Skip to main content
All systems operational

Privacy Policy

Last updated: April 11, 2026

This Privacy Policy (“Policy”) explains, in detail, how Midbound Limited, a company incorporated in England and Wales with its registered office at Spaceworks Building, 21 Plumbers Row, London, United Kingdom E1 1AG (“Midbound,” “we,” “us,” or “our”), processes personal data when you access or use the Leadpipe marketing website at https://leadpipe.com, any subdomains we operate that link to this Policy, our customer-facing dashboard, APIs, integrations, documentation portals, support channels, webinars, events, and any other products or services that we offer and identify as subject to this Policy (collectively, the “Services”). This Policy is designed to be read together with our Cookie Policy, which describes cookies and similar technologies in greater depth, and our Terms of Service, which govern contractual use of the Services.

We take data protection seriously. This document is lengthy because privacy law is context-specific: the same product feature may involve different categories of data, different legal bases, different retention periods, and different rights depending on whether you are a casual website visitor, a registered user, a billing contact, an administrator configuring integrations for your employer, or an individual whose business contact details appear in data processed by our customers when they use Leadpipe for visitor identification, intent analytics, or related workflows. Where we act as a data controller, we determine the purposes and means of processing and this Policy applies in full. Where we act as a data processor on documented instructions from a business customer, that customer is typically the controller for personal data relating to their end users or prospects, and their privacy notice (not this Policy) is the primary disclosure for those individuals, while we still describe our subprocessors, security practices, and international transfers here so that customers can meet their own accountability obligations.

By accessing or using the Services, or by submitting personal data to us (for example when you complete a “Book a demo” form, create an account, subscribe to product updates, join a webinar, email our team, or interact with in-product chat), you acknowledge that you have accessed this Policy. If you do not agree with how we process personal data as described here (and as updated from time to time), you must discontinue use of the Services and refrain from submitting personal data to us, subject to any rights you may have under applicable law. Nothing in this Policy is intended to limit statutory rights that cannot lawfully be waived.

For all privacy-related enquiries, including requests to exercise rights described in this Policy, you may contact us at support@leadpipe.com. We will respond within the timeframes required by applicable law, which may vary by jurisdiction. Where we need additional information to verify your identity or authority to act on behalf of another person, we will explain what we need and why. We do not charge a fee for responding to legitimate requests unless the law permits a reasonable administrative fee for repetitive or manifestly unfounded requests. We encourage you to read this Policy carefully and revisit it periodically because privacy practices evolve with products and law.

1. Definitions and interpretive rules

To reduce ambiguity, capitalised terms in this Policy have the meanings set out below. Where a term is defined in the UK General Data Protection Regulation (“UK GDPR”) or the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”), we use the same meaning unless we expressly state otherwise. References to “personal data” include any information relating to an identified or identifiable natural person; references to “processing” include any operation performed on personal data, whether automated or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  • Affiliate: any entity that controls, is controlled by, or is under common control with Midbound, where “control” means ownership of more than fifty percent of voting securities or the power to direct management.
  • Anonymous or aggregated data: information that does not relate to an identified or identifiable individual, or that has been irreversibly anonymised in line with applicable law. We may use such data for analytics, benchmarking, and product improvement without treating it as personal data, provided it genuinely does not permit re-identification.
  • Customer: a business or other organisation that enters into a contract with us to use paid or trial Leadpipe functionality, including any authorised users they designate.
  • End user: an individual who interacts with a Customer’s website, advertisements, or other digital properties in connection with features the Customer configures through Leadpipe. Depending on context, End users may include site visitors, leads, or business contacts.
  • Legitimate interests: one of the lawful bases for processing under UK GDPR / EU GDPR, meaning processing is necessary for our (or a third party’s) legitimate interests except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Processor / Sub-processor: where we process personal data on behalf of a Customer under documented instructions, we are a processor; entities we engage to assist that processing are subprocessors, subject to contractual flow-down obligations.
  • Sensitive / special category data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sex life or sexual orientation, and in some jurisdictions additional categories such as precise geolocation or financial account numbers when treated as sensitive by local law.

