Privacy Policy

Last updated: April 19, 2026. Controller: iSCALE LLC.

1. Information We Collect

We collect the following categories of personal information:

  • Account data: name, email address, company name, role, organization membership, and login timestamps.
  • Authentication data: OAuth identifiers (Google), WebAuthn passkey credentials, two-factor authentication secrets, and session tokens.
  • Usage data: IP address, user agent, device type, login timestamps, pages visited, and actions taken in the platform.
  • Lead data you process: if you use Lead Router to route leads, the data subjects' names, contact details, and any custom fields you capture. You are the controller of this data; we process it under your instruction.
  • Billing data: payment card data is handled by our processor (Stripe) and never stored on our systems.

2. How We Use Your Information

We use your information to: authenticate your identity, manage your account, provide access to the Lead Router platform, maintain security through audit logging, process payments, communicate service updates, respond to support requests, and comply with legal obligations. We do not sell your personal information. We do not use your data to train artificial intelligence models without your consent.

3. Third-Party Service Providers

We share personal information with the following categories of processors, each under a data processing agreement (DPA):

  • Infrastructure: Vercel (hosting), Neon (Postgres), AWS (file storage).
  • Authentication: Google (OAuth sign-in), when you choose it.
  • Payments: Stripe.
  • Monitoring: Sentry (error tracking).
  • Communications: transactional email and SMS providers configured by you.

We do not share your data with advertising networks, data brokers, or analytics platforms that re-sell it.

4. Data Security

We protect your account using Google OAuth, magic-link email authentication, WebAuthn passkeys, and optional time-based one-time-password (TOTP) two-factor authentication. We do not store user passwords. Additional safeguards include TLS 1.2+ for data in transit, AES-256-GCM encryption at rest, multi-tenant isolation at the row level, role-based access controls, and audit logging on every authenticated action. Lead Router is architected for SOC 2 Type II and HIPAA compliance; a Business Associate Agreement (BAA) is available on request.

5. Data Retention

Account data is retained while your account is active and for a reasonable period after closure to comply with legal, accounting, and dispute-resolution obligations. Audit logs are retained for 90 days. Lead data you process through the platform is retained under your configuration; you control deletion windows and can export or purge it at any time. When an account is closed, we delete associated personal data within 30 days, except where retention is required by law.

6. International Transfers

Lead Router is operated from the United States. If you access the service from outside the US, your data will be transferred to the US. For data originating from the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.

7. Your Rights (GDPR, CCPA, and Other Regulations)

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data (subject to legal retention requirements).
  • Object to or restrict certain processing.
  • Port your data in a machine-readable format.
  • Opt out of sale or sharing (we do not sell your data).
  • Withdraw consent previously given.

Submit requests through our Data Subject Request form. We respond within 30 days (45 days for CCPA requests requiring extension).

8. Cookies and Tracking

Lead Router uses strictly necessary cookies for authentication and session management. We do not use advertising cookies or third-party trackers on authenticated pages. Our public marketing pages use first-party analytics only to measure aggregate traffic patterns.

9. Children's Privacy

Lead Router is a business-to-business platform and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us immediately and we will delete it.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or applicable law. Material changes will be announced via email to account administrators at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact

For privacy inquiries, data subject requests, or questions about this policy, contact us at privacy@iscale.com or use our Data Subject Request form. Mailing address: iSCALE LLC, United States.