Legal
Effective date: June 2, 2026
This Privacy Policy explains how KodeKind S.R.L. ("SRLeads", "we", "us", "our"), a company registered in Romania, collects, uses, shares, and protects personal data when you use our lead management platform (the "Service").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and applicable Romanian data protection law.
KodeKind S.R.L. is the data controller for personal data we collect about our users (account holders). When our customers ("Organizations") use the Service to manage leads, the Organization is the data controller for the personal data in those leads, and we act as a data processor on their behalf.
We have not appointed a Data Protection Officer (DPO), as we do not meet the mandatory appointment thresholds under GDPR Art. 37. For all privacy inquiries and to exercise your data protection rights, contact us at [email protected].
When your Organization creates and manages leads, the following personal data may be stored:
Your Organization is the data controller for lead data. We process it solely on your Organization's behalf and in accordance with their instructions.
We maintain a database of approximately 5.6 million Romanian registered companies sourced from government open datasets:
We obtain personal data about legal representatives of Romanian companies (names and roles) indirectly from the National Trade Registry (ONRC) via data.gov.ro. This data is published by ONRC as a public government open dataset under Law 26/1990 (Trade Register) and the Open Government License Romania.
We process this data under the legal basis of public interest (Art. 6(1)(e) GDPR), as it is derived from officially published government open data made available for purposes of commercial transparency. This data is used to display company information in our discovery and search features.
Providing individual notice to all data subjects would involve disproportionate effort given the scale (millions of records with no direct contact details available), as recognized by Art. 14(5)(b) GDPR. If you are a legal representative whose data appears in our database, you may exercise your rights (including objection and erasure) by contacting us at [email protected]. We will respond within one month.
If you received an SMS or email through our platform and believe it was sent without your consent, you can: (a) reply STOP to the SMS to immediately withdraw consent; (b) use the opt-in/opt-out page linked in the message to manage your preferences; or (c) report the abuse to us at [email protected].
When we receive such a report, we will identify the sending Organization, request evidence of consent, and suspend their access to the communication channel if consent cannot be demonstrated. We act as a data processor — the Organization that contacted you is the data controller responsible for obtaining your consent.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide and operate the Service | Account data, usage data | Contract performance (Art. 6(1)(b)) |
| Process payments and generate invoices | Billing data, payment data | Contract performance + Legal obligation (Art. 6(1)(b) + (c)) |
| Send transactional emails (welcome, receipts, alerts) | Email address, first name | Contract performance (Art. 6(1)(b)) |
| Send marketing emails | Email address, first name | Consent (Art. 6(1)(a)) — opt-in at signup |
| Manage lead data on behalf of Organizations | Lead contact data, consent states | Contract performance (Art. 6(1)(b)) — processor role |
| Deliver SMS via Android relay on behalf of Organizations | Phone number, message body (nulled after delivery) | Consent of the lead (Art. 6(1)(a)) — managed by Organization |
| Maintain security and prevent abuse | IP address, session data, audit logs | Legitimate interest (Art. 6(1)(f)) |
| Provide company discovery and search | Company Data from government sources | Public interest (Art. 6(1)(e)) |
| Display legal representative data | Names and roles from ONRC | Public interest (Art. 6(1)(e)) |
| Analyze website usage (if consented) | Page views, interactions (anonymized) | Consent (Art. 6(1)(a)) — cookie consent |
| Push notifications | Push subscription endpoint + keys | Consent (Art. 6(1)(a)) — browser permission |
| Enforce rate limits and quotas | IP address, API key, request counts | Legitimate interest (Art. 6(1)(f)) |
| Audit trail and legal compliance | User actions, IP addresses, timestamps | Legitimate interest (Art. 6(1)(f)) |
| Automated lead creation (auto-add) | Company data matching filter criteria | Legitimate interest of the Organization (Art. 6(1)(f)) |
| Email verification | Email address, OTP codes (15-min TTL) | Contract performance (Art. 6(1)(b)) |
We do not sell your personal data. We share data only with the following categories of recipients, each acting as a data processor or sub-processor under appropriate agreements:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing, subscription management | Organization name, email, payment method, invoice amounts | US/EU (EU data processing) |
| SmartBill | Romanian fiscal invoice generation | Billing company name, tax ID, VAT number, address, owner email, invoice amounts | Romania |
| Resend | Transactional and marketing email delivery | Recipient email, first name, email content | US |
| Cloudflare | CDN, DNS, object storage (R2), CAPTCHA (Turnstile) | All proxied HTTP traffic, organization logos, CAPTCHA tokens + IP | US/EU (global network) |
| Google Analytics | Website analytics (only if consented) | Page views, interactions, anonymized data | US/EU |
Google Analytics is loaded only when you grant analytics consent via our cookie banner. No analytics scripts are loaded and no data is sent to Google until you explicitly opt in.
We receive data from Romanian government APIs and open data portals (ANAF, ONRC, Ministry of Finance). We do not share your personal data with these sources.
If your Organization configures webhooks, quick actions, or API integrations, lead data may be transmitted to third-party URLs specified by the Organization. The Organization is responsible for these integrations.
Some of our sub-processors are based in the United States (Stripe, Resend, Cloudflare, Google). These transfers are protected by:
We monitor developments in international data transfer law and conduct Transfer Impact Assessments for our US-based sub-processors. You may request a copy of the relevant transfer safeguards by contacting us at [email protected].
We retain your data only for as long as necessary for the purposes described in this policy, or as required by law.
| Data | Retention Period | Reason |
|---|---|---|
| Account data | Until you delete your account + 30 days | Contract performance + export window |
| Sessions | 24 hours | Security |
| Email verification OTPs | 15 minutes | Security |
| Call tokens | 90 seconds | Security |
| SMS phone numbers & message bodies | Nulled immediately on delivery/failure | Data minimization |
| SMS consent tokens | Until lead is deleted | Ongoing consent management |
| Interaction log (consent events) | Permanent (immutable) | Legal compliance audit trail |
| Audit log (org operations) | Permanent | Legal compliance audit trail |
| API request logs | 7 days (auto-cleanup) | Operational monitoring |
| Webhook delivery logs | 90 days | Debugging and audit |
| Invoices | 10 years | Romanian fiscal law (Law 82/1991) |
| Company Data (pipeline) | Continuously updated | Core product data |
| Organization logos | Until deleted by user | User-controlled |
| Cookie consent preferences | 1 year | GDPR consent record |
We use a minimal set of cookies and client-side storage to operate the Service. We do not use tracking cookies by default.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| connect.sid | Session authentication (httpOnly, secure) | 24 hours | Strictly necessary |
| cookie_consent | Your cookie preferences (JSON) | 1 year | Strictly necessary |
| Storage | Key | Purpose | Duration |
|---|---|---|---|
| Session Storage | project_setup_draft | Preserves project setup wizard state | Tab session |
| Session Storage | __chunk_reload | Prevents infinite reload on script errors | Tab session |
| Cache API | srleads-v1 | Service worker caches static assets for performance | Until cleared |
No localStorage is used.
We use Google Analytics 4 on our marketing pages (not in the dashboard) to understand how visitors interact with our website. Google Analytics is only loaded after you explicitly grant analytics consent through our cookie banner. If you do not consent, no analytics scripts are loaded and no data is sent to Google.
When analytics consent is granted, we use Google Consent Mode v2 with the following settings:
analytics_storage: granted — allows Google Analytics cookies.ad_storage: denied — no advertising cookies are ever used.ad_user_data: denied — no user data is shared for advertising.ad_personalization: denied — no ad personalization.You can withdraw your analytics consent at any time by adjusting the cookie settings in the consent banner that appears at the bottom of the page.
We use Cloudflare Turnstile on our signup form to prevent automated abuse. Turnstile may process your IP address and browser characteristics. This is strictly necessary for security and does not require consent.
Under the GDPR, you have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. | Use the "Download data" button in Profile > Data & Privacy, or email us. |
| Rectification (Art. 16) | Correct inaccurate personal data. | Edit your profile in the dashboard, or email us. |
| Erasure (Art. 17) | Request deletion of your personal data. | Use the "Delete account" button in Profile > Data & Privacy. You must first delete any Organization you own. |
| Restriction (Art. 18) | Request that we limit how we process your data. | Email us at the address below. |
| Portability (Art. 20) | Receive your data in a machine-readable format (JSON). | Use the "Download data" button in Profile > Data & Privacy. |
| Object (Art. 21) | Object to processing based on legitimate interest. | Email us. For marketing emails, use the unsubscribe link. |
| Withdraw consent (Art. 7(3)) | Withdraw any consent you have given. | Cookie consent: adjust via the cookie banner. SMS/email consent for leads: use the opt-in/opt-out page. Marketing emails: unsubscribe link. |
To exercise any of these rights, contact us at [email protected]. We will respond within one month. This period may be extended by two further months for complex or numerous requests, in which case we will inform you of the extension within the first month. We may ask you to verify your identity before processing your request.
Certain data is retained even after account deletion, as required by law:
If you lodge a privacy complaint with us, we will acknowledge it within 5 business days and provide a substantive response within 30 days.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):
ANSPDCP — Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal
Website: www.dataprotection.ro
We implement appropriate technical and organizational measures to protect your personal data, including:
No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to [email protected].
The Service includes the following automated processing features:
None of these features involve automated decision-making that produces legal effects or significantly affects individuals (Art. 22 GDPR). They operate on business entity data, not personal profiling.
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last updated.
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, contact us at:
KodeKind S.R.L.
CUI: RO54603957
ONRC: J2026028952000
Address: Str. Mihail Kogalniceanu, Camera 1, Bl.C8, Et.4, Ap.16, Timisoara, Timis, Romania
Phone: +40 729 041 296
Privacy inquiries: [email protected]
General inquiries: [email protected]