Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") is between AppJaw Ltd t/a LeadJaw, 12, Melbourne Business Court, Millennium Way, Derby DE24 8LZ ("LeadJaw", "Processor") and the customer identified in the LeadJaw account ("Customer", "Controller").

By creating a LeadJaw account the Customer accepts the terms of this DPA. The date of acceptance is logged against the Customer's account record.

 

1. Definitions

In this DPA the following terms have the meanings given below.

  • Data Protection Law means UK GDPR, the Data Protection Act 2018 and any successor legislation.
  • Personal Data has the meaning given in UK GDPR.
  • Processing has the meaning given in UK GDPR.
  • Controller means the Customer, who determines the purposes and means of processing.
  • Processor means LeadJaw, a trading company of AppJaw Ltd, who processes personal data on behalf of the Controller.
  • Sub-processor means any third party engaged by LeadJaw to process personal data in connection with the service.
  • Service means the LeadJaw B2B website visitor intelligence platform.

 

 

2. Subject matter and nature of processing

LeadJaw processes personal data on behalf of the Customer as part of delivering the Service. The processing involves matching business IP addresses from the Customer's website visitors against business network data to identify the visiting company.

When a visitor lands on the Customer’s website, their IP address is collected and LeadJaw attempts to match it against business network data. IP addresses that resolve to residential, mobile or consumer connections do not produce a match and no data about those visits is returned to the Customer’s dashboard. Visitors whose IP addresses cannot be matched to a business network are recorded as anonymous. No personal data about those visitors is returned to the Customer’s dashboard through the IP identification process.

The categories of personal data processed are:

  • Business IP addresses -- retained for the same period as other visitor data and deleted within 30 days of account closure.
  • Company names, domains, sectors and locations (returned to the dashboard where a business match is found).
  • Business contact data including job titles and business email addresses, sourced from third-party enrichment providers where enrichment is active on the account.
  • Form fill data submitted by visitors through forms on the Customer's website. This data may include personal data relating to identifiable individuals. The Customer is the data controller for form fill data. LeadJaw processes it solely as a data processor on the Customer's behalf.

 

The categories of data subjects are: employees, directors and representatives of companies that visit the Customer's website, and individuals who submit forms on the Customer's website.

The duration of processing is the term of the Customer's active subscription.

 

3. Instructions

LeadJaw will process personal data only on the documented instructions of the Customer, as set out in these terms and as configured by the Customer within the platform. If LeadJaw is required by law to process data in a way that goes beyond those instructions, it will notify the Customer before doing so unless prohibited by law.

 

4. Confidentiality

LeadJaw will ensure that any person authorised to process personal data under this DPA is subject to an obligation of confidentiality.

 

5. Security

LeadJaw will implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include encrypted data transmission, access controls, regular backups and server-level security monitoring.

 

6. Sub-processors

The Customer grants LeadJaw general authorisation to engage sub-processors to assist in delivering the Service. The current list of sub-processors is published at leadjaw.com/gdpr. LeadJaw will give reasonable notice of any change to sub-processors. Sub-processors are subject to contractual data protection obligations no less protective than those in this DPA.

 

7. Assistance to the Controller

LeadJaw will provide reasonable assistance to the Customer in responding to data subject rights requests and in meeting obligations under Articles 32 to 36 of UK GDPR, taking into account the nature of the processing and the information available to LeadJaw.

 

8. Deletion and return of data

On termination of the Customer's account, LeadJaw will delete all visitor intelligence data associated with that account within 30 days. LeadJaw will retain the minimum data necessary to meet its own legal obligations, including billing records required under tax law.

 

9. Audits

LeadJaw will make available to the Customer, on reasonable written request, the information necessary to demonstrate compliance with this DPA. The Customer may request an audit of LeadJaw's data processing practices no more than once per calendar year, giving at least 30 days written notice. The Customer bears the cost of any audit.

 

10. Personal data breaches

LeadJaw will notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach affecting Customer data. The notification will include the nature of the breach, the categories and approximate volume of data affected, likely consequences and the measures taken or proposed to address it.

 

11. International transfers

LeadJaw processes data primarily within the UK. Where any sub-processor transfers data outside the UK and EEA, LeadJaw ensures that an appropriate safeguard is in place, including standard contractual clauses approved by the ICO where required.

 

12. Controller obligations

The Customer confirms that it has a lawful basis for instructing LeadJaw to process personal data under this DPA. The Customer is responsible for:

  • Disclosing its use of LeadJaw in its own website privacy policy.
  • Conducting any required legitimate interests assessment for its own processing.
  • Ensuring its use of the data provided by LeadJaw complies with applicable law including UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
  • Being aware that LeadJaw is a B2B tool designed for company-level identification only. The Customer must not attempt to use the service to identify or target individuals. See the Terms of Service for the full acceptable use policy.

 

 

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the LeadJaw Terms of Service. LeadJaw is not liable for any processing carried out by the Customer using data provided through the Service.

 

14. Governing law

This DPA is governed by the laws of England and Wales.

 

15. Updates

LeadJaw may update this DPA from time to time to reflect changes in Data Protection Law or in the Service. We will notify Customers of material changes by email at least 30 days before they take effect. Continued use of the Service after that date constitutes acceptance of the updated DPA.

 

Contact

For any questions about this agreement please contact us at [email protected] or by post at AppJaw Ltd t/a LeadJaw, 12, Melbourne Business Court, Millennium Way, Derby DE24 8LZ.

 
