Data Privacy
Last updated: May 30, 2026 · Effective: May 30, 2026
This page provides detailed information for compliance officers, enterprise customers, and data subjects about how EazeLead handles personal data — including our legal basis, sub-processors, retention schedules, and how to exercise your rights.
1. Our Role: Data Controller & Data Processor
EazeLead occupies a dual role depending on whose data is being processed. Understanding this distinction is important for compliance with India's DPDPA 2023 and GDPR.
Data Controller / Fiduciary
EazeLead determines the purpose and means of processing for:
- Your registration data (name, email, phone, company)
- Your account settings and preferences
- Billing and payment records
- Support and communication history
- Usage analytics and platform logs
Data Processor
EazeLead processes on your instruction only, for:
- Lead and contact data you import or capture
- Conversation history stored in your CRM workspace
- WhatsApp / SMS campaign recipient data
- Deal values, notes, and pipeline entries
- Any personal data about your customers or prospects
You (our customer) are the Data Controller for this data.
2. Legal Framework
EazeLead's data practices are governed by the following laws:
Digital Personal Data Protection Act, 2023 (DPDPA)
India
Applies when: All personal data of Indian residents, regardless of where EazeLead processes it. Partially effective November 2025; full effect May 2027.
Key requirements: Consent-first framework. Grievance Officer mandatory. Breach reporting to Data Protection Board. Data deletion when purpose ends.
Information Technology Act, 2000 (IT Act)
India
Applies when: Sensitive personal data collected, stored, or processed in India.
Key requirements: Reasonable security practices required. Privacy policy mandatory. Compensation for wrongful disclosure.
General Data Protection Regulation (GDPR)
EU / EEA
Applies when: If EazeLead processes data of individuals located in the EU/EEA — regardless of where EazeLead is based.
Key requirements: Lawful basis required. Data subject rights (access, erasure, portability). DPA mandatory. 72-hour breach reporting.
3. Your Rights in Detail
As a registered user of EazeLead, you hold the following rights over your personal data. To exercise any right, email support@eazelead.com with the subject line matching the right you are invoking.
Right to Access
What it means: Obtain a complete copy of all personal data we hold about you.
How to exercise: Email support@eazelead.com with subject 'Data Access Request'. We will provide a structured export within 30 days.
Response SLA: 30 days
Right to Correction
What it means: Request correction of inaccurate, outdated, or incomplete personal data.
How to exercise: Update directly via your account profile, or email us for data you cannot change yourself.
Response SLA: 14 days
Right to Erasure (Right to be Forgotten)
What it means: Request deletion of your personal data. Note: we may retain certain data where required by law (e.g., billing records for 7 years under Indian tax law).
How to exercise: Email support@eazelead.com with subject 'Data Deletion Request'. Active account data deleted within 30 days; backups purged within 6 months.
Response SLA: 30 days
Right to Data Portability
What it means: Receive a copy of your data in a structured, machine-readable format (CSV or JSON).
How to exercise: Use the in-app data export feature, or request via email. Export includes account data and CRM data you own.
Response SLA: 30 days
Right to Withdraw Consent
What it means: Withdraw consent for marketing emails, WhatsApp campaigns, SMS campaigns, or analytics at any time.
How to exercise: Use in-app consent settings, click the unsubscribe link in any marketing email, or reply STOP to any SMS/WhatsApp message.
Response SLA: Immediate (max 24 hours)
Right to Object
What it means: Object to processing based on legitimate interest, including direct marketing or profiling.
How to exercise: Email support@eazelead.com with subject 'Objection to Processing'. We will cease that processing unless we have compelling legitimate grounds.
