Privacy Policy

MAXY Investment Inc., a Texas corporation, doing business as LeadSmart AI (“LeadSmart,” “we,” “us,” or “our”) operates the website leadsmart-ai.com and provides AI-assisted lead management, CRM, SMS follow-up, email automation, and related services (the “Service”). This Privacy Policy explains what information we collect, how we use and share it, and the choices you have.

By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.

We collect information in three buckets:

• Information you give us directly — account details (name, email, phone, brokerage, role), billing information processed through our payment processor, content you create in the Service (lead records, contacts, messages, notes, preferences), and support communications.
• Information about how you use the Service — pages viewed, features used, device and browser identifiers, IP address, approximate location derived from IP, session duration, referrer, and crash or error diagnostics.
• Information from integrations you connect — lead sources such as Zillow, Realtor.com, Follow Up Boss, kvCORE, Sierra Interactive, Facebook Lead Ads, Google, and any IDX site you link. If you forward emails to your unique LeadSmart inbound address (e.g. your-name@inbox.leadsmart-ai.com), we process only those emails you explicitly forward to us — see section 5 for inbound email handling. We receive only what each integration’s OAuth scope permits.

Categories collected (for California residents)

For purposes of the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), we collect the following statutory categories of personal information from agents using the Service:

• Identifiers — name, email, postal address, phone, account login, IP address, device identifiers.
• Customer records (Cal. Civ. Code § 1798.80) — billing information, brokerage / license details.
• Commercial information — subscription tier, transactions, referral activity.
• Internet / network activity — pages viewed, features used, session timing, referrer, browser + OS metadata, error diagnostics.
• Geolocation data — approximate location derived from IP. We do not collect precise device geolocation.
• Professional information — license number, brokerage affiliation, role.
• Inferences drawn from the above to characterize agent preferences and recommend product features.

We do not knowingly collect sensitive personal informationunder CPRA § 1798.140(ae). For information about contacts the agent uploads or imports — which is the agent’s data, not LeadSmart’s — see section 5 (How we share information) and section 11 (Retention).

We use the information described above to:

• Operate, maintain, and improve the Service.
• Send automated SMS and email on your behalf to leads and contacts you manage (only where consent has been captured — see section 6, “SMS and email compliance”).
• Personalize the product experience and generate AI-assisted recommendations.
• Provide customer support and respond to inquiries.
• Detect and prevent fraud, abuse, and violations of our Terms of Service.
• Comply with legal obligations and enforce our rights.
• Send you product updates, security notices, and (with your consent) marketing communications.

We do not train AI models on your data

We do not use your account information, your content (including contacts, messages, and notes), or AI-generated output to train, fine-tune, or otherwise develop generalized machine-learning models — neither our own nor those of any third party. If we ever change this practice we will update this policy and offer an opt-out before the new use begins. Data processed by our third-party AI providers is subject to their no-training contractual terms, described in section 4.

LeadSmart uses third-party AI providers — currently OpenAI and Anthropic — to generate messages, summarize calls, and rank leads. When the Service sends data to these providers:

• Only the content needed for the specific task is transmitted.
• Providers act as data processors under agreements that prohibit using the data to train their models for other customers.
• Generated output is treated as your data and subject to the same protections as the input.

Current AI sub-processors

Each provider operates under its own data-protection terms (Anthropic Commercial Terms, OpenAI Business / API Terms) which require them to act as a processor of your data, prohibit secondary use, and require deletion at the end of the retention window. We update this table when we add or remove a provider; the “last updated” date at the top of this page reflects the current set.

LeadSmart provisions each agent a unique inbound forwarding address (e.g. your-name@inbox.leadsmart-ai.com) on first dashboard visit. The address is yours alone, scoped to your account, and only processes emails you explicitly forward to it — typically via a Gmail / Outlook filter you configure yourself.

What we receive

• The full envelope (From, To, Subject) of any email forwarded to your alias.
• The plain-text body (first ~2,000 characters stored, full body kept transiently for AI extraction).
• Attachments (PDFs of offers, listing agreements, etc.) referenced by signed URLs that expire. We do not permanently store attachment binaries; we read them once for extraction and discard them.

How we use it

• We classify the email’s intent (offer, listing agreement, showing request) using a keyword pass plus an optional AI overlay.
• We run an AI extractor against any PDF attachment to pull structured fields (price, dates, parties, contingencies).
• We create a “Review forwarded …” task on your CRM dashboard with a link to a review page where you confirm the parsed fields and apply them as a draft offer / listing / showing.
• We attempt a best-effort match between the sender’s email and your existing CRM contacts as a suggestion you confirm or override — never auto-routed.

