> PRIVACY_POLICY.TXT

> 1. WHAT_WE_COLLECT

When you create an account we collect your email address and a bcrypt-hashed password (we never store plaintext passwords). If you sign in with Google, we receive your email and name from Google OAuth, and no password is stored.

We also store usage data: the number of leads generated each billing period, your subscription tier, and your Stripe customer ID (if you subscribe to a paid plan). We do not store the actual leads or search results you generate, as those are returned directly to your browser.

> 2. HOW_WE_USE_IT

Your data is used solely to operate the service: authenticating your account, enforcing monthly lead quotas, processing subscription payments via Stripe, and sending transactional emails (password reset, contact form replies). We do not sell your data, share it with third parties for marketing, or use it for advertising.

> 3. THIRD_PARTY_SERVICES

Stripe - processes all payments. Stripe stores your payment method and billing details. We never see your full card number. Stripe's privacy policy: stripe.com/privacy.

Google Maps API - powers all scans. Your search queries (business category + location) are sent to Google. Google's privacy policy: policies.google.com/privacy.

Resend - delivers transactional emails. Your email address is passed to Resend when sending emails.

> 4. DATA_RETENTION

Your account and associated data are retained for as long as your account is active. If you delete your account, all personal data (email, hashed password, usage records, Stripe customer link) is permanently deleted from our database within 30 days.

> 5. YOUR_RIGHTS

You have the right to access, correct, or delete your personal data at any time. To delete your account and all associated data, use the contact page with the subject "Delete my account". We will process your request within 30 days.

If you are located in the EU/EEA, you also have the right to data portability and to lodge a complaint with your local data protection authority.

> 6. COOKIES_AND_STORAGE

We use localStorage in your browser to store your authentication token (JWT). This token is used to identify you across sessions. No third-party tracking cookies are used. You can clear your browser storage at any time to log out.

> 7. SECURITY

All data is transmitted over HTTPS. Passwords are hashed with bcrypt and never stored in plaintext. Authentication tokens expire and are signed with a server-side secret. We do not log or store search queries beyond what is needed to enforce usage limits.

> 8. CONTACT

Questions about this policy? Use the contact page.