We, at lemonreach, are dedicated to serving our customers and contacts to the best of our abilities. Part of our commitment involves the responsible management of personal information collected through our website lemonreach.com, and any related interactions.

Our primary goals in processing personal information include:

• Enhancing the user experience on our platform by understanding customer needs and preferences
• Providing timely support and responding to inquiries or service requests
• Improving our products and services to meet the evolving demands of our users
• Conducting necessary business operations, such as billing and account management

We process personal information with the utmost respect for privacy and security. We adhere to all relevant regulations and guidelines, including the General Data Protection Regulation (GDPR), to ensure that the data we handle is protected against unauthorised access, disclosure, alteration, and destruction.

lemonreach is operated by lemonreach AB, registered in Sweden, with its registered address at Industrigatan 4A, 212 14 Malmö, Sweden. We do not have a designated Data Protection Officer (DPO) but remain fully committed to addressing your privacy concerns. For questions, contact us at [email protected].

This privacy policy applies to all stakeholders who interact with lemonreach, including website visitors, registered users, and customers. Whether you are browsing our website, using our services as a registered user, or engaging with us as a customer, we ensure that your personal data is processed with the highest standards of privacy and security.

lemonreach acts as a data controller in respect of personal data we collect directly from you, such as account, billing, and usage information. Where you use lemonreach to retrieve or process personal data of third parties (such as prospects), lemonreach acts as a data processor on your behalf. In that capacity, you are the data controller and are responsible for ensuring that your use of such data complies with applicable law. This distinction is explained further in Section 3.

3.1 Account Information

When you create an account, we collect:

• First name and last name
• Email address
• Company information (where provided)

3.2 Payment Information

When you subscribe or purchase credits, we collect payment-related data through our payment processor, including:

• Payment method details (e.g. credit card information, processed and stored by our payment provider)
• Payment method and billing history
• Purchase history (subscriptions, top-ups, plan changes)

3.3 Prospect & Contact Data (as Data Processor)

When you use lemonreach's prospecting or enrichment features, our platform retrieves and processes business contact information on your behalf. This may include:

• Names, business email addresses, and job titles of individuals you search for or import
• Company names and other professional information associated with those individuals
• Publicly available professional profile data retrieved via our enrichment feature

This data is processed solely on your instructions and for the purpose of providing the Service. You are the data controller in respect of this data, and you are responsible for ensuring you have a lawful basis for processing it. We do not use this data for our own purposes or share it beyond what is necessary to provide the Service.

3.4 Technical and Usage Data

When you use our website and application, we automatically collect:

• IP address
• Browser information and language
• Device identifiers
• Interaction logs (e.g. clicks, pages visited, features used)

3.5 Browser Extension and LinkedIn Session

We offer an optional browser extension that lets you run enrichment and outreach tasks from within your own LinkedIn session. To carry out the actions you initiate, the extension accesses the authentication data associated with your active LinkedIn session, so that enrichment is performed on your behalf, through your own account, rather than through a shared or third-party account.

Where this access is used, the session data is:

• Transmitted over encrypted connections and held in encrypted form
• Scoped strictly to your individual account and used only to perform actions you request
• Never shared with, or accessible to, other users, and never used to enrich on behalf of anyone but you

You can withdraw this access at any time by removing the extension or signing out of LinkedIn. You remain responsible for ensuring that your use of the extension is consistent with LinkedIn's terms and any applicable law.

We use the personal information we collect for the following purposes:

• Authentication and security: to verify your identity and secure your account
• Service delivery: to provide the core lemonreach platform, including AI-powered email generation, prospect data enrichment, and contact prospecting
• Payment processing: to manage subscriptions, process payments, and handle billing
• Analytics and performance tracking: to understand how users interact with our platform, enabling us to improve the user experience
• Communication: to send transactional emails (e.g. password resets, billing confirmations) and, with your consent, marketing communications
• Compliance with legal obligations: to meet our obligations under GDPR and other applicable laws
• Customer support: to respond to your enquiries and resolve issues

Prospect and contact data retrieved through our prospecting or enrichment features is used solely to deliver those features to you. We do not use this data for our own marketing, analytics, or any other internal purpose.

5.1 Data Storage Locations

Your personal information is stored on secure servers, primarily within the European Union:

• European Union (Frankfurt): our primary infrastructure, including storage of account, usage, and prospect data, is hosted on secure cloud servers within the EU (AWS Frankfurt region)
• Outside the EU: a limited number of service providers are located in the United Kingdom, Canada, Israel, and the United States, as listed in Section 6.1. These transfers are protected by the safeguards described in Section 7

5.2 Data Protection Measures

We implement the following security measures to protect your data:

• Encryption: all data is encrypted in transit (TLS/HTTPS) and at rest
• Access control: access to personal information is strictly limited to authorised personnel with a legitimate business need. We enforce strict access controls and regularly review permissions
• Secure authentication: user authentication is managed with industry-standard security practices

5.3 Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy:

• Account data: for the duration of your account and for up to 90 days after closure, after which it is deleted
• Billing and transaction records: for as long as required by Swedish accounting law (currently seven years)
• Prospect and contact data processed on your behalf: only for as long as needed to provide the Service, and deleted or returned on termination in accordance with our Data Processing Agreement
• Usage and analytics data: for up to 12 months, after which it is deleted or aggregated

We may share your information with third-party service providers who perform services on our behalf. These parties have access to personal information on a need-to-know basis and are contractually obliged to keep your information confidential.