Headings are for convenience only and do not affect interpretation. References to “includes” or “including” are illustrative and non-exhaustive unless the context requires otherwise. If any provision of this Policy conflicts with a data processing agreement (“DPA”) executed between Midbound and a Customer, the DPA prevails with respect to processing performed strictly as a processor for that Customer.

2. Scope: who is covered and when this Policy applies

This Policy applies to personal data we process about: (a) individuals who browse our public marketing website without logging in; (b) individuals who submit forms, download resources, or register for events; (c) administrators, developers, and other personnel who create or manage Leadpipe accounts on behalf of a Customer; (d) billing contacts and signatories to commercial agreements; (e) individuals who communicate with our sales, success, or support teams; (f) individuals who participate in user research, beta programmes, or case studies (subject to separate consents or agreements where applicable); and (g) in limited circumstances, individuals whose data appears in logs or product telemetry when Customers connect their systems to Leadpipe, to the extent we process such data as a controller for our own operational purposes (for example abuse prevention) or as a processor on the Customer’s instructions.

This Policy does not apply to: (i) processing by third-party websites, applications, or services that are linked from our Site but operated by independent controllers (you should read their policies); (ii) processing by Customers in their own capacity as controllers, those Customers must provide appropriate notices to their End users; or (iii) employment-related processing relating to our own staff or contractors, which is covered by internal employment privacy notices.

If you access the Services from outside the United Kingdom, your personal data may be transferred to the UK and other countries as described in the international transfers section. We apply safeguards where required by law.

3. Personal data we collect: overview and categories

The personal data we collect depends on how you interact with us, which features you use, whether you are a Customer or a prospect, and whether third parties send us information (for example from authentication providers or enrichment partners when you choose to connect them). We group data into categories for transparency; a given individual may not fall into every category.

3.1 Website and marketing interactions

When you visit our marketing site, we and our subprocessors may process technical identifiers and usage data such as IP address, user agent string, device type, operating system, browser language, referring URL, pages viewed, scroll depth or video engagement where measured, approximate geographic location derived from IP, timestamps, and unique cookie or local storage identifiers where permitted. If you submit a form, we collect the fields you complete, often including name, work email address, company name, job title, phone number, company size, industry, and free-text messages, as well as metadata such as UTM campaign parameters, form submission time, and (where used) reCAPTCHA or similar anti-abuse signals.

If you register for a webinar, office hours, or in-person event, we may collect dietary or accessibility preferences when you voluntarily supply them, and we may process attendance data, poll responses, and recordings where we give separate notice and obtain consent where required. If you subscribe to email updates, we process your email address, subscription preferences, and engagement metrics (opens and clicks) in line with ePrivacy rules and marketing opt-out mechanisms.

3.2 Account, authentication, and billing

When a Customer creates an account, we process account identifiers, names, email addresses, role assignments, team or workspace structure, API keys or OAuth tokens (stored using appropriate security measures), configuration choices, audit logs of administrative actions, and security settings such as SSO or MFA status. For billing, we or our payment processor may process billing contact details, VAT or tax identifiers where supplied, payment method metadata (we typically do not store full card numbers where a PCI-compliant processor tokenises them), invoices, transaction history, and dunning or collections communications as permitted by law.

3.3 Product usage, support, and communications

We process content you send us by email, in-product messaging, or support tickets, including attachments, screenshots (which may incidentally contain personal data), and call recordings where we notify you and obtain consent if required. We maintain logs for security, debugging, and service improvement, which may include user IDs, IP addresses, request paths, error codes, and timestamps. Where Customers use features that surface analytics about their pipelines, campaigns, or site traffic, the underlying event data may include pseudonymous identifiers, business email addresses, or other attributes depending on Customer configuration; when we process such data strictly to provide the service to the Customer, we generally act as a processor.

