Policy Version 3.0. Last updated: 27 September 2025
1. Introduction
At XLR8Leads Pty Ltd, privacy, data security, and compliance are integral to the way we operate. We are committed to managing personal data responsibly, transparently, and in accordance with applicable data protection and communication laws across all jurisdictions in which we operate, including Australia, the United States, Canada, the United Kingdom, the European Union, India, and others as required.
This policy explains how we collect, process, store, share, and protect personal data, and how we meet global compliance obligations. By engaging with our services, you consent to the practices described herein.
Note: AI-driven outreach activities are governed by our separate AI Outreach Policy & Disclosure SOP, which sets operational standards, consent requirements, and jurisdiction-specific disclosure rules.
2. Regulatory Compliance Overview
We comply with privacy and communication laws across jurisdictions, including but not limited to:
• Australia: Privacy Act 1988 (Cth), Spam Act 2003, Australian Consumer Law (ACL), Do Not Call Register Act 2006
• United States: California Consumer Privacy Act (CCPA), Telephone Consumer Protection Act (TCPA), and A2P (Application-to-Person) SMS standards
• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s Anti-Spam Legislation (CASL)
• United Kingdom: UK GDPR, Data Protection Act 2018
• European Union: General Data Protection Regulation (GDPR)
• India: Digital Personal Data Protection Act, 2023 (DPDPA)
• Other regions: Local privacy and consumer protection laws where applicable
3. International Data Subject Rights
3.1 EU / UK (GDPR & UK GDPR)
• Right to access, correct, and erase personal data
• Right to restrict or object to processing
• Right to data portability
• Right not to be subject to automated decision-making, including profiling
• Right to lodge complaints with the local supervisory authority
3.2 United States (CCPA & TCPA)
• Right to know what data is collected, shared, or sold
• Right to request deletion
• Right to opt out of sale of personal data
• Right to non-discrimination
• SMS requires prior express written consent under TCPA with clear opt-out mechanisms
3.3 Canada (PIPEDA & CASL)
• Right to access and correct personal data
• Requirement for meaningful consent
• Electronic messages follow CASL requirements with prior opt-in, identification, and unsubscribe mechanisms
3.4 India (DPDPA 2023)
• Right to access, correct, and erase personal data
• Nomination rights in case of incapacity or death
• Children under 18 require parental consent
• Complaints may be lodged with the Data Protection Board of India
4. Consent and Communication
• We only contact individuals with express or implied consent in accordance with their jurisdiction and relevant data privacy laws (e.g., Spam Act 2003, GDPR, TCPA).
• Consent is obtained via digital forms, advertisements, or by the end user texting a keyword to a designated number. All consent records are securely stored with timestamps and source references for auditability.
• By providing consent, users agree to receive communications from XLR8Leads Pty Ltd via SMS, email, WhatsApp, or other electronic means.
• These communications may include transactional messages (e.g., appointment reminders, document requests) and/or promotional offers, depending on the user’s selected preferences.
• Message frequency may vary. Standard message and data rates may apply.
• All outbound communications include clear opt-out instructions.
4.1 SMS Communication Procedures
• All SMS communications include a clear opt-out mechanism in line with applicable laws.
• Recipients may unsubscribe at any time by replying with a recognised keyword (e.g., STOP, CANCEL, UNSUBSCRIBE), or via other opt-out methods provided in the message (e.g., secure link).
• Upon receipt of an opt-out request, our system immediately suppresses further messages and records the request for compliance purposes.
• Clients may configure which opt-out keywords or unsubscribe mechanisms are enabled, provided they remain clear, accessible, and lawful.
• A confirmation message is sent to users once opt-out is complete.
5. Data Collection and Processing
XLR8Leads collects only the minimum information required to deliver its services. We do not collect unnecessary or excessive personal data.
