Legal

Privacy policy

Last updated: 2026-04-17.

This Privacy Policy explains how LeadsRally ("we") collects, uses, and protects personal data when you use our platform. It applies to the customers who sign up for accounts and to the end-contacts who receive messages through the platform.

1. Data we collect

  • Account data: email, password hash, organization name, role.
  • Contact data imported by customers: name, phone number, email, tags, custom fields, consent state.
  • Message content: SMS and WhatsApp exchanges routed through Twilio and Meta.
  • AI analysis metadata: intent labels, interest scores, and reply suggestions generated from message content.
  • Operational telemetry: IP address, request timestamps, error traces (via Sentry), webhook delivery logs.

2. How we use it

  • Delivering the messaging, analytics, and automation features the customer configured.
  • Generating AI responses, lead scoring, and reply suggestions on your behalf.
  • Service reliability, abuse prevention, fraud detection, and billing.
  • Notifying account owners about service changes, security alerts, and transactional matters.

3. Legal basis (GDPR art. 6)

  • Contract — to provide the service customers signed up for.
  • Legitimate interest — securing the platform, preventing abuse, improving reliability.
  • Consent — where required (e.g. marketing communications to you). Customers who use the platform to contact their own audience are responsible for obtaining consent from those contacts.
  • Legal obligation — tax, accounting, and regulatory record-keeping.

4. Sharing with third parties (subprocessors)

  • Twilio (US) — SMS delivery and phone number management.
  • Meta (US/IE) — WhatsApp Business messaging and Lead Ads ingestion.
  • Anthropic (US) — AI inference on conversation snippets when AI features are enabled.
  • Sentry (US) — error monitoring and performance traces.
  • Resend (US) — transactional email (password reset, notifications).
  • Railway (US) — application hosting and managed Postgres.

We do not sell personal data. We share data with subprocessors only to the extent needed to deliver the service you requested.

5. International data transfers

Our infrastructure and most subprocessors are based in the United States. If you are located in the EEA, UK, or Switzerland, your data is transferred to the US under Standard Contractual Clauses with each subprocessor, and we implement the supplementary technical measures required by Schrems II (encryption in transit and at rest, access controls, short-lived credentials).

6. Retention

  • Account data — while the account is active, plus 30 days after deletion for reversal and audit.
  • Message content and conversations — retained until the customer deletes them, subject to any provider-mandated retention (e.g. Twilio 13-month log retention).
  • Error telemetry (Sentry) — 30 days.
  • Webhook delivery logs — 90 days.
  • Billing records — 7 years, for tax and accounting obligations.
  • Backup snapshots — up to 30 days; deletions propagate when a snapshot rolls off.

7. Your rights

  • Access and portability: download your data from Settings → Privacy & Account → Export.
  • Erasure: delete your account from Settings → Privacy & Account → Delete account.
  • Correction: edit your contact and profile details inside the product at any time.
  • Opt-out: end-contacts can reply STOP to any marketing message, or use the unsubscribe link in a message, to opt out of further communications.
  • Complaint: EEA/UK residents can lodge a complaint with their supervisory authority; if you're unsure which one applies, contact us first and we'll help.

8. Security

Access tokens and refresh tokens are scoped and short-lived. Passwords are stored with bcrypt. Database traffic is TLS-encrypted. Customer credentials for Twilio and Meta are encrypted at rest. We maintain an incident response process and notify affected customers within 72 hours of a confirmed breach involving their data.

9. Children

LeadsRally is a B2B platform and is not directed at children under 16. We do not knowingly collect personal data from children.

10. Changes to this policy

We may update this policy to reflect new features, subprocessors, or legal requirements. Material changes will be announced in-product and via email to account owners at least 14 days before they take effect.

11. Contact

For privacy questions, contact us at privacy@leadsrally.com. For general support, email support@leadsrally.com.