Privacy Policy

Version 2.0 — Effective Date: March 4, 2026 GLBA Compliant CCPA Compliant TDPSA Compliant

Lead Validator Pro ("we," "us," "our," or the "Service") is operated by Lead Validator Pro LLC. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use our insurance lead validation platform.

Information We Collect
Data Sources and Purposes
Third-Party Data Processors
How We Use Your Information
Data Retention
Your Rights
California Privacy Rights (CCPA/CPRA)
Texas Data Privacy and Security Act (TDPSA)
Gramm-Leach-Bliley Act (GLBA) Notice
Cookies and Local Storage
Data Security
Children's Privacy
Changes to This Policy
Contact Information

1. Information We Collect

We process the following categories of personally identifiable information (PII) for the purpose of insurance lead validation and quality scoring:

Category	Data Elements	Purpose
Identity	First name, last name, date of birth, gender	Identity verification, age validation, fraud detection
Contact	Phone number, email address	Contact verification, deliverability checks, duplicate detection
Address	Street address, city, state, ZIP code	Address validation, property matching, geographic compliance
Vehicle	VIN, make, model, year, registration state	Auto insurance lead validation, DMV record matching
Driver's License	DL number, state, status, expiration	Identity verification under DPPA-permitted purposes
Insurance	Current carrier, policy expiration, coverage type, claims history	Lead quality scoring, policy validation
Property	Ownership status, property type, square footage, year built, roof type, replacement cost	Home insurance lead validation, property risk assessment
Financial	Estimated income range, credit tier (when provided by lead source)	Insurance eligibility screening, GLBA-governed processing

2. Data Sources and Purposes

We obtain and cross-reference lead data from the following sources to validate lead quality and detect fraud:

Data Source	Data Obtained	Purpose
Enformion (EndatoGO)	Name, phone, email, address history, relatives, associates	Identity verification, contact enrichment, fraud screening
Public Records Provider	Vehicle registration, driver's license records	DMV record matching, DL verification under DPPA
Trestle IQ (RealContact)	Phone carrier data, line type, caller ID, CNAM	Phone validation, VoIP detection, contact quality scoring
Google Maps / Places API	Address geocoding, Street View imagery, place verification	Address existence validation, property visual verification
Market Listing Providers	Property details, estimated value, listing status	Property ownership verification, value cross-reference
ATTOM Data Solutions	Property records, tax assessments, ownership history, hazard data	Property risk assessment, ownership verification
County Assessor Records	Property tax records, assessed value, ownership name	Property ownership and value verification
RentCast	Rental estimates, comparable property data	Property valuation cross-reference
Anthropic Claude AI	None (receives lead data for analysis)	AI-powered legitimacy scoring, fraud detection reasoning, disposition recommendations
DuckDuckGo Search	Publicly available web information	Open-source intelligence for lead research and verification
IPQualityScore (IPQS)	Email/phone fraud scores, risk flags	Email and phone fraud detection, disposable domain detection, VoIP risk scoring

3. Third-Party Data Processors

We engage the following third-party processors to provide our Service. Each processor is contractually bound to process data only for the purposes specified and in accordance with applicable data protection laws:

Processor	Role	Data Processed	Location
Google LLC	Cloud infrastructure, Maps API, geocoding	Address data, property imagery requests	United States
Trestle IQ Inc.	Phone carrier intelligence	Phone numbers for carrier lookup	United States
Anthropic PBC	AI analysis engine	Lead data for legitimacy analysis (no persistent storage by Anthropic)	United States
Enformion Inc. (EndatoGO)	Identity verification, contact enrichment	Name, address for identity matching and enrichment	United States
IPQualityScore LLC (IPQS)	Email and phone fraud scoring	Email address, phone number for fraud analysis	United States
ATTOM Data Solutions LLC	Property data validation	Address for property records lookup	United States
Redfin Corporation	Property comparison data	Address for comparable listings (TOS compliance under review)	United States

    Note: All third-party processors are required to maintain security standards consistent with SOC 2 Type II or equivalent certifications. Data is transmitted via TLS 1.2+ encrypted connections.

4. How We Use Your Information

We use the personal information we process exclusively for the following business purposes:

Lead Validation: Verifying identity, contact information, and address accuracy for insurance lead quality scoring
Fraud Detection: Identifying fraudulent, synthetic, or low-quality insurance leads using cross-source verification
Property Assessment: Validating property details for home insurance underwriting support
Vehicle and DL Verification: Confirming vehicle ownership and driver's license status for auto insurance leads
Household Intelligence: Analyzing household composition for multi-policy opportunity identification
Disposition Recommendations: Generating AI-assisted lead handling recommendations for insurance agents
Compliance: Meeting regulatory requirements under GLBA, FCRA, DPPA, CCPA, and TDPSA
Service Improvement: Improving our validation algorithms and fraud detection accuracy

5. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected:

