Privacy Notice for California Residents

Last Updated: May 29, 2023

This Privacy Notice for California residents (“Privacy Notice“) supplements the information contained in our Privacy Policy and addresses the requirements under the California Consumer Privacy Act of 2018 (Cal. Civ. §§ 1789.100–1798.199) and the California Consumer Privacy Act Regulations by the Attorney General (the “CCPA“).

This Privacy Notice applies to Contacts and End-Users (as these terms are defined in Lusha’s Privacy Policy), who reside in the State of California (“consumer” or “you“).

If you have a disability, you may access this Privacy Notice in an alternative format by contacting our Privacy Team.

Who We Are

Lusha Systems Inc. is an incorporated company established in Delaware, with its registered office at 800 Boylston Street, Suite 1410, Boston, MA 02199 USA. 

Lusha Systems Inc. and/or its affiliates (“Lusha”, “we”, “us”) are responsible for processing Data as described in our Privacy Notice.

To contact us, and for more information, see Contact Us.

Types of Information We Collect From or About You

We collect and process Data as per the following:

3.1 Data about Contacts

We process business-related Data about Contacts. This Data is limited to what you would normally find on a business card or in a business email signature block, or to what is necessary to contact an individual with a business social network profile or to verify the authenticity of such a profile. We then provide this Data to our Licensees in the Lusha B2B Database.

To learn more about this Data, see the Data we process under “Contact Attributes” and “Company Attributes”.

Our Lusha B2B Database relies on Data retrieved or derived from information from the following sources:

  • Our Community Program: Our community members may share Data of their professional business network with us, such as email header, and signature blocks from their business email. Please note that community members must opt-in to sharing the Data of their professional business network with us in accordance with the Community Program terms. You can learn more about Lusha’s Community Program.
  • Our email composing features: Where Lusha End Users provide us access to their email account for the purposes of using our email composing features, we obtain Data using Google’s or Microsoft’s APIs. Click here for more information about the protections we implement when we use this Data.
  • Our affiliates and group members: We receive Data from affiliates, i.e. subsidiaries, parent companies, joint ventures, and other corporate entities under common ownership or in the same corporate group.
  • Publicly available sources: Our proprietary algorithm scans publicly available sources and retrieves public information to understand standard corporate email patterns (e.g. firstname.lastname@company.com). We use this Data only after we have verified it in accordance with our internal processes.
  • Business social network profiles: When an End User uses our browser extension while using LinkedIn, we read the minimum Data presented on the LinkedIn profile pages that the End User is browsing for providing the Service( e.g. name, position, company, contact details if public)
  • Third parties (for information about companies): We rely on business partners to collect company information about and maintain a verified list of existing companies. We use this information to ensure that the Data we process relates to business details obtained from the above is only added to the Lusha B2B Database if it relates to business details (as opposed to personal contact details). If we detect personal contact details, we will not add this to the Lusha B2B Database.

Learn more about Our Data Sources.

All of the Data collected from our sources described above is analyzed by Lusha’s proprietary algorithm to organize, scan, and merge certain Data attributes into a unique identifiable “Business Contact Card” which is published on the Lusha B2B Database. [We suppress any Data that our algorithms detect as non-business Data.]

We are focused on providing business Data only in the Lusha B2B Database, so we have implemented measures to exclude contacts who are public servants or otherwise public figures. If you opt-out, we will also remove your Data from the Lusha B2B Database and hold it on our suppression list.

3.2 Information we collect about and from End Users

Data we process about End Users

We collect Data directly from End Users where they interact with us. For example, this is the case when End Users create an account, use our Services, contact us via our website or support channels. The Data includes:

name

professional email address

professional phone number

professional mailing address

location

user activity

referred friend’s professional email address and name (only if you use our referral service)

any other information you provide us voluntarily when you communicate with us.

We do not sell any Data shared with us by our paying Licensees, End Users, or customers.

Data we collect through Lusha Integrations

As part of the Services, End Users or Licensees may integrate Lusha with certain platforms (“Integrations”). When using Lusha’s Integrations, Data from End Users’ or Licensee’s CRM tools, email, browser extension (such as Chrome add-on) or other software will be transmitted to Lusha, so Lusha can match or cleanse a this data against Data held in the Lusha B2B Database.

For example, End Users can use our Integration browser extension while browsing the profile pages of Contacts on business social networks, such as LinkedIn. When an End User does this, our browser extension collects the Data about Contacts presented on the profile pages that you are browsing.

Through these Integrations, Lusha may also collect Data about Contacts and Lusha may run these through its proprietary algorithm to organize, scan, merge and update certain Data into an existing “Business Contact Card” on the Lusha B2B Database, or otherwise improve Lusha’s research processes and the content provided by its Services.

We do not sell any information shared with us by our paying Licensees, End Users, or customers.

Data our Payment Partner collects

For End Users and Licensees that pay for the Services by credit cards, our service provider Stripe Inc. processes your payment information, while Lusha does not have direct access to it. We have an agreement with Stripe to ensure that your payment information is processed in a secure and confidential way.

