Privacy Policy

1. Who We Are and What We Do

EnterLeads is a B2B lead discovery and AI-assisted email composition platform based in Texas, United States.

In plain language: we discover business information from public sources (Google Maps, Yelp, BBB, government permit databases, business directories), help you research those businesses using AI, and assist you in drafting personalized outreach emails sent from your own email account.

How your data flows: Public directories → our database → you search → AI researches & drafts → you review and send (or authorize automated sending from) your own Gmail or Outlook.

2. Data We Collect About You (Account Holders)

• Identity: Name, email address, phone number (optional, for 2FA).
• Authentication: Password (hashed with Argon2id, never stored in plain text), Google OAuth tokens (for sign-in only — grants access to your name and email address, not your inbox), SMS verification codes (via Twilio, single-use, 5-minute expiry).
• Business profile: Industry, services offered, location, service area, business address, goals, differentiators (collected during onboarding intake).
• Payment: Processed by Stripe and PayPal — we never see, store, or have access to card numbers. We store: subscription tier, billing dates, payment history, Stripe customer ID.
• Email account connection: When you connect Gmail or Outlook, we use Nylas (a third-party email API) to send emails on your behalf. We store OAuth tokens (encrypted) for your email provider. We can read sent status and replies to emails sent through our platform. We do NOT read your personal emails or access your inbox beyond what's needed for outreach delivery and reply tracking.
• Account activity: Login history, IP addresses, pipeline runs, email send counts, agent chat conversations.
• AI usage: Token consumption per conversation, model selections, chat history with the AI agent.

3. Data We Collect About Businesses (Lead Data)

This is the core product. We aggregate publicly available business information from multiple sources:

• Google Maps: Company name, address, phone, website, Google rating, review count, business hours, categories.
• Yelp Fusion API: Business details, ratings, review counts, categories.
• BBB (Better Business Bureau): Accreditation status, BBB rating (A+ to F), complaint count, years in business.
• Yellow Pages: Business listings, phone numbers, categories.
• State permit databases: Building permits (contractor name, permit type, project address, issue date, estimated value) from public government records in Texas, Arizona, and other jurisdictions.
• State license databases: Professional license numbers, status (active/expired), issue and expiry dates, license holder names from public government records (e.g., Texas TDLR, California CSLB).
• Company websites: Publicly visible information including services offered, team pages, contact information.
• Social media: Publicly visible business profiles on Facebook, Instagram, LinkedIn, Twitter (handles, follower counts — no private data).
• Job boards: Public job postings via Fantastic.jobs and similar aggregators (as hiring activity signals).

AI-generated research: We use AI to compile publicly available information into research dossiers. These dossiers summarize what we found — they do not contain private data.

Contact information: Business email addresses and phone numbers from public listings. We do NOT purchase email lists or scrape private/personal data.

All business data is from public sources — government records, public APIs, business directories, and company websites.

4. How We Use Data

• User account data: Account management, authentication, billing, service delivery, customer support, usage analytics.
• Business data: Displayed to you for lead discovery, used as context in AI-drafted emails, scored for relevance to your industry and goals.
• Email metadata: We track delivery status, open rates (via tracking pixel at track.enterleads.pro), and reply classification. Reply classification is used to honor opt-outs — if a recipient says "stop" or "not interested," we automatically suppress future emails to them.
• AI processing: To provide our service, we send target business data and your business profile information (name, company, industry, services, location, differentiators) to AI providers (Anthropic, Google) for email drafting, research dossiers, reply classification, and the AI chat agent. We do NOT send your login credentials, password, payment information, or email account tokens to AI providers. Your data is sent only for real-time processing (inference) and is not used by AI providers for model training per our data processing agreements with those providers.
• Additional AI providers: We may use additional AI model providers (such as Groq, Fireworks, Mistral, and others) as backup or fallback providers for service reliability. These providers receive the same data as our primary providers (target business data and your business profile) and are subject to the same constraints — no credential or payment data is shared, and no data is used for model training.
• AI chat agent: When you use the AI assistant, your messages, relevant business profile context, lead data you are discussing, and conversation history are sent to AI providers to generate responses. Chat logs are stored per our retention schedule (see Section 10). The same data sharing constraints apply — no credentials or payment data is sent, no data is used for model training without your explicit consent.

