Privacy Policy

Neural Forge ("we," "us," or "our") operates LeadLens (the "Service") at leadlens.neural-forge.io. This policy explains what personal data we collect, who we share it with, and how you can exercise your rights under GDPR, CCPA, and similar laws. We have tried to write this in plain English; where the law requires specific language, we use it.

1. Who We Are

Neural Forge is a Texas-based business operated by Travis Curnutte. LeadLens is a web-based trade show lead-capture tool built as a Progressive Web App. For any question about this policy or to exercise a privacy right, email support@leadlens.neural-forge.io.

2. What We Collect

2.1 Account data

When you sign up, Supabase Authentication records your email address, hashed password (or OAuth identity), sign-in timestamps, and IP address. We add a row in our user_profiles table with your name, current plan tier, your active team (if any), and — if you subscribe — your Stripe customer ID, subscription ID, price ID, current period end, and cancel-at-period-end flag.

2.2 Badge scans and contacts

When you scan a trade show badge, your device camera captures an image. That image is sent to your chosen AI vision provider (see §3) for text extraction and is not retained on our servers after the extraction call completes. The extracted fields (name, title, company, email, phone, badge type) are stored in our Supabase contacts table under your user ID and, if you are operating in Team mode, under your team ID. A local IndexedDB copy is also maintained on your device so the app works offline.

2.3 Business card scans

You can also scan printed business cards. Card images follow the same flow as badges — sent to the AI provider you chose, fields extracted (name, company, title, email, phone, website, address), saved into contacts. Images are not retained on our servers.

2.4 Enrichment data

If you choose to enrich a contact, we send minimal identifying information (typically first name, last name, company, and website where available) to the enrichment services listed in §3 to retrieve job title, LinkedIn URL, Twitter handle, company industry, company size, profile image, and similar public professional details. Every enrichment call is logged in our enrichment_logs table for billing and anti-abuse purposes (see §8).

2.5 Shows and qualifying answers

The trade shows you configure (name, qualifying questions) and the per-contact qualifying answers, notes, tags, lead score, and lead temperature are stored in Supabase alongside your contacts.

2.6 Digital business card data

If you create a digital business card, the fields you enter (name, title, company, email, phone, website, LinkedIn, bio, photo, theme) are stored in localStorage on your device and synced to Supabase so your card can be served from its public QR URL at /card/[id]. Anyone with the URL can view the card — that is how sharing works.

2.7 Team and invite data

If you create or join a team, we store team name, plan, member roles (owner / admin / member / viewer), and an audit record of who invited whom. Pending invites record the invitee’s email, the invite token, the role being granted, and a 7-day expiry.

2.8 Billing data

Payment card details are collected by Stripe directly inside their hosted checkout and customer portal — they never touch our servers. We store only the Stripe customer ID, subscription ID, price ID, current period end, and cancel-at-period-end flag on your profile, plus a log of billing events (tier upgrades, tier downgrades, payment failures, payment successes, disputes) in our audit log.

2.9 Integration credentials

If you connect Google Sheets, HubSpot, Slack, or a custom webhook, we store the OAuth tokens (Google / Slack), the API key you pasted in (HubSpot), or the webhook URL you configured. Custom webhook URLs live in localStorage on your device; OAuth tokens for Google Sheets and Slack are stored server-side in Supabase and used only to push data you explicitly trigger.

2.10 Analytics data

We record page views, referrers, a first-party visitor ID (stored in localStorage as leadlens-visitor-id) and a session ID (stored in sessionStorage as leadlens-session-id) in our own page_views table. URLs with embedded PII (the card sharing URLs) are normalized to /card/[id] before they are recorded, and admin / auth / API paths are never tracked. We also load Vercel Web Analytics and an anonymous pageview tracker served from neural-forge.io — see §4.

2.11 Support and feedback

If you submit feedback in-app or email us, the message text and your email address are stored in Supabase (our feedback and email_logs tables). Delivery receipts from our email provider (Resend) are kept for one year.

2.12 Audit log

Every billing event, every admin action, and every tier-changing subscription update writes an immutable row to our audit_log table with timestamp, actor, action, entity, and the diff of what changed.

3. Who We Share It With (Processors and Sub-Processors)

Below is the complete list of third parties that process your personal data on our behalf. Each has a standard data processing agreement (DPA) with us or an equivalent contractual commitment. We do not sell your data, and we do not share it with advertisers.

