Privacy Policy

Effective Date: March 25, 2026

1. Our Privacy Promise

Leads That Learn ("LGAAS," "we," "us," or "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and what rights you have.

Our core commitments:

• We never sell your data. Not to advertisers, data brokers, or anyone else.
• We never use your data to train AI models. Your conversations and content are used only to operate the Service for you.
• Cross-client learning is fully anonymized. No personally identifiable information ever crosses client boundaries.
• Your Members never see our brand. The white-label Member Portal operates entirely under your brand.
• You can delete your data. Request deletion anytime and we will comply within 30 days.

2. Information We Collect

Account Information

• Name, email address, and business name (provided during registration)
• Password (stored hashed, never in plain text)
• Billing information (processed by Stripe; we do not store credit card numbers)

Business Profile Data

During onboarding, AriaStar collects facts about your business through conversation. This includes:

• What your business does, your industry, and your services/products
• Your target audience, customer demographics, and psychographics
• Competitive landscape and differentiators
• Pain points your customers experience
• Success stories and results you have achieved
• Digital presence and content preferences
• Business ecosystem, partnerships, and boundaries
• Service area (for local service businesses)

Conversation Data

• Messages exchanged with AriaStar (the AI strategic advisor)
• Messages exchanged by your Members with Specialist Agents
• Widget conversations between your website visitors and your AI chatbot

Content Data

• AI-generated blog posts, social media posts, email sequences, Reddit responses, and landing page copy
• Images generated for your social media content
• Performance metrics for published content (engagement, clicks, conversions)

Usage Data

• Platform feature usage and interaction patterns
• AI API usage (model, token counts, feature context) for cost tracking
• Login timestamps and session information

Third-Party Platform Data

• Reddit: subreddit activity, post content, engagement metrics for posts you interact with
• TikTok: OAuth tokens (encrypted), draft upload metadata, video performance data
• Google Analytics: anonymized website traffic data (if you opt in)

3. How We Use Your Information

• Service Delivery: Generating content, powering AI conversations, managing your lead generation strategy, and providing strategic advice through AriaStar.
• Personalization: Tailoring content, chatbot behavior, and recommendations to your specific business based on the facts you provide.
• Quality Improvement: Evaluating AI output quality, detecting and filtering AI patterns, and ensuring content meets our human voice standards.
• Cross-Client Learning: Extracting anonymized patterns that benefit all subscribers in the same industry (see Section 5).
• Cost Management: Tracking AI API usage per subscriber and per feature to manage platform costs and ensure service sustainability.
• Security: Detecting abuse, preventing fraud, and enforcing rate limits.
• Communication: Sending transactional emails (welcome sequences, password resets, payment receipts) and platform alerts.

4. Multi-Tenant Data Isolation

Leads That Learn is a multi-tenant platform. Your data is architecturally isolated from other subscribers.

• Row Level Security (RLS): All subscriber-specific database tables enforce Row Level Security at the database level, meaning queries can only return data belonging to the authenticated subscriber.
• Client ID Isolation: Every record is tagged with a client_id foreign key. This is enforced at the database layer, not just the application layer.
• No Cross-Tenant Access: No subscriber can view, query, or access another subscriber's data through the Platform. There is no admin backdoor that exposes one subscriber's data to another.
• Service Role: Server-side operations use a service role key that bypasses RLS only for authorized system operations (crons, webhooks, admin functions). This key is never exposed to frontend code or subscribers.

5. Cross-Client Learning

Our learning engine extracts anonymized patterns from content performance across all subscribers to improve the platform for everyone.

What Gets Anonymized and Shared

• Content structure patterns (e.g., "blog posts with question-based headlines perform 23% better in the coaching industry")
• Engagement timing patterns (e.g., "LinkedIn posts perform best on Tuesday mornings for B2B services")
• Topic effectiveness trends
• Lead qualification scoring calibrations
• Platform best practices (formatting, length, style patterns)

What Is NEVER Shared

• Your business name, brand, or any identifying information
• Conversation content (with AriaStar, Members, or widget visitors)
• Customer or member information
• Proprietary strategies, pricing, or competitive intelligence
• Ecosystem data (partners, internal operations)
• Any data that could be used to identify your specific business

Anonymization is enforced at the extraction layer. Raw data never enters the cross-client pipeline.

