Leadmeadow Leadmeadow

Privacy

Privacy Policy

Last updated 11 April 2026

This Privacy Policy explains what information Leadmeadow collects when you use the service, why we collect it, who we share it with, and the rights you have over your data. We try to keep this document plain and short. If anything is unclear, write to leadmeadow.help@gmail.com and we will explain.

Who we are. “Leadmeadow”, “we”, “us” refers to the operator of the Leadmeadow service available at leadmeadow.com. Leadmeadow is a software service that automates WhatsApp lead conversion for small businesses.

1. The two kinds of people whose data we handle

It is important to keep these separate, because the law treats them differently:

  • Customers. Businesses (and the individuals who run them) who sign up for a Leadmeadow account. You are reading this if you are or are about to become a Customer.
  • Leads. The end-users that our Customers' businesses are trying to reach — people who fill in a contact form, send a WhatsApp message to a Customer's business number, or are imported into the dashboard.

For Customer data, Leadmeadow is the data controller. For Lead data, the Customer is the data controller and Leadmeadow is the data processor, acting on the Customer's instructions. If you are a Lead with a question about your data, you should contact the business that messaged you. If they cannot help, you can also write to us and we will route the request.

2. What we collect

From Customers

  • Your email address and a password hash (we never store your raw password — only a bcrypt hash of it).
  • Your business name and any business description, services list, pricing, and FAQ text you choose to enter.
  • Optional: a PDF document you upload describing your business. We store the PDF filename and the extracted text so the AI can answer questions about your services.
  • Your WhatsApp Business phone number ID and your WhatsApp Business API access token. The access token is encrypted at rest using authenticated symmetric encryption (AES-128-CBC + HMAC-SHA256 via Fernet) and is never displayed back to you in full.
  • Optional: an outbound webhook URL you provide so we can forward new leads into your own systems.
  • Your subscription plan (Pro or Max) and a monthly count of how many AI messages you have used.
  • Account timestamps: when your account was created, when your message counter last reset, whether you finished onboarding.
  • The IP address of requests you make to the site. We use these to enforce rate limits and to detect brute-force attempts on the login and gate forms. IPs are stored in a short-lived rate-limit ledger and pruned automatically.

From Leads (handled on behalf of our Customers)

  • Phone number, name (if provided), email (if provided), source (form / Instagram / manual), and current status (new / active / booked / closed / cold).
  • The full content of every WhatsApp message exchanged between the Lead and the Customer's business through Leadmeadow, in both directions, with timestamps. This is necessary so the AI can carry on a conversation with continuity and so the Customer can review the conversation in their dashboard.
  • Free-form notes the Customer attaches to a Lead.

What we deliberately do not collect

  • We do not collect tracking analytics, behavioural fingerprints, or third-party advertising identifiers.
  • We do not sell or rent data to anyone, ever.
  • We do not read or process any WhatsApp conversation that does not pass through a Customer's connected business number.

3. Why we collect it

Each piece of data above maps to one of the following lawful purposes:

  • Providing the service you signed up for. Account, business info, WhatsApp credentials, lead and message records.
  • Generating AI replies. Business info and the recent message history are sent to a Large Language Model (see §4) so it can compose a contextually appropriate response.
  • Billing and quota enforcement. Plan, message count, reset date.
  • Security and abuse prevention. IP addresses, rate-limit ledger, login activity.
  • Customer support. So we can find your account and understand your problem when you write to us.

The legal basis under GDPR is the performance of the contract you enter into when you sign up (Art. 6(1)(b)) for service-related data, and our legitimate interest in keeping the service safe and operational (Art. 6(1)(f)) for security data.

4. Third parties we share data with

We share the minimum amount of data with the minimum number of third parties needed to actually run the service. Today these are:

  • Meta Platforms, Inc. — the WhatsApp Business Cloud API. Every message we send on your behalf is delivered through Meta's API. Inbound messages reach us through Meta's webhook system. Meta's processing of WhatsApp messages is governed by their own privacy terms.
  • Google LLC — we send the relevant slice of conversation context to Google's AI API to generate AI replies. We do not opt this content into Google's model training. Google's API processing terms apply.
  • Our hosting provider — the server that runs Leadmeadow and the database that stores it. Server location is disclosed on request.

