LeadPost Privacy Policy

Last Updated 11.24.2025

SECTION 1.      INTRODUCTION.

This Comprehensive Notice and Regulatory Addendum (“Notice”) describes in detail how LeadPost, LLC (“Company,” “we,” “us,” or “our”) collects, acquires, uses, sells, shares, discloses, retains, and protects personal data on their own behalf and as a registered data broker operating across multiple U.S. jurisdictions. Because we process personal data obtained both directly from consumers and indirectly from commercial providers, public sources, and third-party data suppliers, this Notice is intentionally written at a level of detail suitable for consumers, regulators, auditors, and compliance professionals. This policy does not govern employees, those seeking employment or our clients.

As a data broker, we obtain personal data in ways distinct from businesses that collect information only from direct consumer interactions. Our activities include identity resolution, cross-device matching, advertising and analytics, market insights, audience segmentation, profiling, automated decision-making (“ADMT”), and disclosures to Resource Providers, downstream recipients, and commercial partners.

This Notice applies to all personal data, regardless of the source of acquisition, the technology used to collect it, the jurisdiction in which the consumer resides, or the method by which it is used or shared.

This Notice does not apply to aggregated, deidentified, anonymized, or publicly available data where exempt under applicable law.  This Notice does not apply to our employees or clients as that policy is provided separately to those parties.

SECTION 2.      DEFINITIONS.

For purposes of this Notice, the following definitions apply:

“Personal Data.” Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. This includes identifiers, device data, behavioral data, commercial data, geolocation (if collected), and inferences.

“Sensitive Personal Data.” Personal Data revealing a consumer’s:

  • race, ethnicity, national origin;
  • citizenship or immigration status;
  • precise geolocation;
  • government ID numbers;
  • precise geolocation (if ever collected);
  • health or medical information;
  • sexual orientation;
  • certain financial information; or
  • other categories designated as “sensitive” under state law.

“Sale” or “Selling.” Disclosing personal data to a third-party for monetary or other valuable consideration, as broadly defined under CPRA, Colorado CPA, Minnesota MCDPA, and other state statutes.

“Sharing.” Disclosing personal data for targeted advertising or cross-context behavioral advertising, regardless of monetary consideration.

“Profiling.” Automated processing to evaluate personal aspects of an individual, including predicting interests, behaviors, preferences, income ranges, eligibility likelihood, or engagement propensities.

“Automated Decision-Making Technology (“ADMT”).” Algorithms or models that produce legal or similarly significant effects, including fraud screening, eligibility-driven scoring, affinity modeling, clustering, and automated routing.

“Data Broker.” A business that knowingly collects and sells or licenses personal data of consumers with whom it does not have a direct relationship.

“Downstream Recipient.” Any third-party to whom personal data is sold, shared, licensed, transmitted, or otherwise made available.

SECTION 3.      CATEGORIES OF PERSONAL DATA COLLECTED.

We may collect a wide range of personal data about consumers from both direct and indirect sources. The specific categories include:

3.1.      Identifiers. Name, Postal address, Email address, Phone or mobile number, IP address and device identifiers, Unique advertising IDs (IDFA, GAID, MAID), Cookie IDs and pixel tags, and Hashed or encrypted identifiers.

3.2.      Contact Information. Personal and business contact details.

3.3.      Commercial and Transactional Data. Products or services viewed, Pages visited, Consumer interest categories, Lead form submissions, Interaction with marketing content, and Consumer-provided purchase intent indicators.

3.4.      Online Activity and Device Data. Browsing history, Log files, Session data, App usage, Characteristics of devices, Operating system information, Referrers, timestamps, and clickstream data.

3.5.      Inferences and Audience Segments. Propensity scores, Modeled demographics, Likelihood-to-engage or likelihood-to-qualify indicators, Behavioral segments, and Interests and affinities.

3.6.      Public Records and Government Data. Collected only where permitted by law, we may collect or derive: Property ownership information, Licensing information, Business registrations, Court or administrative filings, and Voter registration (where legal).

3.7.      Sensitive Personal Data. Only if voluntarily provided or lawfully obtained and includes health-related information for government-benefit resources, race or ethnicity, and address where required for certain service matching.  We do not sell or share Sensitive Personal Data without consent.

SECTION 4.      SOURCES AND ACQUISITION METHODS.

We may collect personal data from a variety of sources, including but not limited to:

4.1.      Direct Consumer Interactions. Form submissions, survey responses, requests for Resource Provider connections, and customer service calls.

4.2.      Automated Technologies. Cookies, web beacons, pixels, SDKs, server logs, mobile identifiers, device fingerprinting (non-invasive), IP-based general geolocation, and JavaScript event tracking.

4.3.      Third-Party Data Providers.  We may obtain data from other data brokers, lead generation partners, commercial data aggregators, identity resolution vendors, advertising and attribution networks, semantic data enrichment partners, and marketing platforms.

4.4.      Public and Government Sources. Government registries, professional licensing databases, publicly accessible webpages and documents.

4.5.      Social Media (Public Only). We may collect social media content only where it is publicly posted and legally accessible.

SECTION 5.      PURPOSES FOR PROCESSING PERSONAL DATA.

We may use personal data for a variety of operational, commercial, analytical, and compliance purposes, including:

5.1.      Advertising and Marketing. Personalized advertising, Cross-context behavioral advertising, Audience targeting, Optimization and reporting.

5.2.      Lead Generation and Consumer Matching. Matching consumers with Resource Providers, Consulting scoring systems to determine potential interest, or Routing leads to appropriate programs or service categories.

5.3.      Analytics, Measurement, and Attribution. Engagement measurement, market trend analysis, statistical modeling and forecasting, and conversion tracking.

5.4.      Identity Resolution and Cross-Device Linkage. Deterministic linking (hashed emails, login signals), and probabilistic linkage (statistical modeling).

5.5.      Fraud Prevention and Security. Bot detection, duplicate lead suppression, abuse mitigation, and security event logging.

5.6.      Compliance and Governance. Maintaining suppression lists, responding to consumer privacy requests, fulfilling statutory and regulatory obligations, and conducting risk assessments and audits.

SECTION 6.      SENSITIVE PERSONAL DATA PRACTICES.

We collect, process, and disclose Sensitive Personal Data only in limited circumstances and only when permitted by law. Sensitive Personal Data is managed differently from standard data and is subject to heightened protections and narrower permissible uses.

6.1.      Categories of Sensitive Personal Data We Collect. We may collect or receive Sensitive Personal Data only when:

  • The consumer voluntarily provides the information in connection with a specific request for services (e.g., health-related information for government benefits programs).
  • The data is obtained from a third-party who is legally permitted to disclose it, including government registrations.
  • The information relates to protected characteristics required for specific program eligibility (e.g., age, veteran status, disability indicators).

We do not collect or use biometric identifiers, genetic information, immigration status, or children’s data under 18.

6.2.      How We Use Sensitive Personal Data.  We use Sensitive Personal Data only where reasonably necessary and proportionate to provide the services a consumer requests, verify identity (e.g., age or eligibility confirmation), prevent fraud or abusive activity, conduct internal compliance, audits, and security assessments, comply with legal or regulatory obligations. We do not use Sensitive Personal Data for targeted advertising or to build generalized marketing profiles.

6.3.      Prohibition on Selling or Sharing Sensitive Data.  We do not sell or share Sensitive Personal Data for cross-context behavioral advertising without explicit consent. In states requiring opt-in (e.g., Minnesota, Colorado for certain categories), we collect and process such data only after obtaining demonstrable consumer permission.

6.4.      Retention of Sensitive Personal Data.  Sensitive Personal Data is retained no longer than two (2) years after fulfillment of the purpose or sooner if legally mandated, unless retention is required for fraud prevention, security, litigation holds, or statutory obligations.

6.5.      Consumer Rights Over Sensitive Data.  Consumers may Request deletion, limit or restrict processing, withdraw consent (where required for collection), and/or request a description of how we use and store such data.

SECTION 7.      CROSS-DEVICE IDENTITY RESOLUTION.

We use cross-device identity resolution to better understand interactions across browsers, devices, and sessions. This supports accurate advertising measurement, fraud reduction, and service delivery.

7.1.      Deterministic Linking. Deterministic methods rely on stable identifiers such as Hashed email addresses, phone numbers (if provided), login signals on partner sites, account-level identifiers shared by partners. These methods provide high-confidence linking of devices to a single user.

7.2.      Probabilistic Linking. Probabilistic models rely on IP address patterns, browser configurations, device characteristics, behavioral patterns, temporal and geographic patterns.  These are statistical and may involve uncertainty.

7.3.      Opt-Out Rights. Consumers may opt-out of cross-device linking and targeted advertising.  Opt-outs apply to future processing and, where technically feasible, to existing linked identifiers.

SECTION 8.      PROFILING AND AUTOMATED DECISION-MAKING.

We engage in Profiling and Automated Decision-Making Technology (“ADMT”) in limited contexts. States including California (“CPRA”), Minnesota (“MCDPA”), and Colorado (“CPA”) require specific disclosures.

8.1.      Types of Profiling We Conduct. We may use profiling for fraud detection, quality scoring, consumer routing and matching, lead or data enrichment, interest and affinity scoring, and predictive behavior modeling.

8.2.      Inputs Used in Profiling. Model inputs may include Interaction data (clicks, browsing), audience segment indicators, commercial interest categories, identity graph matches, basic demographic estimates, and historical performance of similar audiences.  We do not use Sensitive Personal Data for advertising, data about children under 18, biometric data.

8.3.      Effects of Automated Decision-Making.  Automated decisions may influence the type of Resource Providers a consumer is connected with, whether data is flagged as potentially fraudulent, advertising relevancy and frequency, and routing priority within a category.

8.4.      Consumer Rights. Depending on the jurisdiction, consumers may:

  • Request an explanation of how a decision was made.
  • Request correction of data used in the model..
  • Contest the decision derived from Automated Decision Making
  • Request human review of the decision.
  • Opt-out of profiling used for decisions with “legal or similarly significant effects”.

8.5.      Data Protection Assessments. We conduct Data Protection Assessments (“DPAs”) prior to initiating high-risk profiling, annually or when material changes occur, when required by Minnesota MCDPA and Colorado CPA, and upon request from regulators.

SECTION 9.      SALE & SHARING DISCLOSURES.

Under multiple state laws, we must disclose whether we “sell” or “share” personal data.

9.1.      What Constitutes a Sale.  A sale occurs when we may receive an affiliate fee, commission payment, lead delivery compensation, and monetization tied to audience matching.  These may qualify as “sales” of personal data depending on jurisdiction.

9.2.      What Constitutes Sharing.  Sharing refers to disclosing personal data for targeted advertising or using third-party platforms to deliver personalized ads or participation in audience networks or identity graphs.

9.3.      Categories of Data Sold or Shared.  Identifiers, device data, commercial information, online activity, or inferences.

9.4.      Opt-Out Options.  Consumers may opt-out of our sharing or sales through our “Do Not Sell My Personal Information” link or use of universal opt-out signals (“GPC”) at or our privacy portal.

9.5.      Downstream Recipient Controls.  To the extent the situation or law requires it, we require contractual restrictions for all downstream recipients, including prohibitions against secondary sales, no re-disclosure outside permitted purposes, obligation to delete data when required, and cooperation with Delete Act “Drop” requests.

SECTION 10.    CONSUMER RIGHTS

Consumers may exercise the following rights, subject to state laws in the jurisdiction of their residency:

10.1.    Right to Access.  Consumers may request: (i) the categories and specific pieces of Personal Data held; (ii) sources of data; (iii) purposes of processing; and (iv) categories of third-party disclosures.

10.2.    Right to Deletion.  Consumers may request deletion of personal data, subject to: (i) legal exceptions; (ii) security retention; (iii) fraud prevention obligations; and (iv) contractual requirements.

10.3.    Right to Correction.  Consumers may request correction of inaccurate data.

10.4.    Right to Opt-Out. Consumers may opt-out of: (i) Sale; (ii) Sharing; (iii) Targeted advertising; (iv) Profiling used for significant decisions.

10.5.    Right to Limit Sensitive Data.  Where applicable, consumers may restrict Sensitive Personal Data processing.

10.6.    Right to Portability. Consumers may request a portable copy of certain types of personal data.

10.7.    Right to Appeal. If a request is denied, consumers may submit an appeal to privacy@leadpost.com. We respond within statutory timelines.

SECTION 11.    IDENTITY VERIFICATION PROCEDURES

To protect consumer privacy, we verify identity before processing certain requests.

11.1.    Verification Methods.  We may verify through email verification links, or Phone/SMS confirmation, and IP address consistency.  We may also verify through public records matching and/or Knowledge-based questions (where legally permitted).

11.2.    Additional Requirements for Sensitive Requests.  Deletion and access requests require higher verification thresholds and Authorized agents must provide notarized or documented authorization.

11.3.    Use of Verification Data. Data collected for verification is used solely for identity confirmation, stored separately from general profiles, and never used for marketing or advertising.

11.4.    Denials.  We may deny a request if your identity cannot be verified, or the request is fraudulent, or abusive, or legal requirements prevent fulfilling the request.  Consumers may appeal any denial by submitting the appeal to privacy@leadpost.com

SECTION 12.    CALIFORNIA DELETE ACT COMPLIANCE

The California Delete Act imposes new and heightened obligations on registered data brokers. As a registered data broker, we comply with all requirements of the Delete Act and outline them here for transparency and regulatory readiness.

12.1.    Consumer-Initiated Statewide Deletion (“Drop”) Requests. Beginning in 2026, California residents may submit a single statewide deletion request through the California Privacy Protection Agency (“CPPA”). When we receive a Drop request from the CPPA, we will:

  1. Delete all personal data we hold about the consumer within 45 days unless an exception applies.
  2. Delete personal data stored in archives, backups, and cold storage within the next regularly scheduled deletion cycle.
  3. Notify all downstream recipients or purchasers of the personal data and direct them to also delete the consumer’s data.
  4. Flag the consumer as permanently suppressed, preventing future collection unless the consumer re-consents.
  5. Retain proof of our deletion action in an audit log, without retaining any personal data but we will retain the email address for suppression purposes only.
  6. Treat any re-collection of data as prohibited until explicit renewed consumer consent is obtained.

12.2.    Annual Data Broker Registration.  We comply with the Delete Act and each state’s Data Broker annual requirements, including:

  • Renewal of registration.
  • Payment of associated fees.
  • Posting a public-facing “do not sell my information”.
  • Providing clear disclosure of:
    • Categories of data collected;
    • Sources of data;
    • Whether we sell/share the data;
    • Whether we collect minors’ data;
    • Whether we use automated decision-making;
    • Retention schedules; and
    • Sensitive data practices.

12.3.    Audit and Documentation Requirements.  We maintain:

  • Comprehensive logs of all deletion activity;
  • Downstream deletion confirmations when provided;
  • Documentation of exceptions invoked;
  • Records of data minimization practices; and
  • Suppression lists exempt from deletion under CPRA and Delete Act rules and related state laws.

SECTION 13.    DATA RETENTION SCHEDULES.

We retain personal data only for as long as is reasonably necessary for the purposes described in this Notice or as required by law. Retention periods vary depending on the category and use of the data.

13.1.    Standard Retention Durations.

Category of Personal Data

Retention Period

Notes / Legal Basis

Identifiers (name, email, phone)

2–5 years

Needed for suppression lists, fraud prevention, reporting

Device/Online Activity

1–3 years

Shorter retention for logs and cookies; security & analytics

Commercial Information

3–7 years

Audit obligations, marketing performance, legal claims

Public Record Data

As required by law

Retention aligned with public data source

Employment Data

3–7 years

Where used for job matching; subject to labor laws

Inferences & Audience Segments

1–3 years

Deleted or refreshed when stale or inaccurate

Sensitive Personal Data

≤ 2 years

Unless required by law; strict limits applied

Suppression Lists

Indefinite

Mandated by CPRA/DELETE ACT for opt-out enforcement

Verification Data

Max. 90 days

Then permanently deleted

 

13.2.    Criteria Used to Determine Retention Periods. Retention periods are determined by: (i) Statutory and regulatory obligations; (ii) Fraud detection and security needs; (iii) Operational requirements; (iv) Business necessity; (v) Data minimization principles; (vi) Litigation hold requirements; and (vii) Contractual requirements from downstream recipients.

13.3.    Secure Disposal.  When data reaches the end of its retention lifecycle, it is securely deleted, deidentified, or aggregated.

SECTION 14.    SECURITY MEASURES.

We maintain a comprehensive, risk-based information security program designed to protect personal data against unauthorized access, disclosure, alteration, and destruction.  We use the following security measures:

14.1.    Administrative Safeguards. We have a: (i) privacy and security governance framework; (ii) role-based access controls (least privilege); (iii) employee training and annual certifications; (iv) vendor management and oversight; (v) internal privacy audits; and (vi) annual review of policies and controls.

14.2.    Technical Safeguards.  We use the following technology to safeguard the data: (i) Encryption of data in transit; (ii) Encryption at rest; (iii) Network segmentation; (iv) Multi-factor authentication (“MFA”); (v) Firewalls and intrusion detection systems; (vi) Endpoint detection and response (“EDR”); (vii) Logging and monitoring of security events; and (viii) Secure development lifecycle (“SDLC”).

14.3.    Physical Safeguards. In addition, we have the following physical safety factors in place: (i) Secured facilities and access logs; (ii) Secure disposal of physical media; and (iii) visitor restrictions.

14.4.    Incident Response. We maintain a written incident response plan, including: (i) Detection and triage; (ii) Containment and mitigation; (iii) Regulatory notifications when required: (iv) Consumer notifications when required; (v) Root-cause analysis; and (vi) Post-incident review and improvement.

SECTION 15.    PROCESSOR & VENDOR OVERSIGHT.

We engage processors and service providers to perform services on our behalf. Each relationship is governed by a written agreement that imposes strict privacy, security, and compliance obligations.

15.1.    Contract Requirements.  We use written contracts with our vendors and processors which include data processing instructions, purpose limitations, confidentiality obligations, security requirements, sub processor restrictions, deletion/return requirements, and compliance with all applicable laws.  We also require assistance with consumer rights requests and in some cases audit and assessment rights.

15.2.    Vendor Due Diligence.  Before onboarding, vendors undergo:

  • Security assessments;
  • Privacy and compliance reviews;
  • ADMT and profiling risk analysis (if applicable); and
  • Data minimization evaluations.

Ongoing monitoring occurs annually or when material changes are identified.

15.3.    Downstream Recipient Controls. Recipients of data (e.g., Resource Providers, analytics partners, ad networks) must:

  • Use data solely for permitted purposes;
  • Restrict secondary sales;
  • Comply with state privacy laws;
  • Honor deletion and opt-out requests; and
  • Provide deletion confirmations when asked.

SECTION 16.    CHILDREN’S INFORMATION.

We do not knowingly collect, sell, or share personal data from: (i) Children under 13 years of age (“COPPA”); and (ii) Minors under 18 years of age for purposes of sale or targeted advertising.  If we learn that data was collected in violation of these principles, we will: (i) promptly delete the data; (ii) suppress future collection; (iii) notify any downstream recipients to delete the data.

SECTION 17.    STATE-SPECIFIC DISCLOSURES.

This Notice incorporates the requirements of all U.S. consumer data privacy laws currently enacted. The following supplemental disclosures apply to residents of particular states.

17.1.    California (CPRA & Delete Act). California residents have the rights to:

  • Know/access data;
  • Delete data;
  • Correct data;
  • Opt-out of sale and sharing;
  • Limit Sensitive Personal Data use;
  • Opt-out of profiling (ADMT rules forthcoming);
  • Use universal opt-out signals (“GPC”); and
  • Submit statewide deletion requests (“Drop”).

We maintain:

  • “Do Not Sell or Share My Personal Information” link;
  • Sensitive data limitation mechanisms; and
  • Annual data broker registration.

 Pursuant to the California Delete Act of 2023, SB 362, you may find a summary of the requests received and processed at https://leadpost.com/PrivacyComplianceSummary.

17.2.    Colorado (CPA). Colorado residents have rights to:

  • Access, correct, delete;
  • Opt-out of sale, targeted advertising, and profiling;
  • Appeal denied requests;
  • Utilize recognized universal opt-out mechanisms via browser ad on; and
  • Recognize Colorado AG-certified universal opt-out mechanisms.

17.3.    Minnesota (MCDPA). Minnesota residents may avail themselves to the following additional rights:

  • Confirm whether we process personal data about you and access that data;
  • Correct inaccurate personal data;
  • Delete personal data;
  • Obtain a portable copy of personal data you provided to us when processed by automated means; and
  • Opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects, including the related right to question and obtain an explanation of such decisions and, when feasible, to understand what actions could lead to a different outcome.

You may exercise these rights using the methods through our Privacy Request Portal.  We will respond to your request within 45 days and may extend once by up to 45 additional days when reasonably necessary, with notice of the extension.

If we decline to act or you disagree with out actions, You may appeal any denial through our internal appeal process, which is easy to use and similar to the method you used to make your request. We will provide a written decision on your appeal within 45 days, which we may extend by up to 60 additional days when reasonably necessary, with notice of any extension. If your appeal is denied, our response will explain how you may file a complaint with the Minnesota Office of the Attorney General, including the online complaint form at https://www.ag.state.mn.us/Data-Privacy/Complaint/.   We keep records of appeals and our responses for at least 24 months and will provide them to the Minnesota Attorney General upon request.

17.4.    Virginia, Connecticut, Utah, Tennessee, Indiana, Iowa, Delaware, Montana, New Hampshire. Residents have the following rights:

  • Access, Correction, Deletion, Portability;
  • Opt-out of targeted advertising, sale, and profiling; and
  • Appeal rights.

We comply with statutory timelines (typically 45 days + extension).

17.5.    Texas (TDPSA). Texas residents have:

  • Access, correction, deletion, portability, and opt-out rights;
  • Mandatory opt-out for sale, targeted advertising, and profiling; and
  • Right to use universal opt-out signals.

We maintain Texas data broker registration where applicable.

17.6.    Oregon Consumer Privacy Act. Oregon residents may:

  • Access, delete, correct, and port data;
  • Opt-out of sale and targeted advertising;
  • Opt-out of profiling; and
  • Appeal decisions.

We maintain heightened protection for Sensitive Personal Data.

17.7.    Vermont Data Broker Act. As a Vermont-registered data broker, we disclose:

  • Categories of data collected and Data sources;
  • Whether data is sold;
  • Opt-out mechanisms; and
  • Security breaches occurring during the prior year.

Vermont residents may request a list of data broker filings.

SECTION 18.    GOVERNANCE, RISK MANAGEMENT, & INTERNAL COMPLIANCE.

We maintain a comprehensive privacy and data governance framework designed to ensure ongoing compliance with U.S. consumer data privacy statutes, data broker laws, and technical security standards. This framework includes documented policies, internal controls, formal review cycles, and structured oversight by designated personnel.

18.1.    Privacy Governance Structure.

18.1.1.       Privacy Officer.  We maintain a designated Privacy Officer responsible for:

  • Overseeing this Notice;
  • Monitoring legal and regulatory developments;
  • Ensuring the completion of Data Protection Impact Assessments (DPIAs);
  • Managing consumer privacy requests and appeals;
  • Coordinating with legal counsel, executives, and product owners; and
  • Serving as the primary point of contact for regulators.

18.1.2.       Interdepartmental Compliance. Privacy governance spans across technology and engineering, product and marketing, legal and compliance, security operations, data science and analytics, and vendor operations. Each business function is responsible for ensuring compliance with this Notice.

18.2.    Data Mapping & Record of Processing Activities (“ROPA”). We maintain detailed internal documentation, including all categories of personal data processed, data flow maps illustrating acquisition, hosting, transfer, retention, and deletion, jurisdictional applicability matrices, data protection assessments (DPAs/DPIAs), risk scoring and impact categorization, all third-party processors and downstream recipients, retention periods and storage locations, and technical and organizational security measures. These records are updated at least annually or whenever a material change occurs to data uses, collection methods, or technology.

18.3.    Workforce Training. All personnel with access to personal data are trained annually on:

  • Data broker obligations;
  • State privacy law requirements;
  • Profiling and automated decision-making restrictions;
  • Data minimization and retention practices;
  • Security awareness;
  • Incident response and reporting; and
  • Consumer rights and verification procedures.

18.4.    Vendor & Downstream Recipient Management. We maintain a full lifecycle management program for all service providers and downstream recipients, including:

  • Pre-contract due diligence;
  • Annual reassessments;
  • Security and compliance reviews;
  • Sub processor monitoring;
  • Termination and offboarding procedures; and
  • Contract enforcement and remediation procedures.

We document all downstream disclosures, as required by CPRA, the Delete Act, Vermont, Texas, and Minnesota.

SECTION 19.    UPDATES, AMENDMENTS, & VERSION CONTROL.

We may update this Notice from time to time to reflect changes in applicable laws, new or modified data practices, new technologies, regulatory requirements, or evolving industry standards. All updates are provided on this page with a posting date.

19.1.    Prior Notice & Consent Requirements Under certain laws, including CPRA and MCDPA, material expansions of purpose or new sensitive data processing may require:

  • Prior notice;
  • A renewed opportunity to opt-out; and
  • In some cases, opt-in consent.

We adhere to these requirements or only use data pursuant to the permissions granted at the time of collection and do not expend such use.

19.2.    Version Control & Documentation. We maintain internal version control, including historical copies of this Notice, change logs describing revisions, documentation of legal review and implementation tracking for technical updates.

SECTION 20.    CONTACT INFORMATION & SUBMISSION METHODS.

Consumers and regulators may contact us using the methods below to exercise privacy rights, submit inquiries, or raise concerns.

20.1.    Privacy Office.

LeadPost, LLC — Privacy Office
Email: privacy@leadpost.com
Address: 555 Washington Ave, Suite 310, St. Louis, MO 63101
Online Portal: https://leadpost.com/PrivacyRequest

20.2.    Submission Methods.

You may submit privacy requests through:

  • Our online Privacy Request Portal; https://leadpost.com/PrivacyRequest
  • Authorized agent submissions with proper documentation;
  • Universal opt-out signals (e.g., Global Privacy Control); and
  • California’s statewide Delete Act submission mechanism.

We will acknowledge requests within the required timeframe and provide responses according to state law.

20.3.    Appeals.

If your request is denied, you may file an appeal by contacting:

privacy@leadpost.com

We will review the appeal and respond within statutory deadlines (typically 45 days). Our response will identify the Attorney General contract information available to you. If you remain dissatisfied, you may escalate your complaint to your state’s Attorney General or applicable regulatory agency.

Scroll to Top