Privacy Policy
LeadX.ai is a CRM built for AeroBarrier air-sealing dealers. This policy explains what information we collect when you use LeadX, how we use it, who we share it with, and the choices you have. Plain language, no dark patterns.
Data controller. LeadX.ai is operated by Okanagan AeroBarrier Inc., a British Columbia corporation (“LeadX,” “we,” “us”). Contact: [email protected].
1. Who this applies to
This policy covers two groups:
- Dealers — the AeroBarrier contractors who subscribe to LeadX and use it to run their sales pipeline.
- End users of the dealer’s pipeline — builders, property owners, and other leads whose information a dealer imports into LeadX so they can be contacted about air-sealing services.
If you are an end user, the dealer you have been in contact with is the controller of your data. LeadX is the processor that stores and moves that data on the dealer’s behalf. Direct data-access or deletion requests to the dealer first.
2. Information we collect
From dealers (when you sign up and use LeadX)
| Category | Examples |
|---|---|
| Account | Email, name, company name, territory, password hash (via Supabase Auth), Stripe customer ID. |
| Billing | Payment method (stored by Stripe, never by us), subscription tier, invoice history. |
| Usage | App interactions, feature usage, IP address, browser/device metadata, error logs. |
| Integrations | OAuth tokens for Google (Gmail send), Microsoft (Outlook draft), QuickBooks — stored only if you explicitly connect them. |
From dealers (about their leads and builders)
Dealers import or generate the following about the builders and property owners in their pipeline:
- Name, company, email, phone number, address, permit details
- SMS and email conversation history between the dealer and the lead
- Meeting notes, quotes, invoices, blower-door test results, certificates
LeadX does not independently source this data — it comes from municipal permit feeds, the dealer’s own outreach, or other sources the dealer provides.
Automatically collected
- Cookies and local storage used to keep you signed in and remember UI preferences.
- Server logs (timestamp, IP, user-agent, request path) retained for 30 days for security and debugging.
3. How we use your information
- Deliver the service. Run the pipeline, send SMS via Twilio, draft emails via Gmail/Outlook, generate AI outreach via Anthropic, process payments via Stripe.
- Support. Respond to emails you send us and troubleshoot issues you report.
- Product improvement. Aggregate and anonymize usage data to understand which features work. We never use your leads’ personal data to train our AI models.
- Security and fraud prevention. Monitor sign-ins, detect abuse, comply with our acceptable-use policy.
- Legal obligations. Comply with Canadian PIPEDA, applicable provincial privacy law, subpoenas, and lawful requests.
4. Google user data specifically
Scope: gmail.send — permission to send email on your behalf.
What we do with it: When you click “Send” on a draft email inside LeadX, we call the Gmail API using your OAuth token to send that one message. That’s it.
What we do NOT do: We do not read your inbox. We do not scan email contents. We do not store the body of sent emails beyond what is already in your Gmail Sent folder. We do not share Google user data with third parties for advertising, training AI, or any other purpose.
Your refresh token is encrypted at rest in our database (Supabase Postgres, AES-256 via pgcrypto). Revoke access at any time from your Google account or by clicking “Disconnect Google” in LeadX Settings.
LeadX’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
5. Who we share with
We don’t sell your data. We share it only with vendors who power parts of LeadX, each under a data-processing agreement:
| Vendor | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, file storage, edge functions | US (AWS us-east-1) |
| Cloudflare | CDN, DNS, static hosting | Global edge network |
| Stripe | Payment processing, subscription billing | US |
| Twilio | SMS delivery | US |
| Anthropic | AI features (outreach drafts, call briefs) — zero data retention on API calls | US |
| Google / Microsoft | Email sending via your own OAuth connection (only if you enable) | US |
We also share data when legally required (court order, subpoena) and in the event of a corporate transaction such as a merger or sale — with continuity of this policy guaranteed to you.
6. International transfers
We are based in Canada but our primary hosting provider (Supabase) is in the United States. If you are in the EU, UK, or outside North America, your data will be transferred across borders. We rely on Standard Contractual Clauses and our vendors’ certifications where applicable.
7. Retention
- Active account: We keep your data while your account is active.
- Closed account: 90 days after cancellation, we permanently delete dealer-specific data. Aggregate/anonymized analytics may persist.
- Legal holds: We retain data longer if required by law (tax records 7 years in Canada, for example).
- Backups: Daily encrypted backups, retained for 30 days.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your data (right to be forgotten)
- Export your data in a portable format
- Withdraw consent for specific processing
- Lodge a complaint with your data-protection authority
To exercise any of these rights, email [email protected]. We respond within 30 days.
If you are an end user (a lead in a dealer’s pipeline), direct your request to the dealer. We will support the dealer in fulfilling it.
9. Security
- All traffic encrypted in transit (TLS 1.3)
- Database encrypted at rest (AES-256)
- OAuth tokens encrypted at rest via Postgres pgcrypto
- Row-level security (RLS) enforces dealer-level isolation — one dealer cannot see another dealer’s data, ever
- No production database access without MFA
- Security issues: [email protected]
10. Children
LeadX is a B2B product. We do not knowingly collect information from anyone under 16.
11. Changes to this policy
We will post material changes here with a new effective date and, if you are a dealer, email you at least 30 days before they take effect.
12. Contact
Questions, requests, complaints:
LeadX.ai · operated by Okanagan AeroBarrier Inc.
Email: [email protected]
Security: [email protected]