How we don't use it

• We do not read emails sent to other addresses on your domain — only your unique LeadSmart alias.
• We do not use forwarded email content to train, fine-tune, or otherwise develop generalized machine-learning models, including large language models. AI extraction calls run against the message in-context per request and are not retained for training.
• We do not sell, license, or transfer forwarded email content to any third party, except the sub-processors necessary to operate the Service (Resend for inbound webhook delivery, Anthropic for AI extraction, Supabase for database storage) and only under contractual obligations that mirror these restrictions.
• Humans at LeadSmart do not read your forwarded email content except when (i) you give explicit written permission for specific messages, (ii) it is necessary for security or to prevent abuse, (iii) it is required for compliance with applicable law, or (iv) the content is first aggregated and anonymized in a way that cannot be used to identify you or your contacts.

Retention and deletion

• Forwarded email envelopes + body previews are retained in your LeadSmart CRM until you delete them, delete the associated review task, or delete your account. When your account is deleted, all inbound delivery records are removed or anonymized within 90 days, aligned with section 11 below.
• Stop forwarding at any time by disabling or deleting the Gmail / Outlook filter you set up. We have no way to pull emails from your inbox; we only receive what your filter sends.
• Rotate or disable your alias — visit Settings → Calendar → Email forwarding to rotate to a fresh alias, or contact us to disable inbound entirely.

Per-alias rate limit

To deter abuse, each alias caps inbound deliveries at 100 per rolling 24 hours. Emails over the cap are dropped (we return 200 to the upstream provider and discard). Volumes above this are extremely rare in normal use; raise a support request if your workflow needs a higher cap.

We share information only with:

• Service providers that help us operate the Service — hosting (Vercel, Supabase), SMS delivery (Twilio), email delivery (SendGrid / Resend), payments (Stripe), AI inference (OpenAI, Anthropic), analytics, and customer support tools.
• Your leads and contacts — messages you or LeadSmart send on your behalf disclose your identity to those recipients.
• Legal and safety — when required by law, subpoena, court order, or to protect the rights, property, or safety of LeadSmart, our users, or the public.
• Business transfers — in connection with a merger, acquisition, or sale of assets.

We do not sell personal information in exchange for monetary consideration. We also do not currently “sell” or “share” personal information as those terms are defined under CCPA/CPRA — including for cross-context behavioral advertising. We do not load advertising trackers (Facebook Pixel, Google Ads conversion tracking, TikTok Pixel, LinkedIn Insight, etc.) on the Service. If we ever change this practice we will update this policy and post the “Do Not Sell or Share My Personal Information” control described in section 9 before the new use begins.

For end-user SMS recipients (homeowners, leads, and contacts)

If you opt in to receive marketing text messages from LeadSmart AI via a consent checkbox on a LeadSmart public surface (for example /contact, /home-value-funnel, or /open-house-signup), the mobile phone number you provide and your SMS opt-in record are used solely to deliver the marketing text messages you authorized at the moment of opt-in.

We do not sell, rent, lease, share, transfer, or otherwise disclose your mobile phone number or SMS opt-in data to any third party or affiliate for their own marketing, promotional, or commercial purposes. Mobile information collected through SMS opt-in is excluded from all data-sharing arrangements with third parties, except where strictly necessary to deliver the messages you requested (e.g. our SMS provider, Twilio) and only for that delivery purpose.

You may opt out at any time by replying STOP to any text message. For help, reply HELP. Message frequency varies. Message and data rates may apply. Consent is not a condition of any purchase. The four-element disclosure shown beneath the consent checkbox on each opt-in surface defines the exact terms at the moment of opt-in; that wording is pinned per surface and stored in our audit log so the exact text shown at the time of opt-in can be reproduced on request.

For LeadSmart customers (agents sending on behalf of their own contacts)

LeadSmart sends SMS and email on your behalf only when consent has been established. By using the Service, you represent and warrant that:

• You have obtained prior express written consent (as required by the Telephone Consumer Protection Act, 47 U.S.C. § 227, and FCC rules) from every recipient before a marketing SMS is sent on your behalf.
• For non-marketing SMS (informational / transactional), you have a legitimate business relationship with the recipient.
• Every marketing email complies with the CAN-SPAM Act, including an unsubscribe link and accurate sender identification.
• You will honor STOP / UNSUBSCRIBE / HELP requests immediately — LeadSmart automatically suppresses these numbers and addresses on your behalf, but compliance is ultimately your responsibility.

