Privacy Policy | DetailinLeads AI

01Information We Collect

DetailinLeads AI ("we," "us," or "our") operates a multi-tenant SaaS platform that helps automotive detailing businesses capture, qualify, and convert leads using AI automation. We collect information in the following categories:

Account & Registration Data

Name, email address, phone number, and password (hashed — never stored in plain text)
Business name, business address, city, and service offerings
Profile photo or logo (if uploaded)
Billing name and address associated with subscription payments
OAuth identity tokens when signing in with Google (we receive only your name, email, and profile picture)

Usage & Platform Data

Actions taken within the platform (pages visited, features used, buttons clicked)
AI configuration settings, custom prompts, and automation preferences you create
Conversation histories between the AI and leads on your account
Quote templates, booking data, follow-up schedules, and notes you enter
API response logs (stripped of sensitive lead PII) for debugging and quality purposes

Technical & Device Data

IP address, browser type, and operating system (collected automatically on login)
Device identifiers for session management
Timestamps of logins, API calls, and key platform actions
Error logs and crash reports used to improve platform stability

Customer Lead Data (Processed on Your Behalf)

When you connect a Meta lead form or WhatsApp Business account, we receive and process lead data submitted by your end customers (e.g., name, phone number, email, vehicle type, service interest). This data is collected on your behalf — you are the data controller and we act as your data processor. See Section 2 for full details.

02Lead Data Handling

Important: DetailinLeads AI acts as a data processor for all customer lead data. You, as the business operator using our platform, are the data controller. You own your customer lead data entirely. We process it solely to provide you the platform service.

Lead data includes any information submitted by your customers through Meta lead forms, WhatsApp conversations, or other connected channels. This typically includes:

Full name and phone number
Email address (when provided)
Vehicle make, model, or year (from form fields you define)
Service interest and budget signals
Location or zip code
Message content from WhatsApp threads

How We Use Lead Data

To route incoming leads to your dashboard in real time
To trigger AI-generated outreach messages via WhatsApp on your behalf
To qualify, score, and categorise leads according to your configured rules
To generate quotes, schedule follow-ups, and maintain conversation history
To populate analytics and reporting dashboards visible only to you

What We Do Not Do With Lead Data

We do not sell lead data to any third party
We do not use lead data to train our AI models without explicit opt-in consent from you
We do not share lead data between tenant accounts (strict multi-tenant isolation)
We do not use lead data for advertising purposes

You are responsible for ensuring that your end customers have consented to receiving automated WhatsApp messages from your business. Your Meta lead form and WhatsApp Business configuration must comply with applicable consent requirements in your jurisdiction.

03WhatsApp & Meta Integrations

DetailinLeads AI integrates with Meta's platforms (Facebook, Instagram, WhatsApp Business API) to enable lead capture and automated messaging. These integrations involve data flows governed by Meta's own policies in addition to ours.

Meta Lead Ads Integration

When you connect a Facebook Page and Meta lead form to DetailinLeads AI, we request the following permissions via the Meta for Developers OAuth flow:

pages_show_list — to list your Facebook Pages
pages_read_engagement — to access page-level tokens needed to read lead submissions
whatsapp_business_management — to manage your WhatsApp Business Account
whatsapp_business_messaging — to send outbound WhatsApp messages
business_management — to access your Meta Business Suite account

Meta and Facebook operate under their own independent privacy policies and terms of service. We strongly encourage you to review Meta's Privacy Policy and WhatsApp's Privacy Policy to understand how those platforms handle data independently of DetailinLeads.

WhatsApp Business Messaging

Messages sent through our platform on your behalf are transmitted via the WhatsApp Business API. This means message metadata (sender ID, timestamp, delivery status) is visible to Meta. Message content passes through Meta's infrastructure before reaching your lead's device. You are responsible for ensuring your WhatsApp messaging practices comply with WhatsApp's Business Policy and applicable anti-spam regulations in your region.

Token Storage

We store encrypted OAuth access tokens (Page access tokens, WhatsApp Business account IDs) in our secure database to facilitate ongoing automation without requiring you to re-authenticate daily. Tokens are encrypted at rest and accessible only by our backend systems on your behalf.

04AI Processing & Automation

AI-generated replies are produced automatically. While our AI is designed to be helpful and accurate, AI-generated messages may occasionally be incorrect, incomplete, or tonally inappropriate. We strongly recommend reviewing AI replies before sending in high-stakes situations, and enabling human review mode for sensitive conversations.

How the AI Works

Your business profile, services, pricing, and tone settings are used to configure the AI's persona
Incoming lead messages are processed by large language models (LLMs) via our AI provider to generate contextually appropriate replies
Generated replies are sent as WhatsApp messages on your behalf or queued for your approval depending on your settings
Lead qualification, scoring, and follow-up triggers are generated by AI analysis of conversation content

AI & Lead Data

Lead message content is sent to our AI provider's API for the sole purpose of generating replies
Our AI provider is contractually prohibited from using your data to train their general models
We do not build or train proprietary AI models on your lead data without your explicit consent
AI processing occurs in real time; we do not retain raw message content in AI provider systems beyond the API call

Human Review Capability

Depending on your plan and settings, you may enable "AI Assist" mode where the AI drafts replies for your manual review before sending, rather than auto-sending. We recommend this mode for complex quotes, dispute resolution, or legally sensitive conversations.

