Trust Center
Security & Trust
LeadPilot is a hosted SaaS that finds verified business leads, drafts AI cold outreach, and runs multi-step email sequences. This page documents exactly what data we collect, where it goes, how long we keep it, and how to get it deleted. If your procurement team needs a signed DPA, an opt-out endpoint, or a list of every third party that ever touches your data — it's all here.
Last reviewed: 13 May 2026. We update this page whenever a subprocessor changes — bookmark it.
Subprocessors
Every third-party service that ever processes your data. We pre-sign DPAs with each of these. We notify customers 30 days before adding a new subprocessor.
| Service | Purpose | Region | Stores PII |
|---|---|---|---|
| Neon (Postgres) | Primary application database | AWS · us-east-1 | Yes |
| Vercel | Application hosting + serverless functions | Global edge | Yes |
| OpenRouter | LLM proxy (Claude, Groq, Gemini fallback chain) | US | No |
| Perplexity (via OpenRouter) | B2B Finder live web search | US | No |
| Hunter.io | Verified-data enrichment + email finder | EU | No |
| NeverBounce | Primary email verification | US | No |
| Google Places API | Business-listing lead source | US | No |
| Yelp Fusion API | Supplemental lead source | US | No |
| Inngest | Background job queue + crons | US | Yes |
| Gmail / Outlook SMTP | Outbound outreach mail (user-owned credentials) | Global | Yes |
| Stripe | Billing + subscription management | Global | Yes |
Data flow
1. Lead generation
   A user submits a search → Google Places (and optionally Yelp / Hunter / on-domain scraper) is queried for businesses in that niche/country/city → results are deduplicated and quality-scored.
2. Email verification
   Every email runs through a 3-tier cascade: NeverBounce → SMTP RCPT probe → MX + disposable-domain check. STRICT mode marks borderline results as Unverified rather than guessing.
3. AI enrichment
   On-demand: an LLM (Claude via OpenRouter, falling back to Groq → Gemini) is queried for decision-makers, tech stack, and intent signals. Only the lead's public business name + website is sent — no end-user PII.
4. Verified-data enrichment (Hunter.io)
   On the user's explicit click, the lead's email or website is sent to Hunter for verified person + company data. Hunter's ToS permits reseller use; results are persisted to the lead.
5. Outreach
   Drafts are generated server-side via the LLM proxy. Sending uses the user's own SMTP credentials (encrypted with AES-256-GCM at rest) — we never see the recipient's reply unless reply-tracking is explicitly enabled.
6. Storage
   Leads + sequences + outreach drafts live in our Neon Postgres database (encrypted at rest). IMAP credentials are encrypted before write, using an HMAC of NEXTAUTH_SECRET as the AES-GCM key.
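The credential encryption described in the Storage step, sketched in Node.js as an added example; this is not LeadPilot's own code. Assumptions not stated on this page: the HMAC is SHA-256 over a fixed purpose label (`KEY_LABEL`, hypothetical), the blob layout is `iv || tag || ciphertext`, and the record id is bound as additional authenticated data.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: the page does not say what the HMAC is computed over; a fixed
// purpose label is used so one secret can yield a distinct key per use.
const KEY_LABEL = 'imap-credentials-v1'; // hypothetical label

// HMAC-SHA256 output is 32 bytes, exactly the size of an AES-256 key.
function deriveKey(secret, label = KEY_LABEL) {
  return nodeCrypto.createHmac('sha256', secret).update(label).digest();
}

// Returns base64(iv || tag || ciphertext). A fresh random 96-bit IV per write
// is required: reusing an IV under the same key breaks GCM.
function encryptCredential(plaintext, secret, recordId) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(secret), iv);
  cipher.setAAD(Buffer.from(recordId)); // assumption: bind the blob to its row
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Throws if the key, the record id, or any byte of the blob is wrong.
function decryptCredential(blob, secret, recordId) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('blob too short');
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const ct = raw.subarray(28);
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', deriveKey(secret), iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(recordId));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// True when decryption is rejected (wrong key, wrong row, or tampered blob).
function rejects(blob, secret, recordId) {
  try { decryptCredential(blob, secret, recordId); return false; }
  catch { return true; }
}

// Constructed sample values, not real credentials.
const SECRET = 'constructed-nextauth-secret';
const blob = encryptCredential('imap-app-password', SECRET, 'inbox:42');
console.log(decryptCredential(blob, SECRET, 'inbox:42'));
console.log(rejects(blob, 'rotated-secret', 'inbox:42'));
```

Because the key is derived from NEXTAUTH_SECRET, rotating that secret makes existing blobs undecryptable until they are re-encrypted under the new key.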
Retention
| Data type | Retention |
|---|---|
| Leads (business records) | For the lifetime of the workspace; deleted within 30 days of account closure. |
| Outreach drafts + sent messages | 24 months, then archived. Customers can purge any time via the dashboard. |
| IMAP credentials (warm-up) | Encrypted at rest; deleted immediately when the user disconnects the inbox. |
| Account / billing records | Retained for the duration of the legal-record period (7 years for tax/audit). |
| Backups | Daily encrypted snapshots of Postgres for 30 days, then rolled. |
| Server logs (errors, performance) | 30 days; logs never include PII payloads. |
Data Processing Agreement (DPA)
Every paid plan ships with a pre-signed DPA available via the dashboard under Settings → Legal. The DPA covers:
- Article 28 GDPR processor obligations
- EU-US Data Privacy Framework (DPF) compliance for transatlantic data transfers
- Standard Contractual Clauses (SCCs) when DPF is unavailable
- UK addendum for GDPR-UK alignment
- Sub-processor notification (30-day window before adding)
- Audit rights + annual SOC 2 report sharing once certified
Need the DPA before signing up? Email legal@leadpilot.app and we'll send a click-through link.
GDPR + CCPA matrix
| Right | GDPR | CCPA | How to exercise |
|---|---|---|---|
| Right to access | ✓ | ✓ | Dashboard → Settings → Data export. Returns full JSON within 30 days. |
| Right to rectification | ✓ | — | Dashboard → Lead → Edit. Self-serve. |
| Right to erasure (deletion) | ✓ | ✓ | POST /api/leads/opt-out (public, no auth) OR Settings → Delete account. |
| Right to restrict processing | ✓ | — | Email privacy@leadpilot.app — actioned within 14 days. |
| Right to data portability | ✓ | ✓ | Settings → Export → CSV or JSON. |
| Right to object | ✓ | — | Settings → Opt out of profiling / sale (both flags apply). |
| Right to opt out of sale | — | ✓ | We do not sell personal data; the toggle is set off by default. |
| Right to non-discrimination | — | ✓ | Exercise of CCPA rights never affects pricing or service. |
Incident response
Process is documented in our internal Incident Response Playbook. Reach security@leadpilot.app any time of day. PGP key fingerprint published at /.well-known/security.txt.
| Severity | Notification SLA |
|---|---|
| P0 (data breach affecting PII) | Affected customers within 24 hours; regulator notification per GDPR Art. 33 within 72 hours. |
| P1 (service outage) | Status page updated within 15 minutes; root-cause analysis within 5 business days. |
| P2 (security finding without exposure) | Customers notified within 7 days; patch released within 30 days. |
| P3 (informational) | Tracked publicly via /changelog. |