LeadFlow AI

Data Processing Notice

Last updated: June 8, 2026

1. Overview

This Data Processing Notice describes how LeadFlow AI (operated by Polsia, Inc.) processes personal data under the GDPR (EU/EEA) and CCPA (California). It supplements our Privacy Policy and Terms of Service.

2. Roles

You (the subscriber): Data Controller. You determine the purposes and means of processing lead data collected through your use of the platform. You are responsible for ensuring you have the legal basis to collect and process your customers' personal data.

LeadFlow AI / Polsia, Inc.: Data Processor. We process lead data only on your instructions and for the purpose of delivering the lead capture service. We do not use your data for our own purposes.

3. Sub-Processors

We use the following third-party sub-processors to deliver the service:

Sub-Processor | Purpose | Data Shared | Retention
Stripe, Inc. | Payment processing | Billing info, card details (tokenized) | Per Stripe policy (see Stripe Privacy Policy)
OpenAI, LLC | AI response generation | Lead conversation content (transient, not stored by OpenAI long-term) | Per OpenAI API policy (max 30 days)
Twilio, Inc. | SMS dispatch and delivery | Phone numbers, SMS content | Per Twilio retention policy (up to 25 months)
Neon (Neon Database Inc.) | PostgreSQL database hosting | Account data, lead records, message logs | Active account + 12 months post-closure

We will notify you (via email or this page) at least 30 days before adding or replacing any sub-processor.

4. Data Retention

Data retention periods:

  • Account data: Retained until account closure + 24 months
  • Lead records: Retained for 12 months after creation; deleted within 30 days of a deletion request
  • Message logs: Retained for 12 months
  • Payment records: Retained per legal and tax requirements (minimum 7 years)

5. Security Measures

We implement the following technical and organizational security measures:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access control (RBAC) for internal systems
  • Annual third-party security audits
  • Incident response plan with notification within 72 hours of a confirmed breach

6. Data Subject Rights

Your customers have the following rights regarding their personal data processed through your use of LeadFlow AI:

  • Access: Right to request a copy of their personal data
  • Rectification: Right to correct inaccurate data
  • Erasure: Right to request deletion ("right to be forgotten")
  • Restriction: Right to restrict processing in certain circumstances
  • Portability: Right to receive their data in a structured, machine-readable format
  • Object: Right to object to processing based on legitimate interests

To exercise any of these rights, your customers should contact you directly. You may forward valid requests to us at support@polsia.app and we will assist within 30 days.

7. International Transfers

LeadFlow AI processes data primarily in the United States. If you or your customers are located in the EEA or UK, data may be transferred outside of those regions. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers.

8. Data Processing Agreement (DPA)

If you require a signed Data Processing Agreement for your procurement, compliance, or legal review, email support@polsia.app with "DPA Request" in the subject line. We will send a DPA within 5 business days of your request.

9. Breach Notification

In the event of a confirmed personal data breach that is likely to result in risk to individuals' rights and freedoms, we will notify you within 72 hours of becoming aware. If required by GDPR, we will also notify the relevant supervisory authority.

10. Contact

Email: support@polsia.app
Company: Polsia, Inc.
DPA Requests: Email support@polsia.app with "DPA Request" in the subject line
