LEGAL

Data Processing

Last updated: July 16, 2026

This Data Processing overview describes how Conversion Engine handles personal data when we provide Sales-as-a-Service. For website visitors who are not clients, see our Privacy Policy. For an active engagement, a signed Data Processing Agreement (DPA) may apply and prevail if there is a conflict.

1. Roles

Depending on the activity, Conversion Engine may act as an independent controller (for example, our own prospecting CRM and website forms) or as a processor / service provider processing personal data on a client's documented instructions (for example, uploading customer or lead lists into approved outreach tools).

AtomicoLabs affiliates may assist as sub-processors under appropriate contractual controls when needed to deliver the engagement.

2. Categories of data

Typical categories may include business contact data (name, title, work email, LinkedIn URL, company), campaign engagement events, website conversion events, and account credentials or access tokens you authorize us to use. We do not seek to process special-category personal data unless expressly agreed in writing.

3. Purposes of processing

Processing supports agreed growth activities such as ICP research, content distribution, paid media, SEO, outbound sequencing, reporting, and optimization — solely for the client's legitimate business purposes defined in the engagement.

4. Instructions and sub-processors

When we act as a processor, we process personal data only on documented client instructions unless law requires otherwise. We use vetted sub-processors (for example advertising platforms, ESP/sequencing tools, analytics, and infrastructure providers) and will maintain an up-to-date list upon request.

5. Security

We apply administrative, technical, and organizational measures appropriate to the risk: access controls, least-privilege practices, encryption in transit where supported, and vendor due diligence. No method of transmission or storage is perfectly secure; we work to protect data using industry-reasonable practices.

6. International transfers

Tools used in campaigns may process data in the EU, US, or other regions. Where transfers require safeguards, we rely on appropriate transfer mechanisms (such as SCCs) and configure vendors accordingly where feasible.

7. Retention and deletion

Processor data is retained for the engagement duration and a short wind-down period for reporting and dispute resolution, then deleted or returned per client instruction — unless law requires longer retention of specific records we hold as controller.

8. Breach notification

If we become aware of a personal-data breach affecting processor data, we will notify the client without undue delay and provide information reasonably available to support compliance obligations.

9. Assistance with data-subject rights

When acting as a processor, we will assist the client — through appropriate technical and organizational measures — in responding to data-subject requests, insofar as feasible for the services.

10. Contact

For DPA requests or processing questions: hello@conversion-engine.com.