3.4 Data obtained from third parties

We may receive personal data from partners (for example when a partner refers you to us), from publicly available professional sources, or from enrichment vendors where our sales organisation uses such tools in compliance with law and any contractual restrictions. We may merge this with information you have already provided to keep records accurate. We also receive signals from advertising or analytics platforms when you interact with our ads, subject to those platforms’ policies and your settings.

4. Purposes of processing and legal bases (UK / EEA)

Where UK GDPR or EU GDPR applies, we must identify a lawful basis for each processing purpose. The table below summarises typical purposes and bases. In specific cases, more than one basis may be available; we rely on the most appropriate one. If we intend to process personal data for a new purpose incompatible with the original purpose, we will provide a new notice or obtain consent as required.

Purpose (summary) Typical lawful basis Further explanation
Delivering the Services, performing our contract with Customers, account administration Performance of a contract; legitimate interests (service integrity) Processing necessary to register accounts, authenticate users, provide features the Customer purchased, and maintain reliable infrastructure.
Responding to enquiries from prospects and website visitors Legitimate interests; consent where required for certain cookies or marketing We have an interest in responding to commercial enquiries. Where law requires prior consent (for example for electronic direct marketing to individuals in some contexts), we obtain it.
Security, fraud prevention, abuse detection, enforcing acceptable use Legitimate interests; legal obligation where applicable Protecting systems and users against malicious activity is a necessary and proportionate interest; we minimise data use and apply retention limits.
Analytics on our own website and product (non-essential cookies or similar) Consent, where required Where cookies or similar technologies are not strictly necessary, we seek consent in line with PECR / ePrivacy requirements and honour withdrawals.
Legal claims, regulatory requests, corporate transactions Legal obligation; legitimate interests We may process data to comply with law, defend rights in court, or support due diligence subject to confidentiality duties.

Where we rely on legitimate interests, we balance our interests against your rights. You may object to processing based on legitimate interests as described in the rights section, and we will cease unless we demonstrate compelling grounds or the processing is for legal claims.

5. Cookies, pixels, and similar technologies (cross-reference)

We use cookies, local storage, session storage, pixels, tags, and software development kits in line with our Cookie Policy. That document explains categories (strictly necessary, functional, analytics, marketing), how to manage preferences, and third-party technologies that may set their own cookies when loaded on our pages. This Policy focuses on the personal data outcomes of those technologies, for example, an analytics cookie may generate usage records tied to a pseudonymous identifier, which we treat as personal data where it can be linked to an identifiable individual.

6. How we share personal data

We do not sell personal data in the conventional sense of selling a mailing list for monetary consideration. We disclose personal data to categories of recipients as needed to operate the Services:

  • Subprocessors and service providers who host infrastructure, provide CDN and DDoS protection, deliver email, run customer support tooling, process payments, conduct security monitoring, or provide professional services to us under confidentiality and data protection terms.
  • Professional advisers including lawyers, accountants, and insurers, where subject to professional duties of confidentiality.
  • Authorities when we believe disclosure is required by law, regulation, legal process, or governmental request, or to protect vital interests.
  • Corporate transactions such as financing, merger, or acquisition; personal data may be transferred subject to continued protection commitments.
  • Customers in limited cases, for example, where a support ticket shows that a user belongs to a particular Customer organisation and we need to coordinate resolution.

We require subprocessors to implement appropriate technical and organisational measures and to process personal data only on our instructions (when we act as controller) or as permitted by our agreement with Customers (when we act as processor). A list of key subprocessors is available to Customers on request and may be updated with notice as contractually agreed.

