Privacy Policy

Effective date: April 12, 2026

This Privacy Policy describes how Lucas Zainer, an individual sole proprietor doing business as “InsertLead” (“InsertLead,” “we,” “us,” or “our”), collects, uses, and discloses information in connection with the InsertLead software-as-a-service platform available at insertlead.com and related subdomains (the “Service”). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

The Service is offered only to users located in the United States. We do not knowingly collect personal information from individuals outside the United States. If you are accessing the Service from outside the United States, please do not provide personal information to us.

1. Information We Collect

1.1 Information You Provide Directly

Account information. When you request access or create an account, we collect your full name, email address, telephone number, and a short description of your business. Your password is stored only as a salted bcrypt hash; we never store or have access to your plaintext password.
Third-party credentials. To operate the Service you supply your own Twilio Account SID, Twilio Auth Token, Twilio phone number, and (optionally) an API key for an artificial intelligence provider such as Anthropic or OpenAI. These credentials are encrypted at rest using symmetric authenticated encryption (Fernet / AES-128-CBC with HMAC-SHA256) before being written to our database.
Subscriber and lead data. You may upload contact records (names, addresses, telephone numbers, property data, and related notes) through CSV import or through individual data entry. This data is stored in a per-user database scope and is referred to in this Policy as “Customer Data.”
Messaging content. Outbound SMS messages you send through the Service, and inbound SMS replies the Service receives on your behalf, are logged and associated with your account so that you can view and manage conversation history.

1.2 Information Collected Automatically

Session cookies. We use a single session cookie (set by the Flask-Login library) to keep you signed in. We do not use advertising, analytics, or tracking cookies.
Server logs. Our hosting provider records standard HTTP access logs, including IP address, timestamp, request path, and user agent, for security and debugging purposes.

2. How We Use Information

We use the information described above to:

Provide, maintain, and improve the Service;
Authenticate you and secure your account (including by decrypting your Twilio and AI credentials, in memory only, at the time of each outbound request you initiate);
Transmit SMS messages on your instructions, by relaying them to Twilio using the credentials you have supplied;
Generate message drafts by relaying prompts to your chosen artificial intelligence provider using the API key you have supplied;
Respond to your requests for support and to communicate with you about the Service;
Detect, investigate, and prevent fraud, abuse, and security incidents;
Comply with applicable law and enforce our Terms of Service.

3. Disclosure of Information

We do not sell your personal information or Customer Data, and we do not share it with third parties for their own marketing purposes. We disclose information only in the following limited circumstances:

Subprocessors. We rely on a small number of third-party service providers to operate the Service, including Railway (application hosting and managed PostgreSQL database) and Cloudflare (DNS). These providers may process information on our behalf under their own terms and privacy policies.
Your designated providers. When you send an SMS message or request an AI-generated draft, the Service transmits the necessary content to Twilio or your chosen AI provider using your credentials. Your relationship with those providers, and the data you send to them, is governed by their respective terms and privacy policies, not ours.
Legal process. We may disclose information if we believe in good faith that disclosure is required by law, subpoena, court order, or other valid legal process, or is necessary to protect the rights, property, or safety of InsertLead, our users, or the public.
Business transfers. If InsertLead is involved in a merger, acquisition, or sale of all or a portion of its assets, information may be transferred as part of that transaction, subject to a successor's agreement to honor the commitments made in this Policy.

4. Customer Data and Multi-Tenant Isolation

Customer Data you upload or generate through the Service is scoped to your account at the database-query level. We do not make Customer Data available to other users of the Service. Authorized personnel of InsertLead (at present, the sole proprietor) may access Customer Data solely to operate, troubleshoot, or secure the Service.

5. Data Retention

We retain account information, Customer Data, and messaging history for as long as your account is active. When you close your account, we delete account-level personal information and Customer Data within thirty (30) days, except where retention is required by law, necessary to resolve disputes, or necessary to enforce our agreements. Encrypted credential fields are destroyed at the time of account closure.

6. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect the information we process, including at-rest encryption of third-party credentials, HTTPS in transit, bcrypt password hashing, per-user query scoping, and audit logging of sensitive operations. No method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security.

7. Your California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (“CCPA”) provides you with rights regarding your personal information, including the right to request access to, deletion of, or correction of personal information we have collected about you, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under the CCPA. To exercise any CCPA right, contact us using the information in Section 12.

8. Children’s Privacy

The Service is intended for business use by adults and is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

9. Third-Party Links and Services

The Service may contain links to or interact with third-party websites and services (including Twilio, Anthropic, and OpenAI). We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies before providing them with information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by posting the updated Policy at this URL and revising the “Effective date” above. Your continued use of the Service after an update constitutes your acceptance of the revised Policy.

11. Do Not Track

Some browsers transmit “Do Not Track” signals. Because there is no industry-standard interpretation of these signals, the Service does not currently respond to them.

12. Contact

Questions, requests, or complaints regarding this Privacy Policy should be directed to:

Lucas Zainer, d/b/a InsertLead
Email: jzainer56@gmail.com
State of organization: Wisconsin, United States