By default, we do not use your content to train AI models. Our AI training policy is opt-in — your data is never shared for training purposes unless you explicitly consent. If you opt in, your data is anonymized before any training use, and you may withdraw consent at any time.

5. Third-Party Services

We use the following third-party services to deliver EnterLeads. Each has access only to the data needed for its specific function:

• Nylas — Connects your Gmail/Outlook account for sending emails and tracking replies. Nylas has access to send emails from your account and read replies to those emails. [Nylas Privacy Policy link]
• Stripe — Processes credit card payments. PCI-DSS Level 1 compliant. We never see or store your card number. [Stripe Privacy Policy link]
• PayPal — Alternative payment processing. [PayPal Privacy Policy link]
• Klarna — Buy-now-pay-later payment option available through Stripe. When you choose Klarna, your name, email, and purchase amount are shared with Klarna for credit assessment. [Klarna Privacy Policy link]
• SendGrid — Sends transactional emails (signup verification, password resets, billing notifications). Also handles inbound reply parsing for email tracking via reply.enterleads.pro. [SendGrid Privacy Policy link]
• Twilio — Sends SMS verification codes for two-factor authentication. We share your phone number with Twilio for this purpose only. [Twilio Privacy Policy link]
• Anthropic (Claude) — Powers AI email drafting, company research, and reply classification. We send target business data and your business profile (name, company, industry, services, location) to Anthropic's API. We do not send your login credentials, payment data, or email account tokens. [Anthropic Privacy Policy link]
• Google (Gemini) — Backup AI provider used when primary provider is unavailable. Same data sharing as Anthropic — target business data and your business profile for drafting, no credentials or payment data. [Google AI Privacy link]
• Additional AI providers (such as Groq, Fireworks, Mistral, and others) — Backup AI providers used for service reliability when primary providers are unavailable. Same data sharing constraints as Anthropic and Google — target business data and business profile only, no credentials or payment data, no model training.
• Google Maps Platform — Business discovery via Places API. We send search queries (location + business type). [Google Privacy Policy link]
• Railway — Cloud hosting infrastructure. All application data, databases, and services are hosted on Railway in the United States. [Railway Privacy Policy link]

6. Cookies and Tracking

• g_state cookie — Set by Google Identity Services for the Google Sign-In button. Set automatically before any user interaction.
• enterleads_session cookie — Session authentication token. HttpOnly, Secure, SameSite=Lax. Expires after 30 days.
• Email open tracking — When an email is sent through our platform, it may include a 1x1 tracking pixel at track.enterleads.pro to detect when the recipient opens the email. Note: Apple Mail Privacy Protection pre-fetches all images, making open tracking unreliable for Apple Mail users.
• Email click tracking — Links in sent emails may be routed through track.enterleads.pro to track clicks. Unsubscribe links are excluded from click tracking — they always work directly.
• What we do NOT use: Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Amplitude, or any third-party advertising trackers.
• IP address handling: For GDPR compliance, IP addresses in visitor tracking are truncated (last octet removed).
• Do Not Track: We honor the Do Not Track (DNT) browser signal. When your browser sends a DNT request, we disable non-essential visitor tracking.
• Cookie consent: We display a cookie consent banner when you first visit our site. Non-essential tracking does not begin until you accept. You can withdraw consent at any time through the cookie settings on our website.

7. Data Sharing

We do NOT sell personal data. Not to data brokers, not to advertisers, not to anyone.

• Service providers: We share data with the third-party services listed in Section 5 only as necessary to deliver the service. Each provider is bound by their own privacy policy and data processing agreements.
• Business data shared with users: The core product displays publicly sourced business data to platform users. This data was collected from public sources and is displayed for legitimate business outreach purposes.
• Legal requirements: We may disclose data if required by law, court order, or legal process.
• Business transfers: In the event of a merger, acquisition, or asset sale, user data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
• Aggregated data: We may share anonymized, aggregated statistics that cannot identify any individual (e.g., "X% of users are in the construction industry").

