TL;DR
lemlist follows GDPR regulations by storing data in the EEA, using only publicly available information, requiring user consent for contact exports, and providing tools to help users implement opt-out mechanisms. All data stays on French servers hosted by OVH. Users act as data controllers while lemlist acts as the processor. Recipients can unsubscribe when an unsubscribe link is included in the email, or they can request deletion by contacting [email protected].
What This Is
GDPR (General Data Protection Regulation) compliance means lemlist handles personal data according to European privacy laws. This protects both lemlist users and the people they contact through campaigns.
lemlist operates as a data processor under GDPR, while users are data controllers responsible for ensuring their outreach complies with privacy regulations.
Why This Matters
GDPR compliance protects you from legal risks when running cold outreach campaigns. Non-compliance can result in significant fines and damage to your business reputation.
For recipients, GDPR gives them control over their personal data. They can request deletion, understand how their data is used, and opt out of communications. lemlist's compliance framework respects these rights while enabling effective outreach.
How lemlist Ensures GDPR Compliance
Data Storage and Residency
All lemlist data is stored within the European Economic Area (EEA) on servers located exclusively in France and hosted by OVH. No personal data is exported outside the EEA, ensuring full compliance with GDPR data residency requirements.
Public Information Only
lemlist's database contains only publicly available information from LinkedIn profiles, including:
Names
Job titles and positions
Company names
Employment history
Email addresses and phone numbers are not stored in the database unless explicitly provided by users during contact enrichment.
User Consent and Transparency
When users export contacts using lemlist credits, they explicitly agree to follow lemlist's privacy and sending policies. This consent mechanism ensures:
Users understand their responsibilities as data controllers
Data is used responsibly and within GDPR guidelines
Users provide recipients with a clear opt-out mechanism (for example, by including an unsubscribe link) where required
lemlist provides an in-app GDPR certification setting where users confirm their data collection follows GDPR principles.
Unsubscribe Links (Recommended)
lemlist allows users to include an unsubscribe link in their emails, and it is strongly recommended to do so to support GDPR/CAN-SPAM compliance and good sending practices. When an unsubscribe link is included and a recipient clicks it, they're removed from that campaign and cannot be contacted again by that user.
Data Processing Agreement (DPA)
lemlist offers a Data Processing Agreement that defines the relationship between lemlist (processor) and users (controllers). The DPA is available for review and signing online at lemlist's official website.
How to Request Data Deletion
If you want your information removed from lemlist's database, you have two options:
Option 1: Contact lemlist Privacy Team
Send an email to [email protected]
Include your full name and the email address you want removed
Specify if you're making a GDPR data subject request
lemlist will verify your request and confirm removal via email
Option 2: Contact the Sender Directly
If you received an email from a lemlist user, you can contact them directly to request removal from their contact list. Depending on how the sender configured their email, the message may include sender information and an unsubscribe link.
What Happens After Your Request
lemlist verifies that the request follows GDPR requirements
Your data is removed from the database
You receive confirmation via email once deletion is complete
How Contact Enrichment Works
When users spend credits to enrich contacts, lemlist searches for email addresses using:
Common email format patterns (e.g., [email protected])
Email verification to confirm addresses are valid
Partner databases for additional contact information
This process respects privacy by using non-intrusive methods and only providing verified contact information to users who've agreed to GDPR-compliant use.
Additional Resources
For more information about lemlist's data practices:
Review the Privacy Policy for detailed data handling procedures
Access the Data Processing Agreement for GDPR-related clauses
Important: GDPR is just one privacy regulation. Other laws like CAN-SPAM (US), CASL (Canada), and PECR (UK) may also apply to your outreach. Laws vary by country, so consult legal professionals familiar with your target markets to ensure full compliance.
