01 Company Information
Valid Lead ("Valid Lead," "we," "us," or "our") is a US-based company operating the lead quality scoring platform available at valid-lead.com. We provide B2B SaaS services that help businesses evaluate and score inbound lead quality in real time.
Contact address: privacy@valid-lead.com
02 Data We Collect
Lead Form Data (processed on behalf of customers)
When our JavaScript snippet (lq.js) or webhook integration is active on a customer's website, we process lead form submission data on their behalf, which may include:
- Email address
- Phone number
- Name (first, last, full)
- Company name and job title
- Any other fields present in the customer's lead form
- Google Ads click ID (gclid) for conversion attribution
Behavioral Signals (collected by lq.js)
Our JavaScript snippet is cookieless — it does not set cookies or use localStorage. It collects behavioral signals during a visitor's session to assess lead quality:
- Time spent on page and within the form
- Mouse movement patterns and event count
- Scroll depth and scroll behavior
- Keystroke timing and form field interaction count
- Copy-paste detection
- Form correction count
These signals are used only for lead quality scoring and are not used for cross-site tracking or advertising profiling.
Technical and Device Information
- IP address (used for geolocation and fraud detection; not stored in plain text after scoring)
- Screen resolution
- Browser language and timezone
- Hardware concurrency (logical CPU count, for bot detection)
- Page URL of the form submission
Customer Account Data
For customers who create accounts, we collect:
- Email address and password (stored via Supabase Auth with bcrypt hashing)
- Company name and website URL
- Google OAuth tokens (for GTM and Google Ads integrations, stored encrypted)
- Billing information (handled by our payment processor — we do not store raw card data)
03 How We Use Data
- Lead quality scoring: Email verification, phone lookup, IP intelligence, behavioral analysis, and cross-visitor pattern matching to assign a quality score to each lead.
- Google Ads offline conversion import: Returning quality signals (qualified/observed conversion events) to a customer's Google Ads account via the Google Ads API, using hashed identifiers (hashed email or phone) when available.
- Scoring model improvement: Anonymized and aggregated signal patterns are used to improve our detection models. Raw PII from one customer is never used to train models specific to another customer's data.
- Service delivery: Providing API responses, dashboard functionality, and lead feed data to customers.
- Fraud and abuse prevention: Identifying bot traffic, form spam, and fraudulent lead patterns.
We do not sell, rent, or share raw lead data (email, phone, name) between customers. We do not use lead data for advertising targeting on third-party platforms.
04 Google API Services Disclosure
Valid Lead's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
What Google data we access
When a customer connects their Google account, we may request access to:
- Google Tag Manager API: Read/write access to GTM containers and tags, for the purpose of automatically installing the Valid Lead tracking tag.
- Google Ads API: Access to Google Ads accounts and conversion actions, for the purpose of importing offline conversion signals (qualified lead events) into the customer's campaigns.
How we use Google user data
- Google OAuth access tokens and refresh tokens are stored in our database with encryption at rest (AES-256 via Supabase).
- Tokens are used exclusively to perform GTM tag installation and Google Ads conversion uploads on behalf of the customer who granted access.
- We do not share Google user data with any third party, except as necessary to operate the service (e.g., the Google APIs themselves).
- We do not use Google user data for any advertising, profiling, or cross-customer purposes.
- Access tokens are scoped to the minimum required permissions: GTM container read/write and Google Ads conversion import.
Revoking access
Customers can revoke Valid Lead's access to their Google accounts at any time via Google Account Permissions. After revocation, we will delete any stored tokens for that customer within 30 days.
05 Third-Party Services
We use the following third-party services to operate Valid Lead:
- ZeroBounce — Email verification and quality scoring. Lead email addresses are transmitted to ZeroBounce for real-time verification. ZeroBounce's privacy policy governs their handling of data.
- Twilio Lookup — Phone number validation and carrier lookup. Phone numbers are transmitted to Twilio's API for validation. Twilio's privacy policy governs their handling of data.
- Google Ads API — Offline conversion import to customers' Google Ads campaigns.
- Google Tag Manager API — Automated tag installation into customers' GTM containers.
