§09 · 8 min read · Last updated 2026-06-04

GDPR posture

Legitimate-interest under GDPR Art. 6(1)(f) with a documented Legitimate Interest Assessment. Corporate inboxes only. RFC 8058 one-click unsubscribe. Retention defined per-table.

CogniLead operates under GDPR Article 6(1)(f) — legitimate interest — for outbound B2B contact. This is not an arbitrary choice; it is the only basis that survives scrutiny for cold prospecting that has not yet earned consent. The trade-off is that legitimate interest requires a documented Legitimate Interest Assessment that the data subject can request, and it requires real mitigations.

The legitimate-interest case

  • Purpose — B2B contact targeting employees of companies whose public artifacts indicate a specific technical need our customer can fulfill.
  • Necessity — there is no less-intrusive way to surface this opportunity. The recipient cannot opt in to a service they have not heard of.
  • Balancing test — corporate inboxes only, one-click opt-out honored within 60 seconds, audit chain produced on demand, no special-category data.

Mitigations we ship

  • RFC 8058 one-click unsubscribe in List-Unsubscribe-Post. Honored across all pools within 60 seconds via the suppression worker.
  • Suppression list is global per tenant. A complaint against one campaign suppresses across all campaigns.
  • No third-party trackers in the body. No open pixels by default. Click tracking is opt-in per campaign.
  • EU-resident inference for EU recipients (see /docs/personalize).
  • Evidence pack PDF rendered on demand for the data subject under Article 15.
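
A pre-send check for the RFC 8058 headers named in the first mitigation, as an added example that is not CogniLead's own code. The function name, the example.com addresses and the sample message are constructed for illustration; only the DKIM `h=` tag is inspected, the signature itself is not verified.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

REQUIRED_POST = "List-Unsubscribe=One-Click"  # exact value RFC 8058 requires

def check_one_click(raw_message):
    """Return RFC 8058 header problems for one message; [] means conformant."""
    msg = message_from_string(raw_message)
    problems = []
    unsub = msg.get("List-Unsubscribe")
    post = msg.get("List-Unsubscribe-Post")
    if unsub is None:
        problems.append("missing List-Unsubscribe")
    else:
        uris = re.findall(r"<([^>]+)>", unsub)
        if not any(urlparse(u.strip()).scheme.lower() == "https" for u in uris):
            problems.append("List-Unsubscribe has no HTTPS URI")
    if post is None:
        problems.append("missing List-Unsubscribe-Post")
    elif post.strip() != REQUIRED_POST:
        problems.append("List-Unsubscribe-Post is not " + REQUIRED_POST)
    # Both headers must be listed in the h= tag of a DKIM signature,
    # otherwise a receiver has no authenticated basis to act on them.
    needed = {"list-unsubscribe", "list-unsubscribe-post"}
    covered = False
    for sig in msg.get_all("DKIM-Signature") or []:
        tag = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if tag and needed <= {h.strip().lower() for h in tag.group(1).split(":")}:
            covered = True
    if not covered:
        problems.append("DKIM h= does not cover both unsubscribe headers")
    return problems

# Constructed sample message (placeholder signature values, example.com domains).
GOOD = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=sel1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: sender@mail.example.com
To: recipient@corp.example
Subject: hello
List-Unsubscribe: <mailto:unsub@mail.example.com>, <https://mail.example.com/u/opaque-token>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

body
"""
# Same message with an http:// link and the Post header left out of h=.
BAD = GOOD.replace(":list-unsubscribe-post;", ";").replace("https://", "http://")

if __name__ == "__main__":
    print(check_one_click(GOOD), check_one_click(BAD))
```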

Retention

  • Signals — 90 days from observed_at.
  • Leads (post-suppression) — 30 days for forensic visibility, then purge.
  • Sends — 7 years (DPA audit lookback).
  • Chainlog events — lifetime of the tenant.