Response SLA: 30 days
4. Sub-processors & Vendors
EazeLead uses the following categories of sub-processors to deliver our service. All sub-processors are bound by Data Processing Agreements and are required to implement appropriate security safeguards. We will notify customers at least 30 days before adding a new sub-processor that processes personal data.
| Category | Purpose | Data Accessed | Location |
|---|---|---|---|
| Cloud Hosting | Platform infrastructure & data storage | All platform data | India / Global |
| Payment Processor | Billing and subscription management | Billing details, plan info | India / Global |
| Email Delivery | Transactional & marketing emails | Email address, name | Global |
| SMS Gateway | SMS campaign delivery | Phone number, message content | India / Global |
| WhatsApp Business API | WhatsApp campaign delivery | Phone number, message content | US / EU |
| Analytics | Platform usage analytics | Usage data, IP (anonymized) | Global |
| Support Tooling | Customer support communications | Name, email, support history | Global |
For a complete and current list of named sub-processors, email support@eazelead.com.
5. Data Processing Agreement (DPA)
A Data Processing Agreement (DPA) is legally required under GDPR (Article 28) whenever a data controller uses a data processor. EazeLead provides a DPA to all customers who process personal data of EU/EEA residents through our platform.
What our DPA covers:
- Subject matter and duration of processing
- Nature and purpose of processing on your behalf
- Types of personal data and categories of data subjects
- Your obligations and rights as data controller
- Our obligations as data processor (confidentiality, security, sub-processor notification)
- Data deletion or return upon contract termination
- Audit rights and cooperation with supervisory authorities
How to request a DPA:
Email support@eazelead.com with your company name and registered email address. We will send a pre-signed DPA within 5 business days.
Note: By using EazeLead to process personal data of individuals, you represent that you are a lawful data controller and that you have the appropriate consent or legal basis to collect and process that data. EazeLead processes such data solely on your instructions.
6. Data Retention Schedule
The following retention periods apply to each category of data we process:
EazeLead Account Data (Controller)
| Data Category | Retention Period | Reason |
|---|---|---|
| Account profile data | Active account + 90 days post-closure | Recovery window |
| Billing / invoice records | 7 years after invoice date | Indian GST / IT Act requirement |
| Support communications | 2 years | Legal defense, quality assurance |
| Security & access logs | 12 months | Security investigation |
| Backup copies | 30–90 days post-deletion | Disaster recovery |
| Fully deleted data | Purged from all systems within 6 months | DPDPA / GDPR compliance |
Customer Lead / Contact Data (Processor)
| Data Category | Default Retention | Notes |
|---|---|---|
| Active leads / contacts | Customer-controlled | Retained while your account is active |
| Soft-deleted leads | 30 days | Allow undo; permanently purged after |
| Conversation history | Customer-controlled (recommend 2–3 years) | Linked to lead lifecycle |
| Campaign history | 1–2 years | Analytics, compliance proof |
| Consent & opt-out records | 3 years after contact deletion | Legal audit trail |
| Bounced / invalid contacts | 6–12 months | List hygiene, prevent re-contact |
| Post-account-closure | Purged within 30 days of closure | After recovery window |
7. WhatsApp & SMS Compliance
The DPDPA 2023 and GDPR impose strict requirements on consent for direct messaging channels. EazeLead is designed to support your compliance — but you (the controller) remain responsible for ensuring you have a lawful basis to contact each recipient.
Separate, explicit opt-in
WhatsApp and SMS campaign consent is tracked separately from email marketing consent. Users must actively check an opt-in box — no pre-selection.
Consent audit trail
Every consent record includes: data principal identifier, consent type (WhatsApp/SMS), timestamp, collection method, and IP address (where available).
Easy opt-out on every message
All outbound WhatsApp and SMS messages sent via EazeLead include an opt-out instruction. Opt-outs are honoured within 24 hours and permanently recorded.
No tracking without consent
EazeLead does not perform behavioral tracking, cross-device profiling, or create shadow profiles. Campaign analytics are limited to delivery, open, and reply rates.
Your responsibility
You are responsible for obtaining the initial consent to contact each lead. EazeLead provides the tools (consent logs, opt-out management, audit exports) to help you demonstrate compliance.