AI Limitations Disclaimer

DetailinLeads AI's automated messaging is not a substitute for professional legal, financial, or medical advice. The AI is configured specifically for automotive detailing sales conversations and should not be used outside this context without appropriate reconfiguration and review.

05Data Retention

We retain different categories of data for different periods based on business necessity and legal requirements:

Data Type	Retention Period	Reason
Account & profile data	Duration of account + 90 days after deletion	Account recovery window
Lead data	Duration of active subscription	Platform functionality
WhatsApp conversation logs	12 months rolling	Audit & compliance
Billing & payment records	7 years	Tax & legal requirements
AI processing logs	30 days	Quality & debugging
Authentication logs	90 days	Security monitoring
Analytics data	24 months aggregated	Product improvement

Upon account deletion, all personally identifiable data is purged from active systems within 30 days. Aggregated, anonymised analytics data may be retained for product improvement. Billing records are retained for the period required by applicable tax law (typically 7 years).

You can request immediate deletion of all lead data at any time by contacting us at Support@detailinLeads.com. See Section 10 for the full deletion process.

06Security Measures

We implement industry-standard security controls to protect the data entrusted to us:

Technical Safeguards

All data is encrypted at rest using AES-256 encryption
All data in transit is encrypted via TLS 1.2 or higher (HTTPS enforced)
Passwords are hashed using bcrypt with a minimum work factor of 12
OAuth tokens and API keys are encrypted at the database column level
Strict Row-Level Security (RLS) policies enforce multi-tenant data isolation — no tenant can access another's data
API endpoints require valid session tokens; all requests are authenticated and authorised
Production database access is restricted to application-layer connections only

Organisational Safeguards

Access to production systems is limited to engineers with a legitimate business need
All team members complete data handling and security training
Third-party vendors are assessed for security posture before integration
We maintain an incident response plan for security breaches

Breach Notification

In the event of a data breach that affects your account, we will notify you within 72 hours of becoming aware of the breach — consistent with GDPR Article 33 requirements. Notification will be sent to the primary email address on your account.

Despite our best efforts, no system is completely immune to security incidents. We encourage you to use a strong, unique password and enable any available two-factor authentication features on your account.

07Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data and your customers' lead data processed on your behalf. To exercise any of these rights, contact us at Support@detailinLeads.com.

For EU/UK Users (GDPR / UK GDPR)

Right of Access: Request a copy of all personal data we hold about you
Right to Rectification: Correct inaccurate or incomplete personal data
Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
Right to Data Portability: Receive your data in a structured, machine-readable format
Right to Restrict Processing: Limit how we use your data in certain circumstances
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing
Right to Lodge a Complaint: You may lodge a complaint with your national supervisory authority (e.g., ICO in the UK, or your EU member state's DPA)

For California Users (CCPA / CPRA)

Right to know what personal information we collect, use, and share
Right to delete personal information we have collected
Right to correct inaccurate personal information
Right to opt-out of the sale or sharing of personal information (we do not sell data)
Right to limit use of sensitive personal information
Right to non-discrimination for exercising CCPA/CPRA rights

For Indian Users (DPDP Act 2023)

Under India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), if you are a Data Principal (an individual whose personal data is processed), you have the following rights in respect of your personal data held by us:

Right of Access: Obtain a summary of personal data processed and the processing activities undertaken
Right to Correction & Erasure: Request correction, completion, or erasure of personal data that is no longer necessary for the purpose for which it was collected
Right to Grievance Redressal: Raise a grievance with us; we will respond within the timelines specified under applicable law
Right to Nominate: Nominate another individual to exercise rights on your behalf in the event of your death or incapacity

To exercise DPDP rights, contact us at Support@detailinLeads.com. We will acknowledge your request within 48 hours and resolve it within the period prescribed by the DPDP Act and rules notified thereunder. If you are unsatisfied with our response, you may file a complaint with the Data Protection Board of India once it is constituted.

For Other Jurisdictions (Canada · Australia · Others)

Canadian users may have rights under PIPEDA or applicable provincial privacy laws
Australian users may have rights under the Privacy Act 1988 and Australian Privacy Principles
We will make reasonable efforts to honour equivalent rights requests from users in any jurisdiction

To exercise any of these rights, email us at Support@detailinLeads.com. We respond to all verified requests within 30 days (or within the shorter period required by applicable law). We may ask you to verify your identity before processing a request.

08Cookies & Analytics

We use cookies and similar tracking technologies to operate the platform, maintain sessions, and understand how you use our product.

