Security & privacy

Built to keep your visitors’ data safe.

We treat subscriber data like we’d want our own treated: encrypted, minimised, never sold, and handed back to you on request.

Our principles

Six things we promise.

Encryption everywhere

All traffic to popthelead.com and the embed script is served over TLS 1.2+. Data at rest is encrypted by our hosting providers (Vercel and Supabase) using AES-256-GCM.

GDPR-friendly by default

We store only what's needed to deliver the service, honor data-subject requests, and never sell visitor data. EU customers can request a DPA.

Reliable infrastructure

We host on Vercel (edge-distributed) and Supabase (Postgres) — both providers run SOC 2 Type II-certified infrastructure and offer EU regions. Pop the Lead itself is GDPR-compliant; our own SOC 2 audit is on the roadmap.

Transparent data practices

Subscriber data is yours. We push it to your destination (Klaviyo, Mailchimp, webhook) and you remain the data controller. We act as a processor.

Clean cookie story

The embed sets only the cookies needed to remember which popups a visitor has already seen. No third-party trackers, no ad tech, no surprise pixels.

Built for the modern web

The embed is a single lightweight script that lazy-loads after the page is interactive — no impact on your Core Web Vitals or SEO.

The details

Facts, not vibes.

Data processor
We're a processor — you remain the controller of your subscribers' data.
Subprocessors
Vercel (hosting), Supabase (database), Dodo Payments (billing / merchant of record), Resend (transactional email).
Data residency
Production data is stored in the EU on request for GDPR customers. Default region is US-East.
Backups
Database is backed up daily with point-in-time recovery for 7 days.
Access control
Production access is limited to founders, behind 2FA. No third-party access without a signed DPA.
Vulnerability reporting
Report security issues via the contact page — we respond within 48 hours.

Need a DPA or a custom security review?

We sign DPAs for EU customers and answer security questionnaires for enterprise plans. Get in touch.