Data Type	Default Retention	Notes
Lead PII (name, phone, email, address)	90 days	Configurable per organization (30-365 days)
Validation results and scores	90 days	Retained with lead data
AI analysis and disposition data	90 days	Retained with lead data
Audit logs	1 year	Required for compliance
Security logs (login, access)	1 year	Required for incident response
Cached API responses	30-90 days	Varies by data source; auto-purged
Account data (users)	Duration of service + 30 days	Deleted upon account closure request

Upon expiration of the retention period, data is permanently deleted from active systems. Backup copies are purged within 30 days of the primary deletion.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Right to Access: Request a copy of the personal information we hold about you
Right to Correction: Request that we correct inaccurate or incomplete personal information
Right to Deletion: Request that we delete your personal information (subject to legal retention requirements)
Right to Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
Right to Opt-Out of Sale: Direct us not to sell your personal information (see CCPA section below)
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights: Submit a request via email to [email protected] or use the DELETE /api/user/data endpoint in your account settings. We will respond within 30 days (45 days for complex requests).

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it
Right to Delete: You may request deletion of personal information we have collected from you
Right to Correct: You may request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: You may opt out of the "sale" or "sharing" of your personal information
Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information to what is necessary to provide the Service

"Do Not Sell or Share My Personal Information"
We do not sell personal information as defined by the CCPA. Lead data processed through our platform is used exclusively for validation and quality scoring on behalf of our business customers (insurance agencies). If you believe your data has been processed by our Service and wish to opt out, contact us at [email protected] with the subject line "CCPA Opt-Out Request."

Verification: To protect your privacy, we will verify your identity before fulfilling any CCPA request by matching at least two data points you provide against information we hold.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide written authorization signed by you.

Response Timeline: We will acknowledge receipt within 10 business days and provide a substantive response within 45 calendar days.

8. Texas Data Privacy and Security Act (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act (effective July 1, 2024) provides you with the following rights:

Right to Access: Confirm whether we are processing your personal data and access such data
Right to Correction: Correct inaccuracies in your personal data
Right to Deletion: Delete personal data you have provided or we have obtained
Right to Data Portability: Obtain your personal data in a portable, readily usable format
Right to Opt-Out: Opt out of processing for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects

To exercise your TDPSA rights, contact us at [email protected]. We will respond within 45 days. If we decline a request, you may appeal within 60 days, and we will respond to the appeal within 60 days.

9. Gramm-Leach-Bliley Act (GLBA) Notice

Certain data processed through our Service may constitute "nonpublic personal information" (NPI) as defined by the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.). When acting as a service provider to financial institutions or insurance agencies, we:

Process NPI solely as directed by and on behalf of our business customers
Maintain administrative, technical, and physical safeguards consistent with the FTC Safeguards Rule (16 CFR Part 314)
Do not disclose NPI to non-affiliated third parties except as permitted under GLBA exceptions (e.g., to process a transaction, with consumer consent, or as required by law)
Restrict employee access to NPI on a need-to-know basis
Require all sub-processors handling NPI to maintain equivalent safeguards

10. Cookies and Local Storage

We use essential cookies and localStorage only. We do not use third-party tracking cookies, advertising pixels, or analytics trackers.

Technology	Name/Key	Purpose	Duration
HTTP Cookie	`access_token`	JWT authentication (httpOnly, Secure, SameSite=Lax)	15 minutes
HTTP Cookie	`refresh_token`	Session refresh (httpOnly, Secure, SameSite=Lax)	7 days
HTTP Cookie	`csrf_token`	Cross-site request forgery protection	Session
localStorage	`cookie_consent`	Records user's cookie consent preference	Persistent
localStorage	`sidebar_collapsed`	UI preference (sidebar state)	Persistent
localStorage	`theme`	UI preference (color theme)	Persistent

No personal information is stored in localStorage. Authentication tokens are stored exclusively in httpOnly cookies that are inaccessible to JavaScript.

11. Data Security

We implement comprehensive security measures to protect your personal information:

Encryption in Transit: All data is transmitted via TLS 1.2+ (HTTPS enforced via Cloudflare)
Data at Rest: Application databases are protected by server-level access controls and restrictive file permissions (0600). AES-256 encryption at rest is planned (see Security Roadmap). Backup files are compressed and stored with the same restrictive permissions
Authentication: Argon2id password hashing, JWT-based sessions with refresh token rotation, optional TOTP-based MFA
Access Control: Role-based access control (RBAC) with principle of least privilege
Audit Logging: All data access, modifications, and administrative actions are logged with timestamps, user identity, and IP addresses
Rate Limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks
Security Monitoring: Real-time login monitoring, suspicious activity detection, and automated session revocation
Incident Response: Documented incident response plan with 72-hour breach notification commitment

12. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email notification to account holders and/or a prominent notice within the Service at least 30 days prior to the change taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact Information

For privacy-related inquiries, data access requests, or to exercise your rights under applicable law:

Channel	Contact
Email (Privacy Requests)	[email protected]
Email (General)	[email protected]
Data Deletion API	`DELETE /api/user/data` (authenticated)
Mailing Address	Lead Validator Pro LLC, Attn: Privacy Officer, [Address on file]

We will acknowledge all privacy requests within 10 business days and provide a substantive response within 30-45 calendar days depending on complexity and applicable law.