We do not share Customer or Lead data with anyone else for any purpose. We will never sell data, and we will never share it with advertisers, data brokers, or analytics resellers.

5. Cookies

Leadmeadow uses two cookies, both strictly necessary, both HttpOnly and SameSite=Strict:

  • site_gate — remembers that a visitor entered the shared site password (if one is configured for the deployment).
  • token — the signed JWT that keeps you logged in to your dashboard. Bumping your “session version” (which we do on logout) immediately invalidates every existing token, so logout actually means logout.

We do not use any analytics, advertising, or tracking cookies.

6. How long we keep data

  • Account data is kept for as long as your account exists, plus 30 days after you close it, after which it is deleted.
  • Lead and message records are kept for the lifetime of your account so you can refer back to past conversations. You can delete individual leads, individual messages, or your entire account at any time from the dashboard or by writing to us.
  • Rate-limit and security records are kept only as long as the lockout window requires (a few hours) and are pruned automatically.
  • Audit logs for sensitive admin actions (such as redeem-code generation) may be kept for up to 12 months for security review.

7. Your rights

If you are in the EU, the UK, California, or any jurisdiction with comparable privacy law, you have the following rights:

  • Access — ask for a copy of the personal data we hold about you.
  • Rectification — ask us to correct any data that is wrong.
  • Erasure — ask us to delete your data. For Customers this means closing your account. For Leads this means contacting the Customer business that messaged you, or writing to us if they cannot help.
  • Portability — ask for a machine-readable export of your data.
  • Objection / restriction — ask us to stop or limit specific processing.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time. Withdrawing consent does not undo processing that already happened lawfully.
  • Complain to a regulator — you have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, write to leadmeadow.help@gmail.com. We aim to respond within 30 days.

8. Security

The technical measures we currently take include:

  • Passwords are hashed with bcrypt. Plaintext passwords are never written to disk or logs.
  • WhatsApp access tokens are encrypted at rest with authenticated symmetric encryption (Fernet / AES-128-CBC + HMAC-SHA256). The encryption key is held in environment configuration and never lives in the database.
  • Inbound webhooks from Meta are verified using HMAC-SHA256 against the Meta App Secret before any payload is processed. Forged or unsigned requests are rejected.
  • Outbound webhooks you configure are validated server-side against an SSRF block list (loopback, private RFC1918 ranges, link-local, cloud metadata endpoints) before being called.
  • The login form, the gate form, and the inbound lead webhook are rate-limited per IP using a database-backed ledger that survives server restarts.
  • Sessions are revocable. Logging out bumps your session version, which immediately invalidates every JWT issued before the bump — so a leaked cookie can be killed.
  • Standard security response headers (CSP, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy, HSTS over HTTPS) are sent on every response.
  • Form submissions are body-size capped at the middleware layer before reaching any handler.
  • Internal account fields (plan, message count, etc.) cannot be modified from the user-facing settings form — the server explicitly rejects attempts to do so.

No system is impossible to breach. If we ever suffer a security incident affecting your data, we will notify you without undue delay and explain what happened, what we know, and what we are doing about it.

9. International transfers

Depending on where our hosting provider runs the service, your data may be processed outside the country you live in. Where we transfer EU/UK personal data outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses or an equivalent transfer mechanism with each sub-processor.

10. Children

Leadmeadow is a business-to-business product. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you become aware that a minor's data has been entered into Leadmeadow, write to leadmeadow.help@gmail.com and we will delete it.

11. Changes to this policy

We will update this page when our practices change. The “Last updated” date at the top will always reflect the most recent revision. Material changes to how we process Customer data will also be communicated by email to active accounts.

12. Contact

Questions, concerns, or rights requests:
leadmeadow.help@gmail.com

More from Leadmeadow

About Privacy Terms Refunds Contact