Legal Information
Everything about the legal framework for using Ovalead: publisher, terms, personal data, cookies, and subprocessors.
1. Legal Notice
Site publisher
Ovalead
Company: [TO COMPLETE: legal form — SAS, SASU, SARL]
Share capital: [TO COMPLETE]
Registered office: [TO COMPLETE: full address]
Trade register (RCS): [TO COMPLETE: city + registration number]
SIRET: [TO COMPLETE: 14 digits]
EU VAT number: [TO COMPLETE: FRxx XXX XXX XXX]
Phone: [TO COMPLETE]
Email: hello@ovalead.com
Publication director
Sylvain Boué — hello@ovalead.com
Hosting
Render Services Inc.
525 Brannan Street, Suite 300
San Francisco, CA 94107, United States
render.com
User data (accounts, jobs, enriched contacts) is stored on the Supabase platform (Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992) with infrastructure located in the eu-west-1 (Ireland) region.
Trademark and intellectual property
The "Ovalead" name, the associated logo, the visual identity, and the application source code are the exclusive property of Ovalead. Any unauthorized reproduction or use is prohibited.
Reporting content
For any request regarding content published on Ovalead or to report an issue, write to hello@ovalead.com with the subject line "Legal report".
2. Terms of Service
These Terms of Service govern the use of the Ovalead service. By creating an account or accessing the platform, you acknowledge that you have read and accepted them without reservation.
Article 1 — Purpose
Ovalead is an online application (SaaS) that allows its users to enrich professional contacts with publicly available information from LinkedIn, detect job changes, look up business email addresses through third-party integrations, and synchronize this data with their CRM tools.
Article 2 — Acceptance
Using the service implies full and unreserved acceptance of these Terms of Service as well as the privacy policy and cookie policy. Ovalead reserves the right to modify the Terms at any time; changes are enforceable against users as soon as they are published on this page.
Article 3 — Sign-up and user account
Access to Ovalead's features requires creating an account with a valid business email address and a password meeting the security criteria (minimum 8 characters). The user is responsible for keeping their credentials confidential.
Ovalead is intended exclusively for B2B professional use. Sign-up is reserved for professionals acting in the course of their business activity.
Article 4 — Service description and user obligations
Ovalead operates by using the LinkedIn sessions provided by the user (session cookies). The user represents and warrants that they:
- Are the legitimate owner of the LinkedIn accounts whose cookies they provide, or have the right to use them;
- Have read LinkedIn's terms of use and accept sole responsibility for any consequences;
- Use the service in compliance with applicable laws, in particular regarding the protection of personal data (GDPR);
- Do not use Ovalead for spam, abusive prospecting, harassment, or any unlawful purpose;
- Have a legal basis (legitimate interest or consent) to process the personal data of the prospects they import;
- Respect the right of objection of the people whose data is processed.
Ovalead shall in no event be held liable for any consequences of use that is contrary to LinkedIn's terms, nor for any sanctions LinkedIn may apply to user accounts (suspension, ban, restriction).
Article 5 — Pricing and payment
Ovalead offers several subscription plans described on the public pricing page. Payments are processed by Stripe Payments Europe Limited (Dublin, Ireland). Subscriptions are monthly and renew automatically.
A 14-day free trial is offered upon first subscription. At the end of this period, the subscription switches to active billing unless canceled beforehand from the management portal (Stripe Customer Portal accessible from the app).
Right of withdrawal: in accordance with Article L.221-28 of the French Consumer Code, since the service is provided in digital form with the customer's express consent to begin performance before the end of the withdrawal period, the right of withdrawal does not apply once performance has begun. Cancellation remains possible at any time for future billing periods.
Article 6 — Availability and maintenance
Ovalead strives to ensure 24/7 availability of the service but does not guarantee any contractual SLA on the Free and Pro plans. Interruptions may occur due to maintenance, updates, or causes beyond our control (subprocessor outage, changes to LinkedIn's ToS, etc.).
Article 7 — Suspension and termination
Ovalead reserves the right to suspend or terminate any account without notice in the event of a breach of these Terms, in particular in cases of fraudulent, abusive, or unlawful use. Users may cancel their subscription at any time through the Stripe portal; access is retained until the end of the paid period.
Article 8 — Intellectual property
All elements making up the service (interface, code, logos, content) are protected by copyright. Users retain ownership of the data they import and of the enrichment results obtained through their account.
Article 9 — Limitation of liability
To the maximum extent permitted by law, Ovalead's liability is limited to the amounts actually paid by the user during the twelve months preceding the event giving rise to the damage. Ovalead shall not be held liable for indirect damages, loss of opportunity, loss of profit, or data loss caused by a subprocessor.
Article 10 — Governing law and jurisdiction
These Terms are governed by French law. Any dispute relating to their interpretation or performance shall, failing amicable resolution, fall within the exclusive jurisdiction of the competent courts in the district of Ovalead's registered office.