6.1 Third-Party Service Providers

6.2 Data Processing Agreements

When we share your data with third-party service providers, we do so under the protection of Data Processing Agreements (DPAs) that ensure your information is managed in accordance with GDPR and other relevant data protection laws.

Where we process prospect or contact data on your behalf, our own Data Processing Agreement governs that relationship. If we add or replace a sub-processor that handles data we process on your behalf, we will give you prior notice and an opportunity to object on reasonable data protection grounds, as set out in that agreement.

6.3 Transparency and Control

You will always be informed about significant changes to our data sharing practices. Your trust is important to us, and we ensure that your personal information is disclosed only in accordance with this policy and when there is a justified reason to do so.

6.4 Integrations You Connect

The Service lets you connect third-party tools that you control and authorise. When you connect one, you direct us to share the relevant data with that tool, and to receive data back from it, so we can provide the feature you enabled. These providers act on your behalf under your own agreement with them, and you remain responsible for your use of them, including any transfer of data outside the EEA they carry out:

• Email (Google, Microsoft): when you connect your mailbox, outreach is sent from your own email account and replies are read back into the Service. We store your mailbox access credentials in encrypted form.
• CRM (HubSpot, Salesforce): when you connect your CRM, prospect and activity data syncs between lemonreach and your CRM according to the settings you choose.
• Calling (Aircall): when you connect Aircall, prospect phone numbers are passed to Aircall to place calls, and call details, which may include recordings where your Aircall account records calls, are handled by Aircall.

Because these tools are configured and controlled by you, they are not lemonreach sub-processors. We recommend reviewing each provider's own privacy terms before connecting it.

Our primary infrastructure is hosted within the European Union. Some of our service providers are located outside the EEA, as shown in the table in Section 6.1. Any transfer of personal data outside the EEA is made under an appropriate safeguard:

• Adequacy decisions: for providers in the United Kingdom, Canada (for recipients subject to PIPEDA), and Israel, we rely on the European Commission's adequacy decisions, which recognise that those countries provide an equivalent level of data protection
• Standard Contractual Clauses: for transfers to the United States (such as our payment processor), we rely on the European Commission's Standard Contractual Clauses (SCCs), supplemented where relevant by the EU-US Data Privacy Framework

Prospect and contact data that we process on your behalf is hosted in the EU and, where enrichment requires a specialist provider, is only sent to countries covered by an adequacy decision (currently Canada and Israel). It is not transferred to jurisdictions without that recognition.

Under GDPR and other applicable data protection laws, you have the following rights regarding your personal information:

• Right of access (Art. 15 GDPR): request access to the personal information we hold about you
• Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete personal information
• Right to erasure (Art. 17 GDPR): request deletion of your personal information when it is no longer necessary
• Right to restriction of processing (Art. 18 GDPR): request that we restrict processing under certain conditions
• Right to data portability (Art. 20 GDPR): receive your personal information in a structured, machine-readable format
• Right to object (Art. 21 GDPR): object to processing, including for direct marketing purposes
• Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time where processing is based on consent
• Right to lodge a complaint (Art. 77 GDPR): lodge a complaint with a supervisory authority if you believe our processing violates data protection laws

To exercise any of these rights, please contact us at [email protected]. We will respond within the timeframes stipulated by applicable law. In some cases, we may need to verify your identity before processing your request.

We use cookies and similar tracking technologies on our website to ensure functionality and improve your experience. For full details on the cookies we use and how to manage your preferences, please see our Cookie Policy.

Upon your first visit, our website will present you with a cookie consent banner where you can accept all cookies, reject non-essential cookies, or customise your preferences.

Our services are not intended for children under the age of 18. We do not knowingly collect personal information from children. If you are under the age of 18, please do not use our services or provide any personal information to us.

If we become aware that we have inadvertently collected personal information from a child under the age of 18, we will take prompt steps to delete such information. If you believe we may have collected information from a child, please contact us immediately at [email protected].

We may use your personal information to send you direct marketing communications about our products, services, and promotions. We are committed to transparent and lawful marketing practices in compliance with GDPR and the ePrivacy Directive.

• Opt-in consent: we will obtain your explicit consent before sending marketing communications, where required by law
• Unsubscribe option: every marketing communication will include clear instructions on how to opt out. You can exercise your right to unsubscribe at any time

In the event of a personal data breach that poses a risk to privacy rights and freedoms, we have established procedures for promptly identifying, assessing, and mitigating the impact.

• Internal monitoring: we employ security measures and monitoring systems to detect and respond to potential breaches promptly
• Data we control: where we act as data controller (for example account and billing data) and a breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and notify affected individuals where the risk is high
• Data we process on your behalf: where we act as data processor (for example prospect and contact data), we will notify you, as the data controller, without undue delay after becoming aware of a breach, so that you can meet your own notification obligations. This is set out in our Data Processing Agreement

If you have any concerns about a potential data breach, please contact us immediately at [email protected].

We may update this privacy policy from time to time to reflect changes in legal requirements, industry standards, or our business operations. When we make significant changes that may affect your rights, we will notify you by email or through a prominent notice on our website.

We encourage you to review this policy periodically. Your continued use of our services after any changes signifies your acceptance of the updated terms.

If you have any questions or concerns about this privacy policy, please contact us: