Privacy Policy

Last updated: May 7, 2026

1. Overview

This Privacy Policy describes how Importa Leads ("we", "us") collects, uses, and protects information when you use our service. We take your privacy seriously and are committed to being transparent about our data practices.

Importa Leads acts as a data processor for lead data you store on our platform — you are the data controller for that data and are responsible for its lawful handling. For your account data (name, email address, billing), Importa Leads is the data controller.

2. Information We Collect

Account information

When you sign up, we collect your name, email address, and a hashed password (we never store plain-text passwords).

Lead contact data

Leads you import (from Google Maps or CSV) are stored in your account database. This data may include names, email addresses, phone numbers, and other contact details of third parties. This is your data — we do not access it for any purpose other than displaying it to you and enabling your campaigns. You are the data controller for all lead data. You are responsible for ensuring you have a lawful basis to store and process this data under applicable law (including GDPR, UWG, and other privacy regulations).

API keys and credentials

API keys you add (Gemini, Google Places) and email credentials (Gmail OAuth tokens, SMTP passwords) are stored encrypted using Supabase Vault (Transparent Column Encryption). We never store these in plain text and cannot read them.

Usage data

We collect basic usage metrics such as number of leads imported, campaigns created, and emails sent — used for plan limit enforcement and billing only.

Technical data

We log IP addresses and user agents for security purposes (detecting unauthorised access). These are not shared with third parties.

3. How We Use Your Information

  • To provide and improve the service
  • To enforce plan limits and process billing
  • To send transactional emails (account confirmation, password reset, invoices)
  • To detect and prevent fraud or abuse
  • To respond to your support requests

We do not use your lead data for any advertising or marketing purposes. We do not sell your data to any third party.

4. Data Controller vs. Data Processor

Under GDPR and similar laws, the distinction between controller and processor matters:

  • Your account data (name, email, billing info): Importa Leads is the data controller and determines the purpose and means of processing.
  • Lead data (contacts you import and manage): You are the data controller. Importa Leads is a data processor acting on your instructions. You are responsible for having a lawful basis to store and process this data, and for responding to any data subject requests from your leads.

If a person whose data you have stored requests access, correction, or deletion of their data, that is your obligation to fulfil. Contact us at support@importaleads.com if you need assistance extracting or deleting specific records.

5. Data Storage and Security

Your data is stored in a PostgreSQL database managed by Supabase with row-level security — each user can only access their own data. All data is encrypted at rest and in transit (HTTPS/TLS). API keys and credentials use Supabase Vault encryption. We perform regular backups. Our servers are hosted on Hetzner in Europe.

6. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — database, authentication, and encrypted secret storage
  • Hetzner — server hosting (data center in Europe)
  • Resend — transactional email delivery (confirmation, password reset)
  • Stripe / Razorpay / PayPal — payment processing (we never store card details)

Third-party APIs you connect (Google Places, Gemini) operate under their own privacy policies — please review those separately.

7. Email Tracking

Emails sent through campaigns include an invisible 1×1 tracking pixel to detect opens, and wrapped links to detect clicks. This tracking applies only to emails sent by you to your leads. The recipients of your campaigns are not our users — you are responsible for disclosing tracking practices to them as required by applicable law (e.g., GDPR Art. 13/14 information obligations).

8. Cookies

We use a single session cookie (set by Supabase Auth) to keep you logged in. We do not use any advertising or analytics cookies. We do not use Google Analytics or any third-party tracking scripts on the app pages.

9. Your Rights

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR) — export all your leads and campaign data at any time
  • Erasure (Art. 17 GDPR) — permanently delete your account and all associated data directly from Settings → Profile → Danger Zone
  • Rectification (Art. 16 GDPR) — update your profile information at any time
  • Portability (Art. 20 GDPR) — download your lead data as CSV
  • Restriction (Art. 18 GDPR) — request restriction of processing in certain circumstances
  • Objection (Art. 21 GDPR) — object to processing based on legitimate interests

For GDPR requests or any data-related questions, email us at support@importaleads.com and we will respond within 30 days. If you are an EU resident and believe we have violated your rights, you have the right to lodge a complaint with your national data protection authority (e.g., the German BfDI or Austrian DSB).

10. Data Retention

Active account data is retained for as long as your account exists. When you delete your account via Settings → Profile → Danger Zone, all personal data is permanently and immediately deleted. Payment records are retained for 7 years as required by law.

11. International Data Transfers

Our servers are hosted in Europe (Hetzner). Supabase may process data in the EU. If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions) in accordance with GDPR Chapter V.

12. Children's Privacy

Our service is not directed at anyone under 18. We do not knowingly collect data from minors.

13. Changes to This Policy

We may update this Privacy Policy. We will notify you of significant changes by email at least 14 days before they take effect.

14. Contact

For privacy questions or data requests: support@importaleads.com