7. International transfers of personal data

Midbound is based in the United Kingdom. Our personnel, subprocessors, and infrastructure may be located in the UK, the European Economic Area (“EEA”), the United States, and other countries. When we transfer personal data from the UK or the EEA to countries that have not received an adequacy decision under UK or EU law, we implement appropriate safeguards required by Article 46 UK GDPR / EU GDPR, such as the UK International Data Transfer Agreement (“IDTA”) or Addendum, the EU Commission Standard Contractual Clauses (“SCCs”) with Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable, supplemented by a transfer impact assessment where required by Schrems II and subsequent regulatory guidance. We assess government access laws in destination countries and, where necessary, implement additional technical measures (for example encryption in transit and at rest, pseudonymisation, or split-key architectures) to reduce risk.

Customers who require specific transfer mechanisms or vendor questionnaires may request our completed documentation subject to confidentiality. If you are located in a jurisdiction that restricts cross-border transfers, contact us to discuss whether local requirements affect your use of the Services.

8. Retention of personal data

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, unless a longer period is required or permitted by law. Retention criteria include: whether you maintain an active account; whether we have an ongoing relationship with your organisation; whether retention is needed for legal, tax, or accounting obligations; whether data is needed to resolve disputes or enforce agreements; and whether anonymisation or aggregation is appropriate as an alternative to deletion.

Illustrative retention periods (subject to variation by contract or law): marketing contact records may be retained for the duration of our commercial relationship plus a limited period for re-engagement unless you object or unsubscribe; backup systems may retain residual copies for a technical window consistent with our backup rotation policy; security logs may be retained for months to years depending on threat environment and legal requirements; billing records may be retained for seven years or as required by tax law; support tickets may be retained to maintain service continuity unless deletion is requested and no overriding interest applies.

When retention expires, we delete or irreversibly anonymise personal data using procedures appropriate to the storage medium. Deletion from active systems may precede deletion from backups; restored backups are purged on the next cycle where feasible.

9. Security measures

We implement a security programme appropriate to the nature of the Services and the risks to individuals, including administrative, technical, and physical safeguards. Measures may include access controls based on least privilege, multi-factor authentication options for accounts, encryption of data in transit using modern TLS configurations, encryption of sensitive data at rest where appropriate, logging and monitoring for security events, vulnerability management, secure development practices, employee training, vendor security assessments, and incident response procedures.

No system is perfectly secure. If you discover a vulnerability, please report it responsibly to support@leadpipe.com. In the event of a personal data breach likely to result in risk to individuals, we will notify supervisory authorities and affected individuals as required by UK GDPR / EU GDPR, and we will support Customers with processor-side notifications where we process data on their behalf.

10. Your rights under UK GDPR and EU GDPR

If you are in the UK or EEA (or where equivalent rights apply), you may have the following rights in relation to personal data we process as controller, subject to conditions and exemptions in law:

  1. Right of access: You may request confirmation of whether we process your personal data and obtain a copy, together with certain information about processing.
  2. Right to rectification: You may request correction of inaccurate data or completion of incomplete data.
  3. Right to erasure (“right to be forgotten”): You may request deletion where grounds apply, such as withdrawal of consent where consent was the sole basis, unlawful processing, or successful objection.
  4. Right to restriction: You may request that we limit processing in certain circumstances, for example while a dispute is resolved.
  5. Right to data portability: Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible.
  6. Right to object: You may object to processing based on legitimate interests or for direct marketing (including profiling related to marketing), and we will stop unless we show compelling legitimate grounds.
  7. Rights related to automated decision-making: You have safeguards where solely automated decisions with legal or similarly significant effects occur; Leadpipe does not intend to make such decisions about consumers in a way that excludes human review for contractual Services, but we describe the position generally for completeness.
  8. Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.
  9. Right to lodge a complaint: You may complain to a supervisory authority. In the UK, the Information Commissioner’s Office (“ICO”) at ico.org.uk. In the EEA, you may contact your local authority.

To exercise rights, email support@leadpipe.com. We may need to verify identity. If we decline a request, we will explain why and inform you of appeal paths. If you are an End user of a Customer’s deployment, we may need to refer your request to that Customer where they are the controller for your data.

