Privacy & Compliance
Built for India. DPDP compliant from day one.
LeadCues stores your data on Indian infrastructure, collects only what's needed, and gives your team full control — in line with India's Digital Personal Data Protection Act 2023 and GDPR.
DPDP Act 2023
India-first compliance
Leadcues is built to meet India's Digital Personal Data Protection Act 2023. We collect data only with explicit consent, state the purpose clearly at signup, and honour all data principal rights within the statutory timelines.
GDPR
GDPR ready
For teams with EU contacts or employees, Leadcues meets GDPR requirements: lawful basis for processing, right to erasure, right to portability, and data breach notification within 72 hours.
Infrastructure
Data stored in India
All customer data — CRM records, WhatsApp messages, call logs — is stored in Supabase's AWS ap-south-1 (Mumbai) region. No data leaves India except as required to operate specific third-party services listed below.
What we collect — and why
We collect only what is necessary to operate the service. No selling, no advertising profiles.
| Data category | What it is | Why we need it |
|---|---|---|
| Account data | Name, email, phone, organisation name | Create your account and identify your organisation |
| WhatsApp session data | Linked number, encrypted auth state, messages sent/received | Operate the WhatsApp Inbox on your behalf |
| CRM data | Contacts, companies, deals, notes, tasks, call logs | Core CRM functionality — you create and own this data |
| Billing data | Plan, transaction IDs, payment history | Process payments — card numbers never touch our servers (Razorpay) |
| Usage data | IP address, browser type, pages visited | Security monitoring and product analytics |
| Consent record | Timestamp of agreement to Terms + Privacy at signup | DPDP Act compliance — logged at account creation |
Your rights as a data principal
Under the DPDP Act 2023 and GDPR, you have the following rights over your personal data. We honour all of them.
Right to access
You can request a complete export of all personal data we hold about you — contacts, messages, call logs, notes — at any time. We respond within 7 days (DPDP) or 30 days (GDPR).
Right to correction
If any personal data we hold about you is inaccurate or incomplete, you can update it directly in the product or request a correction via privacy@leadcues.pro.
Right to erasure
You can delete your account and all associated data at any time from Settings → Account. Data is removed from production systems within 30 days and from backups within 60 days.
Right to portability
You can export your CRM contacts, companies, deals, and message history in machine-readable format (CSV / JSON) from the product at any time.
Right to withdraw consent
You can withdraw consent for optional data processing at any time by contacting privacy@leadcues.pro. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
Right to grievance
If you have a complaint about how we handle your data, contact privacy@leadcues.pro. We will respond within 48 hours. If unresolved, you may escalate to India's Data Protection Board.
To exercise any right, email privacy@leadcues.pro or use the data request form. DPDP timelines: 7 days for access requests. GDPR timelines: 30 days.
Sub-processors
We use a limited set of third-party services to operate Leadcues. We do not share customer data with advertising networks or data brokers.
| Service | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, file storage, realtime | AWS ap-south-1 (Mumbai, India) |
| Razorpay | Payment processing and subscription billing | India |
| Resend | Transactional email (account verification, alerts) | USA (EU SCCs apply) |
| Cloudflare | DNS, CDN, DDoS protection, proxy | Global edge (data in transit only) |
| Vercel | Frontend hosting (leadcues.pro and app.leadcues.pro) | Global edge (no persistent customer data) |
| Anthropic | AI suggested replies (WhatsApp Inbox — opt-in feature) | USA (EU SCCs apply) |
How we implement DPDP consent
India's DPDP Act 2023 requires explicit, informed consent before collecting personal data. Here is exactly what we do.
Explicit checkbox at signup
Every new account must actively check a consent box before submitting — no pre-ticked boxes. The checkbox links to the full Terms of Service and Privacy Policy, with the purpose of data collection stated inline.
Consent timestamp logged
The exact date and time of consent is recorded in our database against the user's account. This log is retained for the lifetime of the account and is available on request.
Purpose stated clearly
The consent notice at signup explicitly states that data will be used to operate the CRM and WhatsApp Inbox features — not for advertising or sale to third parties.
Data Protection contact
Our Data Protection point of contact is reachable at privacy@leadcues.pro. We respond to all DPDP inquiries within 48 hours and to formal requests within the statutory timelines.
Questions about your data?
For data access, deletion, or correction requests — use the data request form. For general privacy questions, contact privacy@leadcues.pro. For security vulnerabilities, contact security@leadcues.pro.
Last updated: May 2026. This page is reviewed whenever our data practices change. For Enterprise DPA (Data Processing Agreement) requests, contact support@leadcues.pro.