Privacy Policy
We believe privacy is a right, not a feature. Here's exactly how we handle your data — no jargon, no surprises.
Last updated: March 29, 2026
1Overview
DeadLeadCo ("we", "our", or "us") operates a SaaS platform that uses AI to identify and re-engage stale CRM leads. This Privacy Policy explains what information we collect, what we access from your connected accounts, how we use it, and the rights you have — including rights under the EU General Data Protection Regulation (GDPR).
By creating an account and using our service you agree to this policy. If you do not agree, please do not use the service.
2What We Access From Your Accounts
We only request the minimum permissions needed to deliver the service. Here is exactly what we access when you connect each integration — and what we do not access.
| What we read | Why |
|---|
| Contact name, email, job title | To personalise outreach emails |
| Company name and industry | To research news triggers (funding, hires) |
| Last activity date | To determine whether a lead is stale (90+ days inactive) |
| Lead score | To prioritise which leads are worth reviving |
| Deal stage | To avoid contacting leads already in active deals |
We do not write to, modify, or delete any records in your HubSpot account.
| What we access | Why |
|---|
| Send emails on your behalf | To deliver AI-drafted revival emails from your inbox after your approval |
| Your email address | To identify which account is sending |
We do not read your inbox, access received emails, access contacts, or store email content after sending.
Every email is shown to you for approval before it is sent — we never send autonomously.
You can disconnect any integration at any time from the Integrations page. This immediately revokes our access and deletes all stored OAuth tokens for that service.
4How We Use Your Information
Service delivery: To scan your CRM leads, generate AI-personalised revival email drafts, and send approved emails through your Gmail account.
AI processing: Lead data (name, company, job title) is sent to Anthropic's Claude API to generate personalised email content. This is the core function of the service.
Web research: Company names are sent to Tavily (a web-search API) to find recent news triggers such as funding rounds or leadership changes.
Authentication: To verify your identity and keep your account secure.
Billing: To process subscription payments through Stripe.
Product improvement: Aggregated, anonymised usage signals help us improve the product. We do not build individual profiles for advertising.
Support: To respond to questions, bug reports, and feature requests.
Legal compliance: To comply with applicable laws including GDPR and CAN-SPAM.
5Data Sharing & Sub-processors
We do not sell, rent, or trade your personal data. We share data only with the sub-processors listed below, which are strictly necessary to operate the service. Each is bound by data processing agreements.
| Sub-processor | Purpose | Data sent |
|---|
| Supabase | Database & authentication | Account data, encrypted OAuth tokens |
| Anthropic (Claude AI) | AI email generation | Contact name, company, job title |
| Tavily | Company news research | Company name only |
| Stripe | Payment processing | Email address, billing info |
| Google (Gmail API) | Sending emails on your behalf | Composed email content after your approval |
| HubSpot API | Reading CRM contacts | OAuth token (read-only) |
We may disclose data if required by law, court order, or to protect the rights, property, or safety of DeadLeadCo, our users, or others.
6Data Retention
We retain your account data for as long as your account is active. CRM contact data is fetched fresh from your CRM each time you run a revival — we do not maintain a separate persistent copy of your contacts.
Email queue drafts are stored until you approve, skip, or delete them. Sent email records are retained for up to 12 months so you can track revival history.
You may request full deletion of your account and all associated data at any time by emailing hello@deadleadco.com. We process deletion requests within 30 days.
7Security
We implement industry-standard safeguards: TLS encryption in transit, AES-256 encryption at rest, and role-based access controls. Passwords are hashed using bcrypt. OAuth tokens are encrypted before storage.
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to continuous improvement and prompt disclosure of any breaches.
8GDPR & Your Rights (EU / EEA)
If you are in the European Union or European Economic Area, you have the following rights under GDPR. Our lawful basis for processing your data is performance of a contract (delivering the service) and legitimate interests (improving the product and preventing fraud).
Right of access (Art. 15): Request a copy of all personal data we hold about you.
Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
Right to erasure (Art. 17): "Right to be forgotten" — request deletion of your personal data.
Right to restriction (Art. 18): Ask us to stop processing your data in certain circumstances.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON or CSV).
Right to object (Art. 21): Object to processing of your data for direct marketing.
Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting prior processing.
To exercise any right, email hello@deadleadco.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Data transfers outside the EU/EEA: our sub-processors (Supabase, Anthropic, Stripe) are based in the US and operate under Standard Contractual Clauses (SCCs) or are covered by equivalent safeguards.
9Cookies
We use strictly necessary session cookies to keep you logged in. We do not use advertising trackers, third-party analytics cookies, or cross-site tracking.
You can disable cookies in your browser settings, but this will prevent you from staying logged in to the app.
10Children's Privacy
Our service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently done so, please contact us immediately.
11Changes to This Policy
We may update this policy periodically. When we do, we will revise the "Last updated" date at the top and, for material changes, notify you by email or an in-app notice at least 14 days in advance. Continued use after the effective date constitutes acceptance.