What data lives where
A plain-English account of every external service LeadFuel touches, what we send each one, what we keep, and for how long. It is the single place where security-minded customers evaluating the suite get the "where does my stuff go" answers.
In two sentences
Your customer data lives in our Railway-hosted Postgres databases in the US-East region. We send pieces of it out to a handful of third parties, always at your direction (you connect them), and we encrypt the sensitive access tokens at rest with an application-level key on top of disk encryption.
Where your data is stored
| What | Where | Encrypted at rest? |
|---|---|---|
| Account + invite + entitlement rows | Postgres (shared DB) | Yes (disk-level) |
| ICP documents, scoring data | Scope Postgres | Yes (disk-level) |
| Campaign plans, drafts, sends, replies | Reach Postgres | Yes (disk-level) |
| LinkedIn posts, personas, buckets | Signal Postgres | Yes (disk-level) |
| Mailbox-derived contacts & messages | Orbit Postgres | Yes (disk-level) |
| Microsoft 365 OAuth tokens | Orbit Postgres | Yes (Fernet, app-level) |
| LinkedIn OAuth tokens | Signal Postgres | Yes (Fernet, app-level) |
| Uploaded documents (Briefcase) | Core Postgres (BYTEA blobs) | Yes (disk-level) |
| Billing identifiers (Stripe IDs) | Core Postgres | Yes (disk-level) |
| Card numbers, raw payment details | Stripe, and we never see them | n/a |
What we send to third parties (and why)
| Service | What we send | Why | Retention by them |
|---|---|---|---|
| Anthropic (Claude API) | The prompt for each generation: your ICP profile, persona, draft text. No customer-list emails and no stored contact PII unless you explicitly include them in a prompt. | Runs Scope synthesis, Reach drafting, Signal posts, and Orbit relationship summaries. | 30 days for abuse review, then deleted. Your prompts are not used to train Anthropic's models (per their commercial API terms). |
| OpenAI (Realtime voice) | Audio + text transcript when you use the 🎤 voice intake on Scope. | Conversational ICP intake. | 30 days for abuse review. Not used for training under the API ToS. |
| Resend (email send + inbound) | Outbound email content + recipient address. For Reach replies, the inbound email is forwarded back to us. | Sending campaign + transactional email and matching replies. | 30 days of message logs in Resend's UI for your own review. |
| Stripe | Your email + the amount + the product. Card data goes directly from your browser to Stripe and never passes through our servers. | Billing. | Per Stripe's policy. They're PCI-compliant. |
| LinkedIn | Post text when Signal publishes. Your access token for sign-in + posting. | Publishing to your LinkedIn profile or org pages. | Per LinkedIn's policy. |
| Microsoft Graph | No customer data. Only your OAuth access token, which we present to read your mailbox; the token is encrypted on our side. | Orbit relationship intelligence + (optional) Reach customer-domain reply inbox. | n/a, read-only. |
| HubSpot / Pipedrive | Nothing. They POST events to us when deals close. | Scope deal outcome auto-sync. | n/a, inbound only. |
| Slack (your incoming webhook) | Event titles + summaries you've opted into on /integrations. No raw customer data unless you've ticked the relevant event toggle. | Notifications. | Per your Slack workspace's retention policy. |
| Your outbound webhook URL | Same payloads as Slack: JSON, HMAC-signed with your suite's SECRET_KEY so you can verify authenticity. | Custom integrations (Zapier/Make/n8n/anything). | Your decision. We don't store the payload anywhere it isn't already. |
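What verifying that HMAC signature looks like on the receiving end, as an added example (this is not LeadFuel's code, and the page does not document the exact scheme). It assumes the signature is the hex HMAC-SHA256 of the raw request body under your suite's SECRET_KEY and arrives in a header named `X-LeadFuel-Signature`; both are assumptions to replace with whatever /integrations actually specifies. The two things a practitioner gets wrong are shown explicitly: the check has to run over the exact bytes received, before any JSON parsing or re-serialisation, and the comparison must be constant-time.

```python
"""Receiver-side verification of an HMAC-signed webhook payload.

Added example, not LeadFuel's code. Assumed (not stated on the page):
  signature = hex(HMAC-SHA256(SECRET_KEY, raw_body))
  header    = X-LeadFuel-Signature
"""
import hashlib
import hmac
import json
from typing import Optional

SIGNATURE_HEADER = "X-LeadFuel-Signature"  # assumed header name


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes put on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Receiver side. Header lookup is case-insensitive (HTTP headers are);
    the digest comparison is constant-time so timing does not leak how many
    leading characters of a forged signature were right."""
    presented = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        "",
    )
    if not presented:
        return False
    expected = sign(secret, raw_body)
    return hmac.compare_digest(expected.encode(), presented.encode())


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Parse the event only after the signature checks out; None on any failure.
    Verification runs on raw_body as received, never on a re-encoded object."""
    if not verify(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


# Constructed sample payload shaped like the Slack/webhook events this page
# describes (title + summary); not a capture from LeadFuel.
SECRET = b"example-suite-secret-key"  # stands in for your suite's SECRET_KEY
EVENT = {"event": "deal.closed", "title": "Acme renewal", "summary": "Closed-won via HubSpot"}
BODY = json.dumps(EVENT, separators=(",", ":")).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: sign(SECRET, BODY)}

# Failure cases a receiver must reject:
TAMPERED_BODY = BODY.replace(b"Acme", b"Acmf")      # one byte altered in transit
RESERIALIZED_BODY = json.dumps(EVENT).encode()      # same JSON, different bytes

if __name__ == "__main__":
    print("valid:      ", handle_webhook(SECRET, BODY, GOOD_HEADERS) == EVENT)
    print("tampered:   ", handle_webhook(SECRET, TAMPERED_BODY, GOOD_HEADERS))
    print("reserialised", handle_webhook(SECRET, RESERIALIZED_BODY, GOOD_HEADERS))
    print("wrong key:  ", handle_webhook(b"not-the-key", BODY, GOOD_HEADERS))
    print("no header:  ", handle_webhook(SECRET, BODY, {}))
```

The re-serialised case is the one that bites Zapier/Make/n8n style consumers: if your framework parses the JSON and you sign `json.dumps(parsed)` to compare, whitespace and key order differences will fail a legitimate delivery (or, worse, lead you to loosen the check). Always hash the raw body bytes your framework gives you.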
What we deliberately don't do
- We don't sell or share your customer data with advertisers, data brokers, or aggregator partners. There are none.
- We don't fine-tune AI models on your data.
- We don't pre-load your contacts to any service you didn't explicitly connect.
- We don't use your prompts for product analytics in a way that retains identifying content.
- We don't store credit-card numbers. Stripe does.
Per-customer isolation
Every customer's data is scoped by account_email in every table. Cross-customer reads are gated at the application layer and the service-mesh layer. Admins (us, the operators) can impersonate a customer for support. When this happens, a visible orange banner appears at the top of every page that says "Viewing as customer@example.com · Exit impersonation", and the action is logged.
Retention & deletion
- Audit logs: 90 days.
- Magic-link sign-in tokens: 30 minutes (then deleted).
- Customer-deleted ICPs / campaigns / posts: soft-deleted, purged from disk on the next archive run.
- Export your data: from Settings → Your data you can download a JSON copy of everything tied to your account, any time.
- Full account deletion: from Settings → Your data you can request deletion yourself. It signs you out of the suite right away and schedules a permanent purge after a 30-day grace window (so an accidental request can be undone). Prefer a human? Email hello@leadfuel.cloud.
Honest limitations (May 2026)
- We are not SOC 2 certified yet. The compliance audit is on the roadmap once we hit the customer threshold that warrants it.
- We are not currently set up to sign BAA / HIPAA-grade agreements. Don't put PHI in here.
- We do follow the EU GDPR's data-minimization and access-request principles. Write to us and we'll honor a data-subject access request.
- For very paranoid customers: we can configure a per-customer BYO-Anthropic-key override so your AI calls route through your own API account. Ask us.
Questions or corrections to this page? Email hello@leadfuel.cloud. Updated 2026-05-31.