6. AI Processing

The Platform uses AI extensively. Here is how your data interacts with AI systems:

• Anthropic (Claude): Your conversations and content requests are sent to Anthropic's Claude API for processing. Anthropic does not use API inputs or outputs to train their models. See Anthropic's Privacy Policy.
• Google (Gemini): Image generation requests (social media images, visual content) are sent to Google's Gemini API. Text prompts describing the desired image are sent; your raw business data is not. See Google's Privacy Policy.
• No Model Training: We do not fine-tune or train AI models on your data. All AI interactions use pre-trained models via API calls.
• Prompt Engineering: Your business profile data is included in AI prompts to personalize responses. These prompts are constructed server-side and are never exposed to other users or stored by AI providers beyond their standard API processing.

7. Third-Party Services

We use the following third-party services to operate the Platform:

Service	Purpose	Data Shared
Anthropic (Claude)	AI conversations, content generation, data extraction	Conversation messages, business profile data (in prompts)
Google (Gemini)	Image generation	Text prompts describing desired images
Supabase	Database, authentication, file storage	All platform data (stored with RLS isolation)
Stripe	Payment processing, subscription management	Name, email, payment method (processed by Stripe)
Vercel	Application hosting, serverless functions	Application code, request logs
HCTI (htmlcsstoimage)	Quote card and image rendering	HTML/CSS markup for image rendering (no PII)
Resend	Transactional email delivery	Recipient email, email content
Google Analytics 4	Website analytics (opt-in per subscriber)	Anonymized visitor behavior on subscriber landing pages
TikTok API	Carousel draft uploads	OAuth tokens, carousel content, draft metadata
Reddit API	Post discovery and response posting	Response content posted to public Reddit threads

Each third-party service has its own privacy policy. We encourage you to review them. We select services that meet our security and privacy standards and do not sell data.

8. TikTok Integration

If you connect your TikTok account to the Platform:

• OAuth Tokens: Your TikTok OAuth access and refresh tokens are stored encrypted in our database. They are used solely to upload carousel drafts to your TikTok account on your behalf.
• Draft-Only Uploads: We only upload content as drafts. You must manually review and publish from the TikTok app. We never publish directly to your account without your action.
• Scope: We request only the minimum TikTok API permissions needed for draft content uploads.
• Revocation: You can disconnect your TikTok account at any time through the Platform dashboard or by revoking access in your TikTok settings. Upon disconnection, we delete your stored OAuth tokens.
• Performance Data: If you grant permission, we may access video performance metrics to feed into the learning loop and improve future content recommendations.

9. Member Data & White-Label Portal

When Subscribers use the Member Portal, their Members' data is handled as follows:

• Data Controller: The Subscriber is the data controller for their Members' data. Leads That Learn acts as a data processor, processing Member data on the Subscriber's behalf.
• White-Label: Members interact with AI Specialist Agents under the Subscriber's brand. Members never see "Leads That Learn" or "LGAAS" branding. All emails are sent from the Subscriber's branded address.
• Member Data Collected: Name, email address, conversation history with Specialist Agents, subscription status, and engagement metrics.
• Member Data Isolation: Member data is isolated to the Subscriber's tenant. Other Subscribers cannot access it.
• AI Processing: Member conversations are processed through the same AI systems described in Section 6. Insights extracted from member conversations may contribute to the Subscriber's strategy, but never cross to other Subscribers except as anonymized industry patterns.
• Member Rights: Members should contact the Subscriber directly regarding their data rights. Subscribers should contact us if they need assistance fulfilling member data requests.

