Privacy Policy
Last updated: May 2026
Data controller
The data controller responsible for the personal data processed through FreelanceLeads.io is:
Skills Heaven LLC
Registered in: UAE
Sharjah, UAE
Data & privacy correspondence: info@freelanceleads.io
1. Introduction
FreelanceLeads.io ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data when you use our web application and related services (the "Service").
By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
2. Data We Collect
2.1 Account Information
- Name, email address, and password (hashed)
- Agency or business name, phone number, job title
- Niche specializations and target cities
- Avatar image URL
2.2 Business Data from Searches
- Search queries you perform (niche, location) and the resulting business leads
- Website analysis data for discovered businesses (page speed scores, SEO metrics, social profiles)
- Saved leads, pipeline stages, notes, and outreach history
- AI-generated pitch emails, proposals, and case studies
2.3 Billing Information
Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status but never store credit card numbers or full payment details on our servers.
2.4 Usage and Log Data
- IP address, browser type, and device information
- Pages visited, features used, and timestamps
- Email open and click tracking (for outreach emails you send)
3. Third-Party Services
We use the following third-party services to operate FreelanceLeads.io. Each service has its own privacy policy governing its use of data:
- Google APIs (Places API, PageSpeed Insights API, OAuth) — Used for business discovery, website performance analysis, and sign-in authentication.
- Anthropic AI (Claude) — Powers AI-generated pitch emails, proposals, and content analysis. Business data from searches may be sent to Anthropic for processing.
- Stripe — Handles all payment processing and subscription management.
- DataForSEO — Provides SEO metrics including domain authority and SERP analysis.
- Moz — Provides domain authority measurements when you audit a website or a lead's site. The target domain (never your personal data) is sent to Moz.
- Semrush — Provides keyword research, organic traffic estimates, and competitor analysis. The target domain or keyword is sent; your personal data is not.
- Brave Search — Used as a fallback search provider and for brand-mention monitoring. Only the search query is sent (usually a public keyword or brand name).
- Google Places / PageSpeed — Provides business listing data and website performance scoring. The target business name/URL is sent; your personal data is not.
- Upstash Redis — Used for rate limiting and caching to improve performance.
- Neon PostgreSQL — Cloud-hosted database where your account data, leads, and content are stored.
When you analyze a website: the URL you submit is transmitted to our SEO data providers (DataForSEO, Moz, Semrush) so they can return metrics. We never send your account credentials or contact list to these providers.
3a. Chrome Extension (LinkedIn Optimizer)
FreelanceLeads publishes a free Chrome browser extension — the LinkedIn Optimizer. It is free for everyone, with no signup, no license, and no API keys. Its data practices are deliberately minimal and differ from the web app in important ways. This section is the binding privacy disclosure for that extension.
What stays on your computer (never transmitted by default)
- Your typed niche, discipline, ideal-client description, value proposition, location, language, and tone preferences (stored in chrome.storage.local).
- Your LinkedIn profile content (headline, About, experience, skills, etc.) when you click Score my profile. The read happens in your browser, the score is computed in your browser, the result is shown in your browser. None of this content is transmitted to FreelanceLeads.
- Generated content (headlines, About sections, connection notes, posts, image prompts). All generation happens locally — either via niche-tuned templates or via the optional WebLLM model that runs entirely on your computer's GPU.
- Saved drafts of any generated variant, and scheduled Day 3 / Day 9 follow-up reminders (stored in chrome.storage.local and the local chrome.alarms queue).
- Score history (up to 30 entries) for the dashboard's progress sparkline.
- Daily-limit counters and activity-cadence timestamps used by the extension's built-in LinkedIn safety guardrails.
- Profile-view counts for the per-day safety threshold. The URL of the profile you viewed is not stored or transmitted — only the count for today, used to warn you before LinkedIn's scrape-detection threshold.
Third-party servers the extension contacts
- huggingface.co and raw.githubusercontent.com: on first activation of the optional local-AI feature, the extension downloads ~1.6 GB of WebLLM model weights and compiled WebGPU shaders from these public CDNs and caches them in your browser's OPFS storage. These are public downloads — we do not see your activity on them. No tracking cookies, no analytics; the requests are standard HTTP fetches.
- linkedin.com: the extension reads the DOM of LinkedIn pages you visit, and builds search URLs (with LinkedIn's geoUrn geo-scope parameter) that you click yourself. We do not call LinkedIn's internal APIs; we only read the public DOM and construct URLs.