5.1 Client Information
For clients engaging XLR8Leads, we collect:
• Company details (e.g., business name, registered address, ABN/identification where applicable)
• Client representative details (name, email, phone number)
• Verification information required for tax, communication, and operational purposes, including registration of Twilio virtual numbers used in outreach campaigns
This information is necessary for:
• Establishing and maintaining the business relationship
• Tax and invoicing compliance
• Provisioning communication channels for campaigns
5.2 Outreach Campaign Data
For outreach campaigns performed on behalf of clients, we only collect:
• First and last name of the contact
• Mobile phone number
• Email address
This limited information is required solely to:
• Deliver campaign messages (SMS, WhatsApp, email)
• Personalise outreach and engagement
• Support lawful follow-up communications
5.3 No Additional Data Collection
• We do not collect browsing behaviour, IP addresses, geolocation, or other technical identifiers for outreach contacts.
• Aggregated analytics are generated only from campaign results (e.g., response rates, delivery success), without storing or linking to unnecessary personal identifiers.
• All outreach contacts remain under the ownership and control of the client.
5.4 Consent Management
• All outreach contacts must have provided consent in accordance with applicable laws (e.g., GDPR, CCPA, CASL, Spam Act 2003, DPDPA 2023).
• Opt-in and opt-out options are included in all communications.
• For the purposes of applicable law, the client remains the data controller, and XLR8Leads acts solely as a data processor. Clients are responsible for ensuring their databases are lawfully collected and consent is valid. XLR8Leads processes data only under client instruction and in compliance with applicable privacy regulations.
6. Document Handling & Secure Storage Options
We support multiple secure methods for document submission and storage, including channel transitions (SMS → WhatsApp) to ensure security and convenience:
1. CRM Secure Upload – Documents are stored within our CRM under client control, with full client access for management, retrieval, and deletion.
2. Direct Client Portal Upload – Documents may be securely transferred directly into the client’s designated storage environment (e.g., AWS, Azure, or Google Cloud).
3. Cross-Channel Secure Upload (SMS → WhatsApp) – Outreach campaigns may begin via SMS to engage and nurture leads, including pitching services and booking appointments for handover to the client’s sales team.
Where the process requires submission of supporting documents (e.g., identification or financial verification materials), communication is transitioned to WhatsApp.
This ensures that sensitive documents are exchanged in a channel providing end-to-end encryption and secure handling, while also enabling the upload of files in multiple formats (e.g., PDF, Word, JPEG, PNG). This cross-channel process maintains both user convenience and data security throughout the engagement lifecycle.
4. Supported Formats – PDF, Word, Excel, PowerPoint, JPEG, PNG, TIFF, and other approved formats are supported across secure channels.
7. Data Handling & Security
Our infrastructure uses trusted cloud and VPS providers. Security measures include:
• AES-256 encryption (in transit and at rest)
• TLS 1.2+ secure communications
• Role-Based Access Control (RBAC)
• Multi-Factor Authentication (MFA)
• Real-time threat detection (SIEM)
• OWASP-aligned secure development practices
• Ongoing staff training in cybersecurity
8. Data Storage & Location (Sovereignty)
• Australian Clients: Data hosted on AU servers (e.g., Sydney).
• International Clients: Dedicated VPS provisioned within the client’s chosen jurisdiction (US, UK, EU, CA, IN).
• Non-Sovereignty Clients: Default hosting in Australia unless otherwise required.
The physical server location determines data residency. For Indian clients, VPS hosting within India is available to meet the requirements of the Digital Personal Data Protection Act, 2023 (DPDPA).
Roles and Transfers:
• XLR8Leads acts as a data processor; the client remains the data controller.
• Where data must be transferred across borders, transfers are safeguarded by Standard Contractual Clauses (SCCs), UK International Data Transfer Addendums, or equivalent mechanisms required under applicable law.
9. Workflow Handling Process
1. Individual initiates contact and provides consent
2. Data retrieved from CRM or database
3. Automated workflows triggered
4. Individual responds (confirming or opting out)
5. Documents securely uploaded if required
6. Data synced to client CRM
7. Client teams receive qualified contacts for follow-up
10. Third-Party Integrations
To deliver secure and effective services, XLR8Leads relies on carefully selected third-party integrations. These providers act as sub-processors under applicable privacy laws, handling only the minimum data required for service delivery. All integrations are reviewed for compliance with international data protection and security standards. Refer to the Data Sub-Processor Register below, which highlights the touchpoints at each stage of the data flow.