10. Data Retention

• Active Subscribers: All data is retained for the duration of your subscription.
• After Cancellation: Your data is retained for 90 days to allow for data export requests or account reactivation. After 90 days, personally identifiable data may be permanently deleted.
• Anonymized Data: Anonymized patterns already incorporated into the cross-client learning engine are retained indefinitely, as they contain no personally identifiable information.
• Billing Records: Transaction records are retained for 7 years as required by tax and financial regulations.
• Conversation Logs: AI conversation logs are retained for the duration of your subscription plus the 90-day post-cancellation window.
• Backups: Encrypted backups may retain data for up to 30 days beyond the deletion date as part of standard disaster recovery procedures.

11. Cookies & Local Storage

The Platform uses the following browser storage mechanisms:

• Authentication Cookies: Session cookies managed by Supabase Auth for login persistence. These are essential for the Platform to function.
• Local Storage: Used for non-critical UI preferences (e.g., sidebar state, selected tabs). No sensitive data is stored in local storage. Critical data is always fetched from the database.
• Third-Party Cookies: If Google Analytics is enabled on your landing page, Google may set analytics cookies on your visitors' browsers subject to Google's cookie policy.

We do not use advertising cookies or tracking pixels.

12. Children's Privacy

Leads That Learn is a business-to-business (B2B) service designed for businesses and professionals. The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If you believe a child under 18 has provided us with personal information, please contact us at [email protected] and we will promptly delete it.

13. Your California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

• Right to Know: You can request a summary of the personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing service delivery).
• Right to Opt-Out of Sale: We do not sell personal information. This right is automatically satisfied.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at [email protected]. We will respond within 45 days.

Categories of Information Collected

• Identifiers: Name, email address, business name
• Commercial Information: Subscription history, payment records
• Internet Activity: Platform usage data, feature interactions
• Professional Information: Business profile data, industry, services offered
• Inferences: AI-derived insights about your business strategy and content performance

14. International Users

Leads That Learn operates from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.

If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your data based on:

• Contractual Necessity: Processing required to deliver the Service you subscribed to.
• Legitimate Interests: Processing for platform improvement, security, and cross-client learning (with anonymization safeguards).
• Consent: Where required by applicable law, such as for optional integrations.

For GDPR-specific data requests, contact [email protected].

15. Security Measures

We implement the following security measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted via TLS/HTTPS.
• Encryption at Rest: Database data is encrypted at rest by our infrastructure provider (Supabase/AWS).
• Row Level Security: Database-level tenant isolation prevents cross-subscriber data access.
• Hashed Passwords: All passwords are hashed using industry-standard algorithms. We never store plain-text passwords.
• API Key Scoping: API keys are scoped per subscriber and never exposed in frontend code.
• OAuth Token Security: Third-party OAuth tokens (TikTok, etc.) are stored encrypted and used only for authorized operations.
• Rate Limiting: All public API endpoints are rate-limited to prevent abuse.
• Input Validation: All user input is validated and sanitized at system boundaries to prevent injection attacks.
• Environment Variables: All secrets (API keys, database credentials) are stored as environment variables, never hardcoded in source code.

No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. If we discover a data breach that affects your personal information, we will notify you in accordance with applicable law.

16. How to Delete Your Data

You can request data deletion in the following ways:

• Account Deletion: Contact [email protected] to request full account deletion. We will process your request within 30 days.
• Conversation History: You can delete individual conversation threads through the Platform dashboard.
• Content Deletion: You can delete generated content (blog posts, social posts, emails) through the respective content management sections of the dashboard.
• Member Data: To delete Member data, contact us or use the Member management features in your dashboard.
• TikTok Disconnection: Disconnect your TikTok account through the dashboard to delete stored OAuth tokens immediately.

Please note that anonymized data already incorporated into cross-client learning patterns cannot be deleted, as it contains no information that could identify you or your business.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Effective Date" at the top of this page.
• Notify you via email or through the Platform dashboard at least 30 days before material changes take effect.
• Provide a summary of what changed.

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.

18. Contact Information

For privacy-related questions or requests:

• Privacy Inquiries: [email protected]
• General Support: [email protected]
• Legal Inquiries: [email protected]

Leads That Learn
United States

We aim to respond to all privacy-related inquiries within 30 days.