Optional account connection (only if you opt in)
If — and only if — you separately log in to your FreelanceLeads.io account from the web app, an authentication token is stored locally by the extension. From that point forward, the extension may transmit the following events to your account so they appear in your dashboard's outreach log:
- DM Send-detected and Connect Send-detected — when you yourself click LinkedIn's Send button after composing a message, we record the action type, the target profile's public LinkedIn URL, and the optional FreelanceLeads business ID. We never log message bodies.
- Profile views are never transmitted, with or without an account connection. Profile-view counters are kept locally for safety-counter purposes only.
If you do not have a FreelanceLeads account or do not log in, zero backend calls are made for these events. You can use the entire extension fully without ever creating an account.
What we never do
- Never send your LinkedIn profile content, generated copy, or prospect data to any cloud LLM provider. The extension does not collect or transmit OpenAI / Anthropic / Gemini API keys because it does not use any.
- Never auto-click Connect, Message, Send, Save, Follow, Endorse, or any other action that mutates LinkedIn. The student initiates every action manually; the extension only fills text into edit modals the student has already opened.
- Never bulk-scrape competitor profiles. The optional Analyze open profile tool reads what is already rendered in your active tab and discards the data after producing the in-session insight.
- Never run analytics, telemetry, or usage tracking. The extension does not phone home — including for crash reports or feature-usage counters.
- Never share, sell, or rent any extension data to third parties.
Image-generation deep links
The extension generates niche-tuned image prompts (for a profile picture or banner) and offers one-click links to ChatGPT, Gemini, Midjourney, Ideogram, and Leonardo.ai. These links open the third-party site in a new tab and copy the prompt to your clipboard. Once you arrive at the third-party site, that service's own privacy policy governs your use. We do not transmit any data to those services on your behalf.
Your data controls (built into Settings)
The extension's Settings panel includes two privacy controls available at any time:
- 📥 Export my data — downloads a single JSON file containing every chrome.storage.local key the extension has written.
- 🗑 Reset all data — wipes both chrome.storage.local and chrome.storage.session and cancels every scheduled reminder alarm. The extension returns to a fresh-install state without uninstalling.
Storage and uninstallation
All extension storage lives in chrome.storage.local under your browser profile. Uninstalling the extension via chrome://extensions removes all locally stored data. The optional WebLLM model file is cached in your browser's OPFS storage and can be cleared by removing the extension or via Chrome's storage settings.
3b. Legal Basis for Processing (GDPR Art. 6)
- Performance of a contract: processing account data, subscription status, and usage counters so we can deliver the Service you signed up for.
- Legitimate interest: security logging, fraud prevention, rate-limit enforcement, and aggregated product analytics. You can object at any time by contacting us.
- Consent: any marketing communication (newsletters, product updates). Transactional emails (verification, password reset, subscription receipts) do not rely on consent — they rely on contract performance.
- Legal obligation: retaining payment records for tax/accounting purposes as required by applicable law.
3c. California Residents (CCPA / CPRA)
If you are a California resident, you have the right to (a) know what personal information we collect and how we use it, (b) request deletion of your personal information, (c) opt out of the sale or sharing of personal information, and (d) not be discriminated against for exercising these rights. We do not sell or share your personal information for cross-context behavioral advertising. To exercise any of these rights, email us at the address at the bottom of this page.
4. How We Use Your Data
- Lead generation: Searching for businesses, analyzing their online presence, and scoring them as potential clients.
- AI analysis: Generating personalized pitch emails, proposals, case studies, and website reports.
- Billing: Managing your subscription, processing payments, and enforcing usage limits.
- Communication: Sending transactional emails (verification, password resets, weekly progress reports).
- Improvement: Analyzing aggregate usage patterns to improve the Service.
5. Cookies
We use session cookies via NextAuth.js to keep you signed in. These cookies are essential for the Service to function and are not used for advertising or cross-site tracking.
We do not use third-party advertising cookies. If we integrate analytics in the future, we will update this policy accordingly.
6. Data Retention and Deletion
We retain your data for as long as your account is active. When you delete your account, all associated data — including searches, saved leads, proposals, case studies, portfolios, and sent email records — is permanently removed from our database within 30 days.
Some anonymized, aggregated data (such as total search counts) may be retained for analytics purposes after account deletion.
7. Data Security
We implement industry-standard security measures including HTTPS encryption, hashed passwords, rate limiting, and account lockout protection. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Update or correct inaccurate data through your account settings.
- Deletion: Delete your account and all associated data from your settings page.
- Portability: Request your data in a portable format by contacting us.
- Objection: Object to certain data processing activities.
To exercise any of these rights, please contact us using the information below.
9. Children's Privacy
The Service is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: