How does LeadCrunch develop leads compliantly?
LeadCrunch is a technology company and service provider, which acts on behalf of its customers and only as instructed by its customers as it relates to running campaigns to help them generate more business.
In the act of generating such new business for our customers, often referred to as “leads,” if asked to generate leads in a certain jurisdiction that requires it, we make available our standard Data Protection Addendum to our contract that complies with the General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”), among other frameworks.
LeadCrunch is classified as a “Processor” under relevant data protection legislation. As a Processor, we use the Protected Data solely on behalf of the customer’s documented instructions. In processing the Protected Data, LeadCrunch’s responsibilities include (but are not limited to):
- Treating all Protected Data (data considered by regulation to be personal or sensitive) as confidential information,
- Amending, correcting or erasing Protected Data at the customer’s request and ensuring that all Protected Data processes are accurate and up-to-date,
- At the direction of the customer, cooperating and assisting in conducting data protection impact assessments and related consultations with any Supervisory Authorities,
- Ensuring the reliability of all personnel who Process Protected Data.
Is LeadCrunch GDPR compliant?
Yes, LeadCrunch is GDPR compliant. The majority of LeadCrunch campaigns target individuals outside of the European Union. However, in the cases where LeadCrunch does engage individuals in the E.U., LeadCrunch complies with GDPR. LeadCrunch is considered a “data processor” per GDPR regulations and complies with such requirements.
For such E.U.-targeted campaigns, LeadCrunch works with a partner network, all of whom have their own GDPR compliance protocols. LeadCrunch only partners with companies that have such protocols in place and have been verified and vetted by LeadCrunch. Although LeadCrunch doesn’t directly obtain opt-ins from the targeted individuals, secure processing of the information has been ensured through secure data processing software.
LeadCrunch partners executing campaigns in the E.U. leverage explicit opt-in data or target business contacts with a “legitimate interest” in the services being offered.
Is LeadCrunch CCPA compliant?
Yes, LeadCrunch is CCPA compliant. As a trusted vendor working on your behalf, we only generate leads that conform to the instructions and parameters you give us, and we do not resell any information you provide to us. Note, LeadCrunch only handles personal data in a business-to-business context, which is not in scope for the CCPA until 2021.
How does LeadCrunch source its data?
For North America and other regions outside of GDPR jurisdiction, LeadCrunch maintains a compliant, proprietary database of information about companies and business professionals used for executing our customers’ marketing campaigns. This list is a blend of public and commercially available sources and is enhanced using our data cleansing and validation technology to ensure each contact is relevant and up-to-date.
We vet our sources of information to ensure they are gathering personal data compliantly and offer contacts the ability to request the removal of their existing individual profile from our database. All of our data is business information only. Personal consumer information is not present in our proprietary database.
How does LeadCrunch use personal contact data in its campaigns?
LeadCrunch, on behalf of its customers, uses a variety of industry standard marketing outreach such as phone, email, and digital advertising. The data used for targeting such individuals comes from LeadCrunch’s proprietary database or those of our vetted and compliant partners.
All contacts are lawfully obtained and have the option to opt out of any individual campaign or from all LeadCrunch campaigns. LeadCrunch’s approach to targeting business individuals identifies and markets to only such individuals who are likely to have a legitimate interest in the relevant services or content being promoted.
Does LeadCrunch maintain a “data inventory” or “record of processing”?
Yes. Understanding and documenting how and why personal data is collected/received, stored, and shared is foundational for any privacy program, and required by some frameworks like the GDPR. We maintain a data inventory that details how we ingest personal data, the kinds of personal data we handle, the purposes of data collection and use, where service providers support personal data processing, and where LeadCrunch is a data controller or processor, among other considerations. The data inventory documentation evolves as our business and data protection obligations do.
Is LeadCrunch equipped to handle data privacy requests?
Yes. LeadCrunch is prepared to field and complete privacy requests, where individuals might ask to invoke their rights to personal data access or deletion, for example, as offered by laws and regulations like the GDPR or CCPA. Where LeadCrunch is a data processor, handling personal data on behalf of and at the direction of its customers, we are also positioned to assist our customers with privacy requests where technical or procedural limitations require it.
Privacy requests can be submitted to us by emailing firstname.lastname@example.org.
Is LeadCrunch required to complete data protection impact assessments (DPIAs) under the GDPR?
No. LeadCrunch handles a low volume of European personal data, and where it does, this information (e.g. name, business contact information, firmographic details) and the manner in which it is used does not present a high level of risk to the rights and freedoms of the associated individuals. Therefore, a DPIA under the GDPR is not required. However, our privacy program was developed by completing an initial privacy impact assessment to ensure it promotes data minimization, purpose limitation, data protection by design, and lawful and transparent processing.
Does LeadCrunch have a Data Protection Officer (DPO)?
No. This GDPR requirement does not apply to LeadCrunch, for reasons similar to why a DPIA is not required of us. We do, however, have a Data Privacy Team dedicated to maintaining our privacy program and our compliance with necessary laws and regulations.
Does LeadCrunch have breach reporting procedures in place?
Yes. We have monitoring mechanisms and security incident protocols that allow us to identify, triage, and escalate potential data breaches if they occur. Our policies direct us on when an impacted party or individual would need to be notified and what the message content should describe.
Is LeadCrunch compliant with the Canadian Anti-Spam Law (“CASL”)?
Yes, LeadCrunch is CASL compliant. When generating leads in Canada, LeadCrunch and our partner network only conduct outreach via the phone, unless we have sourced lead data from professionals that have a prior relationship with your business, or have provided express consent to be contacted by email and other forms of commercial messaging covered by the law.
How does LeadCrunch sustain its privacy program?
All of our personnel undergo data privacy training and are bound to strict confidentiality terms. Beyond this, we have published internal policies and procedures that inform our workforce of our privacy obligations and customer expectations and provide guidance on how to comply with and uphold our privacy standards and controls.