Privacy Policy

This Privacy Policy applies to:

• •Users of the Leadnest.ai platform, including free and paid accounts.
• •End users who interact with notifications, campaigns, or messages sent via Leadnest.ai.
• •Visitors to our websites, subdomains, and mobile applications.
• •Healthcare clients and their patients (when Leadnest.ai acts as a HIPAA Business Associate).

This policy does not apply to third-party websites or services not controlled by Leadnest.ai.

We collect the following categories of information:

Account & Identity Data

• •Name, email, phone number, company, job role.
• •Authentication credentials (hashed passwords, API tokens).

Customer & Lead Data

• •Contacts uploaded by customers (names, emails, phone numbers).
• •Campaign metadata (delivery status, open/click rates, engagement history).
• •Preferences and opt-in/opt-out status.

Technical & Device Data

• •IP addresses, device identifiers, browser types, operating systems.
• •Log data (usage timestamps, session activity, crash reports).

Payment & Billing Data

• •Payment method details (processed via secure PCI-DSS compliant providers).
• •Billing address and transaction history.

Special Category Data (GDPR & HIPAA Context)

• •For healthcare clients: Protected Health Information (PHI).
• •Any sensitive personal data (e.g., health, biometric, or financial information) processed strictly under explicit consent or contractual necessity.

We process your data to:

• •Provide platform functionality (sending messages, managing leads, reporting analytics).
• •Personalize user experience (recommendations, tailored notifications).
• •Ensure platform security (fraud prevention, abuse detection, anomaly monitoring).
• •Fulfill legal obligations (tax laws, audit trails, compliance reporting).
• •Conduct research and development for improving our AI models and services.
• •Support healthcare organizations with HIPAA-compliant data processing.

We do not engage in profiling that produces legal or significant effects without your explicit consent.

We process data under the following bases:

• •
  Consent (DPDPA & GDPR):freely given, informed, and revocable at any time.
• •
  Contractual Necessity:to fulfill service agreements.
• •
  Legitimate Interest:product improvement, fraud prevention, and business intelligence (balanced against user rights).
• •
  Legal Obligation:compliance with tax, data protection, and regulatory requirements.
• •
  HIPAA:as a Business Associate, processing PHI only under signed Business Associate Agreements (BAAs).

We may share your data with:

• •
  Infrastructure Providers(cloud hosting, content delivery networks).
• •
  Communication Partners(email, SMS, push delivery providers).
• •
  Analytics & Monitoring Tools(for diagnostics and performance).
• •
  Payment Processors(PCI-DSS certified).
• •
  Regulatory Authorities(when legally mandated).
• •
  Corporate Transactions(mergers, acquisitions, asset sales).

A current list of subprocessors is maintained and made available upon request.

• •
  GDPR:safeguarded by Standard Contractual Clauses (SCCs) and supplementary measures.
• •
  DPDPA:cross-border transfers limited to approved jurisdictions.
• •
  HIPAA:PHI remains in HIPAA-compliant U.S. environments only.

• •
  Account Data:retained for the lifetime of your account + 90 days, unless deletion is requested.
• •
  Lead & Campaign Data:retained based on customer settings, and deleted promptly after contract termination.
• •
  Healthcare Data (PHI):retained for 6 years (per HIPAA).
• •
  Log Data:retained for up to 12 months for security auditing.

We apply industry-leading safeguards:

• •Encryption: TLS 1.3 in transit, AES-256 at rest.
• •Access Controls: RBAC (Role-Based Access Control), MFA (Multi-Factor Authentication).
• •Monitoring: 24/7 anomaly detection, intrusion prevention.
• •Certifications: [Insert if ISO 27001, SOC 2, HIPAA audits are obtained].
• •Incident Response: documented breach notification procedures in line with GDPR (72 hours) and HIPAA (60 days).

Under GDPR & DPDPA:

• •Right to Access
• •Right to Rectification
• •Right to Erasure (“Right to be Forgotten”)
• •Right to Restrict Processing
• •Right to Data Portability
• •Right to Object
• •Right to Withdraw Consent

Under HIPAA (for PHI):

• •Right to Access and Amend Records
• •Right to Accounting of Disclosures
• •Right to Request Restrictions
• •Right to Confidential Communications

We respond to verified rights requests within 30 days (extendable to 60 days for complex requests).

We do not knowingly process data of children under 18 years (DPDPA) or 16 years (GDPR). For healthcare settings, parental or guardian consent is required before handling any minor’s PHI.

We use cookies, SDKs, and pixels for:

• •Performance monitoring.
• •User session management.
• •Fraud detection.
• •Personalized experience.

You can manage cookies through browser settings or in-app preferences.

In the event of a data breach:

• •
  GDPR:affected users and authorities will be notified within 72 hours.
• •
  HIPAA:affected entities and HHS will be notified within 60 days.
• •
  DPDPA:users will be informed promptly in accordance with guidance from the Data Protection Board of India.

We may revise this Privacy Policy periodically. Material changes will be communicated via email, platform notifications, or website updates.

You may escalate concerns to:

• •India: Data Protection Board of India
• •EU: Your national Data Protection Authority
• •U.S: Department of Health & Human Services, OCR