3. Privacy Policy
This policy describes how Ovalead collects, uses, and protects your personal data within the Ovalead service, in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and the amended French Data Protection Act.
Data controller
Ovalead, whose contact details appear in the legal notice, is the controller of the data collected through the Ovalead service.
Contact for any GDPR-related question: hello@ovalead.com with the subject line "GDPR".
Data collected and purposes
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| User account | Email, password (hashed), name (optional) | Account creation and authentication | Performance of the contract |
| LinkedIn credentials | Session cookies (li_at, JSESSIONID), account name | Allow the user to enrich their own lists | Performance of the contract |
| Imported data | CSV lists of prospects (name, email, company, LinkedIn URL) | Enrichment and synchronization | Performance of the contract (the user is responsible for their own legal basis) |
| Enriched data | Public professional information (job title, company, location) | Returned to the user | Legitimate interest + user responsibility |
| Payment | Billing data managed by Stripe (card not stored on our side) | Subscription collection | Performance of the contract |
| Technical data | Access logs, IP address, user-agent | Security, audit, fraud prevention | Legitimate interest |
| Application audit log | Actions performed on the workspace (creation, invitation, deletion) | Traceability, security, internal compliance | Legitimate interest |
Data imported by the user — important details
When you import a CSV file of prospects, you are considered the data controller for that data within the meaning of the GDPR. Ovalead acts as a data processor in accordance with Article 28 of the GDPR. A Data Processing Agreement (DPA) can be provided upon request at hello@ovalead.com.
You warrant that you have a legal basis (consent, documented legitimate interest, performance of a contract) to process this data and that you have informed the data subjects in accordance with Articles 13 and 14 of the GDPR.
Retention period
- User account: until the account is deleted, then 6 months in technical archive.
- Imported and enriched data: kept as long as the workspace exists; deleted upon account termination or on request.
- LinkedIn cookies: kept as long as the user keeps them active; deleted on request.
- Billing data: 10 years (accounting and tax obligation).
- Technical logs: 12 months maximum.
- Application audit log: 24 months.
Recipients and subprocessors
Your data may be shared with the subprocessors listed in the Subprocessors section below. Ovalead never sells, rents, or transfers your data to third parties for commercial purposes.
Transfers outside the EU
Some subprocessors (Render, Stripe for certain operations) are based in the United States. Transfers are framed by the European Commission's Standard Contractual Clauses (SCCs) and, for relevant subprocessors, by their certification under the Data Privacy Framework (DPF).
Your rights (GDPR Articles 15 to 22)
You have the following rights:
- Right of access to your data;
- Right of rectification in case of error;
- Right to erasure ("right to be forgotten") under the conditions provided by law;
- Right to restriction of processing;
- Right to portability of your data in a structured format;
- Right to object to processing based on legitimate interest;
- Right to set post-mortem instructions regarding the fate of your data.
To exercise these rights: send an email to hello@ovalead.com. A reply is provided within one month (renewable once in case of complexity).
In case of unresolved disagreement, you may file a complaint with the CNIL (the French Data Protection Authority) — cnil.fr.
Security
Ovalead implements appropriate technical and organizational measures: TLS encryption for transmissions, storage on secure infrastructure (Supabase EU with encryption at rest), JWT authentication, access logging. Passwords are hashed (bcrypt algorithm via Supabase Auth). LinkedIn cookies are stored in the database — additional application-level encryption is being rolled out.
Policy changes
This policy may be amended to reflect changes in the service or in regulations. Any substantial change will be notified to users by email.
5. List of subprocessors
In accordance with Article 28 of the GDPR, here is the up-to-date list of subprocessors used by Ovalead. Each is bound by a contract (DPA) ensuring compliance with the GDPR.
| Subprocessor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting and authentication | Infrastructure in the eu-west-1 region (Ireland) | Supabase DPA + encryption at rest + SCCs where applicable |
| Render Services Inc. | Application hosting (backend instance) | Frankfurt, Germany (EU region selected) | Render DPA + SCCs (US entity) |
| Stripe Payments Europe Ltd. | Payment processing and subscription management | Dublin, Ireland (Stripe EU) | Stripe DPA + PCI-DSS Level 1 certification |
| Skrapp.io (optional) | Business email lookup (if enabled by the user) | France | GDPR-compliant — only triggered if the user configures the integration |
| HubSpot Ireland Ltd. (optional) | CRM synchronization (if enabled by the user) | Ireland | Configuration directly controlled by the user — Ovalead only sends data the user has authorized |
| LinkedIn (Microsoft Ireland) | Source of enriched data (accessed via user sessions) | Ireland | The user acts with their own credentials; Ovalead has no direct contract with LinkedIn |
Notice of changes
Any change to this list of subprocessors will be notified to users by email at least 30 days in advance. Failing a written objection within that period, the change will be deemed accepted.
To obtain our detailed Data Processing Agreement (DPA), write to hello@ovalead.com with the subject line "DPA".