Privacy Policy
Last updated: July 6, 2026
1. Introduction
LeadClaw ("we," "us," or "our") operates an AI marketing platform for service businesses. Your dedicated AI agent finds leads, writes and sends personalized outreach email, builds paid ad campaigns for your approval, and drafts and schedules social media content across your connected accounts. This Privacy Policy describes how we collect, use, store, and protect your information when you use our platform.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and authentication credentials (managed by Supabase Auth). You may sign up or sign in with Google ("Continue with Google"), in which case Google shares your name and email address with us for the sole purpose of authenticating you. Signing in with Google gives us access to your basic profile only — it does not give us access to your Gmail mailbox, contacts, or any other Google service.
2.2 Business Profile Data
During onboarding, our AI assistant collects information about your business through conversation: business name, type, location, service area, offerings, pricing, website URL, brand voice, and visual style. We may also scrape publicly available information and images from your business website to build your profile and brand context.
2.3 Email Sending and Communications
Your AI agent sends outreach email through our email provider (Resend) from a dedicated sending address on an authenticated LeadClaw domain (for example, you@leadclaw.io), or from your own custom domain if you connect one. We do not access, read, or send from your personal Gmail, Outlook, or other mailboxes. We store the outbound emails your agent sends, inbound replies from leads (received via provider webhooks), and conversations between you and your AI agent. This data is used to track lead engagement, manage follow-ups, and measure results.
2.4 Lead Data
Our AI agent generates leads from publicly available sources including Google Maps listings, business directories, and public business websites, and verifies email addresses before outreach. We collect business names, publicly listed email addresses, phone numbers, website URLs, and business descriptions. If you upload your own list, we scan it for sensitive personal information before it is stored. We do not purchase email lists or scrape data from behind login walls.
2.5 Connected Accounts (Ads & Social)
To run paid ads or publish social content, you may connect third-party accounts using their official authorization (OAuth):
- Ad platforms — Google Ads and Meta (Facebook) Ads, so your agent can build and submit ad campaigns
- Social platforms — Facebook, Instagram, LinkedIn, and X, so your agent can schedule and publish approved posts
We never see or store your passwords for these accounts. We store only the access tokens returned by each platform, encrypted (see Section 5). You can disconnect any account at any time from your Settings, which revokes the token. Your approval is required before any ad spend or any social post goes live.
2.6 Generated Content and Creative Assets
When your agent generates marketing content — ad copy, social posts, images, short videos, and voiceovers — we store those assets, along with any photos or media you upload, so they can be reviewed, reused, and published. Generation is powered by the third-party AI providers listed in Section 6.
2.7 Payment Information
Payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe's privacy practices are governed by their own privacy policy.
2.8 Usage Data
We collect standard usage data including page views, feature usage, and performance metrics to improve our service.
3. How We Use Your Information
We use collected information to:
- Provide and operate the LeadClaw platform
- Find leads, write and send outreach email, and manage follow-ups on your behalf
- Build paid ad campaigns and draft social content for your approval
- Monitor for lead replies and surface the ones that need you
- Generate progress reports and results
- Learn what works for your business — which emails, ads, and posts get results, and what you approve or edit — to improve future output
- Provide customer support
- Process payments and manage billing
- Send transactional notifications (reports, hot-lead alerts)
- Ensure compliance with email sending regulations
- Detect and prevent abuse of our platform
4. Google API Services User Data Policy
LeadClaw's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We use Google APIs for two purposes only:
- Sign-in (name and email):If you choose "Continue with Google," we receive your basic profile (name and email address) solely to create and authenticate your account. We do not request access to your Gmail, Drive, Calendar, Contacts, or any other Google data.
- Google Ads (only if you connect it): If you connect a Google Ads account, we use the authorization you grant solely to build and submit ad campaigns you approve.
We do not use Google user data for advertising, do not sell it, and do not transfer it to third parties except as necessary to provide the service, with your consent, or as required by law. No Google user data is used to train AI models.
5. Data Storage and Security
5.1 Infrastructure
Your data is stored across our secure infrastructure:
- Supabase (PostgreSQL) — Account data, campaign data, lead records, generated content, and email logs. Protected by Row Level Security so you can only access your own data.
- Supabase Storage — Uploaded and generated media (images, video, audio), scoped to your account.
- Isolated VPS— Each user's AI agent runs on a dedicated, isolated cloud server. No data is shared between users.
- Supabase Auth — Authentication managed by Supabase with industry-standard security.
5.2 Encryption
- All data transmitted over HTTPS/TLS
- Database encryption at rest (Supabase default)
- Access tokens for your connected ad and social accounts are encrypted with AES-256 using per-user encryption keys. Encryption keys are derived from your account ID and a server secret — they are never stored in the database.
- Agent API keys are hashed before storage
5.3 Isolation
Each user's AI agent operates on a dedicated, isolated cloud server. There is no shared memory, processes, or data between users. The agent server firewall only allows HTTPS (port 443) and management SSH (port 22) traffic.
6. Third-Party Services
We use the following third-party services (sub-processors) to operate LeadClaw. Each processes only the minimum data necessary for its function:
- Google (Gemini) — Primary AI model for writing email, ad copy, and social content, and for generating images, video, and voiceovers
- Anthropic — AI model used for reply classification and complex reasoning
- fal.ai — AI image and video generation
- Resend — Outbound and transactional email delivery, and inbound reply routing
- Postiz — Delivery of approved posts to your connected social accounts
- Google & Meta — Ad platforms and social networks you connect (used only with your authorization)
- Supabase — Database, authentication, real-time subscriptions, and file storage
- Stripe — Payment processing and subscription management
- ZeroBounce — Email address verification before sending outreach
- Twilio — Phone number verification (and owner-agent SMS where available)
- Hetzner — Cloud server hosting for AI agents
- Vercel — Web application hosting
- Inngest — Background job processing
We encourage you to review each service's privacy policy.
7. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure.
- Campaign, lead, and content data: Retained while your account is active. You may request deletion at any time.
- Email logs: Retained for the duration of the campaign retention period. Deleted with campaign data.
- Connected-account tokens: Revoked and deleted when you disconnect an ad or social account, or close your account.
- Agent memory: AI agent learnings are stored on your isolated server and in our database. Deleted when your account is closed.
- Payment records: Retained as required by tax and financial regulations.
8. Your Rights
8.1 All Users
- Access: Request a copy of all data we hold about you
- Correction: Update or correct inaccurate information
- Deletion: Request deletion of your account and all associated data
- Disconnect accounts:Revoke any connected ad or social account at any time from your Settings, or from that platform's own settings
- Export: Request an export of your campaign data, lead data, and email logs
8.2 GDPR Rights (EU/UK Users)
If you are in the European Union or United Kingdom, you have additional rights under GDPR:
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
8.3 Lead Data Rights
Leads contacted by your AI agent can unsubscribe from all future communications at any time using the one-click unsubscribe link included in every email. Unsubscribe requests are honored immediately and apply globally across all campaigns.
9. Email Compliance
LeadClaw is designed to comply with email regulations:
- CAN-SPAM Act: Every email includes clear sender identity, physical mailing address, and unsubscribe mechanism
- GDPR: Lead data processing compliant with EU data protection requirements
- RFC 8058: One-click unsubscribe headers included in all outreach emails
- Rate limiting: Automatic sending limits to protect sender reputation
- Auto-pause: Sending automatically pauses if bounce rate exceeds 2% or complaint rate exceeds 0.1%
10. Children's Privacy
LeadClaw is not intended for use by anyone under the age of 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our platform. Your continued use of LeadClaw after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: privacy@leadclaw.io