Privacy Policy
Last Updated: November 20, 2025
1. Introduction
Welcome to FirstLeads ("Company", "we", "our", "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our fire incident lead generation platform and services.
By accessing or using FirstLeads, you agree to the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.
2. Information We Collect (CCPA/CPRA Data Inventory)
2.1 Personal Information
CCPA Categories of Personal Information Collected:
- Identifiers: Name, email address, phone number, company name, IP address, device identifiers, account username
- Commercial Information: Subscription tier, payment history, purchase records, credit balance, transaction history
- Internet Activity: Browsing history, search queries, fire incident views, alert configurations, feature usage patterns
- Geolocation Data: IP-derived location, custom alert region boundaries, search location filters
- Professional Information: Business name, industry type, use case description
- Inferences: User preferences, usage patterns, subscription tier recommendations
Information You Provide Directly:
- Name and contact information (email address, phone number)
- Account credentials (username, password; passwords are stored only as salted bcrypt hashes, never in plaintext or in reversibly encrypted form)
- Billing information (payment method details processed by Stripe)
- Company information (business name, industry)
- Profile information (subscription tier, preferences)
2.2 Usage Data
We automatically collect information about your interaction with our services:
- Log data (IP address, browser type, device information)
- Activity data (pages viewed, features used, search queries)
- Fire incident views and exports
- Alert region configurations
- Cookies and similar tracking technologies
2.3 Geographic Data
We collect location data related to:
- Custom alert regions you create
- Search locations and filters you apply
- General location derived from IP address (for service optimization)
3. How We Use Your Information
We use your information for the following purposes:
- Service Delivery: To provide, maintain, and improve our fire incident tracking platform
- Account Management: To create and manage your user account and subscription
- Alerts & Notifications: To send you fire incident alerts for your configured regions
- Payment Processing: To process payments and manage billing (via Stripe)
- Communication: To send you service-related announcements, updates, and support
- Analytics: To understand usage patterns and improve our services
- Security: To protect against fraud, unauthorized access, and security threats
- Legal Compliance: To comply with legal obligations and enforce our terms
4. Data Sharing and Disclosure
4.1 Third-Party Service Providers
We share your information with trusted third-party service providers who assist us in operating our platform:
- Database providers: Database hosting and authentication services
- Stripe: Payment processing (they have their own privacy policy)
- Mapping services: Mapping and geospatial visualization
- Cloud infrastructure: Infrastructure and hosting services
- Email service providers: For transactional and notification emails
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Valid legal requests (subpoenas, court orders, government inquiries)
- Protection of our rights, property, or safety
- Prevention of fraud or security threats
- Enforcement of our Terms of Service
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership.
4.4 What We Don't Share
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5. Data Security & Incident Response
5.1 Technical Security Measures
We implement comprehensive security controls:
- Encryption in Transit: TLS 1.3 protocol for all data transmission (HTTPS)
- Encryption at Rest: AES-256 encryption for database storage
- Authentication: Secure JWT tokens with automatic expiration and refresh
- Session Management: Secure session handling with timeout controls
- Database Security: Row-Level Security (RLS) policies and secure database access controls
- Access Controls: Role-based permissions and least-privilege access
- Payment Security: PCI-DSS compliant processing via Stripe (Level 1)
- Password Security: Bcrypt hashing with salt (passwords never stored in plaintext)
- API Security: Rate limiting, authentication requirements, input validation
- Infrastructure: Cloud hosting on a provider that holds a SOC 2 Type II attestation (FirstLeads itself is still working toward its own SOC 2 Type II report)
5.2 Organizational Security Measures
- Monitoring: Real-time security monitoring and automated alerts
- Auditing: Comprehensive audit logs for all sensitive operations (retained 1 year)
- Access Management: Multi-factor authentication for administrative access
- Vendor Management: Due diligence on all third-party processors
- Security Reviews: Regular security assessments and vulnerability scans
- Compliance Goal: Working toward SOC 2 Type II certification
5.3 Security Incident Response
Security Incident Procedures:
In the event of a security incident, we follow a structured response process:
- Detection: Automated monitoring systems + manual security reviews
- Assessment: Incident severity classification and scope determination
- Containment: Immediate action to prevent further unauthorized access
- Investigation: Root cause analysis and impact assessment
- Notification: Affected users notified within 72 hours of discovery. Where GDPR applies, the competent supervisory authority is notified within 72 hours of our becoming aware of the breach (Article 33) and affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34); California law requires notice to affected residents without unreasonable delay
- Remediation: Security patches, system hardening, credential rotation
- Reporting: Regulatory notifications (CA Attorney General, EU supervisory authorities)
- Post-Incident Review: Lessons learned and security improvements
Security Contact: security@firstleads.ai
Response Time: Initial response within 24 hours for critical security reports
User Responsibility: You must notify us immediately if you suspect unauthorized account access
Important Disclaimer: No method of transmission over the Internet is 100% secure. While we implement industry-leading security measures and strive to protect your data, we cannot guarantee absolute security against all possible threats.
5.4 Data Breach Notification
In the event of a data security incident affecting your personal information, we will:
- Notify affected users within 72 hours of discovery (or as required by law)
- Provide notification via email to your registered account email
- Describe the nature of the breach and data types affected
- Outline steps we are taking to remediate the incident
- Recommend actions you should take to protect yourself
- Provide contact information for questions
We will also notify applicable regulatory authorities as required by law, including but not limited to the California Attorney General (for CA residents), EU supervisory authorities (for GDPR), and other state/federal agencies.
You agree to promptly notify us if you become aware of any unauthorized access to your account by emailing security@firstleads.ai.
6. Data Retention Schedule
We retain your information for as long as necessary to provide services, comply with legal obligations, resolve disputes, and maintain business records. Below is our complete data retention schedule:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| User account data | Duration of account + 1 year | Contractual necessity |
| Payment records | 7 years | IRS/tax requirements |
| Fire incident data | 24 hours (Basic), 7 days (Pro), 35 days (Premium) | Service delivery |
| Skip trace results | Duration of account | Contractual necessity |
| Email communications | 2 years | Business records |
| Audit logs | 1 year | Security/compliance |
| Marketing data | Until opt-out + 30 days | Consent |
| Alert configurations | Duration of account | Service delivery |
| Usage analytics | 90 days (anonymized after 30 days) | Legitimate interest |
6.1 Account Deletion
After account deletion:
- Personal data is removed from production systems within 30 days
- Payment records retained for 7 years (legal requirement)
- Aggregated/anonymized data may be retained indefinitely
- Backup systems purged within 90 days
- Third-party processors notified to delete data
6.2 Legal Hold Exceptions
We may retain data beyond standard periods when required by law, legal process, litigation hold, government request, or to protect rights and safety. You will be notified if your data is subject to a legal hold.
7. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data
- Portability: Request transfer of your data to another service
- Objection: Object to certain processing activities
- Restriction: Request restriction of processing under certain circumstances
- Withdraw Consent: Withdraw consent for processing (where applicable)
To exercise these rights, please contact us at info@firstleads.ai.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience, maintain security, and analyze service usage. This section provides complete transparency about our cookie practices.
8.1 Types of Cookies We Use
Essential Cookies (Required)
- Authentication Token: auth_token - Maintains your logged-in session (Duration: 7 days)
- Session ID: session_id - Tracks your current browsing session (Duration: Session only)
- CSRF Token: csrf_token - Protects against cross-site request forgery (Duration: Session only)
Purpose: These cookies are strictly necessary for the Services to function. You cannot opt out.
Performance/Analytics Cookies (Optional)
- Usage Analytics: _analytics - Anonymized usage patterns and feature adoption (Duration: 30 days)
- Performance Metrics: _perf - Page load times and performance data (Duration: 30 days)
Purpose: Help us understand how users interact with the Services to improve performance and user experience.
Functional Cookies (Optional)
- User Preferences: user_prefs - Map zoom level, default view settings (Duration: 90 days)
- Alert Settings: alert_config - Your notification preferences (Duration: 90 days)
Purpose: Remember your settings and preferences to provide a personalized experience.
8.2 Third-Party Cookies
- Mapping services: Map rendering, geolocation services - Cookies managed by our mapping service providers
- Stripe: Payment processing and fraud prevention - Cookies managed by Stripe (see Stripe's own privacy policy)
Note: Third-party cookies are governed by the respective third party's privacy policy. We do not control third-party cookies. To opt out of third-party cookies, adjust settings in your browser or use the opt-out mechanisms provided by the respective services.
8.3 How to Control Cookies
You have several options to control cookies:
- Browser Settings: Configure your browser to block or delete cookies (Chrome, Firefox, Safari, Edge all support cookie management)
- Cookie Preferences: Adjust settings in your account dashboard (Settings > Privacy)
- Opt-Out Links: Use third-party opt-out mechanisms via their privacy settings
Important: Blocking or deleting essential cookies will prevent you from using the Services. Performance and functional cookies can be disabled without impacting core functionality, but your experience may be degraded.
