Privacy Policy

Version 2.1 — Effective Date: May 20, 2026 GLBA CCPA/CPRA TDPSA GPC

Lead Validator Pro ("we," "us," "our," or the "Service") is operated by Resolon LLC. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you use our insurance lead validation platform.

Information We Collect
Data Sources and Purposes
Third-Party Sub-processors
How We Use Your Information
Data Retention
Your Rights
California Privacy Rights (CCPA/CPRA)
Texas Data Privacy and Security Act (TDPSA)
Gramm-Leach-Bliley Act (GLBA) Notice
Cookies and Local Storage (Global Privacy Control)
Data Security
Children's Privacy
Geographic Scope and International Transfers
Changes to This Policy
Contact Information

1. Information We Collect

We process the following categories of personally identifiable information (PII) for the purpose of insurance lead validation and quality scoring:

Category	Data Elements	Purpose
Identity	First name, last name, date of birth, gender	Identity verification, age validation, fraud detection
Contact	Phone number, email address	Contact verification, deliverability checks, duplicate detection
Address	Street address, city, state, ZIP code	Address validation, property matching, geographic compliance
Vehicle	VIN, make, model, year, registration state	Auto insurance lead validation, DMV record matching
Driver's License	DL number, state, status, expiration	Identity verification under DPPA-permitted purposes
Insurance	Current carrier, policy expiration, coverage type, claims history	Lead quality scoring, policy validation
Property	Ownership status, property type, square footage, year built, roof type, replacement cost	Home insurance lead validation, property risk assessment
Financial Indicators	Estimated income range, credit tier (when provided by lead source)	Insurance eligibility screening, GLBA-governed processing

2. Data Sources and Purposes

We obtain and cross-reference lead data from the following sources to validate lead quality and detect fraud. The authoritative, current list of all sub-processors (with privacy-policy links and jurisdictions) is maintained at /subprocessors and forms part of this Privacy Policy by reference.

Data Source	Data Obtained / Sent	Purpose
Enformion (EndatoGO)	Name, phone, email, address — identity match, alternate contact data	Primary identity verification and contact enrichment
IPQualityScore (IPQS)	Phone number, email address — fraud and risk scores	Email and phone fraud detection, disposable-domain detection, VoIP risk scoring
Smarty	Street address only — rooftop geocode, property attributes, ownership records	Property and address verification
Google Maps / Places API	Street address only — geocode, Street View imagery	Address geocoding and property visual verification
Anthropic Claude AI	Lead attributes and aggregated validator results — structured disposition	AI-powered legitimacy scoring, fraud reasoning, disposition recommendations. Anthropic does not train on API data by default.

3. Third-Party Sub-processors

In addition to the data sources above, we engage infrastructure and operational sub-processors to host the Service, secure the perimeter, deliver email, process payments, monitor errors, and route operational alerts. Each sub-processor is contractually bound (where a Data Processing Agreement is offered by the sub-processor) to process data only for the specified purpose and in accordance with applicable data protection laws.

Processor	Role	Data Processed	Location
Render Services, Inc.	Application hosting, managed Postgres, managed daily snapshots	All Personal Data stored at rest (US-East region)	United States
Cloudflare, Inc.	DNS, WAF, Zero Trust Access, Turnstile, edge CDN, inbound email Worker	Source IP, User-Agent, request path/headers, inbound lead email contents	Global edge / United States control plane
WorkOS, Inc.	Identity, password storage, session management, MFA, SSO	Subscriber email, hashed password, IP, User-Agent at auth time	United States
Stripe, Inc.	Subscription billing, payment processing, customer portal	Billing contact, company name, tokenized card, invoice history. No PAN stored by us.	United States (global processing)
Resend, Inc.	Transactional email delivery (alerts, password reset, lead notifications, drip campaigns)	Recipient email address, message subject and body (which may include lead identifiers per Subscriber-configured templates), delivery telemetry	United States
Functional Software, Inc. d/b/a Sentry	Error and performance monitoring	Stack traces, environment fingerprints, scrubbed request context. PII scrubbing applied server-side before events are sent.	United States
Anthropic PBC	AI analysis engine	Lead attributes needed to score the lead. Anthropic does not train on API data by default.	United States
Enformion, Inc. (EndatoGO)	Identity verification, contact enrichment	Name, address for identity matching and enrichment	United States
IPQualityScore LLC	Email and phone fraud scoring	Email address, phone number for fraud analysis	United States
Smarty, LLC	Property data validation	Street address only	United States
Google LLC	Maps API, geocoding, Street View imagery	Street address only	United States
Telegram Messenger Inc.	Operational alerting to Subscriber-administered Telegram chats	Message contents configured by the Subscriber (may include lead verdict, score, and contact identifiers)	Global (Telegram Bot API)

Sub-processor change notice: We will provide at least 30 days' prior written notice of any addition or replacement of a sub-processor, via update to /subprocessors and, for Subscribers who have subscribed to sub-processor notifications, by email. To subscribe, email privacy@leadvalidatorpro.com. We prioritize sub-processors that hold current SOC 2 Type II, ISO 27001, or equivalent attestations, and we disclose each sub-processor's current certification status at /subprocessors. Data in transit to each sub-processor is encrypted via TLS 1.2+.

4. How We Use Your Information

We use the personal information we process for the following business purposes:

Lead Validation: Verifying identity, contact information, and address accuracy for insurance lead quality scoring
Fraud Detection: Identifying fraudulent, synthetic, or low-quality insurance leads using cross-source verification
Property Assessment: Validating property details for home insurance underwriting support
Vehicle and DL Verification: Confirming vehicle ownership and driver's license status for auto insurance leads
Household Intelligence: Analyzing household composition for multi-policy opportunity identification
Disposition Recommendations: Generating AI-assisted lead handling recommendations for insurance agents
Compliance: Meeting regulatory requirements under GLBA, FCRA, DPPA, TCPA, CCPA, and TDPSA
Service Improvement: Training, calibrating, and improving our validation algorithms, scoring models, and fraud detection systems using Lead Data, including derivative and aggregated forms
Benchmarking and Derivative Products: Generating aggregated industry benchmarks, lead quality metrics, regional trend data, and other derivative data products. Derivative data may be licensed, sold, or otherwise commercialized by us as described in our Terms of Service, Section 10.
Product Development: Developing new features, validation modules, and derivative data products
Research: Conducting internal and external research on lead quality patterns, fraud indicators, and insurance market trends

4.1 Data Rights and Derivative Use

By submitting Lead Data to the Service, Subscribers grant the Company a worldwide, perpetual, irrevocable, royalty-free, fully sublicensable and transferable license to process Lead Data and to create, use, license, sell, and otherwise commercialize derivative works, including aggregated benchmarks and de-identified data products. All derivative data, models, algorithms, validation patterns, scoring calibrations, fraud detection signatures, and aggregated benchmarks created through processing Lead Data are the exclusive property of the Company and survive termination indefinitely. See Terms of Service, Section 10 for the full grant.

5. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected:

Data Type	Default Retention	Notes
Lead PII (name, phone, email, address)	90 days	Configurable per organization (30-365 days)
Validation results and scores	90 days	Retained with lead data
AI analysis and disposition data	90 days	Retained with lead data
Audit logs	1 year	Required for compliance
Security logs (login, access)	1 year	Required for incident response
Cached API responses	30-90 days	Varies by data source; auto-purged
Account data (users)	Duration of service + 30 days	Deleted upon account closure request
Billing and invoice records	7 years	IRS / tax retention requirement
Derivative data, aggregated models, benchmarks (no individual identifiers)	Indefinite	Per Terms of Service, Section 10.3

Upon expiration of the retention period, individually identifiable data is permanently deleted from active systems. Backup copies are purged within 30 days of the primary deletion. Derivative data that cannot reasonably identify any individual is retained indefinitely.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Right to Access: Request a copy of the personal information we hold about you
Right to Correction: Request that we correct inaccurate or incomplete personal information
Right to Deletion: Request that we delete your personal information (subject to legal retention requirements and the derivative-data carve-out in Section 5)
Right to Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
Right to Opt-Out of Sale: Direct us not to sell raw, individually identifiable personal information (see CCPA section below)
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights:

Self-serve (no account required):
- Erasure (Art. 17 GDPR / CCPA right-to-delete): POST /api/privacy/erasure-request with {"email": "you@example.com"}. We email a one-time confirmation link to that address; click it within 72 hours and we permanently delete every lead-related record we hold mentioning your email across all tenants of the service.
- Portability (Art. 20 GDPR / CCPA right-to-know): POST /api/privacy/portability-request with the same shape. After you confirm the link, we package every matching record into a downloadable ZIP archive. The download link is valid for 24 hours.
- Status check at any time: GET /api/privacy/request-status/{token}.
Email: privacy@leadvalidatorpro.com — for complex requests, authorized-agent submissions, or if you can't access the email on file.
Logged-in tenant admins: use Settings › Privacy › Data Export / Data Deletion (uses the tenant-scoped admin endpoints).