Cookie Type	Purpose	Duration
Session (auth)	Maintains your logged-in state via Supabase auth tokens	Session / 7 days
CSRF state token	Prevents cross-site request forgery during OAuth flows	10 minutes
Preference cookies	Remembers UI settings (sidebar collapsed, dark mode)	1 year
Analytics (1st party)	Aggregated page view and feature usage data	2 years
Analytics (3rd party)	Google Analytics / Plausible for aggregate traffic insights	2 years

Essential Cookies

Session and authentication cookies are strictly necessary for the platform to function. You cannot opt out of these without logging out of the application.

Analytics Cookies

We use aggregate analytics to understand which features are most valuable and where users encounter friction. We prefer privacy-first analytics tools and do not build individual behavioural profiles for advertising purposes. You may opt out of analytics tracking by enabling "Do Not Track" in your browser or contacting us directly.

Third-Party Scripts

We may load scripts from trusted third parties (e.g., Google Analytics) for analytics. These providers operate under their own cookie and privacy policies. We maintain a current Data Processing Agreement (DPA) with each provider.

09Third-Party Providers

We work with carefully selected third-party providers who process data on our behalf under contractual obligations consistent with this Privacy Policy:

Provider	Role	Data Processed
Supabase	Database & auth infrastructure	All platform data (encrypted)
OpenAI / AI APIs	AI message generation	Lead message content (transient)
Meta / Facebook	Lead form & WhatsApp API provider	Lead data, page tokens
Stripe	Payment processing	Billing name, card metadata (no card numbers stored by us)
Vercel / AWS	Hosting & CDN infrastructure	Request logs (IP, timestamps)
Google	OAuth identity & analytics	Name, email (OAuth); aggregate usage (Analytics)

We do not allow any third-party provider to use your data for their own marketing or product development unless you have separately consented to that provider's terms. All providers are required to maintain reasonable security standards and are prohibited from sub-processing your data without our prior approval.

10Data Deletion Requests

You have the right to request deletion of your account and all associated data. We honour these requests promptly and transparently.

How to Request Deletion

In-app: Navigate to Settings → Account → Delete Account. This initiates immediate deactivation.
By email: Send a request to Support@detailinLeads.com with subject line "Account Deletion Request" and your registered email address.

Deletion Timeline

Account deactivated immediately upon request
All lead data purged from active systems within 30 days
All AI logs and processed message content purged within 30 days
Backup systems cleared within 90 days
Billing records retained for 7 years per applicable tax law (not accessible to any platform feature)

For lead data deletion specifically (deleting a specific customer's data from your account without deleting your entire account), use the lead deletion feature within the platform dashboard or contact us at Support@detailinLeads.com and we will process the request within 10 business days.

11International Data Processing

DetailinLeads AI's primary database and authentication infrastructure is hosted by Supabase in the South Asia region (Mumbai, India — AWS ap-south-1). Your account data and customer lead data are stored at rest in India by default.

Certain sub-processors that support the platform operate outside India. Specifically:

AI inference (OpenAI / LLM APIs): Message content sent for AI processing is transmitted to servers in the United States
CDN & hosting (Vercel): The web application is served via a global edge network; request logs may be processed in the US or EU
Payment processing (Stripe): Billing data is processed in the United States
Meta / WhatsApp APIs: Lead and message data passes through Meta's global infrastructure

Legal Basis for EU / UK Transfers

For any transfers of personal data from the EU or UK to countries without an adequacy decision (including the United States), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, entered into with our sub-processors. Our Data Processing Agreement (DPA) is available upon request.

Legal Basis for Processing (GDPR Article 6)

Contract performance — processing necessary to provide the platform service you have subscribed to
Legitimate interests — security logging, fraud prevention, product improvement
Legal obligation — billing record retention required by applicable tax law
Consent — optional analytics tracking and marketing communications

India — DPDP Act 2023

For users and Data Principals located in India, we process personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and any rules or regulations notified thereunder. Where we transfer Indian personal data outside India, we will do so only in compliance with the conditions specified under the DPDP Act and any cross-border data transfer frameworks notified by the Central Government of India. We implement appropriate contractual and technical safeguards for such transfers.

US — CCPA / CPRA

We do not sell or share personal information of California residents as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We do not use sensitive personal information for purposes beyond those permitted under applicable California law.

If you are located in a jurisdiction with specific data localisation requirements not covered above, please contact us at Support@detailinLeads.com to discuss your requirements before subscribing.

12Contact Information

If you have any questions about this Privacy Policy, wish to exercise your data rights, or need to report a security concern, please contact us. All privacy, legal, compliance, and security enquiries are handled through our single support channel:

All enquiries (privacy, legal, security, data rights, support): Support@detailinLeads.com

Please include your registered account email and a brief description of your request. We aim to respond to all privacy-related enquiries within 5 business days and to all data subject access requests within 30 days as required by applicable law.

We reserve the right to update this Privacy Policy at any time. When we make material changes, we will notify you via email or a prominent notice within the platform at least 14 days before the new policy takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.