You (the engineer or trade business who signed up) are the data controller for the personal data of your customers, prospects and tenants that flows through Quick Lead — names, addresses, phone numbers, email addresses, property details, certificate information, photos, and anything else you collect through booking links, certificates, invoices or inbound emails.
Quick Lead Ltd ("we", "us") is your data processor. We process that data only on your written instructions, which are: the configuration choices you make in the app, plus this agreement.
We process customer data only to provide the Quick Lead service to you: storing bookings, parsing emails into job records, generating certificates and invoices, sending notifications you trigger (SMS, email), and producing the analytics shown in your dashboard. We do not sell customer data, do not share it with advertisers, and do not use it to train AI models.
We use the following sub-processors. By accepting this DPA you authorise their use; we will give you 30 days' notice before adding or replacing one:
Each is contracted under terms at least as protective as this agreement.
We hold customer data with industry-standard safeguards: encryption in transit (TLS 1.2+), encryption at rest in Firestore and Cloudflare KV, AES-GCM encryption for any third-party API credentials you save with us, HttpOnly session cookies, Firebase ID-token authentication on every server endpoint, per-user rate limits, and a documented incident response process.
If we discover a personal data breach affecting your customer data, we will notify you without undue delay and in any event within 72 hours of becoming aware, by email to the address on file. As controller, you are responsible for any onward notification to the ICO and to your affected customers.
We will assist you to respond to data-subject requests from your customers within five working days, using the in-app export and delete tools.
When you close your Quick Lead account, we delete your customer data from our active systems within 30 days, with backups overwritten within 90 days. You can also export your data at any time from Settings.
On reasonable written request (no more than once per 12 months), we will provide written answers to your audit questions and the most recent sub-processor SOC 2 / ISO 27001 reports where available.
Where any sub-processor stores data outside the UK, we rely on UK International Data Transfer Agreements or UK Addenda to the EU SCCs.
We will tell you at least 30 days before any material change and require you to re-accept the new version before the change takes effect.
The DPA is the contractual basis on which Quick Lead processes data on your behalf. If you withdraw acceptance, you cannot continue to use the service — the only route to stop processing is to close your account from Settings → Account → Delete My Account. You can re-sign-up at any time by accepting the current version.
Data-protection enquiries Email [email protected] and we will respond within 5 business days.