Privacy Policy

Last updated: April 18, 2026

1. Who We Are

ok200leads is a product of Business Design (Puerto Rico). We operate the platform at ok200leads.com. This policy explains what data we collect, why, and what rights you have.

2. Data We Collect

About you (the user)

  • Email, full name, workspace/org name (when you sign up).
  • Password (hashed via Supabase Auth — we never see it in plaintext).
  • OAuth profile info when you sign in with Google (name, email, profile picture).
  • Billing info via Stripe (we never store full card numbers — Stripe does).
  • IP addresses, user agent, timestamps for security + abuse prevention.
  • Product usage analytics via PostHog: pages visited, buttons clicked, sessions.

About your leads

  • Whatever you add to your CRM: names, emails, phones, company, tags, notes, etc.
  • Messages you exchange with leads through our Conversations feature.
  • Form submissions captured via your embeddable forms on third-party websites.

About Lead Store inventory

  • Business names, phones, websites, locations collected from public sources (Google Places, business directories, public websites).

3. Why We Collect It

  • To provide the Service (CRM, outreach, analytics).
  • To bill you for paid plans via Stripe.
  • To send transactional notifications (email, Telegram).
  • To improve the product (PostHog analytics, session recordings).
  • To prevent abuse (rate limiting, fraud detection).
  • To comply with legal obligations.

4. How We Share Data

We share data only with:

  • Supabase — our database & auth provider (US-hosted).
  • Vercel — our hosting provider (US edge network).
  • Stripe — payment processing.
  • Resend — transactional & outreach email delivery.
  • Anthropic & Ollama — AI providers for lead scoring and email generation. Lead text is sent to these services only when you trigger AI features.
  • Meta (WhatsApp Cloud API) — for WhatsApp messaging features.
  • Telegram — for our own operator notifications (bot messages to the account owner).
  • PostHog — product analytics & session replays.

We do not sell your data to third parties for advertising.

5. Your Rights

You can:

  • Access, edit, or delete your account data from Settings.
  • Export your CRM leads as CSV at any time.
  • Cancel your subscription from Settings.
  • Request deletion of your account by emailing contact@ok200leads.com. We'll process the request within 30 days.

GDPR/CCPA: residents of the EU, UK, or California have additional rights (access, portability, rectification, erasure, objection). Email us to exercise them.

6. Lead Removal Requests

If you're a business that appears in our Lead Store and want to be removed, email contact@ok200leads.com with proof of representation. We'll remove your listing within 30 days and block future re-inclusion.

7. Data Retention

  • Account data: kept while your account is active.
  • After account deletion: 30 days, then permanently deleted.
  • Stripe billing records: 7 years (tax/accounting requirement).
  • Audit logs: 12 months.

8. Security

  • All data encrypted in transit (HTTPS/TLS) and at rest (Supabase/Vercel/Stripe).
  • Multi-tenant isolation via Postgres Row-Level Security policies.
  • Rate limiting and API key authentication on all service-to-service endpoints.
  • We follow industry-standard password hashing and session management.

9. Cookies & Tracking

We use cookies for authentication (session cookies via Supabase Auth) and product analytics (PostHog). We do not use third-party advertising trackers.

10. Children

ok200leads is not for users under 18. We do not knowingly collect data from minors.

11. Changes to This Policy

We may update this policy. Material changes will be emailed to active accounts at least 30 days before taking effect.

12. Contact

Questions about privacy? Email contact@ok200leads.com.