11. United States state privacy disclosures

Several US states have enacted comprehensive privacy laws that grant residents specific rights and require certain disclosures. Depending on your state of residence and the scope of the statute, you may have rights to know categories and specific pieces of personal information collected; to delete personal information subject to exceptions; to correct inaccuracies; to opt out of “sale,” “sharing,” or targeted advertising as those terms are defined locally; to limit use of sensitive personal information; and to appeal our response to a request. We describe categories of information collected and purposes in this Policy; we do not “sell” personal information as commonly defined under the California Consumer Privacy Act as amended (“CCPA”) / California Privacy Rights Act (“CPRA”) in the sense of exchanging personal information for money without appropriate notice and opt-out rights, but we may use analytics or advertising partners whose activities could constitute “sharing” for cross-context behavioural advertising under California law, in which case we honour applicable opt-out mechanisms such as Global Privacy Control signals where legally required and technically feasible.

We do not discriminate against individuals for exercising privacy rights. Financial incentives, if ever offered in connection with personal information programs, will be described with required details. We do not knowingly sell or share personal information of minors under sixteen for behavioural advertising.

Authorized agents may submit requests on your behalf where permitted by law, with proof of authorisation. We may verify consumer requests using information matching our records.

12. Processor processing on behalf of Customers

When Customers use Leadpipe to identify visitors, route events to integrations, or analyse intent, we often process personal data about End users strictly as a processor. In that role, we process data only on documented instructions (including via the Services’ configuration and the Terms), assist Customers with responding to individual rights requests where feasible, ensure personnel confidentiality, implement appropriate security, notify Customers of breaches without undue delay, delete or return data at the end of service as agreed, make available information needed for audits, and flow down obligations to subprocessors. The Customer remains responsible for lawful collection, notices, consents, and opt-outs toward End users.

If you believe a Customer has processed your data through Leadpipe unlawfully, you should contact that organisation first. We will assist as required by law and contract.

13. Marketing, profiling, and non-personal uses

We may send product updates, invitations, and thought leadership where permitted. You may opt out of marketing emails using the unsubscribe link or by contacting us. Operational messages (security alerts, billing notices, policy updates that affect you) are not necessarily marketing. We may build segment-level profiles (for example, grouping companies by industry and engagement score) using personal data combined with business information; we do not use sensitive categories for profiling for incompatible purposes.

14. Children’s data

The Services are directed to businesses and adult professionals. We do not knowingly collect personal data from children under sixteen (or a higher age where local law requires) for consumer-facing marketing. If you believe we have collected such data, contact us and we will take appropriate steps to delete it.

15. Automated decision-making and AI-assisted features

Some product capabilities may involve machine learning or statistical models (for example, scoring engagement likelihood or clustering accounts). Where such processing produces legal or similarly significant effects on individuals in jurisdictions that regulate solely automated decisions, we work with Customers to ensure appropriate human oversight, transparency, and rights. For our own B2B marketing stack, we do not use solely automated decision-making that denies individuals essential services in a consumer context.

16. Research, benchmarking, and product telemetry

We may analyse usage patterns in aggregate or pseudonymous form to prioritise roadmap items, measure feature adoption, and improve reliability. Where such analysis uses personal data, we apply minimisation and retention limits. We may publish high-level benchmarks that do not identify individuals or Customers without consent.

17. Third-party links and embedded content

Our Site may embed videos, maps, social widgets, or calendars from third parties. Interacting with those embeds may allow third parties to collect information even if you do not leave our Site. Their processing is governed by their policies.

18. Changes to this Policy

We may update this Policy to reflect legal, technical, or business developments. We will post the revised version on this page and update the “Last updated” date. Where changes are material and consent is required, we will obtain it or give you choices. Where contractually required for Customers, we will provide additional notice. Continued use of the Services after the effective date of non-material updates may constitute acceptance to the extent permitted by law.

