Privacy Policy

Last updated: May 24, 2026 (expanded SMS opt-in methods to include website contact form and Google Ads Lead Form; clarified Google Ads Lead Form is a text-answer question with affirmative-variant parsing, and described push-notification fallback when a consumer declines SMS)

1. Introduction

LeadHub AI LLC ("LeadHub AI," "we," "our," or "us"), a Florida limited liability company, operates the leadhubai.io website and the LeadHub AI platform, including app.leadhubai.io and dashboard.leadhubai.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

2. Information We Collect

Information You Provide

Account Information: Business name, owner name, email address, phone number, website URL, and industry when you register for our service.
Payment Information: Credit card details are processed securely through Stripe. We do not store full card numbers on our servers.
Service Pricing: Service names, prices, and descriptions you add to your account for AI quoting purposes.
Team Members: Names, email addresses, and roles of team members you invite to your account.

Information Collected Automatically

Lead Data: When potential customers contact your business via SMS, WhatsApp, Facebook Messenger, Instagram DM, your website contact form, or a Google Ads Lead Form attached to your campaigns, we collect their name, phone number, email (if provided), and message content to facilitate lead management.
Conversation Data: Messages exchanged between your leads and our AI system, as well as messages you send manually through our inbox.
Usage Data: Pages visited, features used, and interaction patterns within our platform.
Device Information: Browser type, operating system, and device type for optimizing our web application.

Mobile App Information

When you install and use our iOS or Android mobile apps, we additionally collect:

Push Notification Tokens: Apple Push Notification service (APNs) tokens on iOS and Firebase Cloud Messaging (FCM) tokens on Android. We store these on our servers solely to deliver new-lead alerts and account-related transactional notifications. Android push delivery is routed by Google's FCM service as required by the platform.
Device Diagnostics: Device model, operating system version, and app version, used to diagnose issues and prioritize platform support.
Photos and Videos (Quick Post feature): When you use the Post tab in the LeadHub AI mobile app, the photos or videos you select or capture are uploaded through our backend to Meta's Graph API for publishing to your connected Facebook Page and Instagram account. We do not retain media files long-term; they are transmitted to Meta and removed from our servers within 24 hours of publication.

The mobile apps request notification permission on first launch. When you use the Quick Post feature for the first time, the apps additionally request access to your camera (to capture new photos or videos) and your photo library (to select existing media); these permissions are only required for Quick Post and can be denied or revoked at any time. We do not access your contacts, microphone, or precise location. You may revoke any granted permission at any time via your device Settings → LeadHub AI.

Information from Third Parties

Facebook/Instagram (Meta): When you connect your Facebook Page or Instagram Professional account, we receive your Page name, Page ID, access tokens, and the permissions you grant. We only access the Pages and accounts you explicitly authorize. From your connected Pages and Instagram accounts we receive: Messenger and Instagram Direct messages (including message text and attachments), Page-scoped User IDs (PSIDs), Instagram-scoped User IDs (IGSIDs), public profile information of users who message your Page (name and profile picture), Lead Ad form submissions (when a user submits a Facebook/Instagram Lead Ad linked to your Page), Page metadata (category, business hours, about section), and delivery/read receipts. We receive this data exclusively through Meta's official Graph API and webhook subscriptions, and only for the Pages and accounts you authorize.
Google (Ads, Places API): LeadHub AI uses two Google integrations with different data flows.
- Google Places API (server-side, no per-user authorization): we use a server-side API key to retrieve publicly available business data — name, formatted address, phone number, primary type, business hours, photos, review count, and star rating — for businesses your visitors search for or that you select during a Free Listing signup. This data is sourced from Google's public business index and does not require any user account, OAuth grant, or Google Business Profile connection.
- Google Ads (OAuth, opt-in, customers who run ad campaigns): if you connect your Google Ads account from Lead Generation → Google Ads, we receive — only for accounts you explicitly authorize via the adwords OAuth scope — your accessible Google Ads customer IDs, billing-setup status, the campaigns and ad creative you create through LeadHub AI, audience configuration, and performance metrics (impressions, clicks, conversions, spend). We do not access any Google account data outside the Google Ads API.
LeadHub AI does not currently integrate with the Google Business Profile API and does not request the business.manage OAuth scope.
Twilio: Phone number information and SMS/WhatsApp message metadata for lead communication.
Stripe: Payment-method tokens, subscription status, invoice records (full card numbers are never stored by us).