• Twilio – Our trusted communications provider for SMS, WhatsApp, and voice services. Twilio enables the provisioning of virtual numbers and the lawful delivery of campaign messages. All transmissions through Twilio are encrypted in transit, and Twilio maintains SOC 2, ISO 27001, and GDPR compliance certifications.
• Our CRM (Go High Level) – The central platform for client data management, workflow execution, and secure storage. Client accounts are segregated, and data is only accessible by authorised users.
• WhatsApp & SMS APIs – Used to facilitate direct, secure, and lawful engagement. Where appropriate, campaigns may initiate via SMS and transition to WhatsApp for end-to-end encrypted file and document sharing.
• n8n (Self-Hosted) – Our primary automation platform for clients requiring sovereignty. VPS instances are provisioned within the client’s chosen jurisdiction, ensuring data never leaves that region. All workflows are fully encrypted and client controlled.
• Zapier – May be used at the discretion of XLR8Leads for workflow automation where data sovereignty restrictions do not apply. Data is encrypted during processing and retained only as long as necessary for workflow execution.
All integrations are governed by data processing agreements and undergo regular security reviews to ensure continued compliance with GDPR, CCPA, CASL, Spam Act 2003, DPDPA 2023, and other applicable privacy regulations.
Data Sub-Processor Register

11. Data Sharing and International Transfers
• We do not sell personal data.
• Data is shared only with essential service providers.
• Cross-border transfers use legal safeguards (SCCs, PIPEDA-compliant contracts, UK Transfer Risk Assessments).
Retention:
• Data is retained only as long as necessary for the lifecycle of workflows or as required by law.
• By default, XLR8Leads retains workflow metadata for up to 24 months unless clients specify shorter retention periods.
• Clients control the retention of contact data within their CRM accounts and may delete it at any time.
• Where local law requires shorter or longer retention (e.g., financial records under tax law), those obligations override our defaults.
Metadata includes timestamp logs, delivery status, campaign labels, and engagement actions, but excludes personal identifiers or message content.
12. Service Workflows & Compliance
XLR8Leads delivers a suite of automation modules, including Speed to Lead, Follow-Up, Recover, Add-Ons, Out of Hours, Reputation, Document Collection, eCommerce, Webinars and others, under a unified compliance framework. Each module is operated with the same strict safeguards to ensure lawful engagement, secure data handling, and brand-safe outcomes.
12.1 Consent & Lawful Basis
• All outreach is performed only where a lawful basis exists (e.g., prior consent, contractual necessity, or legitimate interest).
• Re-permissioning campaigns are recommended when consent records are uncertain, incomplete, or outdated.
• Consent records are securely maintained in accordance with regional laws, including GDPR, CCPA, CASL, Spam Act 2003, and DPDPA 2023.
12.2 Data Minimisation & Purpose Limitation
• Only the minimum information necessary to deliver each module is collected and processed.
• No personal data is copied, sold, or used outside of the agreed campaign or workflow scope.
• All workflows are reviewed periodically to ensure alignment with compliance obligations.
12.3 Transparency & Opt-Outs
• Every outbound communication clearly identifies the sender and includes simple, accessible opt-out instructions.
• SMS and messaging campaigns comply with A2P, TCPA, CASL, Spam Act 2003, and DPDPA 2023, while email, WhatsApp, and other channels follow their respective legal standards.
• Opt-out requests are honoured immediately, logged for audit purposes, and confirmed back to the contact.
12.4 Module-Specific Safeguards
• Speed to Lead – Ensures prospects are contacted quickly, but always within compliant communication windows.
• Follow-Up – Designed to re-engage warm leads on demand while maintaining opt-out options.
• Recover – Used to re-engage missed opportunities lawfully, turning unconverted leads into compliant new outreach.
• Out of Hours – Configured to respect local time zones and regulatory contact-hour restrictions.
• Reputation – Manages post-sale communications ethically, including customer feedback and review requests.
• Document Collection – Where verification documents (e.g., ID or financial proof) are required, outreach may begin via SMS but transitions to WhatsApp for secure, encrypted document sharing across multiple file formats.
• eCommerce – Operates under opt-in frameworks for cart recovery and promotional messaging, with transparent unsubscribe mechanisms.
