LeadLogix Privacy Policy
This Privacy Policy describes how Diggit Software Solutions Co. LLC (“Diggit”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards information when you, or a business entity on whose behalf you act, use our LeadLogix platform (the “Service”). LeadLogix is a multi-tenant marketing automation platform that operates advertising campaigns on behalf of business clients across third-party advertising platforms.
This Policy applies to:
- Business representatives who interact with LeadLogix as employees, contractors, or agents of a client company (“Client Users”).
- Visitors to leadlogix.ai and dashboard.leadlogix.ai (“Site Visitors”).
- End users whose personal data may be processed by LeadLogix on behalf of a client company in the course of advertising operations (“End Users”).
If you are an End User and have questions about how a specific client company processes your personal data, please contact that company directly. LeadLogix processes End-User data only on the instructions of, and under contract with, the client company that is the data controller.
1. Who we are
Controller of personal data:
- Diggit Software Solutions Co. LLC
- 807, Ubora Business Tower, Marasi Drive, Business Bay, Dubai, United Arab Emirates
- Contact for privacy inquiries: montazir@diggitglobal.com
Diggit is the operator of LeadLogix. Where LeadLogix processes data on behalf of a client company as a processor, the client company is the controller of End-User data.
2. Information we collect
2.1 Information you provide directly
- Account information: business email address, password (stored as a bcrypt hash, never in plain text), name, role designation, and the client identifier of the client company you represent.
- Campaign briefing information: product descriptions, target audience descriptions, budget parameters, campaign duration preferences, competitor names, and campaign goals submitted to the platform.
- Creative assets: images, videos, copy variants, and other marketing materials uploaded for use in campaigns.
- Communication: messages or feedback sent to Diggit via the platform or via email.
2.2 Information collected automatically
- Authentication and security logs: timestamps of login attempts, failed login counts, IP-derived information for anti-abuse purposes.
- Service usage logs: job identifiers, agent execution timestamps, status of automated processes, and audit-log entries describing actions taken within the platform.
- Performance data: aggregated and per-campaign metrics such as impressions, clicks, spend, and conversion counts returned by third-party advertising platforms.
2.3 Information from third parties
- Advertising platforms: campaign performance data from Meta, Google, LinkedIn, and similar platforms when LeadLogix operates campaigns under credentials authorised by the client company.
- Public sources: publicly visible advertising creatives, search results, and competitor advertising activity used by the platform’s strategist agent to inform recommendations.
2.4 What we do not collect
- We do not currently use analytics cookies, advertising cookies, or third-party tracking pixels on leadlogix.ai or dashboard.leadlogix.ai. If this changes in the future, we will update this Policy and present a cookie consent notice before any non-essential cookie is set.
- We do not require payment card information through the LeadLogix platform itself; ad spend is billed by third-party advertising platforms to credentials supplied by the client company.
3. How we use information
We use the information described above to:
- Operate the Service: authenticate users, run agentic workflows, generate strategy and creative outputs, deploy campaigns to advertising platforms, and report performance.
- Protect the Service: detect and prevent unauthorised access, abuse, and security incidents, including via login throttling and audit logging.
- Improve the Service: diagnose errors, analyse aggregated usage patterns, and develop new features. We do not use Client User personal data to train third-party machine learning models.
- Communicate: respond to support inquiries, provide service notifications, and inform users of material changes to the Service.
- Comply with law: meet obligations under applicable data-protection laws, respond to lawful requests from authorities, and exercise or defend legal rights.
4. Legal bases for processing (GDPR / UK GDPR)
Where the General Data Protection Regulation or UK GDPR applies, we rely on the following legal bases:
- Contract: processing necessary to deliver the Service to client companies and their authorised users.
- Legitimate interests: securing the Service against fraud and abuse, improving features, and supporting business operations, balanced against the rights and freedoms of data subjects.
- Consent: where we ask for it expressly, for example before introducing non-essential cookies in the future.
- Legal obligation: where processing is required by law, regulation, or court order.
5. Sharing and disclosure of information
We do not sell personal data. We share personal data only as follows:
- Service providers (sub-processors): third parties that host or process data on our behalf under contractual data-protection obligations. Current sub-processors are listed in Section 7.
- Advertising platforms: campaign payloads, creative assets, and targeting parameters are transmitted to advertising platforms such as Meta, Google, and LinkedIn when the client company has authorised this. These platforms operate as independent controllers under their own privacy terms.
- Client companies: data created by or about a Client User is accessible to authorised administrators of that client company.
- Legal: when required by law, regulation, or valid legal process, or to protect the rights, property, or safety of Diggit, our users, or others.
- Corporate transactions: in connection with a merger, acquisition, financing, or sale of business assets, subject to ongoing confidentiality and protection of personal data.
