Privacy Policy

Leads Peer · Last updated: 27 June 2026

This Privacy Policy explains how Leads Peer (“we”, “us”, “our”) collects, uses, stores, and shares information when our customers (businesses) and their end customers interact with our WhatsApp Business platform (the “Service”). The Service enables businesses to operate AI-assisted customer support, ordering, and booking conversations on WhatsApp through Meta’s official WhatsApp Business Cloud API.

We act as a Meta Tech Provider. Each business customer owns its WhatsApp Business Account (WABA) and is the controller of personal data exchanged with its end customers. Leads Peer acts as a processor of that data on the business customer’s behalf, under the terms of our customer agreement.

1. Who this policy covers

• Business users: employees and authorised representatives of organisations that sign up to use the Service.
• End customers: individuals who message a business via WhatsApp that uses our Service to respond.
• Website visitors: people who visit leadspeer.com.

2. Information we collect

2.1 From business users

• Account information: name, work email, password (stored hashed), organisation name.
• WhatsApp Business Account metadata received via Meta’s Embedded Signup flow: WABA ID, phone number ID, display phone number, and an access token issued by Meta. Tokens are stored encrypted at rest using AES-256-GCM.
• Knowledge content uploaded to the platform (e.g. product documents, FAQs) so the AI assistant can answer end customer questions.
• Agent configuration, message templates, and operator activity within the Service.

2.2 From end customers (via WhatsApp)

• WhatsApp phone number, WhatsApp profile name, and the content of messages the end customer sends to the business’s WhatsApp number.
• Message metadata: timestamps, delivery/read status, message IDs, conversation history.
• Any content the end customer voluntarily shares in a conversation (e.g. an order reference number).

We do not collect WhatsApp data from end customers who have not messaged a business using the Service.

2.3 Automatically

• Standard server logs (IP address, user agent, request paths) for security, debugging, and abuse prevention. Logs are retained for a limited operational period.

3. How we use information

We use the information described above only for the purposes listed below:

• Operating the Service: routing messages between the business’s WhatsApp number and our platform, generating AI responses from the business’s own uploaded knowledge, and sending replies via the WhatsApp Business Cloud API.
• AI processing: end-customer messages are processed by a large language model (currently OpenAI’s API, used as a sub-processor) to generate replies that stay scoped to the business’s declared domain. We do not use end customer messages to train AI models. We do not send AI-generated general-purpose chatbot replies. The agent stays within the business service scope, in line with WhatsApp Business policy.
• Human handoff: when the AI cannot answer, conversations are routed to the business’s human staff via our dashboard.
• Security, abuse prevention, and debugging.
• Communication with business users about account, security, and service issues.
• Compliance with applicable law and with Meta’s WhatsApp Business Platform policies.

We do not sell personal data, do not use it for cross-business advertising, and do not share business data between tenants of the Service.

4. Legal basis (for users in the EEA/UK)

• Performance of a contract with our business users (and, indirectly, with end customers using the business’s service).
• Legitimate interests in operating, securing, and improving the Service.
• Consent, where required (for example, end customers initiate the conversation by messaging the business).
• Legal obligation, where applicable.

5. Sub-processors and sharing

We share data only with the following categories of recipients:

• Meta Platforms, Inc. — to send and receive WhatsApp messages via the WhatsApp Business Cloud API.
• OpenAI — to generate AI replies. Message content is sent to OpenAI’s API for inference only; per OpenAI’s API terms, data sent to the API is not used to train OpenAI models.
• Cloud infrastructure providers hosting the Service’s servers and databases.
• The business customer whose WhatsApp number an end customer messaged. End customer messages are visible to that business’s operators inside our dashboard. They are not visible to any other business.
• Authorities, where legally required.

Each business customer’s data is logically isolated from every other business customer’s data within the Service.

6. Storage, encryption, and security

• Service data is stored in PostgreSQL databases. Access tokens for WhatsApp Business Accounts are encrypted at rest using AES-256-GCM.
• Uploaded knowledge documents are processed, indexed, and the raw uploaded bytes are purged after indexing completes; only the derived text chunks and vector embeddings are retained.
• All communication with the Service and with Meta is over HTTPS/TLS.
• Access to production systems is restricted to authorised Leads Peer personnel.
• Webhook callbacks from Meta are authenticated using HMAC-SHA256 signature verification on every request.

7. Retention

• Conversation messages and knowledge content are retained for as long as the business customer maintains an active account, or until earlier deletion as instructed by the business.
• WhatsApp access tokens are retained while the WhatsApp connection is active; they are deleted when the connection is removed.
• Operational server logs are retained for a limited period for security and debugging.
• On account termination, business customer data is deleted within 30 days, subject to legal hold requirements.

8. Your rights

Depending on your location, you may have the right to access, correct, export, restrict, or delete personal data we hold about you, and to object to certain processing. End customers who wish to exercise these rights should typically contact the business they messaged, because that business is the controller of the conversation. We will assist business customers in responding to such requests.

To make a request directly to Leads Peer, email privacy@leadspeer.com. We respond within 30 days.

9. Data deletion

Business users can request deletion of their account and associated data by emailing privacy@leadspeer.com from the account email address. End customers should contact the business they messaged.

Instructions and the deletion request channel are available at: https://leadspeer.com/privacy#data-deletion (this section).

10. International transfers

The Service operates from infrastructure that may be located outside the country where you reside, including the United States and the European Union. Where applicable, we rely on appropriate safeguards (such as Standard Contractual Clauses) for international data transfers.

11. Children

The Service is not directed to children under 13 (or the higher minimum age set by local law). We do not knowingly collect personal data from children. If we become aware that we have done so, we will delete it.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated to business users by email.

14. Who we are

Suggested text: Our website address is: https://www.leadspeer.com.

15. Comments

Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

16. Media

Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

17. Cookies

Suggested text: If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

18. Embedded content from other websites

Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

19. Who we share your data with

Suggested text: If you request a password reset, your IP address will be included in the reset email.

20. How long we retain your data

Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

21. What rights you have over your data

Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

22. Where your data is sent

Suggested text: Visitor comments may be checked through an automated spam detection service.

23. Contact