8.4 Other Tracking Technologies
- Local Storage: HTML5 local storage for offline functionality and performance optimization
- Web Beacons: Transparent pixel images in emails to track delivery and open rates
- Device Fingerprinting: Browser and device characteristics for fraud prevention (not used for tracking individuals)
8.5 Do Not Track Signals
Some browsers support "Do Not Track" (DNT) signals. Currently, there is no industry standard for responding to DNT signals. We do not alter our data collection practices when we detect a DNT signal from your browser. We will monitor developments in DNT standards and update our practices accordingly.
9. Third-Party Links
Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any information.
10. Children's Privacy (COPPA Compliance)
FirstLeads is intended solely for users 18 years of age or older. We do not knowingly collect, use, or disclose personal information from children under 13 years of age, in compliance with the Children's Online Privacy Protection Act (COPPA).
If we discover that we have collected personal information from a child under 13 without verifiable parental consent, we will:
- Delete the information within 24 hours
- Terminate the associated account
- Notify the email address on file
If you are a parent or guardian and believe we have collected information from your child, contact us immediately at privacy@firstleads.ai with "COPPA Request" in the subject line.
By creating an account, you represent and warrant that you are at least 18 years of age and have the legal capacity to enter into this Agreement.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of the sale of personal information (we do not sell data)
- Right to request deletion of personal information
- Right to non-discrimination for exercising CCPA rights
To exercise these rights, contact us at info@firstleads.ai.
12. GDPR Compliance (EU Users)
If you are located in the European Economic Area (EEA), we process your data under the following legal bases:
- Consent: For marketing communications and optional features
- Contract: To fulfill our contractual obligations with you
- Legitimate Interest: For service improvement and security
- Legal Obligation: To comply with applicable laws
You have the right to lodge a complaint with your local data protection authority if you believe we are not complying with GDPR.
13. International Data Transfers
Your information may be transferred to and processed in countries other than your own, particularly the United States. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws.
13.1 Where Your Data Is Processed
Your data may be transferred to and processed in:
- United States: Primary data processing location (database providers, cloud infrastructure, payment processors, fire incident data providers, third-party data services, email service providers)
- European Union: Backup and redundancy systems (if applicable)
- Other Locations: As required by our service providers and infrastructure partners
13.2 Legal Mechanisms for International Transfers
For data transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on the following legal mechanisms:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (2021 version) to ensure adequate protection for personal data transferred outside the EEA
- UK International Data Transfer Agreement (IDTA): For UK data subjects, we use the UK IDTA or EU SCCs with the UK Addendum
- Switzerland: For Swiss data subjects, we rely on transfer mechanisms recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC)
- Adequacy Decisions: We rely on EU Commission adequacy decisions where available for certain jurisdictions
13.3 Transfer Impact Assessments
For transfers of personal data from the EEA to the United States, we have conducted Transfer Impact Assessments (TIAs) to evaluate:
- The legal framework in the destination country (U.S.)
- Additional safeguards implemented (encryption, access controls)
- Practical steps to ensure data protection (technical and organizational measures)
- Risk assessment and mitigation strategies
13.4 Safeguards for International Transfers
Technical and Organizational Safeguards:
- Encryption: TLS 1.3 in transit, AES-256 at rest. Data is encrypted between your browser and our servers and while stored; this is not end-to-end encryption, since our systems and our processors decrypt it in order to provide the service
- Access Controls: Role-based access, multi-factor authentication, least-privilege principle
- Data Minimization: Only transfer data necessary for service delivery
- Contractual Protections: Data Processing Agreements (DPAs) with all processors
- Audit Rights: Right to audit compliance with transfer safeguards
- Breach Notification: 72-hour notification commitment for personal data breaches (see Section 5.4)
- Vendor Due Diligence: Regular assessment of processor security practices
13.5 Your Rights Regarding International Transfers
If you are located in the EEA, UK, or Switzerland, you have the right to:
- Request information about international data transfers
- Request a copy of the Standard Contractual Clauses we use
- Object to data transfers in certain circumstances
- Lodge a complaint with your local data protection authority (e.g., ICO in UK, CNIL in France, BfDI in Germany)
To request information about our international transfer mechanisms or obtain a copy of relevant safeguards, contact privacy@firstleads.ai with subject line "International Transfer Inquiry."
13.6 U.S. Government Access
As a U.S.-based company, we may be subject to U.S. laws that require disclosure of personal data to government authorities (e.g., FISA, CLOUD Act). We will only disclose data when legally required and will notify affected users unless prohibited by law. We do not provide blanket access to government authorities and challenge overbroad requests where legally permissible.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date
- Sending you an email notification (for significant changes)
Your continued use of FirstLeads after changes constitutes acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
First Leads Generation Inc.
166 Geary St, STE 1500
San Francisco, CA 94108
Email: info@firstleads.ai
Website: https://firstleads.ai
By using FirstLeads, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our services immediately.