19. Regulatory references and compliance posture

We aim to align our programme with the UK GDPR, the Data Protection Act 2018, the EU GDPR where we offer services into the EEA, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) for relevant electronic marketing and cookies, and applicable US state privacy laws. We monitor guidance from the ICO, the European Data Protection Board, and other regulators. Specific certifications or audit reports, if available, may be shared under NDA with enterprise Customers.

20. Data Protection Impact Assessments and records of processing

We maintain internal records of processing activities as required by Article 30 UK GDPR / EU GDPR and conduct data protection impact assessments when processing is likely to result in high risk to individuals, implementing mitigations and consulting regulators where mandatory. Customers may request reasonable cooperation for their own DPIAs relating to the Services.

21. Your California “Do Not Sell or Share” and similar opt-outs

California residents may have the right to opt out of the sale or sharing of personal information and to limit use of sensitive personal information. Details of how to signal opt-out preferences (including browser-based mechanisms) are provided in our Cookie Policy and any linked preference centre. We will not discriminate for exercising these rights.

22. Contact and supervisory authority details (summary)

Controller contact: Midbound Limited, Spaceworks Building, 21 Plumbers Row, London, United Kingdom E1 1AG; support@leadpipe.com.

UK supervisory authority: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom; telephone 0303 123 1113; website ico.org.uk.

This Policy is provided for transparency and does not by itself create contractual rights beyond those in your agreement with us or rights that cannot be excluded under applicable law. If any translated version conflicts with the English version, the English version prevails for legal interpretation unless local law requires otherwise.

23. Subprocessors, audits, and on-site inspections

Enterprise Customers may require advance notice of changes to our subprocessor list and a reasonable objection process before a new subprocessor processes personal data covered by their DPA. Where a Customer objects on documented data-protection grounds and we cannot offer a commercially reasonable alternative, either party may terminate the affected portion of the Services. Audit rights, if granted in a Customer’s DPA, are typically satisfied by provision of third-party certifications, audit reports, or questionnaires, with physical on-site audits reserved for circumstances where mandated by supervisory authority or where other assurance is insufficient and the scope is agreed in writing in advance. We maintain due diligence files on subprocessors including security questionnaires, contractual data protection terms, and periodic reviews proportional to risk.

24. Detailed data inventory (illustrative, non-exhaustive)

The following narrative inventory supplements earlier sections and is illustrative: Identifiers may include real name, alias, online identifier, Internet Protocol address, email address, account name, or similar identifiers. Commercial information may include records of products or services purchased or considered, or other purchasing histories. Internet or network activity may include browsing history, search history, and information regarding interaction with our Site or ads. Geolocation data may include approximate location from IP. Professional or employment-related information may include current or past job title, employer name, and team role. Inferences may be drawn from the above to create profiles reflecting preferences or propensity to purchase. Not every data element is collected for every individual; actual fields depend on interactions, integrations, and Customer configuration. We do not use this Policy to collect special category data from website visitors without a lawful basis and explicit steps; Customers must not configure the Services to process prohibited categories without appropriate legal grounds and safeguards.

25. Conflict between notices, order forms, and DPAs

In case of conflict: (i) for processing as a processor, the executed DPA and order form control over this Policy; (ii) for processing as a controller, the Policy and Terms control unless a separate written agreement expressly states otherwise for a specific campaign or pilot; (iii) for employment or contractor relationships, internal notices prevail. We will not reduce statutory protections for individuals through contract where such reduction is void.

26. Accessibility of this Policy

We aim to present this Policy in readable language while preserving legal precision. If you need this Policy in another format (for example large print or machine-readable text) due to a disability, contact support@leadpipe.com and we will work with you to provide reasonable assistance, subject to operational constraints. We may update contact channels, addresses, or regulatory citations as they change; the version posted on this page with the “Last updated” date remains the authoritative consumer-facing text unless a signed agreement explicitly incorporates a different document by reference. Printed copies, PDF exports, or cached versions may become outdated; always verify the current text on leadpipe.com/privacy-policy before relying on it for compliance decisions.