← Back to app
Legal

Privacy Policy

Effective June 2025 — Last updated June 2026

LeadFlow is a private CRM tool. We collect only what is necessary to operate the service and do not sell or share your data with advertisers or third parties.

1. Who we are

LeadFlow is a SaaS CRM application for managing leads, follow-ups, and pipeline data. References to "we," "us," or "LeadFlow" mean the operators of this service.

For privacy questions, contact us at leadflow.app1@gmail.com.

2. Information we collect

Account information: When you register, we store your username, email address, and a bcrypt hash of your password. Your plain-text password is never stored.

Lead data: Contact names, companies, emails, phone numbers, deal values, notes, and pipeline status that you enter into the CRM.

Usage data: Timestamps for account creation, last login, and lead activity. We do not run third-party analytics or ad tracking.

Session data: A secure, encrypted session cookie that identifies your logged-in session. See the Cookies section below.

3. How we use your information

  • To authenticate you and keep your session secure
  • To store and display your CRM data
  • To send password reset emails when you request them
  • To enforce rate limits and prevent abuse

We do not use your data for advertising, profiling, or sale to third parties.

4. Cookies

Session cookie (leadflow-sid / __Host-leadflow-sid): Required to keep you signed in. HttpOnly (not readable by JavaScript), Secure in production, SameSite=Strict. Expires after 7 days of inactivity.

CSRF cookie (csrf_token): A short-lived anti-forgery token tied to your session. Expires after 1 hour and is refreshed on each request.

We do not use tracking, advertising, or analytics cookies.

5. Password reset

If you request a password reset, we generate a cryptographically random token, store a SHA-256 hash of it (never the raw token), and email you a link containing the raw token. The link expires in 1 hour and can only be used once. Requesting a reset does not reveal whether your email address is registered.

6. Security

Passwords are hashed with bcrypt (cost factor 13). The application enforces HTTPS in production, sets strict security headers (Content-Security-Policy, X-Frame-Options, Referrer-Policy), applies CSRF protection on all state-changing requests, and rate-limits authentication endpoints.

No security measure is perfect. In the event of a data breach affecting your account, we will notify you promptly.

7. Data storage and hosting

Data is stored in a PostgreSQL database hosted on Render.com (or a compatible cloud provider). Connections use TLS. If AI features are enabled, lead content may be sent to a third-party AI provider (such as Anthropic or OpenAI) for processing. No data is stored by the AI provider beyond the duration of the request.

8. Data retention

Your account and lead data are retained for as long as your account is active. Password reset tokens expire after 1 hour and are deleted when used. If you wish to delete your account or export your data, contact us at leadflow.app1@gmail.com.

9. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing leadflow.app1@gmail.com. We will respond within a reasonable time.

10. Children

LeadFlow is not directed at anyone under 16 years of age. We do not knowingly collect personal data from children.

11. Changes to this policy

We may update this policy periodically. Continued use of the service after changes constitutes acceptance. The effective date at the top of this page will reflect the most recent revision.

12. Contact

Privacy questions: leadflow.app1@gmail.com