Statutory response window is 30 days (45 for complex requests); the self-serve flow typically completes within a few minutes of confirmation.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it
Right to Delete: You may request deletion of personal information we have collected from you
Right to Correct: You may request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: You may opt out of the "sale" or "sharing" of your personal information
Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information to what is necessary to provide the Service

7.1 "Do Not Sell or Share My Personal Information"

We do not sell raw, individually identifiable personal information of Lead Subjects to unaffiliated third parties as a standalone data product, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We do use Lead Data, including in aggregated, anonymized, and de-identified derivative forms, for service improvement, benchmarking, product development, research, and the creation and commercialization of derivative data products as described in Section 4.1 and in our Terms of Service, Section 10. California residents who wish to formally record an opt-out election may do so by either:

enabling Global Privacy Control in their browser (which we honor automatically as described in Section 10.1); or
emailing privacy@leadvalidatorpro.com with the subject line "DNS Request" from the email address on which the opt-out should be recorded.

We will record the opt-out within fifteen (15) business days and confirm by reply email. No verification of identity is required for an opt-out election.

Verification of other requests: To protect your privacy, we will verify your identity before fulfilling any access, deletion, or correction request by matching at least two data points you provide against information we hold.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you.

Response Timeline: We will acknowledge receipt within 10 business days and provide a substantive response within 45 calendar days. We may extend by an additional 45 days with notice.

8. Texas Data Privacy and Security Act (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act (effective July 1, 2024) provides you with the following rights:

Right to Access: Confirm whether we are processing your personal data and access such data
Right to Correction: Correct inaccuracies in your personal data
Right to Deletion: Delete personal data you have provided or we have obtained
Right to Data Portability: Obtain your personal data in a portable, readily usable format
Right to Opt-Out: Opt out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects

To exercise your TDPSA rights, contact us at privacy@leadvalidatorpro.com. We will respond within 45 days. If we decline a request, you may appeal within 60 days, and we will respond to the appeal within 60 days.

9. Gramm-Leach-Bliley Act (GLBA) Notice

Certain data processed through our Service may constitute "nonpublic personal information" (NPI) as defined by the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.). When acting as a service provider to financial institutions or insurance agencies, we:

Process NPI solely as directed by and on behalf of our business customers
Maintain administrative, technical, and physical safeguards consistent with the FTC Safeguards Rule (16 CFR Part 314)
Do not disclose NPI to non-affiliated third parties except as permitted under GLBA exceptions (e.g., to process a transaction, with consumer consent, or as required by law)
Restrict employee access to NPI on a need-to-know basis
Require all sub-processors handling NPI to maintain equivalent safeguards

10. Cookies and Local Storage

We use essential cookies and localStorage only. We do not use third-party advertising pixels. Product analytics (PostHog) may be enabled when the user grants consent and is fully disabled when Global Privacy Control is signaled.

Technology	Name/Key	Purpose	Duration
HTTP Cookie	`wos-session` (WorkOS)	Sealed JWE session (httpOnly, Secure, SameSite=Lax)	WorkOS-managed lifetime
HTTP Cookie	`access_token`	JWT authentication (httpOnly, Secure, SameSite=Lax)	15 minutes
HTTP Cookie	`refresh_token`	Session refresh (httpOnly, Secure, SameSite=Lax)	7 days
HTTP Cookie	`csrf_token`	Cross-site request forgery protection	Session
localStorage	`cookie_consent`	Records user's cookie consent preference	Persistent
localStorage	`sidebar_collapsed`	UI preference (sidebar state)	Persistent

No personal information is stored in localStorage. Authentication tokens are stored exclusively in httpOnly cookies that are inaccessible to JavaScript.

10.1 Global Privacy Control (GPC)

We recognize and honor the Global Privacy Control (GPC) signal as a valid opt-out of the sale and sharing of personal information, as required by the California Consumer Privacy Act (CCPA/CPRA), the Colorado Privacy Act (CPA), and the Texas Data Privacy and Security Act (TDPSA).

    How GPC works with our Service:
    When your browser sends the Sec-GPC: 1 header (or navigator.globalPrivacyControl is true), we treat this as your opt-out of non-essential data processing.
Analytics tracking (PostHog) is completely disabled when GPC is active.
Essential cookies (authentication, CSRF protection) continue to function normally — GPC does not prevent first-party essential functionality.
The cookie consent banner is not displayed when GPC is active — the GPC signal itself constitutes your consent decision.
We echo the Sec-GPC header back in our responses to confirm recognition of the signal.