6. Multi-tenant data isolation
LeadLogix is engineered as a multi-tenant platform. Every record we hold on behalf of a client company is tagged with a unique client identifier. Application-layer access controls and database query filters ensure that a Client User of one client company cannot access records belonging to another client company. Administrative access by Diggit personnel is limited to operational and support purposes and is logged.
7. Sub-processors and data location
LeadLogix currently uses the following sub-processors. Where personal data is transferred outside the data subject’s jurisdiction, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses, adequacy decisions, or equivalent safeguards.
7.1 Sub-processors
- Hetzner Online GmbH — primary application and database hosting. Data centre: Falkenstein, Germany.
- Airtable, Inc. — structured data layer for campaign records, audit logs, and configuration. Servers in the United States.
- Cloudinary Ltd. — creative asset storage and delivery via a global content delivery network.
- Cloudflare, Inc. — DNS, edge security, and DDoS protection.
- Anthropic PBC — large language model inference for agent reasoning. Servers in the United States.
- Google LLC — Gemini large language model inference for selected agent steps. Servers in the United States and other regions.
- Slack Technologies — internal operational alerts. Servers in the United States.
- Vercel Inc. — hosting of the LeadLogix dashboard application. Servers globally distributed.
7.2 Primary data residency
- Primary processing and most operational data: Germany (Hetzner Falkenstein).
- Structured campaign records, audit logs, configuration: United States (Airtable).
- Creative assets: globally distributed via Cloudinary content delivery network.
8. International transfers of personal data
Because our sub-processors operate globally, personal data may be transferred to, stored, and processed in countries other than your country of residence, including the United States. For transfers from the European Economic Area, the United Kingdom, and the United Arab Emirates, we rely on contractual safeguards such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented by additional technical and organisational measures.
9. Security
We protect personal data using a combination of technical and organisational measures, including:
- Encryption in transit using TLS for all dashboard, API, and webhook traffic.
- Encryption at rest for credentials stored in the n8n credential vault (AES-256).
- Strong password hashing using bcrypt with 12 salt rounds; no plain-text passwords are stored.
- Five-strike account lockout to mitigate brute-force authentication attempts.
- Per-client data segregation at the application layer.
- Network protections via Cloudflare WAF and DDoS mitigation.
- Audit logging of significant actions for after-the-fact review.
No system can be guaranteed completely secure. If you suspect a security issue, contact us promptly at montazir@diggitglobal.com.
10. Data retention
We retain personal data for as long as it is needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Operational logs and audit-log entries are typically retained for the lifetime of the relevant client account, after which they are deleted or anonymised within a reasonable period. Client companies may request deletion of specific records subject to legal retention requirements.
11. Your rights
Depending on your jurisdiction, you may have rights to:
- Access the personal data we hold about you and obtain a copy.
- Request correction of inaccurate or incomplete data.
- Request deletion of personal data, subject to legal and contractual constraints.
- Restrict or object to certain processing activities.
- Request portability of personal data you have provided to us.
- Withdraw any consent you previously gave, without affecting the lawfulness of prior processing.
- Lodge a complaint with a supervisory authority in your jurisdiction.
To exercise these rights, contact us at montazir@diggitglobal.com. If your data is processed by us on behalf of a client company that is the controller, we will direct your request to that company or assist it in responding.
12. Children
LeadLogix is a business-to-business platform intended for use by representatives of organisations who are at least 18 years old. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the version and date at the top of this document and, where appropriate, notify users through the platform or by email. Continued use of the Service after the effective date of an updated Policy constitutes acceptance of the changes.
14. How to contact us
For privacy inquiries, data subject requests, or questions about this Policy:
- Email: montazir@diggitglobal.com
- Postal: Diggit Software Solutions Co. LLC, 807, Ubora Business Tower, Marasi Drive, Business Bay, Dubai, United Arab Emirates
15. Jurisdiction-specific notices
15.1 European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, the UK, or Switzerland, your personal data is processed in accordance with the GDPR or UK GDPR as applicable. The legal bases on which we rely are set out in Section 4. International transfers are governed by the safeguards described in Section 8. You have the right to lodge a complaint with your national supervisory authority.
15.2 United Arab Emirates
If you are located in the United Arab Emirates, your personal data is processed in accordance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and applicable free-zone data-protection regulations. You may contact us with requests regarding access, correction, deletion, or restriction of processing.
15.3 California, United States
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding personal information, including the right to know, the right to delete, the right to correct, the right to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioural advertising), and the right to limit use of sensitive personal information. To exercise these rights, contact us at montazir@diggitglobal.com.
15.4 Singapore
If you are located in Singapore, your personal data is processed in accordance with the Personal Data Protection Act 2012 (PDPA). You may contact us with questions or requests regarding your personal data.