Meta Permissions We Request

When you connect a Facebook Page, LeadHub AI requests the following Meta Graph API permissions. We only access the data described, and only for the Pages and accounts you explicitly authorize. You can revoke any or all of these at any time via Facebook Settings → Business Integrations, or by clicking Disconnect in Setup → Channels in the LeadHub AI dashboard.

pages_show_list — Lists the Facebook Pages you manage so you can pick which Page to connect to LeadHub AI on the Page selector screen. We do not store the full list; only the ID and name of the Page you select.
pages_manage_metadata — Subscribes your selected Page to webhook events so incoming Messenger conversations on that Page are routed to your LeadHub AI inbox in real time. We use it solely to register and unregister webhook subscriptions for the conversation, message-postback, and message-handover events.
pages_messaging — Reads inbound Messenger conversations on your connected Page so they appear in your unified inbox, and sends replies on your behalf — both AI-drafted and human-typed — back through Messenger. We process message text, attachments, sender Page-Scoped IDs, and delivery/read receipts only for the Pages you connect.
pages_manage_posts — Publishes AI-generated marketing content (images and captions) to your connected Page when you click "Publish" in the Lead Generation tab. We never post without an explicit user action and never modify or delete posts you create outside of LeadHub AI.
pages_read_engagement — Reads engagement metadata (post reach, reactions, comment counts) from your connected Page so we can surface analytics inside your dashboard. We do not aggregate this data across customers and do not use it for advertising.
pages_manage_engagement — Replies to comments left on your Page's posts, on your behalf — both AI-drafted auto-replies (when enabled) and human-typed replies. We never delete user content; only reply to it.
pages_read_user_content — Reads the text of comments and reactions left by other users on your Page, so the AI can draft contextual replies and so we can route public conversations into your inbox alongside private DMs.
business_management — Allows the connection flow to discover Pages owned by your Facebook Business Manager (rather than Pages you administer directly). We do not access any other business assets — only the Pages list and only during the connect flow. We do not modify business settings.

If we later add features that require additional Meta permissions (such as Instagram messaging, Instagram content publishing, or Lead Ad form retrieval), we will request them through Meta's standard OAuth consent flow and update this policy before requesting them.

Google Permissions We Request

LeadHub AI requests only one Google OAuth scope, and only when you choose to connect your own Google Ads account from Lead Generation → Google Ads. You can revoke this access at any time via Google Account → Security → Third-party apps with account access, or by clicking Disconnect in your LeadHub dashboard.

https://www.googleapis.com/auth/adwords — Reads and manages your Google Ads campaigns for the accounts you authorize. We use this scope solely to: (1) list the Google Ads customer accounts accessible to your Google login and check billing-setup status during pre-flight; (2) create, modify, pause, resume, and report on advertising campaigns that you initiate from within LeadHub AI; (3) read campaign performance metrics (impressions, clicks, conversions, spend) to surface in your LeadHub dashboard. We do not retrieve, store, or use Google Ads data for any purpose beyond delivering the features described in this section. We do not share Google Ads data with any third party, do not combine it with data from other Google services, and do not use it for advertising outside of the campaigns you yourself create.

LeadHub AI additionally uses the Google Places API with a server-side API key (not via per-user OAuth, and not requiring any Google account login) to display publicly available business information — including business name, formatted address, phone number, business hours, primary type, photos, review count, and star rating — on your customer-facing LeadHub directory page and in the Free Listing signup search. The Places API operates exclusively on Google's public business index; it does not require any per-user authorization or grant of access to any Google account.

Note on Google Business Profile. LeadHub AI no longer integrates with the Google Business Profile API. A connection flow that requested the business.manage scope was present in an earlier version of the Service; it has been removed in favor of the read-only Places API integration described above. If you previously connected your Google Business Profile to LeadHub AI, your access tokens have been revoked.

If we later add features that require additional Google permissions (such as Google Calendar integration), we will request them through Google's standard OAuth consent flow and update this policy before requesting them.

3. SMS and Messaging Consent

Program Description

LeadHub AI operates a Customer Care SMS program that sends conversational, appointment, and service-related text messages on behalf of our small and medium business clients. All messages are in response to consumer-initiated inquiries.

How You Opt In

You consent to receive automated SMS and WhatsApp messages from LeadHub AI (on behalf of the business you contacted) through any of the following explicit opt-in methods:

Text-initiated: You send an inbound text to the business's LeadHub AI-managed phone number, which you obtained from the business's Google Maps or Google Search listing, the LeadHub directory page, advertising, signage, business card, vehicle decal, or direct referral. The inbound text itself is your express consent to receive an SMS response to your inquiry. Note: our website chat widget is a chat-only channel and does not collect SMS consent or trigger SMS messages.
Website contact form: You submit a contact or service-request form on the business's website that includes a separate, non-pre-checked SMS consent checkbox located directly adjacent to the phone-number field. The checkbox carries full disclosure of the business's identity, message frequency, opt-out instructions ("Reply STOP to cancel"), the statement that consent is not a condition of purchase, and links to these SMS Terms and this Privacy Policy.
Google Ads Lead Form: You complete a Google Ads Lead Form attached to a business's search or display advertising campaign. The form includes a required text-answer question asking your permission to receive text messages. The question reads: "Can we text you about your service request? Reply YES to get a text reply, or NO to be called/emailed instead." Only consumers whose answer begins with "yes" (or affirmative variants such as "y", "yeah", "yep", or "sure") enter the SMS automation; all other answers — including "no", a blank answer, or any ambiguous response — are treated as a decline. When a consumer declines SMS contact, the business is alerted by push notification with the consumer's name, phone number, and inquiry summary so they can follow up by phone or email instead. The form disclaimer presents the full TCPA-compliant consent language identifying the business, message frequency, opt-out instructions, the statement that consent is not a condition of purchase, and a link to these SMS Terms.
Facebook or Instagram Lead Ad: You submit a Meta Lead Ad form containing a clearly labeled, non-pre-checked SMS consent checkbox with the same required disclosures.
Verbal opt-in: You verbally request SMS follow-up during a phone conversation with the business, who logs your phone number, the date and time, and the exact consent phrasing presented to you.

Messages you may receive include:

Responses to your inquiry
Service quotes and pricing information
Appointment confirmations and reminders
Follow-up messages related to your inquiry
Rescheduling and cancellation confirmations

Consent is not a condition of purchase. Message frequency varies based on your interaction (typically 1–10 messages per inquiry).

How You Opt Out

You can opt out of SMS messages at any time by replying STOP (or UNSUBSCRIBE, CANCEL, END, or QUIT) to any message. After opting out, you will receive one final confirmation message and no further texts will be sent. Opt-out is processed immediately, permanently, and per phone number. You may also opt out by emailing support@leadhubai.io.

How to Get Help

Reply HELP to any message for assistance, or contact support@leadhubai.io.

Message and Data Rates

Message and data rates may apply depending on your mobile carrier and plan. LeadHub AI is not responsible for carrier charges.

Supported Carriers

Our SMS services are supported by all major US carriers including AT&T, T-Mobile, Verizon, and others. Carrier support may change without notice.

No Sharing of Mobile Information

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All other categories exclude text-messaging originator opt-in data and consent; this information will not be shared with any third parties. We do not sell, rent, or share your phone number, SMS opt-in data, or mobile consent information with any third parties or affiliates for marketing or promotional purposes. Mobile information collected in connection with our SMS program is used only to provide the messaging service you requested and is not disclosed to any third party for their own marketing use.

Consent Records

We log all SMS opt-ins with a timestamp, source (text-initiated, website contact form, Google Ads Lead Form, Facebook/Instagram Lead Ad, or verbal), the exact consent phrasing presented to you, and the form or page version on which consent was captured. These records are retained for at least four (4) years in accordance with TCPA record-keeping best practice and carrier registration requirements.

4. How We Use Your Information

Use AI to qualify incoming leads and generate suggested replies on behalf of the business that received the inquiry. AI-generated replies are sent in the connected business's name and remain reviewable and overridable by the business owner at any time. Outbound AI content is constrained by safety prompts to prevent abusive or off-brand output.
Send automated follow-up messages to your leads on your behalf
Generate AI-powered advertising content and social media posts
Publish content to your connected Facebook Page and Instagram account
Process payments and manage your subscription
Send transactional emails (onboarding, password resets, team invitations)
Provide analytics and insights about your lead performance
Protect against spam, bots, and fraudulent lead activity
Improve our AI models and platform features

5. How We Share Your Information

We do not sell your personal information. We share data only with:

Service Providers: Cloud hosting (Supabase, AWS us-east region), payment processing (Stripe), email delivery (Resend), SMS/messaging (Twilio), AI inference providers (Anthropic, OpenAI), mobile push notification delivery (Apple Push Notification service for iOS, Google Firebase Cloud Messaging for Android — limited to push tokens and notification payloads). Each provider is contractually bound to process data only on our instructions, in compliance with applicable privacy law, and (for AI providers) is prohibited from training models on customer API data per their published API data policies.
Meta (Facebook/Instagram): To publish content and manage messaging on your connected Pages and accounts, as authorized by you. We do not share Meta-sourced data with any party other than the customer who owns the connected Page.
Legal Requirements: When required by law, subpoena, or legal process.

