential service providers.

• Cross-border transfers use legal safeguards (SCCs, PIPEDA-compliant contracts, UK Transfer Risk Assessments).

Retention:

• Data is retained only as long as necessary for the lifecycle of workflows or as required by law.

• By default, XLR8Leads retains workflow metadata for up to 24 months unless clients specify shorter retention periods.

• Clients control the retention of contact data within their CRM accounts and may delete it at any time.

• Where local law requires shorter or longer retention (e.g., financial records under tax law), those obligations override our defaults.

12. Service Workflows & Compliance

XLR8Leads delivers a suite of automation modules, including Speed to Lead, Follow-Up, Recover, Ad-Ons, Out of Hours, Reputation, Document Collection, eCommerce, Webinars and others, under a unified compliance framework. Each module is operated with the same strict safeguards to ensure lawful engagement, secure data handling, and brand-safe outcomes.

12.1 Consent & Lawful Basis

• All outreach is performed only where a lawful basis exists (e.g., prior consent, contractual necessity, or legitimate interest).

• Re-permissioning campaigns are recommended when consent records are uncertain, incomplete, or outdated.

• Consent records are securely maintained in accordance with regional laws, including GDPR, CCPA, CASL, Spam Act 2003, and DPDPA 2023.

12.2 Data Minimisation & Purpose Limitation

• Only the minimum information necessary to deliver each module is collected and processed.

• No personal data is copied, sold, or used outside of the agreed campaign or workflow scope.

• All workflows are reviewed periodically to ensure alignment with compliance obligations.

12.3 Transparency & Opt-Outs

• Every outbound communication clearly identifies the sender and includes simple, accessible opt-out instructions.

• SMS and messaging campaigns comply with A2P, TCPA, CASL, Spam Act 2003, and DPDPA 2023, while email, WhatsApp, and other channels follow their respective legal standards.

• Opt-out requests are honoured immediately, logged for audit purposes, and confirmed back to the contact.

12.4 Module-Specific Safeguards

• Speed to Lead – Ensures prospects are contacted quickly, but always within compliant communication windows.

• Follow-Up – Designed to re-engage warm leads on-demand while maintaining opt-out options.

• Recover – Used to re-engage missed opportunities lawfully, turning unconverted leads into compliant new outreach.

• Out of Hours – Configured to respect local time zones and regulatory contact-hour restrictions.

• Reputation – Manages post-sale communications ethically, including customer feedback and review requests.

• Document Collection – Where verification documents (e.g., ID or financial proof) are required, outreach may begin via SMS but transitions to WhatsApp for secure, encrypted document sharing across multiple file formats.

• eCommerce – Operates under opt-in frameworks for cart recovery and promotional messaging, with transparent unsubscribe mechanisms.

• Webinars – Engagement flows for pre- and post-event communication are managed with explicit opt-in and data protection safeguards.

• Ad-Ons (Resell, Cross-Sell, Upsell) – This module is designed to unlock new revenue from the client’s existing database by re-engaging prior leads and customers with contextually relevant offers. Because these databases often include a mix of different contact types, the following rules apply:

1. Current Customers

   • Lawful basis: Contractual necessity or legitimate interest.

   • You may engage them with:

      • Upsell opportunities (higher-tier products or services).

      • Cross-sell opportunities (related products or services).

      • Resell opportunities (repeat purchase cycles).

   • Conditions: Clear opt-out instructions must be included in all communications.

2. Ex-Customers (recent churn, past 6–12 months)

   • Lawful basis: Legitimate interest may apply if the outreach is related to their prior purchase and falls within a reasonable timeframe.

   • You may engage them with:

      • Resell offers reminding them of prior services.

      • Cross-sell opportunities that are closely related to prior use.

   • Conditions:

      • Outreach must be relevant and non-intrusive.

      • Where uncertainty exists, a re-permissioning campaign should precede ongoing communication.

3. Inactive Leads (engaged in the past but never converted)

   • Lawful basis: Prior consent must be demonstrated (e.g., original opt-in to receive marketing).

   • You may engage them with:

      • Cross-sell or upsell if related to their original inquiry.

      • Resell-style messaging if their inquiry indicated purchase intent.

   • Conditions:

      • Consent must still be valid (not excessively aged).

      • If consent status is unclear, initiate a re-permissioning campaign first.

4. Aged Leads (very old, unclear consent)

   • Lawful basis: Cannot re-engage without refreshed consent.

   • You may not directly engage them with promotional outreach.

   • Recommended:

      • Launch a re-permissioning campaign (e.g., “Would you like to hear from us again?”) before including them in cross-sell or upsell flows.

12.5 Compliance Monitoring

• All modules undergo routine compliance reviews to ensure alignment with global privacy and consumer protection standards.

• Clients are responsible for ensuring that contact lists provided to XLR8Leads were lawfully collected with proper consent.

By applying this comprehensive compliance framework across all modules, XLR8Leads ensures that every engagement from lead capture to document collection and beyond is delivered securely, ethically, and in full compliance with applicable laws.

13. Brand Protection & Responsible AI Use

• All our services detect hostile or non-cooperative replies and disengage automatically

• Protects customer goodwill and preserves brand reputation

14. User Rights & Data Requests

• Users may request access, correction, or deletion of their data

• Requests must be submitted by email or portal; responses are provided within required legal timeframes (e.g., 30 days under GDPR, 15 days under DPDPA)

• Clients may directly manage their CRM-stored data

15. Children’s Privacy

Our services are not intended for children under 18 (or the local equivalent minimum age). Under India’s DPDPA, processing the personal data of children under 18 requires parental consent. We do not knowingly collect data from minors.

16. Cookies & Website Tracking

Cookies and similar tracking technologies are used only on our website and landing pages, not in SMS, WhatsApp, or other outbound campaigns.

These tools help us:

• Enhance user experience when visiting our website

• Analyse traffic and visitor engagement

• Support lawful marketing and remarketing initiatives (e.g., Google Analytics, Meta Pixel)

Visitors can manage cookie preferences through their browser settings or our website’s cookie consent banner.

Important: Cookies and tracking do not apply to SMS or WhatsApp communications. Those channels are managed strictly through lawful consent and opt-out processes, independent of website tracking technologies.

17. External Links & Public Interactions

• We are not responsible for the practices of third-party websites linked from our site

• Information disclosed in public forums may be collected or used by others

18. Terms of Use Summary

• Using our services implies acceptance of this Privacy Policy and Terms of Service

• Content is owned by XLR8Leads Pty Ltd or licensors

• Linking is permitted; framing requires written consent

• Refunds are governed by service-specific terms

• Legal governance is determined by jurisdiction relevant to your contract

19. Updates to Policy

We may update this policy periodically to reflect legal, technical, or business changes. All material changes will be communicated to users.