You can enable GPC in your browser settings (Firefox, Brave, DuckDuckGo have built-in support) or by installing a GPC browser extension for Chrome or Edge. You can verify your GPC status in the Settings > Privacy tab within the application.

10.2 Cookie Consent Banner on Authentication Pages

The cookie consent banner is suppressed on authentication-mandatory pages (/login, /signup, /verify, /finalize-invite, /forgot-password, /reset-password) because (a) the cookies set on these pages are strictly necessary for authentication and security and require no consent under the ePrivacy Directive Article 5(3) "strictly necessary" exemption and the CCPA "necessary to provide the service" exemption, and (b) on small viewports the banner geometry would intercept the SIGN IN control. The banner is presented on the next non-authentication navigation (Dashboard, Leads, etc.). Analytics and other non-essential tracking remain disabled until explicit consent is granted on a non-authentication page.

11. Data Security

We implement comprehensive security measures to protect your personal information:

Encryption in Transit: All data is transmitted via TLS 1.2+ (HTTPS enforced via Cloudflare)
Data at Rest: Application data is stored in managed PostgreSQL hosted by Render (US-based infrastructure) with encryption at rest enabled at the storage layer. Daily encrypted backups and point-in-time recovery (PITR) over a 7-day window are managed by Render
Authentication: Identity, password storage, and session management are provided by WorkOS, a SOC 2 Type II certified identity platform. Passwords are hashed by WorkOS using industry-standard algorithms (bcrypt) and are never stored in our systems. Sessions use sealed JWE cookies (encrypted-and-signed) with rotation per WorkOS recommendations. Optional multi-factor authentication via WorkOS-managed TOTP (RFC 6238) is supported; account lockout and brute-force protection are managed by WorkOS based on geolocation, device, and risk signals
Access Control: Role-based access control (RBAC) with principle of least privilege; tenant isolation enforced via PostgreSQL row-level security (RLS), with every query scoped to the authenticated tenant's org_id
Audit Logging: All data access, modifications, and administrative actions are logged with timestamps, user identity, and IP addresses
Rate Limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks
Security Monitoring: Real-time login monitoring, suspicious activity detection, and automated session revocation
Incident Response: Documented incident response plan with 24-hour processor-to-controller breach notification commitment (see Incident Response Plan and Data Processing Agreement § 12)

11.1 Security Certifications and Readiness

Lead Validator Pro is currently undergoing SOC 2 Type II readiness with an attestation target in calendar year 2026 (readiness materials maintained internally at docs/compliance/soc2-readiness-pack/). We engage infrastructure sub-processors (Render, Cloudflare, Anthropic, Stripe, WorkOS, Resend, Sentry, Google) that hold current SOC 2 Type II or equivalent (ISO 27001, FedRAMP, PCI DSS) attestations, and we inherit their control environments where applicable. Enterprise prospects may request a current security questionnaire response (SIG-Lite, CAIQ-Lite, or similar) by emailing security@leadvalidatorpro.com. We do not currently publish a SOC 2 Type II report; this page will be updated when one is available.

12. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. Subscribers must not submit Lead Data of any individual under 18.

13. Geographic Scope and International Transfers

The Service is designed for and offered to insurance professionals operating in the United States, and Subscriber Data and Lead Data are processed and stored in the United States. We do not market the Service to residents of the European Economic Area, the United Kingdom, or Switzerland. Where a Subscriber chooses to submit Lead Data originating in a jurisdiction that requires additional cross-border transfer safeguards, the Subscriber is responsible for ensuring those safeguards are in place. Our Data Processing Agreement, Section 13, incorporates the Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK International Data Transfer Addendum for use by Subscribers who require them.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email notification to account holders and/or a prominent notice within the Service at least 30 days prior to the change taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact Information

For privacy-related inquiries, data access requests, or to exercise your rights under applicable law:

Channel	Contact
Email (Privacy Requests)	privacy@leadvalidatorpro.com
Email (General)	support@leadvalidatorpro.com
Email (Security)	security@leadvalidatorpro.com
Self-serve DSR (no account)	`POST /api/privacy/erasure-request` · `POST /api/privacy/portability-request`
Authenticated Data Deletion API	`DELETE /api/user/data`
Mailing Address	Resolon LLC, Attn: Privacy Officer, 1202 E US HWY 175 Suite A, Crandall, TX 75114

We will acknowledge all privacy requests within 10 business days and provide a substantive response within 30-45 calendar days depending on complexity and applicable law.