Meta Platform Terms compliance: Data we obtain from Meta Platforms (Facebook, Instagram, Messenger, Graph API, and webhooks) is handled strictly in accordance with Meta's Platform Terms and Developer Policies. We do not sell, license, or transfer Meta-sourced data to any third party, do not use it for advertising outside of the connected Page owner's own campaigns, and do not combine it with data from any other source for the purpose of identifying individuals beyond what is required to deliver the services you connected.

AI use disclosure: LeadHub AI uses generative AI services to draft replies to your leads and to generate marketing content from prompts you provide. AI-generated content is labeled in our user interface, and you review and approve it before it is sent or published. We do not use Meta-sourced data to train AI models — our AI providers process data through their inference APIs only, and per their published API data policies, customer API data is not used for model training.

6. Data Security

We implement industry-standard security measures including:

Encryption of data in transit (TLS/SSL) and at rest
Secure authentication with password hashing
Role-based access controls for team members
Regular security monitoring and updates
PCI-compliant payment processing through Stripe

7. Data Retention

Active accounts: We retain your data for as long as your account is active.
Canceled accounts: We retain data for 90 days after cancellation to allow for account recovery, then permanently delete it.
Lead data: Retained for the duration of your subscription. You can delete individual leads directly from the inbox app at any time.
Conversation history: Retained for the duration of your subscription. You may request scrubbing of specific messages by emailing privacy@leadhubai.io.
Meta-sourced data (PSIDs, IGSIDs, Messenger/Instagram messages, Lead Ad submissions): Deleted within 30 days if you disconnect your Page, revoke access via Facebook Settings → Apps and Websites, or submit a deletion request. See our Data Deletion page for details.
SMS consent records: Retained for at least four (4) years per TCPA best practice, even after account cancellation, to evidence the lawful basis of prior outreach.
Billing and tax records: Retained for up to seven (7) years as required by financial-reporting regulations.

8. Your Privacy Rights

Rights Available to All Users

Regardless of where you live, you have the right to:

Access your personal data stored in our system
Correct inaccurate information in your account settings
Delete your account and associated data (see our Data Deletion page)
Export your lead data
Opt out of non-essential communications
Disconnect your Facebook/Instagram accounts at any time via Company → Channels in the dashboard, which revokes our access tokens immediately

Categories of Personal Information We Collect

For purposes of the California Consumer Privacy Act/Privacy Rights Act (CCPA/CPRA) and similar comprehensive state privacy laws, the table below summarizes the categories of personal information we have collected in the preceding twelve (12) months, the sources, the business or commercial purposes for which we process each category, and the categories of third parties with whom we disclose it. We have not "sold" or "shared" personal information (as those terms are defined under the CCPA/CPRA) in the preceding twelve (12) months, and we do not do so today.

Category (CCPA §1798.140(v))	Examples	Source	Purpose	Disclosed To
Identifiers	Name, email, phone, business name, IP address, account ID	You; integrations you authorize	Account creation, billing, lead routing, security	Stripe, Twilio, Resend, hosting/infra providers
Commercial information	Subscription plan, billing history, service-pricing entries	You; Stripe	Billing, plan administration, support	Stripe
Internet / network activity	Login timestamps, pages viewed, feature use, error logs	Automatic	Service operation, security, abuse detection	Hosting/infra providers
Geolocation (approximate)	City/state inferred from IP for time-zone defaults	Automatic	UX defaults, fraud detection	Hosting/infra providers
Audio, electronic, visual, or similar information	Inbound SMS/DM message content; photos/videos you upload for posts	You; consumers who message your connected Pages or your LeadHub-managed phone number	Lead routing, AI-drafted reply suggestions, publishing to Meta on your behalf	Meta (per your authorization), AI providers (Anthropic, OpenAI) via inference API only
Professional or employment information	Industry, role, team-member names and roles	You	Service personalization, role-based access controls	None
Inferences	Lead-quality scores and qualification status derived from message content	Derived	Help you prioritize your inbox	None

Sensitive Personal Information

We do not collect "sensitive personal information" (as defined under the CCPA/CPRA §1798.140(ae)) for purposes of inferring characteristics about you. Account passwords are processed only to authenticate you, are hashed at rest, and are never used for any other purpose. We do not collect precise geolocation, government identifiers, racial or ethnic origin, religious beliefs, union membership, biometric data, health data, or sexual orientation. Where you or a consumer happens to disclose sensitive information in the content of a message routed through the Service (e.g., a health detail mentioned in an SMS conversation with your business), that content is processed solely to deliver the Service and is not used for inference, profiling, or any secondary purpose. To the extent any of the foregoing constitutes a use or disclosure of sensitive personal information, you have the right to limit such use to the purposes permitted under CCPA/CPRA §1798.121; our use is already so limited.

