Back to home

Privacy Policy

This policy explains what data Consent Leads processes, why, and what rights you have. Short version: we build workflow systems for UK businesses and we process the minimum data needed to do that.

Who we are

Consent Leads is operated by Salam O. as a sole trader based in the United Kingdom. We are in the process of incorporating as a UK limited company; this page will be updated when that completes. Contact: [email protected]

What data we collect

From visitors and prospective clients:

• Email address (when you request a scope or reply to outreach)
• Information you choose to share about your business in those messages
• Standard server logs (IP address, browser, referrer) for 30 days, used to debug issues only

From clients during a project:

• Whatever access credentials you grant us to deliver the build (CRM, email, calendar, social inbox)
• Examples of past customer interactions where required to train an assistant for you
• Billing details handled by Stripe. We do not store card data.

For cold outreach:

• Publicly available business contact data (name, email, role, company) sourced from company websites and public business directories
• This data is processed under legitimate interest grounds for B2B outreach. You can opt out at any time by replying with the word "no" or emailing us, and we will suppress your address within 24 hours.

Why we process this data

Prospective clients: processed under UK GDPR Article 6(1)(b), to respond to your enquiry, and Article 6(1)(f), legitimate interest, to follow up.

Active clients: processed under UK GDPR Article 6(1)(b), necessary for performance of our contract with you. Where we process personal data of your end customers on your behalf (for example, booking assistant traffic), we do so as your data processor under a separate processor agreement.

Cold outreach contacts: processed under UK GDPR Article 6(1)(f), legitimate interest. Our legitimate interest is the operation of a B2B services business. We respect opt-out requests immediately.

Who we share data with

We use the following sub-processors. Each is bound by their own GDPR-compliant data processing terms:

• Cloudflare (DNS, hosting, email routing, Pages Functions). UK/EU data residency available.
• Resend (transactional and outbound email delivery)
• Stripe (payment processing when deposits or invoices are taken)
• Twilio (SMS and missed-call workflows where the client opts into that service)
• Anthropic (large language model inference for assistants; Anthropic does not train on our API data)
• Oracle Cloud (UK and EU regions) as required to run server-side components of client systems
• Meta Platforms (Instagram Graph API) where a client connects an Instagram Business account: we read incoming customer DMs and send the client's pre-configured replies via Meta's API. Subject to Meta's own data processing terms.

We do not sell any data. We do not share client data with anyone outside the sub-processors above.

How long we keep data

• Prospective client emails: until you ask us to delete them, or 24 months from last contact, whichever is sooner
• Active client data: for the duration of our contract plus 6 years for HMRC and contract record purposes
• End customer data we process on your behalf: handled per our processor agreement, deleted on your instruction
• Cold outreach contacts: deleted after 6 months of no engagement, or immediately on opt-out request

If you connect an Instagram Business account

When a business owner connects their Instagram Business account to our reply system, we act as their data processor for the following Instagram data, accessed under their instruction:

• Account identifiers: the Instagram user ID, username, and a long-lived access token, stored only to identify the connected account and send replies on the owner's behalf.
• Incoming customer messages: the content of direct messages sent by customers to the connected business account, received via Meta's webhook in real time.
• Outgoing replies: messages generated by the assistant from the owner's configured services, prices, and booking link, sent back to the customer via Meta's Graph API.
• Conversation history: retained only to maintain context across a customer's conversation; deleted when the business owner instructs us to, or when the account is disconnected.

We do not store followers, media, or insights. We do not use this Instagram data for any purpose other than running the reply assistant for the connecting business.

To request deletion of all data held about an Instagram account connection, see our data deletion page. You can also revoke our access at any time from Instagram → Settings → Apps and Websites → Active → remove Consent Leads Reply.

Your rights

Under UK GDPR you can ask us to:

• Show you what data we have about you
• Correct inaccurate data
• Delete your data (unless we have a legal obligation to keep it)
• Object to processing based on legitimate interest
• Port your data to another service

Email [email protected] with any request. We respond within one month.

Cookies

Our website uses no analytics cookies, no advertising cookies, and no tracking. The only cookies in our ecosystem come from Stripe during checkout, and from systems we build for clients on their own domains.

Complaints

You have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. We would prefer you contact us first so we can fix whatever went wrong.

Changes to this policy

If we change this policy materially, we will update the "last updated" date above and email active clients.