8. Your Rights (Account Holders)

• Right to access: Request a copy of all data we hold about you. Response within 30 days.
• Right to correction: Request correction of inaccurate personal data.
• Right to deletion: Request deletion of your account and personal data. Process: 7-day cooling off → 30-day export window → soft delete → hard delete at day 90. Some data retained for legal reasons (financial records for 7 years per tax law, suppression records to prevent re-contacting opted-out contacts).
• Right to data portability: Export your data in machine-readable format during the 30-day export window.
• Right to restrict processing: Request that we limit how we use your data.
• Right to object: Object to processing based on legitimate interest.
• Right to withdraw consent: Withdraw consent at any time (e.g., disconnect your email account).
• Right regarding automated decisions: You have the right to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our platform uses AI to score leads, classify email replies, and in automation mode may send emails without per-message human review. You may request human review of any automated decision affecting your account or communications at any time by contacting privacy@enterleads.pro.

California Residents (CCPA)

You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise these rights, contact privacy@enterleads.pro.

EU Residents (GDPR)

Legal basis for processing: contract performance (for service delivery), legitimate interest (for B2B business data aggregation), consent (for optional features like SMS 2FA), and legal obligation (for tax record retention, breach notification, and suppression record keeping as required by law). Data transferred to the US under Standard Contractual Clauses. You may lodge a complaint with your local supervisory authority.

How to Exercise Your Rights

Email privacy@enterleads.pro or use the in-app account settings. Response within 30 days. Identity verification required for deletion and export requests.

9. Rights of People Whose Business Data We Collect

If your business information appears in our system and you want it removed:

• Email: privacy@enterleads.pro with "Data Removal Request" in the subject.
• What we need: Your business name, address, and the email address associated with the listing.
• Timeframe: We will process removal requests within 10 business days.
• What happens: Your business data is suppressed from our database. It will not appear in future search results or be used in outreach emails. Suppression records are retained permanently to ensure we don't re-add your data from future scrapes.

We only collect data from public sources — government records, public APIs (Google Maps, Yelp), business directories, and publicly visible websites. We do not access private databases, gated content, or data behind login walls.

GDPR Article 17 (Right to Erasure): Contact privacy@enterleads.pro or use the data deletion option in your account settings. PII is nullified, all consent channels opted out. Suppression records retained for compliance.

GDPR Article 20 (Data Portability): Contact privacy@enterleads.pro or use the data export option in your account settings. Returns all data held about you in machine-readable format.

10. Data Retention

• Automated enforcement: Retention schedules are enforced by automated scheduled jobs. Data past retention windows is soft-deleted, then hard-deleted after a 30-day grace period.
• Retention clocks are suspended during account pause. No data is auto-purged while a subscription is paused. Clocks resume when you either reactivate or the pause period expires and converts to cancellation.
• Backups: Purged 30 days after hard delete. No recovery is possible after backup purge.

11. Data Security

• Encryption in transit: TLS 1.3 for all connections.
• Encryption at rest: AES-256 for database storage.
• Database connections: SSL enforced (sslmode=require) for all non-localhost PostgreSQL connections.
• Password storage: Argon2id hashing (never stored in plain text).
• OAuth tokens: Encrypted storage in database, auto-refreshed every hour (Nylas), health-checked every 6 hours.
• Payment data: PCI-DSS compliant via Stripe/PayPal — we never see, store, or process card numbers.
• API keys: Stored in environment variables, never hardcoded in source code.
• Access controls: Role-based access control (RBAC) with principle of least privilege.
• Rate limiting: Tier-based API rate limits (Free: 30 req/min, Pro: 100 req/min, Business: 500 req/min) via Redis sliding window.
• Session security: SHA-256 hashed tokens, 30-day expiry, immediate revocation on password change.
• Brute force protection: 5 failed login attempts triggers a 15-minute lockout.
• Data breach notification: In the event of a data breach that poses a risk to individuals, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach poses a high risk to your rights and freedoms, we will notify affected users without undue delay as required by GDPR Article 34. Incident tracking and breach notification workflows are automated.
• Data Protection Impact Assessments: We conduct DPIAs before implementing processing activities that may pose high risk to individuals' rights, as required by GDPR Article 35.

