Privacy Policy

LeadCredit Pro ("LeadCredit Pro", "we", "us") is operated by [LEGAL ENTITY NAME], a [STATE] limited liability company with offices at [ADDRESS]. You can reach us at privacy@leadcreditpro.com.

2.1 Account data

Name, email address, organization name, role, and authentication metadata. Authentication is provided by Clerk; we never store passwords ourselves.

2.2 Lead data you upload

When you upload a Local Services Ads CSV (or, in a future release, connect your Google Ads account), we receive the lead records that file or API contains. This includes the customer's name, phone number, email address, job type, service area, lead date and time, and any cost figures Google has reported.

Phone numbers and email addresses are encrypted at rest using AES-256-GCM before they are written to our database. We also store a one-way HMAC-SHA-256 hash of each value, salted with a server-side pepper, so we can detect duplicates without ever storing the raw value in a searchable form. Decryption happens only when you, an authorized member of your organization, or a documented support request opens a specific lead in your dashboard.

2.3 Usage and operational data

Standard request logs (timestamps, route, status code, request id), audit-log entries for security-sensitive actions (logins, role changes, exports, deletions, integration connect/disconnect, billing changes), and product telemetry (feature usage, error events). Logs and telemetry are scrubbed of PII via a deny-list redactor before they are written.

2.4 Payment data

Billing is processed by Stripe. We never see or store full card numbers. Stripe sends us an opaque customer id and the public attributes of your subscription (status, plan, trial end, period end).

• To provide the audit, classification, and reporting features you signed up for.
• To detect and prevent fraud, abuse, and security incidents.
• To bill you for the plan you have chosen.
• To communicate with you about your account, security alerts, and material changes to this policy.
• To comply with legal obligations.

We do not sell your data, do not use lead PII to train machine-learning models, and do not use your data to advertise to you or to third parties.

We rely on the following service providers to operate the product:

Each subprocessor has its own privacy policy and security commitments. We periodically review their compliance. We will update this list before adding a new subprocessor that processes customer data.

• Lead data: retained while your subscription is active. The original uploaded CSV file is deleted from object storage as soon as the import job completes; only the parsed, encrypted lead rows persist.
• Audit logs: retained for 18 months for security and compliance.
• Account closure: when you delete your organization, lead rows and uploaded artifacts are erased within 30 days. Backups roll off within 35 days.

Depending on where you live (CCPA, GDPR, or similar), you have the right to access, correct, export, or delete your personal data. Owners can perform most of these actions directly from Settings. For everything else, email privacy@leadcreditpro.com and we will respond within 30 days.

When you connect a Google Ads account to LeadCredit Pro, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7.1 Scopes we request

7.2 What we store

• Refresh token: encrypted at rest with AES-256-GCM. Used only to mint short-lived access tokens to call the Google Ads API on your behalf during a sync.
• Connected Google account email and customer id: shown in Settings so you know which account is connected.
• Lead records returned by the API: stored under the same encryption and retention rules as Section 2.2.

7.3 What we do not do

• We do not transfer Google user data to third parties for advertising or resale.
• We do not use Google user data to train generalized AI or ML models.
• We do not allow humans to read your Google user data except (a) with your explicit consent for support, (b) for security investigations, or (c) when required by law.
• We do not request or store your Google account password.

7.4 How to revoke access

You can disconnect at any time from Settings → Integrations. Disconnecting revokes the refresh token at Google and nulls our encrypted copy. You can also revoke at any time directly from your Google Account at myaccount.google.com/permissions.

Data is encrypted in transit (TLS 1.2+) and at rest. PII fields use envelope encryption with KMS-managed keys. Access to production systems is limited to engineers on call, gated by SSO with hardware-key MFA, and audit-logged. We run continuous dependency scanning and respond to high-severity advisories on a target SLA of seven days.

Our infrastructure is primarily located in the United States. If you access the product from outside the United States, you understand that your data may be transferred to and processed in the United States. Where required, we rely on Standard Contractual Clauses for the transfer of personal data to a third country.

The product is intended for use by businesses. We do not knowingly collect personal data from anyone under the age of 16.

We will post material changes to this policy on this page and, where required, notify you by email. The "Effective" date at the top reflects the most recent change.

Questions or requests: privacy@leadcreditpro.com.