GDPR & data processing
Last updated: May 2026
LeadPulse is designed for handling patient data under UK GDPR. Practices act as the data controller for the patient records they store; LeadPulse acts as the data processor on their behalf.
Lawful basis
Practices must establish a lawful basis (consent or legitimate interest) before importing or capturing patient data through LeadPulse webhooks, embed forms, or manual entry.
Storage and security
- EU-region Supabase Postgres + S3-compatible storage
- Row-level security so practices only see their own data
- HTTPS enforced everywhere; private storage buckets for consent PDFs
- Service role keys never exposed to browsers
Data subject rights
Patients can request access, rectification, or erasure via the practice. Practice admins can satisfy these requests directly via the Leads page (delete/edit) and Settings → Team for staff data.
Sub-processors
- Supabase (database + storage)
- Vercel (application hosting)
- Resend (transactional email)
- 360Dialog (WhatsApp Business API)
- Google Cloud (analytics, optional)
- Meta (Pixel, optional)
Data Processing Agreement
A Data Processing Agreement (DPA) template is available on request. Email hello@lead-pulse.co.uk and we'll send a signed copy.
Breach notification
We will notify affected practices within 72 hours of becoming aware of any incident that compromises the security of personal data.
Contact
DPO-equivalent contact: hello@lead-pulse.co.uk