12. Email Communication Compliance

Consent System

Per-channel consent tracking (email marketing, SMS marketing, transactional email, product updates, newsletter). All consent changes logged with audit trail (IP, timestamp, source, consent text shown).

Cold Outreach Opt-Out

One-to-one outreach emails include a natural-language opt-out line (e.g., "If you'd prefer I not reach out, just let me know"). No unsubscribe link or List-Unsubscribe header is added — these are individual business emails sent from the user's own inbox, not bulk marketing. Our AI classifier detects opt-out replies ("stop," "unsubscribe," "remove me," "not interested") and automatically suppresses future contact.

Automated Sequence Opt-Out

Emails sent as part of multi-step follow-up sequences include a one-click unsubscribe link and List-Unsubscribe-Post header. Recipients can also reply with opt-out language — the AI classifier detects these and immediately stops the sequence and suppresses the contact.

Preference Center

Recipients can manage their communication preferences at any time via a token-based preference page (no login required).

Consent Expiry

Email marketing consent expires after 24 months (GDPR data minimization). Re-consent prompts are sent automatically before expiry.

Cold Outreach and Consent

First-touch B2B outreach to publicly listed businesses does not require prior consent under CAN-SPAM (opt-out model). The consent checks apply to ongoing automated sequences, not first-touch cold outreach. Once a recipient opts out via any mechanism (reply, unsubscribe link, or preference center), they are permanently suppressed from all future contact regardless of email type.

Suppression Enforcement

Our system checks consent status before every single email send. Emails are blocked if: no consent recorded (for sequences), globally unsubscribed, on suppression list, or email not verified.

SMS (TCPA)

SMS is used only for authentication (OTP codes). We do not send marketing SMS. If we ever add marketing SMS, prior express written consent will be required per TCPA. Reply STOP is honored immediately.

13. Children's Privacy (COPPA)

EnterLeads is a B2B business tool primarily intended for adults (18+).

• We do not knowingly collect personal information from children under 13. If we learn we have collected data from a child under 13, we will delete the account immediately.
• Users aged 13–17 may use the platform with verified parental or legal guardian consent. Parental controls are available, and data minimization is applied to minor accounts.
• Age verification is performed during account registration.

14. Special Account Situations

Deceased Account Holders

Upon receipt of a valid death certificate, we will either close the account or transfer it to a designated representative. Refunds processed per standard policy. Contact legal@enterleads.pro.

Power of Attorney

Authorized representatives may manage accounts with valid POA documentation. Access levels determined by POA scope. Full audit trail maintained. Revocation honored immediately upon notification.

Hacked Accounts

If we detect or you report unauthorized access, we immediately lock the account, force password reset, revoke all sessions, and notify you. We will verify your identity before restoring access. If unauthorized transactions occurred during the compromise, we will work with you to reverse those transactions. A follow-up review will be conducted within 48 hours.

15. Changes to This Policy

We will notify you of material changes via email at least 30 days before they take effect.

Non-material changes (clarifications, formatting) may be made without notice.

For clarity, the following are always considered material changes requiring 30-day notice: changes to what data we collect, how we use or share data, data retention periods, user rights, third-party service providers that process personal data, and cookie or tracking practices.

Continued use after the notice period means you accept the changes. You may cancel your account without penalty if you disagree.

Previous versions of this policy will be archived and available upon request by emailing legal@enterleads.pro.

16. Contact Information

• General inquiries: support@enterleads.pro
• Privacy requests: privacy@enterleads.pro (data access, deletion, export, removal requests)
• Legal matters: legal@enterleads.pro (ToS questions, disputes, POA, deceased accounts)
• Physical address: 8080 Westpark Drive STE 36444, Houston, TX 77063

We will respond to all inquiries as promptly as possible. Privacy and GDPR requests are processed within 30 days as required by law.