SpeedToLeadAI

Real Estate Agency Platform


Privacy Policy

Last Updated: June 6, 2026. This policy explains how we collect, isolate, and secure buyer phone numbers, WhatsApp/SMS chat logs, and workspace data for your agency in accordance with national and international government regulations.

Government Data Privacy Standard Compliance

SpeedToLead AI operates on strict data isolation frameworks. Our platform is engineered to satisfy the mandates of GDPR (EU), CCPA (California), TRAI UCC directives (India), and Federal Communications Commission (FCC) privacy guidelines.

1. SMS/WhatsApp Lead Handling & Consent Policies

When you connect SpeedToLead AI with lead generation integrations (such as Facebook Ads, Zillow, or Realtor.com), we ingest incoming buyer names, phone numbers, and property preferences to initiate automated follow-ups:

  • Zero Spying Policy: We only monitor and process communications generated through Twilio numbers or Meta WhatsApp Business API channels explicitly connected by you. We never access your personal private communication streams.
  • Data Sharing & Sub-processors: Lead data is routed through secure telecommunication pipelines (Twilio and Meta) and parsed utilizing encrypted Google Gemini API endpoints. Lead data is strictly prohibited from being sold, rented, or distributed to advertising networks or external data brokers.
  • Prior Opt-In Logs: In adherence to US FCC and India TRAI regulations, subscribers are required to store prior express consent logs showing that leads opted in to receive automated messaging.

2. Strict Row-Level Tenant Data Isolation

To guarantee complete corporate privacy and protect your proprietary client lists:

  • Logical Partitioning: All lead profiles, conversation histories, qualification markers, and prompt configurations are tagged with a unique companyId.
  • Access Control: Query execution routines automatically enforce strict tenant boundaries. It is architecturally impossible for a competitor agency or an unauthorized user to retrieve, view, or intercept your contact lists.

3. Data Security, Hashing & Storage

We employ enterprise-grade security structures to guard your credentials and lead records:

  • Salted Password Hashing: All agency login credentials are salted and hashed using bcryptjs with a strong salt-rounds (cost) factor before database writes occur. Plaintext passwords are never stored.
  • Secure Database Hosting: The SQLite database is hosted on secure virtual volumes with volume-level encryption active. Message text logs, qualifying budgets, and timelines are fully encrypted at rest.
  • Backups: Encrypted snapshots of the database are created at regular intervals and stored on isolated cloud backup servers with restricted administrative access.

4. GDPR & CCPA Compliance Rights

SpeedToLead AI equips users with tools to satisfy regional and global consumer rights:

  • Right to Erasure ("Right to be Forgotten"): Under GDPR and CCPA, your leads have the right to request deletion of their personal logs. You can permanently wipe a lead's record and entire conversation thread from our database via the dashboard's Lead Details panel.
  • Right to Portability: Agencies can export lead tables and qualification markers as standard CSV/JSON payloads to sync with external CRMs or for customer auditing requests.
  • Opt-Out Compliance: When a lead sends an opt-out keyword (like STOP), the system automatically updates the database to prevent further outbound AI messages.

5. Session Security & Cookie Policies

We eliminate XSS (Cross-Site Scripting) and session hijacking vulnerabilities by securing credentials:

  • HttpOnly JWT Storage: JSON Web Tokens (JWT) used to verify user sessions are stored strictly inside HttpOnly cookies. This prevents any client-side JavaScript or browser extensions from reading or stealing your session token.
  • Secure & SameSite Flags: Session cookies are transmitted exclusively over encrypted HTTPS connections (using the Secure flag) and are configured with SameSite=Strict to prevent Cross-Site Request Forgery (CSRF) attempts.

6. Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy to reflect updates in global telecom laws. If substantial structural modifications are made to how customer messages are retained, we will notify subscribers via the email address linked to their agency workspace.