Privacy Policy
Effective May 19, 2026 · plain English · we collect the minimum.
This is how LeadDevise ("LeadDevise", "we", "us") handles your data when you use our website at leaddevise.com or our API. It applies to everyone who signs up, runs a search, connects an outbound integration, or just browses the landing page. If something here is unclear, email [email protected]and we'll fix it.
1. What we collect
We only collect what we need to run the service:
- Account data — email address, name (optional), encrypted password or OAuth identifier (Google). Stored by our auth provider (Supabase).
- Billing data — name, billing email, country, last 4 digits and brand of your card. We never see your full card number — it goes directly to Stripe / PayPal.
- Service usage — the search queries you run (keyword + optional location), the platforms you scrape, request timestamps, and the row counts each query delivered.
- Delivered lead rows — the public-data results returned to your account (names, profile URLs, business emails, phone numbers, business hours, etc.). Stored in your workspace until you delete them or close your account.
- Integration credentials — when you connect an outbound webhook URL or CRM endpoint (HubSpot, Pipedrive, Close, Zapier, n8n, etc.) we store the endpoint URL + signing secret encrypted at rest (Fernet). We use them only to forward your delivered leads to the destination you configured.
- Support tickets — the messages you send us via the in-app support form, plus our replies.
- Analytics / product telemetry — page views, click events, and session replays via PostHog. We capture IP at network ingress so PostHog can derive your country (we never display the raw IP back to anyone). Input fields are automatically masked from session replays.
- Logs — request method, path, response code, IP, user-agent, and for errors a stack trace. Retained 30 days for debugging and security forensics.
2. What we do with it
- Deliver the service you signed up for (run searches, return lead rows, forward them to your CRM/webhook, send invoices).
- Send transactional email (account confirmations, payment receipts, scrape-job completion alerts).
- Improve the product based on aggregate usage patterns.
- Detect abuse (e.g. queries designed to harass, dox, or violate the Terms).
- Comply with legal obligations (tax records, lawful requests from authorities).
We do not sell your data, share it with advertisers, or use it to train AI models. We do not run ad pixels (no Meta Pixel, no Google Ads remarketing).
3. Subprocessors
We rely on the following third-party providers ("subprocessors") to operate. Each handles a narrow slice of data under their own privacy policy. We update this table whenever we add or remove a vendor.
| Provider | Purpose | Region | Data passed |
|---|---|---|---|
| Supabase | Authentication + user database | EU (Frankfurt) | Email, encrypted password, OAuth identifiers |
| Stripe | Payment processing | USA / IE | Name, email, billing address, card metadata (we never see the card number) |
| PayPal | Alternative payment processing | USA / LU | Email + PayPal account identifier |
| Resend | Transactional email delivery | USA / EU | Email address + message content |
| PostHog | Product analytics + session replay | EU (Frankfurt) | Page views, click events, IP (used to derive country), anonymized user ID |
| Public-data infrastructure | Powering lead-extraction queries against public sources | Global edge | Your search keywords + locations (never your account credentials) |
| Cloudflare | DDoS protection + CDN | Global edge network | Request metadata (IP, user-agent) at the network layer |
| Linode (Akamai) | Application hosting | Germany (Frankfurt) | All processed data resides here at rest |
| Sentry (optional) | Backend error monitoring | EU | Stack traces — may include URL paths but never request bodies |
4. Cookies & similar technologies
We use a small number of first-party cookies:
- Authentication cookies (Supabase) — required to keep you signed in. Cannot be disabled without breaking sign-in.
- PostHog cookies / localStorage — used to stitch your anonymous sessions together so we can debug funnels. Honored if you set a Do-Not-Track header or use an ad-blocker. EU visitors can opt out via the cookie banner.
- Cloudflare cookies — set by our CDN for security (e.g. detecting bot abuse on the login form).
We do not use cross-site tracking cookies (no Facebook Pixel, no Google Ads tag).
5. Data retention
- Account data — kept while your account is active. Deleted within 30 days of account closure.
- Billing records — kept 7 years (tax legal requirement) even after account closure.
- Search history + delivered lead rows — kept while your account is active. Deleted on account closure.
- Server logs — 30 days, then auto-purged.
- Session replays — 30 days, then auto-purged by PostHog.
- Support tickets — kept while your account is active so context isn't lost between conversations.
6. Your rights (GDPR & equivalents)
If you're in the EU/EEA, UK, or California, you have the right to:
- Access — request a copy of every piece of data we have on you.
- Rectify — fix anything inaccurate.
- Delete — close your account and have your data erased (subject to the billing-records exception above).
- Restrict — limit how we process your data (e.g. pause notifications without deleting the account).
- Port — export your data in a machine-readable format.
- Object — opt out of analytics, session replay, or product-update emails.
- Withdraw consent — at any time, with no penalty.
To exercise any of these rights, email [email protected]. We respond within 30 days (usually within 48 hours). You can also lodge a complaint with your local data protection authority — in Morocco, that's the CNDP.
7. International data transfers
Some subprocessors (Stripe, ScraperAPI, Google APIs) operate from the United States. Where required, we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework to lawfully transfer EU data outside the EU.
8. Security
How we protect your data day-to-day:
- All connections force HTTPS (Cloudflare-issued TLS).
- OAuth tokens and integration credentials are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256).
- Database hosted in a private network; no public Postgres listener.
- Admin actions are logged to an append-only audit table.
- We run security updates on the host weekly and rotate secrets when staff leaves (currently no other staff).
We have not had a known data breach. If we do, we'll notify affected users by email within 72 hours, as required by GDPR.
9. Children
LeadDevise is a B2B service. It is not directed at anyone under 16. We do not knowingly collect data from children. If you believe a child has created an account, email [email protected] and we will delete it.
10. Changes
We'll update this page whenever we add a subprocessor, change retention periods, or roll out a feature that materially affects how we process data. We'll notify active users by email at least 14 days before changes take effect.
11. Contact
Data Controller: Imad Benzrak, Tangier, Morocco.
Email: [email protected].