Last updated 17 June 2026

Privacy Policy

Your privacy matters to us. This policy explains exactly what data LeadOs collects, why, how it's protected, and what rights you have over it.

1. Who we are

LeadOs is a product of Saya·IO ("we", "us", "our"). When you use LeadOs at leados.saya-io.com, Saya·IO acts as the data controller for the personal data described in this policy.

For privacy inquiries: privacy@saya-io.com

2. Data we collect

2a. Account data

When you create a LeadOs workspace, we collect:

  • Business name, workspace slug, industry
  • Your full name and work email
  • A bcrypt-hashed password (we never store your plain-text password)
  • Billing plan and payment status (payment card data is handled by Stripe and never stored on our servers)

2b. Lead and conversation data

LeadOs processes the messages your leads send through the channels you connect (WhatsApp, email, web forms, Shopify, etc.). This includes names, phone numbers, email addresses, and message content provided by your customers. You are the data controller for this data; we process it as your data processor.

2c. Usage data

We collect usage metrics: pages visited, features used, API calls made, AI tokens consumed. This data is aggregated and used to improve the product and calculate your plan usage.

2d. Technical data

We automatically collect IP addresses, browser type, device type, and operating system when you use the service. This data is used for security, fraud prevention, and debugging.

3. How we use your data

  • Providing the service — qualifying leads, sending automated replies, routing conversations
  • Account management — authentication, billing, plan enforcement
  • Security — fraud detection, brute-force prevention, incident response
  • Product improvement — aggregated, anonymised analytics to improve features
  • Communications — transactional emails (password resets, billing), product updates (opt-out available)

We do not sell your data. We do not use your business data or lead conversations to train AI models without your explicit consent.

4. Sharing & sub-processors

We share data only with sub-processors necessary to run the service:

Sub-processor | Purpose | Location
Anthropic | AI qualification and reply generation | USA
OpenAI | Semantic search / embeddings | USA
Stripe | Payment processing | USA / EU
AWS / Hetzner | Infrastructure hosting | EU / USA
Redis Labs | Session and rate-limit cache | EU
Postmark | Transactional email delivery | USA

All sub-processors are bound by data processing agreements and applicable privacy laws. Data transfers to the USA are covered by Standard Contractual Clauses (SCCs).

5. Security

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 for all data in transit
  • Webhook payloads verified via HMAC signatures (per-provider)
  • JWT tokens with short expiry and automatic refresh-token rotation
  • Account lockout after repeated failed login attempts
  • All API endpoints rate-limited per IP and per tenant
  • API server not publicly reachable — only accessible via reverse proxy

If you discover a security vulnerability, please email security@saya-io.com before disclosing publicly. We acknowledge all reports within 24 hours.

6. Data retention

  • Conversation history: retained for the period your plan includes (7 days on Starter, 90 days on Growth, unlimited on Pro/Enterprise) and deleted within 30 days of account cancellation
  • Account data: retained for the lifetime of your account plus 90 days after cancellation for legal compliance
  • Billing records: retained for 7 years as required by financial regulations
  • Usage logs: aggregated and anonymised after 90 days

7. Your rights (GDPR / privacy laws)

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — for any processing based on consent

To exercise any right, email privacy@saya-io.com. We respond within 30 days. EU/EEA residents may also lodge a complaint with their local supervisory authority (e.g., ICO in the UK, CNIL in France).

For your leads' data (where you are the data controller), you are responsible for providing appropriate privacy notices to your customers.

8. Cookies

LeadOs uses a minimal set of cookies:

  • auth_token — stores your login session (essential, HttpOnly, Secure)
  • refresh_token — enables session persistence (essential, HttpOnly, Secure)
  • currency_pref — remembers your preferred display currency (functional, 30-day expiry)

We do not use third-party advertising cookies or tracking pixels. Analytics are privacy-first and do not require a cookie consent banner.

9. Children

LeadOs is a business tool intended for users aged 18 and over. We do not knowingly collect data from children. If you believe a child has created an account, please contact us at privacy@saya-io.com.

10. Changes to this policy

We may update this policy as the product evolves. Material changes will be notified via email to account holders at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version. Continued use of LeadOs after changes constitutes acceptance.

11. Contact us

For any privacy question or data request:

  • Email: privacy@saya-io.com
  • Subject line: Privacy Request — [your name]
  • Response time: within 30 days