Your State Privacy Rights

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another U.S. state that has enacted a comprehensive consumer privacy law, you have the following rights, subject to verifiable identification and to legal exceptions (e.g., records we must retain for tax, fraud-prevention, or TCPA-compliance reasons):

Right to know / access — the categories and specific pieces of personal information we have collected about you, the sources, the purposes for which we process it, and the categories of third parties with whom we share it.
Right to delete your personal information.
Right to correct inaccurate personal information we maintain about you.
Right to data portability — receive a copy of your personal information in a portable, machine-readable format.
Right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information.
Right to opt out of targeted advertising. We do not engage in targeted advertising of LeadHub AI users.
Right to opt out of profiling in furtherance of decisions producing legal or similarly significant effects. We do not use automated decision-making for legally significant decisions about consumers.
Right to limit use of sensitive personal information beyond the purposes permitted under CCPA/CPRA §1798.121.
Right to non-discrimination — we will not deny services, charge different prices, or provide a different level of service quality because you exercised any of these rights.

To exercise any of these rights, email privacy@leadhubai.io with the subject line "Privacy Rights Request" and include the state of your residence and enough information for us to verify your identity. We will respond within forty-five (45) days, with one possible 45-day extension where reasonably necessary and notified to you in writing.

Right to Appeal. If we decline to act on your rights request in whole or in part, you may appeal that decision by replying to our response email within sixty (60) days, including the words "Privacy Rights Appeal" in your reply. Your appeal will be reviewed by a different individual than the one who handled the original request. We will respond to your appeal in writing within forty-five (45) days. If your appeal is denied and you are a resident of Colorado, Connecticut, Virginia, or another state that provides external escalation, you may also contact your state Attorney General's office.

Global Privacy Control (GPC) and Do Not Track

Where required by law, LeadHub AI honors the Global Privacy Control (GPC) signal sent by your browser as a valid opt-out preference signal under the CCPA/CPRA and similar state laws. Because we do not sell or share personal information for cross-context behavioral advertising and do not engage in targeted advertising, the GPC signal has no incremental effect on how we process your personal information; we treat it as a confirmation of these preferences for the device and browser from which it is sent. Our platform does not respond to the older "Do Not Track" header, which has no agreed-upon technical standard or legal effect.

GDPR (EU/EEA, United Kingdom, Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you additionally have the right to data portability, restriction of processing, objection to processing, withdrawal of any previously given consent, and to lodge a complaint with your local data-protection authority. To exercise any of these, email privacy@leadhubai.io.

Facebook/Instagram Conversation Participants

If your data was collected because you messaged a business that uses LeadHub AI, you can request deletion of your PSID/IGSID and associated conversation history by emailing privacy@leadhubai.io with the business name and the approximate date of your conversation. We will delete within 30 days.

9. Cookies and Tracking

Our platform uses minimal cookies for session management and authentication. We do not use third-party advertising trackers. Analytics are collected anonymously to improve our service.

Apple App Tracking Transparency: Our iOS app does not engage in "tracking" as defined by Apple's App Tracking Transparency framework. We do not link user or device data to data from other companies' apps or websites for advertising or measurement, and we do not share device identifiers with data brokers. The app therefore does not present an App Tracking Transparency prompt.

10. Children's Privacy

Our services are designed for use by businesses and adult professionals. We do not knowingly collect personal information from children under 13 years of age (or under 16 in the EU/EEA in jurisdictions where local law sets a higher age of digital consent). If we learn that we have collected such information without verifiable parental consent, we will delete it promptly. If you believe we may hold information about a child, contact privacy@leadhubai.io.

11. International Data Transfers

LeadHub AI LLC is based in the United States, and our service providers (including Supabase, Stripe, Twilio, Resend, Anthropic, OpenAI, Apple, and Google) primarily process data in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country of residence.

EU/EEA, United Kingdom, and Switzerland: When we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision from the European Commission, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable, as the legal mechanism for such transfers. You may request a copy of the relevant clauses by emailing privacy@leadhubai.io.

By using the Service, you consent to the transfer of your information to the United States and to the processing of your information by our service providers as described in this Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through our platform. Your continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, or if you would like to exercise any of the privacy rights described above, please contact us:

LeadHub AI LLC
A Florida limited liability company
Privacy inquiries: privacy@leadhubai.io
Legal notices: legal@leadhubai.io
Support: support@leadhubai.io
Website: leadhubai.io

For postal correspondence, email legal@leadhubai.io and we will provide our current mailing address. Our registered agent and principal place of business are on file with the Florida Department of State and may also be searched at sunbiz.org.