Privacy Policy

Effective February 18, 2026

Introduction

SafeLead Inc. (“SafeLead,” “we,” “us”) operates the SafeLead platform at safelead.ai, including the dashboard, APIs, tracking script, and related services.

This policy explains what data we collect, why we collect it, who can access it, and how long we keep it. It applies to everyone who uses SafeLead — publishers, buyers, and visitors to our website.

Information We Collect

Account data

When you create an account, we collect your name, email address, and organization details (company name and type). This is the minimum we need to identify you and route you to the right features.

Certificate evidence

When a visitor submits a form on a publisher’s website that runs the SafeLead tracking script, we capture consent evidence. This includes:

  • Page URL, referrer, and submission timestamp
  • Consent text visible on the page at the moment of submission
  • Session replay — a DOM recording of the visitor’s session (capped at 5 minutes). All form inputs are masked: replays show that typing occurred, but not what was typed.
  • Scroll depth, time on page, and browser metadata (user agent, viewport size)
  • IP address and derived geolocation (country, region, city, timezone)
  • Email and phone, if present in the form, are stored as irreversible SHA-256 hashes only — we never store these values in plaintext. Hashes allow lead matching without exposing the original data.
  • A content hash that binds all evidence fields together, making the certificate tamper-evident

Usage and analytics

We collect standard usage data — pages visited, features used, error logs — to understand how the product is used and where it breaks. We do not run third-party ad trackers.

Payment information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers. Stripe’s privacy policy governs how they handle your payment data.

How We Use Information

  • Service delivery — operating the platform, generating certificates, processing lookups and retentions
  • Certificate generation — assembling evidence fields into an immutable consent certificate for each form submission
  • Evidence storage — keeping certificate data in hot storage (90 days) and vault (5 years) so it’s available when you need it for compliance
  • Transactional emails — account verification, password resets, billing notifications, and critical service updates
  • Product improvement — aggregated usage patterns help us find bugs, improve performance, and decide what to build next

Information Sharing

We do not sell your data. We do not share it with advertisers. Third-party access is limited to what’s needed to run the service:

  • Stripe — processes payments. Receives only what’s required for billing.
  • Cloudflare — provides infrastructure (Workers, R2 storage, DNS). Data passes through their network as part of normal service delivery.
  • Email provider — delivers transactional emails (account verification, password resets).

Certificates are visible only to the publisher who generated them and the buyer who looks them up. Buyers see hashed URLs to protect publisher landing page IP — they can detect lead source patterns without identifying specific pages.

Data Retention

  • Certificates (hot storage) — available for 90 days after creation. Any buyer with the certificate ID can look them up during this window. After 90 days, unretained certificates and their replays are automatically deleted.
  • Certificates (vault) — when a buyer retains a certificate, it moves to buyer-isolated vault storage for 5 years. This aligns with the TSR record-keeping requirement (16 CFR § 310.5). After 5 years, vault data is permanently deleted.
  • Account data — retained while your account is active, plus 30 days after deletion to allow recovery.
  • Waitlist emails — kept until product launch or until you unsubscribe, whichever comes first.

Security

All data is encrypted in transit (TLS) and at rest. Certificates are bound by content hashes that make tampering detectable. Vault storage is buyer-isolated — no cross-tenant access. PII fields (email, phone) are stored as irreversible SHA-256 hashes, not plaintext.

For a detailed overview of our security practices, see our Security page.

Your Rights

You can request any of the following by emailing us:

  • Access — get a copy of the data we hold about you
  • Correction — fix inaccurate account information
  • Deletion — delete your account and associated data (subject to retention obligations for certificates already in vault storage)
  • Data portability — receive your data in a structured, machine-readable format

Email privacy@safelead.ai to exercise any of these rights. We respond within 30 days.

Cookies and Tracking

We use essential cookies only:

  • Authentication session — keeps you signed in across page loads. Required for the dashboard to work.
  • Analytics — basic, privacy-respecting usage analytics to understand product usage. No third-party ad tracking.

We do not use advertising cookies, retargeting pixels, or any third-party trackers that follow you across the web.

Changes to This Policy

If we make material changes, we’ll update the effective date at the top of this page and notify active users by email. Continued use of SafeLead after changes take effect means you accept the updated policy.

Contact

Questions about this policy? Email privacy@safelead.ai.