8. Security Measures
EazeLead implements the following technical and organizational security measures (TOMs) in line with DPDPA 2023 and GDPR Article 32:
Encryption in Transit
TLS 1.2+ for all data in transit between clients and our servers.
Encryption at Rest
AES-256 encryption for all stored personal data and database backups.
Access Controls
Role-based access controls (RBAC). Least-privilege principle. MFA for internal systems.
Audit Logging
Comprehensive audit logs for all data access events, retained for 12 months.
Vulnerability Management
Periodic penetration testing, dependency scanning, and security patch management.
Incident Response
Documented breach response plan with defined escalation paths and notification timelines.
Vendor Security
All sub-processors are reviewed for security compliance before onboarding.
Business Continuity
Regular backups with tested restoration procedures. Disaster recovery plan maintained.
9. Breach Notification
In the event of a personal data breach, EazeLead will follow the procedure below:
Contain & Assess
0–4 hours
Our security team immediately contains the breach and assesses the scope, type of data affected, and risk to data subjects.
Notify Authorities
Within 72 hours (GDPR) / Promptly (DPDPA)
We notify the relevant Data Protection Authority — Data Protection Board of India (DPDPA) or local DPA (GDPR) — with details of the breach, categories of data affected, and remediation steps.
Notify Affected Customers
Within 72 hours of confirmed high-risk breach
We notify affected customers via email with details of what happened, what data was involved, and steps taken to remediate.
Notify Affected Individuals (if required)
As required by applicable law
Where there is a high risk to individuals' rights and freedoms, we work with you (as controller) to notify affected data subjects directly.
Post-Incident Review
Within 30 days
Full incident report provided to affected customers. Root cause analysis, remediation actions, and preventive measures documented.
To report a suspected security incident, email support@eazelead.com immediately.
10. International Data Transfers
EazeLead primarily stores data on servers located in India. Some of our sub-processors (e.g., WhatsApp Business API via Meta, SMS gateways) may process data outside India or the EU/EEA.
When personal data is transferred outside India, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs): European Commission-approved contractual terms for EU/EEA data transfers.
- Adequacy decisions: Where the destination country has been deemed adequate by the EU Commission.
- Consent: Where the data subject has explicitly consented to the transfer after being informed of the risks.
- DPDPA cross-border mechanisms: In accordance with the Data Protection Board of India's approved transfer frameworks once notified.
11. Consent Management
EazeLead uses a granular consent model in line with DPDPA 2023 requirements. Each consent is purpose-specific, freely given, and independently withdrawable.
| Consent Type | Required? | How to Withdraw |
|---|---|---|
| Service delivery (account, CRM) | Implied by contract — withdrawal = account deletion | Delete account |
| Transactional emails (receipts, alerts) | Implicit in contract — cannot be withdrawn while active | Close account |
| Marketing / newsletter emails | Explicit opt-in required | Unsubscribe link in every email |
| WhatsApp campaigns | Explicit opt-in required (separate from email) | Reply STOP or in-app settings |
| SMS campaigns | Explicit opt-in required (separate from email) | Reply STOP or in-app settings |
| Analytics & usage tracking | Explicit opt-in required | In-app privacy settings or email us |
12. Filing a Complaint
If you believe your data privacy rights have been violated, please follow the escalation path below:
Contact our Privacy Team
Email support@eazelead.com with full details of your concern. We will acknowledge within 7 days and resolve within 30 days.
Escalate to Grievance Officer
If unresolved, escalate to support@eazelead.com. Our Grievance Officer will respond within 90 days in line with DPDPA 2023 obligations.
Data Protection Board of India
If still unresolved, you may file a complaint with the Data Protection Board of India (once fully constituted under DPDPA 2023).
Your Local Data Protection Authority
EU/EEA residents may also lodge a complaint with their national Data Protection Authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany).