Compliance

Last updated: 2026-05-07

LeadAce ships compliance defaults that try to keep B2B cold-outreach sends within bounds. This page describes what we enforce server-side, what we leave to the workspace operator, and how to reach us about a complaint or data-subject request.

1. Supported send-target countries (v1.0)

Outbound send paths currently allow recipients in the United States, Canada, and Japan. Other jurisdictions are blocked at send time with HTTP 422; a recipient with no country recorded surfaces a warning but is not blocked. UK, AU, and EU support is on the v1.x roadmap and depends on per-country footer / consent rules we have not finished implementing.

| Jurisdiction | Status | Notes |
| --- | --- | --- |
| US (CAN-SPAM) | Supported | Footer carries legal name + physical address + unsubscribe. |
| CA (CASL) | Supported | B2B conspicuous-publication operational stance (see §3). |
| JP (特定電子メール法 / 特商法) | Supported | Sender identity + opt-out are carried in the same footer block. 特商法 disclosure on /legal. |
| UK (PECR + UK GDPR) | Roadmap (v1.1) | Requires LIA documentation + Article 14 transparency. |
| AU (Spam Act) | Roadmap (v1.2+) | ABN registration constraints for non-AU senders. |
| EU / others | Not supported | Send blocked. |

2. Required workspace identity

Each workspace must set the following before any outbound send is allowed:

  • Legal name — the registered company entity.
  • Physical mailing address — CAN-SPAM §5(a)(5) requires a USPS-deliverable address (street address, registered PO Box, or CMRA-registered private mailbox).
  • Default sender country — ISO 3166-1 alpha-2. Determines which country-specific footer rules are applied as those ship.

Privacy policy URL and contact email are optional but strongly recommended; when set, the privacy URL is appended to every footer and the contact email is the route surfaced on this page for inbound requests.

These fields are configured per workspace under Workspace settings.

3. CASL operational stance

Canadian recipients are reached only when one of the following applies:

  • Conspicuous publication (CRTC FAQ): the recipient's business email is publicly listed without a "do not solicit" notice, and the message is relevant to that recipient's business role.
  • Existing business relationship between the workspace operator and the recipient's organisation.
  • Express consent on file.

We do not currently store a per-prospect consent basis column; the workspace operator is responsible for sourcing prospects through public B2B channels. Per-prospect consent records ship in a future release.

4. Mandatory footer

Every outbound message — email, web form, or social DM — has the following footer appended server-side. Workspaces cannot disable it; the message body the operator composes is concatenated with this block at send time.

---
<Legal name>
<Physical address>
[Learn more or ask anything: <inquiry-link>]
[Privacy: <privacy-policy-url>]
Unsubscribe: <unsubscribe-link>

The unsubscribe link is also exposed via the RFC 8058 List-Unsubscribe / List-Unsubscribe-Post: List-Unsubscribe=One-Click headers, so Gmail and Yahoo's bulk-sender requirements are met.
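The footer assembly and one-click headers described in this section, sketched as an added example; this is not LeadAce's own code. The function names, the example.test addresses, and treating the bracketed footer lines as optional are assumptions.

```python
from email.message import EmailMessage


def build_footer(legal_name, address, unsubscribe_url,
                 inquiry_url=None, privacy_url=None):
    """Render the footer block; bracketed template lines are treated as optional."""
    if not legal_name.strip() or not address.strip():
        raise ValueError("legal name and physical address are required")
    lines = ["---", legal_name, address]
    if inquiry_url:
        lines.append(f"Learn more or ask anything: {inquiry_url}")
    if privacy_url:
        lines.append(f"Privacy: {privacy_url}")
    lines.append(f"Unsubscribe: {unsubscribe_url}")
    return "\n".join(lines)


def compose(body, sender, recipient, subject, footer, unsubscribe_url):
    """Concatenate the operator's body with the footer and set RFC 8058 headers."""
    # RFC 8058 one-click unsubscribe requires an HTTPS URI in List-Unsubscribe.
    if not unsubscribe_url.startswith("https://"):
        raise ValueError("one-click unsubscribe needs an https:// URI")
    # Reject characters that would break the angle-bracketed header value.
    if any(c in unsubscribe_url for c in "\r\n<> "):
        raise ValueError("unsubscribe URL contains characters unsafe in a header")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>"
    # Fixed value defined by RFC 8058; receivers POST this body to the URI.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # The footer is appended here, after the operator's text, so the operator
    # has no way to compose a message without it.
    msg.set_content(f"{body.rstrip()}\n\n{footer}\n")
    return msg


if __name__ == "__main__":
    # Constructed sample values, not real workspace data.
    url = "https://example.test/u/abc123"
    footer = build_footer("Example Corp", "1 Main St, Springfield, IL 62701",
                          url, privacy_url="https://example.test/privacy")
    print(compose("Hello,\nquick question about your team.",
                  "sales@example.test", "lead@example.test",
                  "Quick question", footer, url))
```

RFC 8058 also requires a valid DKIM signature covering both List-Unsubscribe headers, so the signing step has to run after these headers are set.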

5. Unsubscribe and suppression

An unsubscribe is processed immediately and ratchets the prospect's do_not_contact flag on permanently — it does not reset on re-import or workspace edits. CAN-SPAM allows up to 10 business days; we process within seconds. Following ICO guidance, the prospect record itself stays in place — the flag is what suppresses future contact, and removing the record would let the same identity slip back into a fresh import.

6. GDPR Article 17 erasure

Your own account: use Delete account on the Account settings page. Erasure is immediate — your workspace, every project in it, all prospect / outreach / response data, Gmail authorization, and your login are removed. Any active paid subscription is cancelled at the same time (no prorated refund). MCP client tokens you previously issued remain valid for up to 30 days; revoke them by disconnecting LeadAce from each MCP client (automated MCP revocation is on the v1.1 roadmap).

A prospect's record in your workspace: email privacy@leadace.ai with the prospect's email address and we will pseudonymise the record (free-text PII set to NULL, structured DNC keys retained per Article 17(3)(b) and 6(1)(f) so the prospect cannot re-enter the funnel via a future import).

Self-host operators handle prospect-record erasure on their own database directly; an automated pipeline is on the v1.1 roadmap.

7. Self-host responsibility

LeadAce is open source. Operators running their own deployment inherit responsibility for the workspace identity fields, the sender domain's authentication (SPF / DKIM / DMARC), the mailbox the unsubscribe email is addressed to, and the legal regime applicable to their sender country and recipient list. This page does not constitute legal advice.

8. Contact

Compliance complaints, abuse reports, and data-subject requests: privacy@leadace.ai.