Privacy Policy

Last updated: April 13, 2026

1. Information We Collect

We collect only what's necessary to provide the Service:

• Account information: Email address and hashed password (bcrypt)
• CRM OAuth tokens: Access and refresh tokens, encrypted at rest with AES-128 (Fernet)
• CRM data: Data exported from your CRM, stored temporarily as files
• Usage data: Export job history, entity types exported, record counts
• Payment information: Processed by Stripe. We do not store credit card numbers.

2. How We Use Your Information

• To authenticate you and maintain your session
• To connect to your CRM and export/sync data on your behalf
• To process payments via Stripe
• To send transactional emails (verification, password reset, export notifications)

We do not use your data for advertising, analytics profiling, or any purpose beyond providing the Service.

3. Data Storage & Security

• OAuth tokens: Encrypted at rest using Fernet (AES-128-CBC) symmetric encryption
• Passwords: Hashed with bcrypt (work factor 12)
• Export files: Stored on our server, automatically deleted after 7 days
• Database: SQLite with WAL mode, stored on our VPS
• Transport: All connections use HTTPS/TLS

4. Data Sharing

We do not sell, rent, or share your personal information or CRM data with third parties, except:

• Stripe: For payment processing (email, plan info)
• Your CRM provider: API calls made on your behalf using your OAuth tokens
• Legal requirements: If required by law or to protect our rights

5. Data Retention

• Account data: Retained while your account is active
• Export files: Automatically deleted after 7 days
• OAuth tokens: Deleted when you disconnect a CRM or delete your account
• Session tokens: Expire after 30 days

6. Your Rights

You have the right to:

• Access: View your account data through the dashboard
• Disconnect: Revoke CRM access at any time (one-click)
• Delete: Request account deletion by contacting support
• Export: Download all your export data via the dashboard
• Portability: Your exports are in standard JSONL and CSV formats

For EU/EEA users (GDPR): You also have the right to rectification, erasure, restriction of processing, and to lodge a complaint with a supervisory authority.

7. Cookies

We use a single session cookie (session) for authentication. It is HTTP-only and SameSite=Lax. We do not use tracking cookies, analytics scripts, or third-party cookies.

8. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect information from children.

9. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users.

10. Contact

Privacy questions? Email us at support@lucilead.com.

← Back to CRM Liberator