Privacy Policy
Last updated: April 19, 2026
LeadFlow is a local-first tool. Your data lives on the machine where you installed it. This page explains exactly what happens to your information.
What LeadFlow stores on your device
- Leads — businesses you scan from OpenStreetMap or import from CSV, including names, addresses, phone numbers, and email addresses.
- Campaigns and sequences — the email content you write.
- Sends — records of emails you've sent through LeadFlow.
- Replies — replies pulled from your own Gmail inbox via the Gmail API (only if you grant read access).
- Settings — your workspace name, mailing address, sending preferences, and OAuth tokens.
All of the above is stored in your browser's IndexedDB and localStorage. Nothing is sent to our servers. We don't run servers for this tool.
External services LeadFlow uses
- Gmail API (Google) — to send emails and, optionally, read your own inbox to detect replies. You grant access via OAuth. Tokens are stored only in your browser. Revoke access anytime at myaccount.google.com/permissions.
- OpenStreetMap Overpass API — public, anonymous database of businesses. We query it for leads. No personal data leaves your machine.
- Cloudflare DNS-over-HTTPS — used to verify whether a domain accepts mail. We look up the MX record only; no personal data is sent.
- Reacher (optional) — if you run Reacher locally for SMTP verification, it contacts recipient mail servers to check mailbox existence. No third-party company is involved.
- Ollama or Groq (optional) — for AI email drafting. Drafting runs either on your machine (Ollama) or through Groq's API with your own key. We don't proxy AI calls.
What LeadFlow does NOT do
- We don't send telemetry, analytics, or crash reports.
- We don't share your leads or email content with third parties.
- We don't sell your data. There's nothing to sell — we don't have it.
- We don't store your OAuth tokens on any server. They live in your browser.
Your rights (GDPR / CCPA)
Because all your data is local, you can exercise every right directly:
- Right to access — Settings → Privacy & data → Export JSON. Full dump of everything.
- Right to delete — Settings → Privacy & data → Delete all my data. Irreversible wipe.
- Right to portability — the export is plain JSON. Take it anywhere.
- Right to revoke OAuth — revoke access in your Google account permissions at myaccount.google.com/permissions.
Cold email compliance
LeadFlow is a tool. You are responsible for what you send with it. US CAN-SPAM requires that every commercial email include a valid physical mailing address and a working unsubscribe mechanism. LeadFlow auto-appends both when you set your address in Settings → Workspace. You must keep that address accurate.
Contact
Questions: marketingwiththeagencyinfo@gmail.com