For 10DLC sender / caller allocation: LeadSmart maintains a registered 10DLC brand and campaign with The Campaign Registry (TCR) and operates the SMS sending infrastructure as the messaging vendor. You remain the “caller” under the TCPA and the “sender” under the CAN-SPAM Act, which means consent capture and message content are your responsibility. Section 6 of the Terms of Service spells this out in detail, including the option to bring your own 10DLC brand for enterprise use cases.

We use cookies and similar technologies to keep you signed in, remember preferences, measure usage, and improve the Service. You can control cookies through your browser settings. Blocking essential cookies will break functions like staying signed in.

Categories of cookies we use

• Strictly necessary — authentication, session integrity, security, fraud prevention, load balancing. These are always active; the Service does not function without them.
• Functional — remember preferences (language, sidebar state, last-viewed contact). Disabling these works, but you’ll re-enter preferences on each visit.
• Analytics — aggregate usage measurement to help us understand which features are useful. These are gated on your explicit opt-in; the Service ships zero analytics payloads to third parties until you grant consent.

We do not use advertising or cross-context tracking cookies. EU and California visitors see a consent banner controlling the analytics category; you can change your choice at any time from the cookie preferences link in the footer.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your account and associated personal information.
• Export your data in a portable format.
• Object to or restrict certain processing.
• Withdraw consent to marketing communications.
• Opt out of any “sale” or “sharing” of personal information as defined under CCPA/CPRA (even though we do not believe we engage in either).

To exercise any of these rights, email contact@leadsmart-ai.com. We will respond within the timeframes required by applicable law.

California — Do Not Sell or Share My Personal Information

As described in section 6, we do not currently “sell” or “share” personal information under CCPA/CPRA. To submit a Do-Not-Sell-or-Share request anyway (it will be honored as a forward-looking opt-out), email contact@leadsmart-ai.com with the subject line “Do Not Sell or Share My Personal Information.” You may also designate an authorized agent to make the request on your behalf in accordance with CCPA/CPRA procedures.

European Economic Area, United Kingdom, Switzerland

If you are located in the EEA, the UK, or Switzerland, you may lodge a complaint with your local data protection authority. A current list of EEA Data Protection Authorities is available at edpb.europa.eu/about-edpb/about-edpb/members. UK residents may contact the Information Commissioner’s Office (ICO) at ico.org.uk. You may also contact us first at contact@leadsmart-ai.com, and we will respond within applicable legal timeframes.

We keep personal information for as long as your account is active and for a reasonable period afterward to handle support issues, enforce agreements, and comply with law. When your account is deleted we remove or anonymize personal information within 90 days, except where retention is required for legal, accounting, or fraud-prevention purposes.

Retention by category

• Account + profile data — kept while your account is active; removed or anonymized within 90 days after account deletion.
• Contact records you upload (CRM contacts, leads, notes) — kept while your account is active; deleted within 90 days after account deletion. You can delete individual contacts at any time.
• SMS + email logs (including TCPA / CAN-SPAM consent records and opt-out evidence) — retained for at least 4 years after the last communication, in line with the TCPA statute of limitations and the FCC consent-recordkeeping standard.
• Gmail-synced messages (when Gmail sync is connected) — see section 5 (Google user data); retained until you delete the message, the associated contact, or your account.
• Billing + tax records — retained for at least 7 years for tax and audit compliance.
• Behavioral / usage logs — retained for up to 13 months, then aggregated or deleted.
• AI inference logs (the request/response sent to OpenAI or Anthropic) — held no longer than 30 days on the provider side per their terms; we do not retain a separate copy beyond what is necessary to render the resulting output to you.
• Security + audit logs — up to 24 months, retained longer only when actively needed for an investigation.
• Backups — encrypted backups roll off on a 35-day cycle. Deleted records are removed from active systems immediately and from backups as the backup cycle completes.

Where a longer retention is required by law (subpoena, ongoing audit, fraud investigation, regulatory hold), we retain only the minimum data required and for only as long as the obligation persists.

We apply industry-standard administrative, technical, and physical safeguards, including encryption in transit (TLS) and at rest, access controls, audit logging, and regular security reviews. No method of transmission or storage is 100% secure, but we work to protect your information and promptly investigate and address incidents.

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, contact us so we can delete it.

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice in the Service at least 30 days before they take effect. The “last updated” date at the top of this page always reflects the current version.

Questions about this Privacy Policy can be directed to contact@leadsmart-ai.com.