LEAD RECON circular logoLEAD RECONAI Growth OSBook Call

LEAD RECON

Data Protection

How LEAD RECON approaches data boundaries, AI workflow controls, access, retention, and client implementation risk.

Last updated: 7 July 2026

Data boundary principle

LEAD RECON designs automation and AI systems around clear data boundaries. Client records should stay in the approved client workspace, CRM, SaaS product, or authorised integration path.

We avoid unnecessary copying of production records into generic documents, prompts, spreadsheets, or unmanaged channels.

Controller and processor roles

For our website, sales pipeline, and direct business operations, LEAD RECON LTD normally acts as controller.

For client implementation work, we may act as a processor where we handle personal data only on the client's documented instructions and under an agreed scope.

Project onboarding

Before implementation, we identify data sources, account owners, user permissions, integration routes, retention needs, high-risk data, and approval responsibilities.

Where a project involves sensitive categories, regulated workflows, children's data, healthcare, finance, employment, or high-impact automated decisions, we expect additional review before build or launch.

Access control

Access should be limited to people and systems that need it for delivery, support, security, reporting, or audit.

Client credentials should be shared through approved secure methods, not pasted into public tickets, chat threads, or unprotected documents.

AI workflow controls

AI workflows should be scoped to the minimum data needed for the task and should avoid exposing unnecessary personal, confidential, financial, or sensitive information.

For higher-risk workflows, we favour human approval gates, audit trails, restricted actions, and explicit escalation paths before external publication, sending, spending, or record-changing operations.

Security measures

Appropriate measures may include HTTPS, access controls, least-privilege permissions, environment separation, logging, backup discipline, vendor review, and secure deployment processes.

No internet-connected system is risk-free, but security decisions should be proportionate to the data, workflow, and potential impact.

Retention and deletion

Client project data should be retained only for agreed delivery, support, legal, accounting, audit, or security purposes.

At the end of a project, deletion, export, handover, or continued support arrangements should be agreed based on the client's operational needs and applicable obligations.

Subprocessors and vendors

Implementation may involve hosting, storage, email, analytics, CRM, automation, advertising, AI, monitoring, and payment vendors.

Where vendor selection matters for compliance, security, or data residency, it should be agreed before production data is connected.

Data requests and incidents

Privacy and data protection requests can be sent to [email protected].

Suspected incidents should be reported promptly with the affected system, timeline, data type, and any immediate containment steps already taken.

Privacy choices

We use essential storage for the site. With your permission, GTM helps measure visits, conversions, and paid-social learning.