Privacy Policy
Effective: May 10, 2026. This policy explains what data Leadity collects, why, and how it's handled — both for the people who sign up to use Leadity and the contacts whose messages flow through the platform.
1. Who We Are and How to Contact Us
Leadity ("Leadity", "we", "us") is the data controller for the personal data we process about Operators (the people who sign up for an account). For data about Contacts (the people Operators chat with on connected social platforms), Leadity is a data processor and the Operator is the controller.
Privacy questions, data-rights requests, or general feedback go to business@leadity.io.
2. How We Collect Personal Data
We collect personal data in three ways:
- From you directly when you sign up, configure assistants, connect accounts, or contact support. This includes name, work email, billing details, and the prompts/configurations you write for your AI.
- From the platforms you connect via official OAuth. From Instagram and Messenger, this includes the page or business account profile, message metadata and content, contact usernames and avatars, comment text, and (with explicit opt-in) account-level insights such as follower counts and engagement.
- Automatically when you use the dashboard. This includes IP address, browser type, the pages you visit inside the app, and the actions you take. It is used for security, abuse-prevention, and product analytics.
3. What Types of Personal Data We Process
For Operators:
- Identity: name, email, organisation, role
- Authentication: hashed password, session tokens, OAuth tokens for connected accounts
- Billing: Stripe customer ID, plan tier, payment status (we never see your card number)
- Configuration: assistant prompts, knowledge bases, automation rules, workflow definitions
- Usage logs: feature interactions, dashboard sessions, API and MCP call traces
For Contacts (the people Operators message):
- Platform-specific user ID, username, display name, profile picture
- Message content (text, attachments, reactions, edits, deletions, read receipts)
- Conversation metadata (timestamps, automation mode, lead status, qualification fields)
- Long-term memory (a JSON list maintained by the AI when the operator opts in to compression)
4. Why We Process Personal Data
We use personal data only for purposes you would expect:
- To run the Service — authenticate Operators, route webhooks, generate AI replies, deliver messages, render the inbox and metrics dashboards
- To bill correctly — track per-message and per-AI-turn usage against your plan
- To keep the Service safe — detect abuse, rate-limit, investigate suspected violations of our Terms or platform policies
- To improve the Service — diagnose bugs, measure feature adoption, prioritise the roadmap (in aggregated, de-identified form)
- To communicate — operational emails (billing, security alerts), and product updates you can opt out of
We do not sell personal data. We do not rent or share personal data with third parties for their own marketing purposes. We do not use Customer Data to train models that benefit anyone outside your account.
5. AI Sub-Processors
To generate replies, we send the conversation context to one of our AI sub-processors — currently OpenAI, Anthropic, or Google, depending on the model selected in your assistant settings. Each provider is contractually bound to use the data only to serve our API request and not to train their models on it. We disclose the full list of sub-processors and update it when we add new ones.
6. How We Share Personal Data
We share personal data with:
- Service providers — Railway (hosting), Postgres + Redis (databases), Stripe (billing), Resend or similar (transactional email), the AI providers listed above. Each is bound by a Data Processing Agreement.
- Connected platforms — Meta (Instagram and Messenger), and equivalents as we add them. We send messages on your behalf via their APIs; they receive whatever is needed to deliver them.
- Legal authorities — when compelled by valid legal process or to protect rights, safety, or property. We push back on overbroad requests when we can.
- In a corporate transaction — if Leadity is acquired or merges, your data transfers with the business under at least the protections of this policy.
When you connect a Meta-owned service, the data needed to deliver your messages is processed by Meta under Meta's own terms and privacy policy. By connecting that service to Leadity you hereby additionally consent to, and agree to be bound by, Meta's Terms of Service and platform policies that govern the specific service you connect (for example, the Instagram Terms of Use for an Instagram account, or the Messenger / Facebook Platform Terms for a Messenger or Facebook account), as they apply to your use of that service through Leadity. Our handling of that data is described in this policy; the standards we hold ourselves and Operators to are in the Ethics & Responsible Use Policy.
7. Your Rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data; to object to or restrict certain processing; and to lodge a complaint with a supervisory authority. Contact us at business@leadity.io to exercise any of these rights and we'll respond within 30 days.
Operators can also self-serve much of this directly from the dashboard: edit profile data on your account page, disconnect or delete a connected social account from its settings, or close your account from the billing page.
8. Data Retention
We keep Operator account data for as long as your account is active, plus a short window after closure to handle billing reconciliation and legal-hold obligations. After that we delete it.
Contact and conversation data follows your retention choices: when you disconnect an account, we keep the data so you can reconnect later; when you delete an account, we wipe contacts, conversations, messages, comments, follow-ups, and associated metrics within 30 days. Aggregated, de-identified analytics may be retained beyond that.
9. Security
We follow industry-standard security practices: TLS in transit, encryption at rest for sensitive columns, scoped OAuth tokens (never your platform passwords), short-lived JWTs for the dashboard, and least-privilege access for Leadity staff. Real-time updates flow over a JWT-authenticated WebSocket; webhook payloads are signed by Meta and verified server-side.
No system is perfectly secure. If we suffer a breach affecting your data, we'll notify you without undue delay and explain what happened, what data was involved, and what you can do.
10. International Data Transfers
Leadity is hosted on Railway infrastructure, which may store data in regions including the United States and the EU. Where data leaves your home jurisdiction, we rely on standard contractual clauses or equivalent legal mechanisms.
11. Children's Information
Leadity is for business use and is not directed at children under 16. We don't knowingly collect personal data from children. If you believe a child has provided us data, contact us and we'll delete it.
12. Region-Specific Disclosures
EEA / UK / Switzerland. Our legal bases are: contract performance (running the Service for you), legitimate interests (security, abuse-prevention, product analytics in aggregate), legal obligation (tax, accounting), and consent (where required, e.g. non-essential cookies and marketing emails). You can withdraw consent at any time without affecting prior processing.
California (CCPA/CPRA). California residents have rights to know, delete, correct, and opt out of "sales" and "sharing". We do not sell personal information and we do not share it for cross-context behavioural advertising. To exercise rights, email business@leadity.io.
Brazil (LGPD). Equivalent rights apply for residents of Brazil. The same email address handles those requests.
13. Cookies and Similar Technologies
See our Cookies Statement for details on what cookies we set and how to manage them.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes are announced by email or an in-app notice at least 14 days in advance. The "Effective" date at the top of this page reflects the latest version.
15. Contact
Privacy team: business@leadity.io. We aim to respond within 30 days.