Privacy Policy

LeadFlow ("we", "our", "us") operates the LeadFlow SaaS platform. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

1. Information We Collect

We collect the following types of information:

• Account information: Name, email address, password (hashed), and business profile details you provide during registration.
• Billing information: Processed by Stripe. We do not store credit card numbers. We store Stripe customer IDs and subscription status.
• API credentials: WhatsApp API keys, OpenAI API keys, Google Places API keys, and SMTP credentials you add to your account. These are stored encrypted and used solely to operate your campaigns.
• Usage data: Campaigns you create, leads you import or scrape, messages sent and received, and platform analytics.
• Lead data: Business names, phone numbers, email addresses, websites, and other contact information you collect through our platform. You are the data controller for this information.

2. How We Use Your Information

• To provide and operate the LeadFlow platform and all its features
• To process payments via Stripe
• To send you account-related emails (password resets, billing alerts)
• To operate your automated messaging campaigns using the credentials you provide
• To calculate and pay affiliate commissions
• To improve the platform and fix bugs
• To comply with legal obligations

3. Lead Data and Third-Party Contacts

When you use our platform to collect leads from Google Maps or import CSV files, you become the data controller for that contact information. You are responsible for:

• Ensuring you have a legitimate basis to contact leads under applicable laws (GDPR, CAN-SPAM, CASL, etc.)
• Complying with WhatsApp Business API terms regarding commercial messaging
• Honoring unsubscribe requests promptly
• Not using the platform to send spam, unsolicited bulk messages, or illegal content

4. Data Sharing

We do not sell your data. We share data only with:

• Stripe — Payment processing
• Meta/WhatsApp — Message delivery via your connected WhatsApp Business API
• OpenAI — AI message generation using your API key
• Google — Lead scraping via Google Places API using your API key
• SendGrid/SMTP providers — Email delivery using your configured credentials
• Legal authorities — If required by law or court order

5. Data Security

We implement industry-standard security measures including:

• All connections over HTTPS/TLS
• Passwords hashed with bcrypt
• API keys stored encrypted in the database
• CSRF protection on all forms
• SQL injection protection via prepared statements
• Rate limiting on authentication endpoints

6. Data Retention

We retain your account data for as long as your account is active. If you cancel your account, we delete your data within 30 days, except where we are required by law to retain it (e.g., billing records for tax purposes — retained for 7 years).

7. Your Rights

Depending on your location, you may have the right to:

• Access, correct, or delete your personal data
• Export your data in a portable format
• Object to or restrict processing
• Withdraw consent at any time

To exercise these rights, contact us at admin@yourdomain.com.

8. Cookies

We use only essential session cookies required to operate the platform (authentication). We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Children's Privacy

Our service is not directed to persons under 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice in the platform. Continued use of the platform after changes constitutes acceptance.

11. Contact

For privacy questions or to exercise your rights, contact us at: admin@yourdomain.com