⚠ Template — pending legal review
This policy is a working draft prepared in good faith but not yet reviewed by qualified counsel. We are actively engaging legal review. Questions or concerns? Email contact@leakbase.ai.
This Privacy Policy explains how Leakbase, Inc. ("Leakbase," "we," or "us") collects, uses, shares, and protects information when you use our website, platform, and related services (the "Service").
1. Who we are
Leakbase, Inc. is a Delaware corporation. For privacy questions, contact us at contact@leakbase.ai.
2. Information we collect
2.1 Account information
When you sign up, we collect your name, email address, hashed password (or OAuth identifier from Google / Apple / Microsoft), profile picture URL, and your communications with us.
2.2 Billing information
Payments are processed by Stripe, Inc. We do not store full card numbers. We receive limited billing metadata from Stripe — customer ID, subscription status, plan, last four digits of the card, and invoice history — to manage your account.
2.3 Customer Data from Connected Apps
When you connect a third-party tool (Stripe, Shopify, HubSpot, etc.) we retrieve and store data from that tool as needed to detect lost revenue. This may include:
- Charges, payments, refunds, disputes, subscriptions, and invoices.
- Your customers' names, email addresses, billing addresses, and order history.
- Lead and contact records from your CRM (where connected).
- Webhook events emitted by Connected Apps in real time.
We act as a data processor for this Customer Data; you (the business) are the data controller. You are responsible for having a lawful basis to share this data with us and for informing end-users where required by law.
2.4 Usage and device data
We automatically log IP address, browser type, operating system, referring URL, pages viewed, actions taken, and timestamps. We use this for security, abuse prevention, and product analytics.
2.5 Cookies
We use a small number of strictly necessary and analytics cookies. See our cookie notice on first visit and the "Cookies" section below.
3. How we use information
- Provide the Service — detect Leaks, surface them in your dashboard, draft recovery messages.
- AI processing — we send relevant Leak details (customer name, amount, category, scope) to large language model providers (currently Google Gemini and OpenAI) to draft recovery messages. We do not allow these providers to use your data to train their models.
- Billing — process subscription payments and manage your account.
- Communicate with you — service announcements, security alerts, billing notices, and (with your consent) product updates.
- Improve the Service — using aggregated, de-identified data only.
- Comply with law — respond to lawful requests, enforce our Terms, and protect rights and safety.
We do not sell your personal information. We do not use Customer Data to train any AI model — ours or any third party's.
4. Sub-processors and sharing
We share data with the following categories of service providers, bound by contract to protect it:
- Supabase, Inc. — managed database, authentication, file storage, and serverless functions hosted in the EU/US.
- Stripe, Inc. — payment processing and Stripe Connect for accessing your payment data.
- Google LLC and OpenAI, L.L.C. — large language models used to draft recovery messages.
- Cloudflare, Inc. — content delivery, DNS, and edge function hosting.
- Email delivery providers — for transactional and product emails.
- Connected Apps you choose — Stripe, Shopify, HubSpot, etc., when you authorize a connection.
We may also share information (a) with your consent, (b) as required by law, court order, or government request, or (c) in connection with a merger, acquisition, or sale of assets, in which case we will notify you before your information becomes subject to a different privacy policy.
5. International transfers
We may process data in the United States and the European Union. Where we transfer personal data of EU/UK residents outside their region, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
6. Data retention
We retain account data for as long as your account is active and for up to 30 days after cancellation, after which we delete it (subject to legal retention requirements such as tax records, which we keep for up to 7 years). Customer Data from Connected Apps is purged within 30 days of disconnecting the integration. You can request immediate deletion at any time — see Section 8.
7. Security
We use TLS in transit, encryption at rest, row-level security in our database, principle-of-least-privilege access controls, and audit logging. Despite our efforts, no system is perfectly secure. Please report security concerns to contact@leakbase.ai.
8. Your rights
Depending on where you live (notably the EU/UK under GDPR, California under CCPA/CPRA, and other US states with similar laws), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Export your data in a portable format.
- Restrict or object to certain processing.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data protection authority.
You can delete your account directly from the Settings page, or email us at contact@leakbase.ai to exercise any other right. We will respond within 30 days.
9. Cookies
We use the following cookie categories:
- Strictly necessary — authentication, session management, security. These cannot be disabled.
- Analytics — anonymized product analytics so we know which features people use. You can decline these in the cookie banner.
We do not use advertising or cross-site tracking cookies.
10. Children
The Service is not directed to children under 16 and we do not knowingly collect data from them. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. If a change is material, we will notify you by email or through the Service at least 14 days before it takes effect.
12. Contact
Privacy questions or requests: contact@leakbase.ai
Mailing address: Leakbase, Inc., Delaware, USA