3.3 Information we process about End Users and Visitors alike

If you are an End User using our Services as an authorized user of a Lusha Licensee or a Visitor that visits our website or Service, we automatically collect information sent to us by your computer, mobile phone, or other access devices. This information includes:

  • Your device information (for example, the type of browser and operating system your device uses, your language preference, your domain name, and the time you accessed the website)
  • Your mobile network information
  • Your IP address
  • Alerts for troubleshooting errors and bugs
  • Where you are not logged into your account, this information is unidentified to you and we are not aware of the identity of the user from which this information is collected.

We use cookies and other similar technologies (e.g. web beacons, log files, scripts and eTags) (“Cookies”) to enhance your experience using the Service. Cookies are small files which, when placed on your device, enable us to provide certain features and functionality. For more information, please read our cookie policy.

Sharing Personal Information

We disclose your Personal Information to third parties for a business purpose (as it is defined under the CCPA). When we disclose Personal Information for a business purpose, we enter into a contract that describes the purpose and requires both parties to keep that Personal Information confidential and not use it for any purpose except in the performance of the contract.

In the preceding twelve (12) months, we have disclosed the above-mentioned categories of Personal Information with the following categories of recipients for a business purpose:

  • Service Providers;

Selling Personal Information

In the preceding twelve (12) months, we may have sold the following categories of Personal Information to third parties or businesses for commercial purposes:

  • Identifiers;

We do not sell any information shared with us by our Customers. For more information, please read our Privacy Policy.

Rights Under the CCPA

Access to Personal Information

You may request that we disclose to you the categories and specific pieces of Personal Information that we have collected about you, the categories of sources from which your Personal Information is collected, the business or commercial purpose for collecting your Personal Information, the categories of Personal Information that we disclosed for a business purpose, any categories of Personal Information about you that we sold, the categories of third-parties with whom we have shared your Personal Information, and the business or commercial purpose for selling your Personal Information, if applicable.

Deletion Requests

You have the right to request that we delete any Personal Information collected from you and retained unless retaining the information is necessary for us or for our service providers to:

  • Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing or intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers, subcontractors and consultants to delete) your Personal Information, unless an exception applies.

Right to Opt-Out

You have the right, at any time, to direct us not to sell your personal information to third parties, as defined under the CCPA. This is also referred to as your right to opt-out.
You have the right to opt-out of sales, within the meaning of the CCPA, of certain information subject to the CCPA. You are not required to have an account with us to exercise your right to opt-out of the sale of your personal information to third parties. 

Please submit your request to our Privacy Team or online, by visiting the following link: “DO NOT SELL MY PERSONAL INFORMATION“.


The products and services of Lusha are not targeted to or intended for children under the age of 18. In the event that we become aware that a Contact or End User is under the age of 18, we will discard such information. If you have any reasons to believe that a minor has shared any information with us, please contact us at support@lusha.com

Exercising Your Rights

You can exercise your rights (such as access and deletion) by submitting a verifiable consumer request to our Privacy Team.

Only you or a person authorized to act on your behalf may make a consumer request related to your Personal Information.

The request must:

  • Provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
  • Describe your request with sufficient details to allow us to properly understand, evaluate, and respond to it.
  • We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

You may only request a copy of your data twice within a 12-month period. If you have any general questions about the Personal Information that we collect about you and how we use it, please contact our Privacy Team.

Response Timing and Format

Our goal is to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing within the 45 days period. If you are a User or Customer, we will deliver our written response to you through your Customer account. If you are a Site visitor, we will deliver our response by mail or electronically, at your option. 

Any disclosures we provide will cover only the 12-month period preceding the request. If reasonably possible, we will provide your Personal Information in a format that is readily usable and should allow you to transmit the information without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

In case of rejection, the response we provide will explain the reasons for which we cannot comply with your request.

Please note that these CCPA rights are not absolute and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations.

Designating Agents

You can designate an authorized agent to make a request under the CCPA on your behalf if:

  • The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
  • You sign a written declaration that you authorize the authorized agent to act on your behalf.

If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf using the contact information below. If you provide an authorized agent with power of attorney pursuant to Probate Code §§ 4000–4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Deny your goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Statistical Information

We publish metrics regarding the number of requests we have received, complied with (in whole or in part) or denied, and also the median number of days in which we responded to such requests, in the previous year, as applicable to the time period in which the CCPA was in effect. 

As of the date of publishing this Privacy Notice, such data has yet to have been received. Once such data is received, it will be published on a dedicated Consumer Requests Metrics page which will be available within this Privacy Notice.

Changes To This Policy

Lusha may modify this Privacy Notice from time to time to reflect eventual changes in the way we process Data. If we make material changes to this policy (such as a change in our processing purposes, a change in the identity of the controller, or even a change regarding the way you can exercise your rights in relation to our processing activities), we will notify you, as appropriate, depending on the substance of the change, by email or by means of a notice on our homepage, prior to the changes becoming effective.

Contact Us

Should you have any queries regarding this Privacy Notice or about how Lusha uses your data that are not answered here, please contact our Data Protection Officer, Assaf Gilad, by email.

If you are a Contact or Visitor, Lusha Systems Inc. and Lusha Systems Ltd. (a company incorporated in Israel with registered address at 132 Derech Menachem Begin, Tel Aviv 6701101) are joint controllers of your Data. You can find out more information about the joint controller arrangement by contacting our Data Protection Officer by email.

If you are an End User, the relevant data controller is the Lusha entity that your company contracts with, as set out in the Agreement.