Privacy Policy
Version 1.0 — Last updated: 13 May 2026
⚠️ Closed-beta starter draft. This document is a reasonable starting point for a UK B2B SaaS. It should be reviewed by qualified legal counsel before Totalinfo Ltd accepts external paying customers.
1. Who we are
Totalinfo Ltd (the "Company", "we", "us") is the data controller for personal data processed via the Lead Generation platform at https://leadgen.totalinfo.net.
- Registered office: Belfast, Northern Ireland
- Contact: richard@ipr.guru
- ICO registration: (to be populated when registered)
2. What personal data we collect
We process the following categories of personal data:
| Category | Source | Examples |
|---|---|---|
| Account data | You, when signing up | Name, work email, password hash, plan |
| Lead profile data | Public sources & third-party APIs | Company names, registered addresses, Companies House officer names, patent applicants, job postings |
| Contact data | Hunter.io enrichment + your manual entry | Work email addresses, names, job titles, phone numbers, LinkedIn URLs of decision-makers at companies you target |
| Usage data | Your interactions with the platform | Page views, lead approve/reject decisions, draft emails generated |
| Billing data | Stripe (processor) | Card token, billing address, invoice history (we do NOT store card numbers) |
| Audit data | Automatically | Login timestamps, admin actions, security events |
3. Lawful bases for processing
| Purpose | Lawful basis |
|---|---|
| Providing the service to a user with an account | Contract (GDPR Art. 6(1)(b)) |
| Building lead profiles from public/Companies-House data | Legitimate interest (Art. 6(1)(f)) — B2B prospecting on publicly available information |
| Sending you account emails (welcome, password reset) | Contract (Art. 6(1)(b)) |
| Sending you marketing emails about new features | Consent (Art. 6(1)(a)) — opt-in only |
| Showing lead contact emails to platform users | Legitimate interest (Art. 6(1)(f)) — B2B outreach with corporate addresses |
| Complying with tax/audit/legal obligations | Legal obligation (Art. 6(1)(c)) |
We rely on soft opt-in / legitimate interest under PECR for outbound B2B sales emails to publicly listed corporate addresses. Every outbound email contains a one-click unsubscribe link and an immediate suppression mechanism.
4. Who we share data with (sub-processors)
See the full Sub-processor list. Headline sub-processors:
- Stripe — payments
- Anthropic, OpenAI, Google, OpenRouter, Moonshot — AI providers (we route via OpenRouter's zero-data-retention mode by default)
- Hunter.io — domain/email discovery
- MongoDB — primary datastore (self-hosted on Hetzner cloud VPS in Germany)
- Sentry — error monitoring
- SMTP relay — transactional + outreach email
UK/EU adequacy or Standard Contractual Clauses (SCCs) apply to all transfers outside the UK/EEA.
5. Retention
| Data | Retention |
|---|---|
| Active account data | While account is active |
| Audit logs | 2 years (TTL on audit_logs collection) |
| Sourced lead data | Until you delete it via the dashboard |
| Email send history + open tracking | 12 months |
| Backup snapshots | 14 days rolling |
| Billing records | 7 years (HMRC requirement) |
Deleted accounts are queued for a 14-day cooling-off period (see /admin/dsar) then permanently erased.
6. Your rights (data subjects)
Under UK GDPR / EU GDPR you have the right to:
- Access — request a copy of personal data we hold about you (Account → Export My Data)
- Rectification — correct inaccurate data via the dashboard or by emailing richard@ipr.guru
- Erasure — delete your account via Account → Delete Account (subject to 14-day cooling-off)
- Restriction — ask us to stop using your data while a complaint is investigated
- Portability — receive your data in a structured JSON export
- Object — to legitimate-interest processing (see Section 3)
- Withdraw consent — for marketing emails, via the unsubscribe link
If you believe we have mishandled your data you can complain to the UK Information Commissioner's Office at ico.org.uk.
7. Cookies and tracking
See our separate Cookie Policy. We use only strictly necessary cookies (session, CSRF, Stripe checkout). No analytics or marketing cookies.
8. Children
The service is not intended for use by anyone under 18.
9. Changes to this policy
We will give 30 days' notice of material changes via in-app banner and email. The current version is recorded against your account at signup and re-affirmation is requested when the version increments.
10. Contact
Questions about this policy: richard@ipr.guru