Article 1: Our Commitment to Data Protection

Intellixio, the parent company of ZendoLead, is fully committed to upholding the principles of the General Data Protection Regulation ((EU) 2016/679) and applicable data protection laws in the UK and Switzerland. This document outlines our compliance framework, our processing activities, and the rights of individuals whose data we may process in the provision of our Service. This statement supplements our main ZendoLead Privacy Policy and ZendoLead Terms of Service.

Article 2: Our Role - Data Controller and Data Processor

Understanding our role is fundamental to GDPR compliance. For the ZendoLead Service, our roles are distinctly defined:

• 2.1 Intellixio as a Data Controller: We act as a Data Controller for Customer Account Data (e.g., your name, email, company name, billing information) and our own Marketing Data (e.g., data from our website cookies). For this data, we determine the purpose and means of processing.
• 2.2 Intellixio as a Data Processor: For all data processed within the core ZendoLead Service, we act as a Data Processor on behalf of our customers. This data ("Service Data") includes:
  • Your Knowledge Base
  • Sourced Lead Data (business contact information sourced by the AI)
  • Conversation Data

In this capacity, you, our Customer, are the Data Controller. You determine the purpose of the processing (to generate business leads) and are solely responsible for ensuring the lawfulness of the processing activities you instruct us to perform.

Article 3: Lawful Basis for Processing

We only process personal data when a valid legal basis exists under Article 6 of the GDPR.

• For Customer Account Data: Our basis is Performance of a Contract, as we need this data to provide you with the Service you subscribed to.
• For Service Data: We process this data based on your instructions as your Processor. The lawful basis you, as the Controller, must establish for proactive B2B lead generation is Legitimate Interest. You are responsible for conducting and documenting a Legitimate Interest Assessment (LIA) to ensure that your interest in direct B2B marketing is balanced against the rights and freedoms of the individuals being contacted.

Article 4: Data Protection by Design and Security Measures

We have built ZendoLead on a foundation of privacy by design and by default (Article 25).

• Data Minimization: Our autonomous agent is designed to source only necessary business-related contact information (e.g., name, company, job title, business email) and is engineered to avoid seeking or processing sensitive personal data categories.
• Purpose Limitation: All Service Data is processed for the sole and exclusive purpose of providing lead generation services as instructed by you. It is not re-used for other commercial purposes.
• Security: We implement robust technical and organizational measures, including end-to-end encryption for data in transit (TLS 1.2+), AES-256 encryption for data at rest, strict access controls, and regular security assessments.

Article 5: AI and Automated Decision-Making (Article 22)

We are transparent about our use of AI. ZendoLead's AI performs automated decision-making to classify leads.

• Logic Involved: The AI analyzes conversation content to assess interest levels against the criteria provided in your Knowledge Base.
• Significance and Envisaged Consequences: This process has a low-impact outcome. It is a business lead classification, not a decision that produces legal or similarly significant effects on an individual. The sole consequence for a data subject is the potential for an introduction to your human sales team. It does not result in a denial of service, financial loss, or legal impact.

Article 6: Data Subject Rights

As the Data Controller, you are responsible for handling data subject rights requests from the leads we source for you. As your Data Processor, we are committed to providing you with the tools and support needed to comply. We will promptly notify you of any request we receive and will assist you in fulfilling requests for access, rectification, erasure, objection, and restriction of processing related to the data we process on your behalf.

Article 7: International Data Transfers & Sub-processors

• 7.1 International Transfers: As a global company, data may be transferred outside of the EEA. We ensure this data is protected by using the European Commission's approved Standard Contractual Clauses (SCCs), which are incorporated into our Data Processing Addendum.
• 7.2 Sub-processors: We may engage trusted third-party sub-processors (e.g., cloud hosting providers) to assist in providing our services. All sub-processors are vetted and contractually bound to process data only according to our instructions and to implement GDPR-compliant security measures.

Article 8: Data Processing Addendum (DPA)

In accordance with Article 28 of the GDPR, we offer all our customers a comprehensive Data Processing Addendum (DPA). This legal agreement outlines our duties as your Data Processor, details our security measures, and includes the Standard Contractual Clauses (SCCs) to ensure lawful international data transfers. Please contact [email protected] to obtain and execute our DPA.

Article 9: Data Retention and Breach Notification

• 9.1 Data Retention: Service Data processed on your behalf is retained for the duration required to provide the Service and is securely deleted from our systems within 90 days of account termination, unless otherwise required by law.
• 9.2 Data Breach Notification: In the unlikely event of a data breach affecting the data we process on your behalf, we will notify you without undue delay, typically within 48 hours of discovery, to help you fulfill your notification obligations as a Data Controller.

Article 10: Data Protection Officer

We have appointed a dedicated Data Protection Team to oversee our compliance efforts. For all inquiries related to GDPR and our data protection practices, please contact them: