Privacy Policy · All Campaigns

1. Who we are

All Campaigns is operated by an entity established in Sofia, Bulgaria (the "Controller"). For the personal data you upload about your own contacts through All Campaigns — for example, leads, reply-author email addresses, and Unibox thread content — All Campaigns acts as a processor on your behalf, governed by our Data Processing Agreement.

For account-level data — the email you used to sign up, billing information, and product-usage metrics — All Campaigns acts as the controller. This policy describes both roles, with processor-specific obligations addressed primarily in the DPA.

Data-protection enquiries: privacy@leadora.bg.

2. Scope of this policy

This policy applies to:

The All Campaigns marketing site at leadora.bg and its subdomains.
The All Campaigns dashboard at dashboard.leadora.bg and the APIs that power it.
Email and other communications you receive from us in connection with your account or marketing opt-in.

3. What personal data we collect

3.1 Data you provide directly

Account: work email address; optionally, display name and avatar.
Tenant configuration: tenant (workspace) name, optional client/brand metadata.
Instantly API key: encrypted using AES-256-GCM before storage; never displayed back, never logged, never sent to third parties other than Instantly itself.
Billing: handled by myPOS — All Campaigns itself does not store full card details. We retain a tokenized card reference (used only for renewals), plan, invoice history and VAT details where required.
Support: messages you send us via the contact form, email, or in-app feedback.

3.2 Data we collect through the Service

Campaign analytics polled from Instantly: open, reply and bounce counts; sequence step performance; sender health metrics.
Lead records: contact email, name, company, phone, and any custom fields you push from Instantly or import into All Campaigns.
Unibox threads: message subject and body of inbound and outbound emails synced from your Instantly account.
Operator notes: reply notes, call logs (date, duration, outcome, free-text notes) you create against each lead thread.

3.3 Data collected automatically

Operational logs: IP address, user-agent, timestamp, route, response status — used for security, abuse prevention and debugging. Retained 30 days.
Authentication cookies: essential session cookies set by Supabase to keep you signed in. See section 11.
Product analytics: aggregate, pseudonymous event data (e.g. "dashboard opened") — no third-party tracking pixels are deployed on the marketing site or the dashboard.

4. How we use personal data

We use personal data only for purposes you would expect:

Operate the Service: authenticate you, render your dashboard, sync your Instantly data, store the notes you write.
Bill you: process subscription charges via myPOS; issue invoices; satisfy tax obligations.
Communicate with you: send transactional email (magic links, billing receipts, security notices) and, only if you opt in, product updates and tips.
Improve the Service: aggregate, anonymised metrics that help us understand which features are useful.
Secure the Service: detect abuse, prevent unauthorised access, comply with legal obligations.

We do not sell, rent or share personal data with advertisers or data brokers. We do not use Customer Data to train AI models.

5. Legal basis for processing (EU/EEA users)

Under Article 6 of the GDPR we rely on the following legal bases:

Contract (Art. 6(1)(b)) — to provide the Service you have asked us to provide.
Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting and other legal duties.
Legitimate interest (Art. 6(1)(f)) — to operate and secure the Service, to debug, to prevent abuse, and to communicate with you about the Service. We balance our interest against your privacy rights and avoid processing where the balance does not favour us.
Consent (Art. 6(1)(a)) — for non-essential communications such as marketing newsletters. You can withdraw consent at any time.

6. Where we store data

All Customer Data and account data is stored in the European Union, specifically in the Supabase project hosted in Frankfurt (eu-central-1). Application traffic is served from Vercel's European edge regions. myPOS processes payments in the EU under EU data-protection law.

Data at rest is encrypted (Supabase Postgres native AES-256); data in transit is encrypted using TLS 1.2 or higher. Tenants are isolated at the database row level via Postgres Row Level Security (RLS), backed by an additional tenant identifier on every record for defence-in-depth.

7. Sub-processors

We use the following sub-processors to operate the Service. Each processes personal data only on documented instructions, under their own GDPR-aligned data-processing agreement.

Sub-processor	Purpose	Region	DPA
Supabase (Supabase, Inc.)	Postgres database, authentication, realtime	EU (Frankfurt)	supabase.com/legal/dpa
Vercel (Vercel, Inc.)	Web hosting, edge functions, CDN	EU edge regions	vercel.com/legal/dpa
myPOS (myPOS AD)	Subscription billing, card tokenization, refunds	EU (Bulgaria)	mypos.com/legal
Resend (Resend, Inc.)	Transactional email (magic links, receipts)	EU region	resend.com/legal/dpa
Instantly (Bizofficial, Inc.)	Cold-email sending platform that you connect to All Campaigns; we read from your account on your behalf	Per Instantly	instantly.ai/legal/dpa

We will give 30 days' advance notice of any new sub-processor via email or in-app banner, giving you a chance to object before activation.

8. Data retention

Account data: retained for the life of your account plus 30 days after deletion to allow for accidental recovery, then permanently erased.
Customer Data (tenants, leads, threads, notes): retained for the life of your account; you may delete individual records or an entire tenant at any time, and deletion is honoured within 7 days.
Billing records: retained for 10 years to satisfy Bulgarian accounting law.
Operational logs: 30 days.
Support correspondence: 3 years from last contact.

9. International transfers

As of the "last updated" date above, All Campaigns processes and stores personal data exclusively within the European Union. If any sub-processor processes data outside the EEA (e.g. limited support operations of myPOS or Resend), the transfer is governed by the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) and additional supplementary measures where required.

10. Your rights under the GDPR

If you are in the EU/EEA you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure("right to be forgotten") — ask us to delete your data. Account deletion is available in-app.
Portability — receive your data in a machine-readable format. The dashboard offers self-serve CSV/JSON export.
Restriction — ask us to limit processing in certain circumstances.
Objection — object to processing based on legitimate interest.
Withdraw consent — where processing is based on consent, withdraw it without affecting prior lawful processing.
Lodge a complaint — with the Bulgarian Commission for Personal Data Protection (CPDP) or the supervisory authority in your EU country of residence.

To exercise any of these rights, contact us at privacy@leadora.bg. We respond within 30 days. We will verify your identity before fulfilling the request.

If you are an end recipientof a cold-email campaign run through All Campaigns by one of our customers (not the All Campaigns customer themselves), All Campaigns acts as a processor on the customer's behalf. Direct your request to the sending customer, whose identifying information is in the email you received. We will forward any request you send us directly to the relevant customer within 7 days.

11. Cookies & similar technologies

All Campaigns uses only essential cookies: the authentication-session cookie set by Supabase to keep you signed in, a short-lived CSRF token, and a theme preference cookie. We do not use marketing cookies, advertising pixels or third-party analytics that track you across sites.

Because all cookies are strictly necessary for the Service to function, no consent banner is shown — consent is not required for strictly necessary cookies under the ePrivacy Directive. You can clear cookies in your browser at any time; doing so will sign you out.

12. Security

We apply administrative, technical and physical safeguards designed to protect personal data, including:

TLS 1.2+ for all data in transit.
AES-256 encryption at rest for the Postgres database.
AES-256-GCM application-level encryption for Instantly API keys and other secrets.
Row-Level Security policies tested in CI; tenant boundary enforced at the database layer.
Least-privilege access for engineers; audit logging on prod.
Magic-link authentication — no password reuse risk; rate limits on sign-in attempts.
Regular dependency updates, automated vulnerability scanning, and penetration testing on production releases.

No system is impenetrable. If we become aware of a personal-data breach affecting you we will notify you and the relevant supervisory authority within 72 hours, as required by Art. 33 GDPR.

13. Children

The Service is intended for business users aged 18 and over. We do not knowingly collect personal data from children under 16. If you believe we have done so, contact us and we will delete it.

14. Changes to this policy

We may revise this Privacy Policy from time to time. For material changes we will notify you in-app or by email at least 14 days before the changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

15. Contact

Privacy questions, data-subject requests and complaints: privacy@leadora.bg. For other enquiries use the contact form. We do not have a statutory obligation to appoint a Data Protection Officer; the contact above reaches the team member responsible for data protection at All Campaigns.

1. Who we are

Data-protection enquiries: privacy@leadora.bg.

2. Scope of this policy

This policy applies to:

The All Campaigns marketing site at leadora.bg and its subdomains.
The All Campaigns dashboard at dashboard.leadora.bg and the APIs that power it.
Email and other communications you receive from us in connection with your account or marketing opt-in.

3. What personal data we collect

3.1 Data you provide directly

Account: work email address; optionally, display name and avatar.
Tenant configuration: tenant (workspace) name, optional client/brand metadata.
Instantly API key: encrypted using AES-256-GCM before storage; never displayed back, never logged, never sent to third parties other than Instantly itself.
Billing: handled by myPOS — All Campaigns itself does not store full card details. We retain a tokenized card reference (used only for renewals), plan, invoice history and VAT details where required.
Support: messages you send us via the contact form, email, or in-app feedback.

3.2 Data we collect through the Service

Campaign analytics polled from Instantly: open, reply and bounce counts; sequence step performance; sender health metrics.
Lead records: contact email, name, company, phone, and any custom fields you push from Instantly or import into All Campaigns.
Unibox threads: message subject and body of inbound and outbound emails synced from your Instantly account.
Operator notes: reply notes, call logs (date, duration, outcome, free-text notes) you create against each lead thread.

3.3 Data collected automatically

Operational logs: IP address, user-agent, timestamp, route, response status — used for security, abuse prevention and debugging. Retained 30 days.
Authentication cookies: essential session cookies set by Supabase to keep you signed in. See section 11.
Product analytics: aggregate, pseudonymous event data (e.g. "dashboard opened") — no third-party tracking pixels are deployed on the marketing site or the dashboard.

4. How we use personal data

We use personal data only for purposes you would expect:

Operate the Service: authenticate you, render your dashboard, sync your Instantly data, store the notes you write.
Bill you: process subscription charges via myPOS; issue invoices; satisfy tax obligations.
Communicate with you: send transactional email (magic links, billing receipts, security notices) and, only if you opt in, product updates and tips.
Improve the Service: aggregate, anonymised metrics that help us understand which features are useful.
Secure the Service: detect abuse, prevent unauthorised access, comply with legal obligations.

We do not sell, rent or share personal data with advertisers or data brokers. We do not use Customer Data to train AI models.

5. Legal basis for processing (EU/EEA users)

Under Article 6 of the GDPR we rely on the following legal bases:

Contract (Art. 6(1)(b)) — to provide the Service you have asked us to provide.
Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting and other legal duties.
Legitimate interest (Art. 6(1)(f)) — to operate and secure the Service, to debug, to prevent abuse, and to communicate with you about the Service. We balance our interest against your privacy rights and avoid processing where the balance does not favour us.
Consent (Art. 6(1)(a)) — for non-essential communications such as marketing newsletters. You can withdraw consent at any time.

6. Where we store data

7. Sub-processors

We use the following sub-processors to operate the Service. Each processes personal data only on documented instructions, under their own GDPR-aligned data-processing agreement.

Sub-processor	Purpose	Region	DPA
Supabase (Supabase, Inc.)	Postgres database, authentication, realtime	EU (Frankfurt)	supabase.com/legal/dpa
Vercel (Vercel, Inc.)	Web hosting, edge functions, CDN	EU edge regions	vercel.com/legal/dpa
myPOS (myPOS AD)	Subscription billing, card tokenization, refunds	EU (Bulgaria)	mypos.com/legal
Resend (Resend, Inc.)	Transactional email (magic links, receipts)	EU region	resend.com/legal/dpa
Instantly (Bizofficial, Inc.)	Cold-email sending platform that you connect to All Campaigns; we read from your account on your behalf	Per Instantly	instantly.ai/legal/dpa

We will give 30 days' advance notice of any new sub-processor via email or in-app banner, giving you a chance to object before activation.

8. Data retention

Account data: retained for the life of your account plus 30 days after deletion to allow for accidental recovery, then permanently erased.
Customer Data (tenants, leads, threads, notes): retained for the life of your account; you may delete individual records or an entire tenant at any time, and deletion is honoured within 7 days.
Billing records: retained for 10 years to satisfy Bulgarian accounting law.
Operational logs: 30 days.
Support correspondence: 3 years from last contact.

9. International transfers

10. Your rights under the GDPR

If you are in the EU/EEA you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure("right to be forgotten") — ask us to delete your data. Account deletion is available in-app.
Portability — receive your data in a machine-readable format. The dashboard offers self-serve CSV/JSON export.
Restriction — ask us to limit processing in certain circumstances.
Objection — object to processing based on legitimate interest.
Withdraw consent — where processing is based on consent, withdraw it without affecting prior lawful processing.
Lodge a complaint — with the Bulgarian Commission for Personal Data Protection (CPDP) or the supervisory authority in your EU country of residence.

To exercise any of these rights, contact us at privacy@leadora.bg. We respond within 30 days. We will verify your identity before fulfilling the request.

11. Cookies & similar technologies

12. Security

We apply administrative, technical and physical safeguards designed to protect personal data, including:

TLS 1.2+ for all data in transit.
AES-256 encryption at rest for the Postgres database.
AES-256-GCM application-level encryption for Instantly API keys and other secrets.
Row-Level Security policies tested in CI; tenant boundary enforced at the database layer.
Least-privilege access for engineers; audit logging on prod.
Magic-link authentication — no password reuse risk; rate limits on sign-in attempts.
Regular dependency updates, automated vulnerability scanning, and penetration testing on production releases.

No system is impenetrable. If we become aware of a personal-data breach affecting you we will notify you and the relevant supervisory authority within 72 hours, as required by Art. 33 GDPR.

13. Children

The Service is intended for business users aged 18 and over. We do not knowingly collect personal data from children under 16. If you believe we have done so, contact us and we will delete it.