LeadClaw

Privacy Policy

Last updated: February 14, 2026

1. Introduction

LeadClaw ("we," "us," or "our") operates an autonomous AI sales outreach platform that helps service-based businesses find leads and send personalized outreach emails. This Privacy Policy describes how we collect, use, store, and protect your information when you use our platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials (managed by Supabase Auth). If you sign up with Google OAuth, we receive your name and email from Google.

2.2 Business Profile Data

During onboarding, our AI assistant collects information about your business through conversation: business name, type, location, service area, offerings, pricing, website URL, and communication tone. We may also scrape publicly available information from your business website to build your profile.

2.3 Gmail Data (via Google OAuth)

When you connect a Gmail account for your AI agent, we request access to the following Google API scopes:

  • gmail.send — to send outreach emails and replies on behalf of your business
  • gmail.readonly — to monitor your agent's inbox for lead replies and classify responses
  • gmail.modify — to manage email labels and thread state for organizational purposes

We only access the Gmail account you specifically authorize for your AI agent. We do not access your personal Gmail account unless you choose to use it as your agent's email.

2.4 Lead Data

Our AI agent generates leads from publicly available sources including Google Maps listings, business directories, Yelp, and public business websites. We collect business names, publicly listed email addresses, phone numbers, website URLs, and business descriptions. We do not purchase email lists or scrape data from behind login walls.

2.5 Email Content and Communications

We store outbound emails sent by your AI agent, inbound replies from leads, and conversations between you and your AI agent (via chat, email, or SMS). This data is used to track lead engagement, improve outreach effectiveness, and provide campaign analytics.

2.6 Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe's privacy practices are governed by its own privacy policy.

2.7 Usage Data

We collect standard usage data including page views, feature usage, and performance metrics to improve our service.

3. How We Use Your Information

We use collected information to:

  • Provide and operate the LeadClaw platform
  • Send outreach emails and manage campaigns on your behalf
  • Monitor your agent's inbox for lead replies
  • Generate daily and weekly campaign reports
  • Improve AI outreach effectiveness through learning
  • Provide customer support
  • Process payments and manage billing
  • Send transactional notifications (daily reports, hot lead alerts)
  • Ensure compliance with email sending regulations
  • Detect and prevent abuse of our platform

4. Google API Services User Data Policy

LeadClaw's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.1 Limited Use Disclosure

Our use of data obtained through Google APIs is limited as follows:

  • Limited to user-facing features: We only use Gmail data to provide the core service you signed up for — sending outreach emails, monitoring replies, and managing email threads for your campaigns.
  • No third-party transfers: We do not transfer Gmail data to third parties except as necessary to provide the service (e.g., Anthropic's AI processes email content for sentiment classification), with your consent, or as required by law.
  • No advertising: We do not use Gmail data for serving advertisements, ad targeting, or any advertising purpose.
  • No human access without consent: Our team does not read your email content unless you provide explicit consent for support purposes, it is necessary for security investigation, or we are required by law.

4.2 AI Processing of Email Data

Inbound emails to your agent's Gmail are processed by Anthropic's Claude AI for sentiment classification (e.g., determining if a reply indicates interest, a question, or an unsubscribe request). This processing is automated, performed solely to provide the service, and Anthropic does not retain your email data beyond the API request. No email content is used to train AI models.

5. Data Storage and Security

5.1 Infrastructure

Your data is stored across our secure infrastructure:

  • Supabase (PostgreSQL) — Account data, campaign data, lead records, email logs. Protected by Row Level Security ensuring you can only access your own data.
  • Isolated VPS — Each user's AI agent runs on a dedicated, isolated cloud server. No data is shared between users.
  • Supabase Auth — Authentication managed by Supabase with industry-standard security.

5.2 Encryption

  • All data transmitted over HTTPS/TLS
  • Database encryption at rest (Supabase default)
  • Gmail OAuth tokens encrypted with AES-256 using per-user encryption keys. Encryption keys are derived from your account ID and a server secret — they are never stored in the database.
  • Agent API keys are hashed before storage

5.3 Isolation

Each user's AI agent operates on a dedicated, isolated cloud server. No memory, processes, or data are shared between users. The agent server firewall only allows HTTPS (port 443) and management SSH (port 22) traffic.

6. Third-Party Services

We use the following third-party services to operate LeadClaw:

  • Anthropic — AI processing for email drafting, sentiment classification, and campaign planning
  • Google — Gmail API for sending and receiving emails via OAuth
  • Supabase Auth — User authentication and account management (included in Supabase platform)
  • Supabase — Database, real-time subscriptions, and file storage
  • Stripe — Payment processing and subscription management
  • Twilio — SMS communication between you and your AI agent
  • ZeroBounce — Email address verification before sending outreach
  • Hetzner — Cloud server hosting for AI agents
  • Vercel — Web application hosting
  • Inngest — Background job processing

Each service processes only the minimum data necessary for its function. We encourage you to review each service's privacy policy.

7. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of account closure.
  • Campaign and lead data: Retained while your account is active. You may request deletion at any time.
  • Email logs: Retained for the duration of the campaign retention period. Deleted with campaign data.
  • Gmail OAuth tokens: Revoked and deleted when you disconnect your Gmail account or close your account.
  • Agent memory: AI agent learnings are stored on your isolated server and in our database. Deleted when your account is closed.
  • Payment records: Retained as required by tax and financial regulations.

8. Your Rights

8.1 All Users

  • Access: Request a copy of all data we hold about you
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and all associated data
  • Gmail disconnection: Revoke Gmail access at any time via your Google account settings or our Settings page
  • Export: Request an export of your campaign data, lead data, and email logs

8.2 GDPR Rights (EU/UK Users)

If you are in the European Union or United Kingdom, you have additional rights under GDPR:

  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

8.3 Lead Data Rights

Leads contacted by your AI agent can unsubscribe from all future communications at any time using the one-click unsubscribe link included in every email. Unsubscribe requests are honored immediately and apply globally across all campaigns.

9. Email Compliance

LeadClaw is designed to comply with email regulations:

  • CAN-SPAM Act: Every email includes a clear sender identity, a physical mailing address, and an unsubscribe mechanism
  • GDPR: Lead data processing compliant with EU data protection requirements
  • RFC 8058: One-click unsubscribe headers included in all outreach emails
  • Rate limiting: Automatic sending limits and warmup protocols to protect sender reputation
  • Auto-pause: Sending automatically pauses if bounce rate exceeds 2% or complaint rate exceeds 0.1%

10. Children's Privacy

LeadClaw is not intended for use by anyone under the age of 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our platform. Your continued use of LeadClaw after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: privacy@leadclaw.io