Privacy policy
Effective date: 20 May 2026 · Version 2.0
This Privacy Policy explains how Leadably ("Leadably", "we", "us" or "our") collects, uses, stores, discloses and protects Personal Information when you visit leadably.io (the "Site"), contact us, or engage us for services (the "Services"). It is written in plain English while complying with the Privacy Act 1988 (Cth), the Australian Privacy Principles ("APPs"), the EU General Data Protection Regulation 2016/679 ("GDPR") and UK GDPR where applicable, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA") for Californian residents.
By using the Site or providing us with Personal Information you acknowledge that you have read and understood this policy. If you do not agree with any part of it, please do not use the Site or submit information to us.
1. Who we are and how to contact us
Leadably is an Australian-based digital design and development studio operated by Lawrence Lugtu (sole trader, ABN issued in Australia). For all privacy matters you can reach us at:
- Email: hello@leadably.io (subject line: "Privacy request")
- Postal: available on request
We act as the "data controller" of Personal Information collected via the Site, and as a "data processor" where we handle data on a client's behalf as part of a Services engagement.
2. The information we collect
We only collect Personal Information that is reasonably necessary to perform our functions and activities. The categories below cover everything we currently collect:
2.1 Information you give us
- Contact form submissions: your name, business name, email address, optional phone number, tier preference(s), and the free-text "brief" you provide.
- Direct correspondence: emails, calendar invitations, call notes, files, screenshots, brand assets, and anything else you voluntarily share during a discovery call or engagement.
- Engagement records: invoicing details, payment receipts (we do not store full card numbers — these are handled by our payment processor), and tax records we are required to retain under Australian law.
2.2 Information we collect automatically
- Server logs: our hosting provider Vercel Inc. records standard request metadata (URL, HTTP method, response status, timestamp, truncated IP address, user-agent string, referrer header) for up to thirty (30) days for security, uptime, abuse prevention and aggregate performance monitoring.
- Strictly-necessary cookies and local storage: small data items used to remember session state and your motion-preference setting. These cannot be disabled without breaking the Site.
- Anti-spam signals: a hidden honeypot field on our contact form. We do not embed third-party CAPTCHA pixels.
2.3 Information we do not collect
We do not knowingly collect biometric data, government identifiers (such as TFNs, passport numbers, or driver licence numbers), health information, sexual orientation, racial or ethnic origin, religious beliefs, political views, union membership, or information about children under the age of 16. If you provide such information voluntarily we will delete it on request and will not act on it.
3. How and why we use your information
We use Personal Information only for the purposes set out below, and only on the lawful bases described in the table at section 3.2.
3.1 Purposes
- To respond to your enquiry and prepare a written estimate.
- To deliver, manage and invoice for the Services you engage us for.
- To send transactional emails (e.g. a contact-form receipt, project status updates, invoices).
- To maintain the security, availability and integrity of the Site.
- To comply with our legal, tax, accounting and regulatory obligations under Australian law.
- To establish, exercise or defend legal claims.
- To improve the Site and our offerings, using aggregated and de-identified data only.
We do not use your Personal Information for automated decision-making that produces legal or similarly significant effects, profiling, behavioural advertising, lead scoring, or data brokering.
3.2 Lawful bases (GDPR / UK GDPR)
- Contractual necessity — to respond to your request and perform the Services.
- Legitimate interests — to operate the Site securely, to prevent fraud, and to keep records of our correspondence. We have balanced these interests against your rights and freedoms.
- Legal obligation — to retain tax, invoicing and corporate records required by Australian, EEA or UK law.
- Consent — for any optional communication you specifically opt in to (e.g. a future newsletter). You can withdraw consent at any time.
4. Disclosure to third parties
We do not sell, rent, trade, or share your Personal Information with third parties for their marketing or advertising. We disclose Personal Information only to the limited set of service providers who help us operate the Site and deliver the Services, and only to the extent strictly necessary. Each of these processors is bound by contract or by their published terms to maintain confidentiality and adequate security:
- Vercel Inc. — Site hosting, server logs, edge delivery and deployment infrastructure (USA, with regional processing).
- Google LLC (Google Workspace / Gmail) — outbound and inbound email, including contact-form notifications and receipts.
- GitHub Inc. — source-code hosting (no client Personal Information is stored in code repositories).
- Domain and DNS providers — operating the leadably.io domain.
- Accounting, banking and tax professionals — for invoicing, reconciliation and statutory tax filings.
- Legal and insurance advisors — where required to obtain advice or pursue/defend a claim.
We may also disclose Personal Information where we are required or authorised by law (for example, in response to a valid court order, subpoena, or regulatory request), where disclosure is necessary to prevent serious harm to life or safety, or in connection with a sale, merger or restructure of our business — in which case we will require the recipient to honour the obligations in this policy.
5. Cross-border data transfers
Some of the processors listed above are located outside Australia, including in the United States, the European Economic Area and the United Kingdom. By submitting Personal Information you consent to its transfer, storage and processing in those jurisdictions. Where we transfer Personal Information from Australia, we take reasonable steps under APP 8 to ensure the overseas recipient handles the information consistently with the APPs. Where we transfer Personal Information from the EEA or UK we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) and on published adequacy decisions in force at the time.
6. Security
We take the security of Personal Information seriously and use reasonable technical and organisational measures to protect it against loss, misuse, unauthorised access, modification, or disclosure. These include transport-layer encryption (HTTPS/TLS), multi-factor authentication on administrative accounts, principle of least privilege for processors, encrypted device storage, secret rotation, and isolation of production credentials.
No system is perfectly secure. If a notifiable data breach occurs and is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner ("OAIC") within the timeframes required by the Privacy Act and (if you are an EEA/UK resident) the relevant supervisory authority within 72 hours where required by the GDPR.
7. Data retention
We retain Personal Information only for as long as is necessary for the purposes for which it was collected, plus any period required by law. Indicative retention periods are:
- Contact-form enquiries that do not become engagements: up to 24 months from the date of submission.
- Client correspondence and project artefacts: for the life of the engagement plus 7 years (to satisfy Australian tax and limitation-period requirements).
- Tax and invoicing records: at least 5 years from the date of issue, per the Australian Taxation Office's record-keeping rules.
- Vercel server logs: up to 30 days, per Vercel's published retention policy.
After the applicable retention period, Personal Information is deleted or irreversibly de-identified.
8. Your rights
Depending on where you live, you may have the following rights:
- Access — request a copy of the Personal Information we hold about you.
- Correction / rectification — ask us to fix information that is inaccurate, incomplete or out of date.
- Deletion / erasure — ask us to delete Personal Information, subject to legal retention requirements.
- Restriction — ask us to limit how we use your Personal Information while we deal with a request or objection.
- Portability — receive a copy of certain Personal Information in a structured, commonly used, machine-readable format.
- Objection / opt-out — object to processing based on legitimate interests, or opt out of any direct marketing.
- Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing already carried out.
- CCPA/CPRA rights — Californian residents additionally have the right to request a list of the categories of Personal Information disclosed in the previous 12 months, the right to non-discrimination for exercising these rights, and the right to opt out of any "sale" or "sharing" (we do not sell or share Personal Information as those terms are defined under the CCPA/CPRA).
To exercise any right, email hello@leadably.io with the subject "Privacy request" and a clear description of what you are asking for. We may need to verify your identity before acting. We will respond within 30 days, or as required by applicable law.
9. Cookies and similar technologies
We use only the minimum cookies and local-storage items required for the Site to function (e.g. session continuity, motion preference). We do not currently use third-party analytics, advertising or tracking technologies. If we add any non-essential cookies in future, we will update this policy and present a clear consent banner before any non-essential cookie is set.
10. Children's privacy
The Site is intended for individuals aged 16 and over. We do not knowingly collect Personal Information from children. If you believe a child has provided Personal Information to us, please contact us and we will delete the information.
11. Third-party links
The Site may link to third-party websites, products and services. We do not control, endorse, or accept responsibility for the privacy practices of those third parties. Please review their privacy notices separately.
12. Updates to this policy
We may update this policy from time to time to reflect changes in our practices, technologies or legal requirements. When we do, we will revise the "Effective date" at the top of this page and bump the version number. Material changes will be flagged on the Site for at least 30 days. Continuing to use the Site after the effective date constitutes acceptance of the revised policy.
13. Complaints
If you believe we have breached the APPs, GDPR/UK GDPR, or any other applicable privacy law, please contact us first at hello@leadably.io with the subject "Privacy complaint". We will acknowledge within 7 days and aim to resolve the matter within 30 days.
If you are not satisfied with our response you may escalate to the relevant supervisory authority:
- Australia — Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
- European Economic Area — your local Data Protection Authority. A list is maintained by the European Data Protection Board.
- United Kingdom — Information Commissioner's Office (ICO), ico.org.uk.
- California, United States — California Privacy Protection Agency (CPPA) or the Office of the Attorney General.
This policy is provided for transparency and does not create a contractual obligation outside the scope of applicable law. Where this policy conflicts with mandatory provisions of Australian law, the law prevails.