Privacy Policy
Last updated: July 5, 2026. This policy explains what data LeadX collects, how it is used, who we share it with, and your rights.
Who we are
LeadX (“LeadX”, “we”, “us”) is an AI-native lead-generation and outreach platform operated by an independent developer. LeadX helps its users find local businesses, generate websites for them, and send outreach. You can reach us at support@leadx.dev for any privacy question or request.
Two kinds of people this policy covers
Because LeadX is a tool for finding and contacting businesses, this policy covers two groups:
- Users — people who sign up for and use LeadX. For your account data, LeadX is the data controller.
- Business contacts (“leads”) — the businesses and their publicly-listed contact details that a User discovers and may contact through LeadX. For this data, the User who runs the campaign is the controller; LeadX acts as a processor handling that data on the User's instructions. See “Business-contact (lead) data” below.
What we collect from Users
Information you provide
- Account data — your email address and password, or an OAuth identifier if you sign in with GitHub (via Supabase Auth).
- Campaign configuration — the niche, city, filters, lead counts, outreach templates, and sender identity you set up.
- Connected credentials — if you choose to connect outreach or export tools, the credentials you enter (your SMTP password, Twilio auth token, and any HubSpot / Pipedrive / SuperMailr API tokens). These secrets are encrypted at rest and are never returned to the browser or written to our logs.
- Support messages — the content of any message you send us through the in-app support form or by email.
Collected automatically
- Usage data — campaign runs, lead counts, agent/pipeline events, and feature interactions, used to operate the product and improve reliability.
- Log data — server logs including IP address, request paths, browser type, and timestamps, retained for up to 30 days. Access tokens that appear in a request are redacted from these logs.
- Cookies — a session cookie required to keep you signed in (via Supabase Auth). We do not use advertising or cross-site tracking cookies.
Payment and card details are handled entirely by Stripe. LeadX never sees or stores your full card number.
Business-contact (lead) data
When you run a campaign, LeadX searches publicly available business listings (via the Apify data platform) and returns businesses matching your niche and city. For each business this may include the business name, address, phone number, website, category, rating, review count, and — only if you explicitly enable the paid email-scraping option — a business contact email scraped from the business's own website.
This information is about businesses and their public contact points, not consumer profiles. Where it constitutes personal data (for example, a sole trader's name or email), the User who ran the campaign is the controller of that data and is responsible for having a lawful basis to collect and contact those businesses, and for complying with applicable marketing and anti-spam laws (e.g. GDPR, CAN-SPAM, CASL). LeadX processes this data on the User's behalf.
If you are a business owner and want your details removed from a LeadX user's data, see “If you are a business we contacted” below.
How we use data
We use the information above to:
- Provide, operate, secure, and maintain the LeadX platform and your account.
- Run the Scout (lead discovery), Builder (website generation), and Outreach agents on your behalf.
- Power the in-app AI assistant (“Lex”), which turns your requests into campaign actions.
- Generate and deploy websites and personalize outreach messages using your settings.
- Diagnose errors, prevent abuse, enforce plan limits, and improve stability.
- Send transactional email (e.g. sign-in confirmation, password reset, billing). We do not send marketing email without your opt-in.
We do not sell your personal data, we do not use it to train our own advertising models, and we do not share it with data brokers.
AI features
LeadX uses third-party AI services to power specific features:
- Lex assistant — your chat messages plus a summary of your own campaigns/stats are sent to Groq for inference so it can respond and propose actions.
- Website Builder — a business's public profile data (and, via Apify, its public photos and reviews) is used to generate a website draft.
We instruct these providers to process data only to return a result for your request. We do not authorize them to use your content to train their models; their own terms and privacy policies also apply.
Who we share data with
We share data only with the service providers (sub-processors) needed to run the product, strictly as required:
- Supabase — authentication, database, and file storage.
- Stripe — subscription billing and payment processing (we never store card details).
- Apify — discovery of public business listings, and business photos/reviews for the Builder.
- Groq — AI inference for the Lex assistant.
- Vercel — hosting and deployment of the websites the Builder generates.
- Vultr — cloud servers that run the LeadX application.
Tools you connect yourself — if you enter credentials for outreach or exports, LeadX sends the relevant data to your own accounts on those services at your instruction: your SMTP email provider, Twilio (SMS), and any HubSpot, Pipedrive, or SuperMailr account you connect. Those services process the data under their own terms.
We may also disclose data if required by law, or where necessary to protect the rights, safety, or property of LeadX or its users.
International data transfers
LeadX and its providers may process data in the United States and other countries. Where data is transferred out of your region (for example, from the EU/UK), we rely on the transfer mechanisms offered by our providers, such as Standard Contractual Clauses. By using LeadX you understand your data may be processed in these locations.
How long we keep it
- Account data — kept while your account is active and for up to 30 days after deletion.
- Lead / campaign data — kept until you delete it in the dashboard or close your account.
- Connected credentials — deleted when you remove them in Settings or close your account.
- Server logs — deleted automatically after 30 days.
- Billing records — retained by Stripe and by us as required for tax and accounting.
Outreach
When you use Outreach, email is sent via your own SMTP provider and SMS via your own Twilio account, using the credentials you connected. LeadX stores your message templates and the status of each pitch (e.g. sent / not sent). You are responsible for the content you send and for complying with anti-spam and marketing laws in the recipients' jurisdictions.
Your rights (Users)
Depending on where you live, you may have rights under the GDPR, UK GDPR, CCPA/CPRA, or similar laws, including to:
- Access — get a copy of the data we hold about you.
- Correct — fix inaccurate data.
- Delete — delete your account and associated data.
- Port — receive your data in a machine-readable format (you can also export leads to CSV any time).
- Object / restrict — object to or restrict certain processing.
- Opt out of “sale/share” — we do not sell or share personal information as those terms are defined under California law, so there is nothing to opt out of.
To exercise any right, email support@leadx.dev. We respond within 30 days and will not discriminate against you for exercising a right.
If you are a business we contacted
If you received outreach generated through LeadX, or your business appears in a LeadX user's leads, the LeadX user who ran that campaign is the controller of that data. You can reply directly to opt out of their outreach. You may also email us at support@leadx.dev and we will help route your request to the relevant user and delete the record where we are able.
Security
We use industry-standard safeguards: encrypted connections (TLS), encryption at rest for connected credentials, row-level access controls on the database, and per-user scoping so one account cannot read another's data. No system is perfectly secure, but we work to protect your information and to fix issues quickly.
Children
LeadX is a business tool and is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.
Changes to this policy
We may update this policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, take reasonable steps to notify you. Continued use of LeadX after an update takes effect means you accept the revised policy.
Contact
Questions or requests about your privacy? Email support@leadx.dev.