- Supabase — Database (PostgreSQL) and authentication. Customer data and lead records are stored in Supabase. Data is hosted in the US region.
- Railway — Application hosting and deployment for the Valid Lead backend API.
- Cloudflare — CDN and DNS for the marketing site. Cloudflare may log request metadata as part of its network operations.
06 Our Role as Data Processor
Valid Lead acts as a data processor on behalf of its business customers (data controllers) with respect to lead form data. Our customers determine what data is collected via their forms and are responsible for ensuring they have a lawful basis to collect and process their visitors' data.
Our customers are responsible for:
- Disclosing their use of Valid Lead as a data processor in their own privacy policies
- Obtaining any necessary consent from their visitors for lead form data processing
- Complying with applicable data protection laws (GDPR, CCPA, etc.) as data controllers
A Data Processing Agreement (DPA) is available to enterprise customers upon request at privacy@valid-lead.com.
07 Cross-Network Intelligence
Valid Lead's fraud detection benefits from cross-network pattern recognition — identifying signals (such as behavioral patterns, IP ranges, and submission timing) that appear across multiple customers' lead forms as indicators of bot traffic or fraud rings.
This cross-network analysis uses:
- Hashed identifiers only — email addresses and phone numbers are hashed (SHA-256) before being used in any cross-customer analysis. Raw PII from one customer is never exposed to or compared against data from another customer.
- Aggregated behavioral signals — anonymized statistical patterns (timing distributions, interaction sequences) that cannot be traced back to individual leads.
Raw lead data (names, email addresses, phone numbers) is strictly isolated per customer and is never shared between customer accounts.
08 Data Retention
- Lead data: Retained for the duration of the customer's active account, plus 30 days following account deletion or cancellation, after which it is permanently deleted.
- Behavioral signals: Retained alongside the lead record. Deleted with the lead record per the schedule above.
- Google OAuth tokens: Retained until the customer disconnects the integration or deletes their account. Deleted within 30 days of disconnection or account deletion.
- Account data: Retained for the duration of the account, plus 30 days after deletion.
Customers can request deletion of their data at any time by contacting privacy@valid-lead.com.
09 Security
We implement the following security measures to protect your data:
- HTTPS everywhere — All data in transit is encrypted using TLS 1.2+.
- Encrypted storage — Sensitive values (OAuth tokens, API keys) are encrypted at rest using AES-256 via Supabase's built-in encryption.
- Row-level security (RLS) — Customer data in our database is isolated at the row level. Customers can only access their own lead data.
- UUID API keys — Customer API keys are long UUID-based tokens. They are hashed in our database and never stored in plain text.
- No cookies or persistent client storage — lq.js operates without cookies or localStorage, reducing exposure to cross-site attacks.
Despite these measures, no security system is perfect. If you discover a security issue, please contact privacy@valid-lead.com.
10 GDPR Rights (EEA Residents)
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to data portability — Request your data in a machine-readable format.
- Right to object — Object to processing of your personal data for certain purposes.
- Right to restrict processing — Request that we limit how we use your data.
Note: Valid Lead processes lead data on behalf of our business customers (controllers). To exercise GDPR rights regarding lead data, contact the business whose form you submitted. To exercise rights regarding your Valid Lead account data, contact privacy@valid-lead.com.
Our legal basis for processing customer account data is performance of a contract (service agreement). Our legal basis for processing lead data on behalf of customers is our contractual obligation to those customers as a data processor.
11 CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides the following rights:
- Right to know — Request disclosure of the personal information we collect, use, disclose, and sell.
- Right to delete — Request deletion of your personal information.
- Right to opt-out of sale — We do not sell personal information. No opt-out mechanism is required, but you may contact us to confirm.
- Right to non-discrimination — We will not discriminate against you for exercising CCPA rights.
To submit a CCPA request, contact privacy@valid-lead.com. We will respond within 45 days.
12 Children's Privacy
Valid Lead is a B2B service directed at business professionals. We do not knowingly collect personal information from individuals under the age of 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. Contact privacy@valid-lead.com if you believe we have inadvertently collected such data.
13 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify active customers via email or an in-app notice. Continued use of Valid Lead after changes are posted constitutes acceptance of the updated policy.