• Webinars – Engagement flows for pre- and post-event communication are managed with explicit opt-in and data protection safeguards.
• Add-Ons (Resell, Cross-Sell, Upsell) – This module is designed to unlock new revenue from the client’s existing database by re-engaging prior leads and customers with contextually relevant offers. Because these databases often include a mix of different contact types, the following rules apply:
1. Current Customers
  • Lawful basis: Contractual necessity or legitimate interest.
  • You may engage them with:
    • Upsell opportunities (higher-tier products or services).
    • Cross-sell opportunities (related products or services).
    • Resell opportunities (repeat purchase cycles).
  • Conditions: Clear opt-out instructions must be included in all communications.
2. Ex-Customers (recent churn, past 6–12 months)
  • Lawful basis: Legitimate interest may apply if the outreach is related to their prior purchase and falls within a reasonable timeframe.
  • You may engage them with:
    • Resell offers reminding them of prior services.
    • Cross-sell opportunities that are closely related to prior use.
  • Conditions:
    • Outreach must be relevant and non-intrusive.
    • Where uncertainty exists, a re-permissioning campaign should precede ongoing communication.
3. Inactive Leads (engaged in the past but never converted)
  • Lawful basis: Prior consent must be demonstrated (e.g., original opt-in to receive marketing).
  • You may engage them with:
    • Cross-sell or upsell if related to their original inquiry.
    • Resell-style messaging if their inquiry indicated purchase intent.
  • Conditions:
    • Consent must still be valid (not excessively aged).
    • If consent status is unclear, initiate a re-permissioning campaign first.
4. Aged Leads (very old, unclear consent)
  • Lawful basis: Cannot be re-engaged without refreshed consent.
  • You may not directly engage them with promotional outreach.
  • Recommended:
    • Launch a re-permissioning campaign (e.g., “Would you like to hear from us again?”) before including them in cross-sell or upsell flows.
12.5 Compliance Monitoring
• All modules undergo routine compliance reviews to ensure alignment with global privacy and consumer protection standards.
• Clients are responsible for ensuring that contact lists provided to XLR8Leads were lawfully collected with proper consent.
By applying this comprehensive compliance framework across all modules, XLR8Leads ensures that every engagement, from lead capture to document collection and beyond, is delivered securely, ethically, and in full compliance with applicable laws.
13. Brand Protection & Responsible AI Use
• All our services detect hostile or non-cooperative replies and disengage automatically
• This protects customer goodwill and preserves brand reputation
14. User Rights & Data Requests
• Users may request access, correction, or deletion of their data
• Requests must be submitted by email or portal; responses are provided within required legal timeframes (e.g., 30 days under GDPR, 15 days under DPDPA)
• Clients may directly manage their CRM-stored data
15. Children’s Privacy
Our services are not intended for children under 18 (or the local equivalent minimum age). Under India’s DPDPA, processing the data of children under 18 requires parental consent. We do not knowingly collect data from minors.
16. Cookies & Website Tracking
Cookies and similar tracking technologies are used only on our website and landing pages, not in SMS, WhatsApp, or other outbound campaigns.
These tools help us:
• Enhance user experience when visiting our website
• Analyse traffic and visitor engagement
• Support lawful marketing and remarketing initiatives (e.g., Google Analytics, Meta Pixel)
Visitors can manage cookie preferences through their browser settings or our website’s cookie consent banner.
Important: Cookies and tracking do not apply to SMS or WhatsApp communications. Those channels are managed strictly through lawful consent and opt-out processes, independent of website tracking technologies.
For more details on user responsibilities and platform usage, please refer to our Terms of Service.
17. External Links & Public Interactions
• We are not responsible for the practices of third-party websites linked from our site
• Information disclosed in public forums may be collected or used by others
18. Updates to Policy
• Using our services implies acceptance of this Privacy Policy and Terms of Service
• Content is owned by XLR8Leads Pty Ltd or licensors
• Linking is permitted; framing requires written consent
• Refunds are governed by service-specific terms
• Legal governance is determined by jurisdiction relevant to your contract
19. Terms of Use Summary
• For AI-driven messaging, automation, and operational standards, clients should consult the standalone AI Outreach Policy & Disclosure SOP. Requests may be sent to [email protected]
