PRIVACY POLICY

Last updated: February 26, 2026 · Version 2.0

DMtoLead (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our websites, products, and services (collectively, the “Services”). By using our Services, you agree to the practices described in this policy.

01

Information We Collect

Account Information

Name, email address, profile picture, and identifiers from identity providers you use to sign in (e.g., Google, Meta). Used to create and manage your account, send transactional emails, and provide support.

Social Platform Integrations

When you connect a platform (Instagram, WhatsApp, Facebook, Telegram), we store the minimum credentials needed — page IDs, access tokens, webhook metadata — to operate the integration on your behalf. We never act outside the scope you authorize.

Google Integrations

If you connect Google services, we access data only within the scope you approve — currently the calendar.events scope to read availability and create/modify events at your request. We do not use Google data for advertising or profiling. DMtoLead's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Conversation & Message Data

Messages processed through connected platforms are stored to maintain conversation history and enable context-aware AI replies. You can delete conversation history at any time from your dashboard.

Usage & Analytics Data

Log files, device/browser info, IP address, pages visited, and session data. Used to diagnose issues, improve the product, and understand feature usage — aggregated and anonymized where possible.

Payment Data

Billing is handled by Stripe. We do not store full card numbers or CVV codes. We retain non-sensitive billing metadata such as plan type, invoice history, and subscription status.

RAG & Knowledge Base Data

Content you upload to power your AI agents (product catalogs, documents, Shopify data, etc.) is stored securely and used exclusively for your connected channels. We do not use your data to train shared AI models.

02

How We Use Your Information

Provide, operate, maintain, and improve the Services.
Create and manage your account and workspace.
Enable and manage third-party integrations you connect.
Generate AI-powered responses on your behalf across connected channels.
Send transactional emails (confirmations, password reset, billing receipts).
Send product updates and feature announcements — you may opt out at any time.
Detect and prevent fraud, abuse, and security incidents.
Comply with legal obligations and enforce our Terms of Service.
Conduct anonymized analytics to understand product usage and improve features.

03

Sharing & Disclosure

We Do Not Sell Your Data

We never sell, rent, or trade your personal information to third parties for marketing purposes.

Service Providers

We share data with trusted vendors — AWS (hosting), MongoDB Atlas (database), Stripe (payments), AWS SES (email) — who are contractually required to protect your data and use it only to perform services for us.

Platform APIs

To deliver messages on your behalf, we communicate with third-party platform APIs (Meta, Telegram, etc.) using credentials you provide. Data exchanged is limited to what is necessary for each action.

Legal Requirements

We may disclose data if required by law, court order, or governmental authority, or to protect the rights and safety of DMtoLead, our users, or the public.

Business Transfers

In the event of a merger or acquisition, user data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

04

Data Retention

Account data: Retained until you delete your account, plus up to 30 days for backup recovery.

Conversation history: Retained for 12 months by default; configurable per workspace.

Billing records: Retained for 7 years to comply with financial regulations.

Usage logs: Retained for 90 days for debugging and security.

Google OAuth tokens: Deleted immediately upon revoking access or disconnecting the integration.

To request deletion: privacy@dmtolead.com

05

Your Rights

Depending on your location (EEA, UK, Turkey, California), you may have the following rights:

Access: Request a copy of the data we hold about you.

Correction: Request correction of inaccurate or incomplete data.

Deletion: Request deletion of your personal data (right to be forgotten).

Portability: Receive your data in a structured, machine-readable format.

Restriction: Ask us to limit how we process your data in certain circumstances.

Objection: Object to processing based on legitimate interests or direct marketing.

Withdraw Consent: Withdraw consent at any time where processing is based on consent.

Google Revocation: Revoke Google access at myaccount.google.com/permissions or from within the app.

Contact: privacy@dmtolead.com — we respond within 30 days.

06

Security

Encryption in transit (TLS 1.2+) and at rest (AES-256) for all sensitive data.

AWS infrastructure with VPC isolation, IAM least-privilege access controls, and automated threat monitoring.

OAuth 2.0 tokens stored server-side with encryption — never exposed in client-side code or logs.

Cognito-based authentication with MFA support.

Regular security reviews and dependency updates.

No internet transmission method is 100% secure. In the event of a data breach, we will notify you as required by applicable law.

07

Cookies & Tracking

Essential cookies: Required for authentication and session management. Cannot be disabled.

Analytics cookies: Help us understand how the Services are used. You can opt out via browser settings.

Preference cookies: Remember your settings such as language and UI preferences.

We do not use third-party advertising cookies or sell tracking data to ad networks.

08

International Data Transfers

DMtoLead operates globally using AWS infrastructure. Your data may be stored and processed in the United States, EU, and other regions. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) and data processing agreements with sub-processors.

09

Children's Privacy

The Services are intended for users at least 16 years old (or the applicable minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe we have, contact us immediately and we will delete it.

10

Changes to This Policy

We may update this policy periodically. When we make material changes, we will notify you by email at least 14 days before the changes take effect. Your continued use after the effective date constitutes acceptance.

Contact

Questions about your privacy?

Our team takes privacy seriously. Reach out and we'll respond within 2 business days.

privacy@dmtolead.com