Supabase: Database hosting (Postgres), authentication, email OTP, and row-level security. Stores your account, contacts, shows, teams, invites, feedback, audit log, and billing state.
Vercel: Application hosting and global edge network. Also provides Vercel Web Analytics (first-party, IP-anonymized, see §4).
Stripe: Subscription billing and payment processing. Card data is collected directly by Stripe and never touches our servers. We store only the Stripe customer ID and subscription metadata.
Resend: Transactional email (team invites, password resets, billing and dispute notifications). Recipient address and message content are sent to Resend.
OpenAI: User-selectable AI vision provider for badge and business card OCR. Badge and card images are sent to OpenAI only when you select it as your provider in Settings.
xAI (Grok): User-selectable AI vision provider for badge and business card OCR. Images are sent to xAI only when you select it as your provider.
Anthropic: User-selectable AI vision provider for badge and business card OCR. Images are sent to Anthropic only when you select it as your provider in Settings.
Google (Gemini): User-selectable AI vision provider for badge and business card OCR. Images are sent to Google only when you select Gemini as your provider in Settings.
Prospeo: Primary paid email and LinkedIn enrichment. Receives first name, last name, and company domain to look up professional contact details.
Hunter.io: Fallback email-finder used when Prospeo has no result. Receives first name, last name, and company domain.
People Data Labs (PDL): Used only to verify a LinkedIn URL returned by another provider. No contact data is submitted to PDL for discovery.
Clearbit: Free company-domain autocomplete (logos and names as you type a company). Only the query string is sent; no contact data is shared.
Google (Sheets API): Optional integration. Only active if you connect your Google account. When you push contacts to a sheet, those contact rows are sent to Google Sheets on your explicit instruction under the OAuth scope you granted.
HubSpot: Optional CRM integration. Only active if you add a HubSpot API key. Contact fields you push are sent to HubSpot on your explicit instruction.
Slack: Optional notifications integration. Only active if you connect Slack. Webhook messages about contacts you save are posted to the channel you selected.
Custom webhooks (yours): If you configure a webhook URL, contacts you save are POSTed to that URL as JSON. The destination is under your control; we do not inspect or store the response body.
Neural Forge Studio analytics: An anonymous pageview tracker served from neural-forge.io that measures traffic across Neural Forge properties. No cross-site advertising cookies; no contact data.
LeadLens page_views (first-party): Our own analytics table inside Supabase. Records path, referrer, country, and first-party visitor/session IDs. Never shared.

If we add a new sub-processor, we will update this list at least 30 days before they process your data, unless the change is required by law.

4. Cookies and Local Storage

4.1 Essential (authentication)

Supabase sets authentication cookies so you stay signed in. These are strictly necessary for the Service to work and cannot be disabled without breaking sign-in.

4.2 Vercel Web Analytics

We load @vercel/analytics globally to measure page views and performance. It is a first-party script served from our own domain. Vercel does not set cross-site tracking cookies, anonymizes IP addresses, and does not build advertising profiles. See Vercel’s analytics privacy policy.

4.3 Neural Forge Studio tracker

We load a lightweight tracker script from neural-forge.io on every page. It counts anonymous pageviews across Neural Forge properties (of which LeadLens is one). It does not set advertising or cross-site tracking cookies.

4.4 First-party page_views

We run our own lightweight pageview tracker that writes a row into our Supabase page_views table. It uses localStorage (leadlens-visitor-id) and sessionStorage (leadlens-session-id) to deduplicate visitors and sessions. No cross-site tracking. Admin paths, API routes, and auth flows are never tracked; card-share URLs are normalized to strip the encoded contact payload before the path is recorded.

4.5 App storage on your device

LeadLens is a Progressive Web App. We use IndexedDB to keep a local copy of your contacts so the app works offline, and localStorage to remember your webhook URL, your digital business card draft, and UI preferences. A service worker caches the app shell. You can clear all of this at any time via your browser’s site-data controls.

4.6 No advertising cookies

We do not use Google Analytics, Meta Pixel, TikTok Pixel, or any third-party advertising or retargeting cookie.

5. Enrichment — Data About People You Scan

Please read this section carefully.

When you scan a badge or business card, LeadLens may query public sources (Prospeo, Hunter, People Data Labs) to find the scanned person’s contact information. Those people did not directly consent to LeadLens; they consented to the event organizer that issued their badge and, by wearing it at a trade show or handing you their card, generally expected to be contacted by exhibitors. That is the lawful basis we rely on (legitimate interest under GDPR Art. 6(1)(f); B2B contact scope under CCPA).

You, as the LeadLens user, are responsible for using the data lawfully, honoring opt-out requests from people you contact, and complying with CAN-SPAM, GDPR, PIPEDA, CCPA, and any other applicable law in your jurisdiction. You can disable enrichment entirely per contact or globally in Settings.

If a person you scanned contacts LeadLens directly and asks us to delete their contact record across every user who has it, we will honor that request within 30 days and will notify affected users that the deletion occurred.

6. Why We Use Your Data

We process personal data only for these purposes:

  • To provide the Service — authenticating you, running OCR on the badges and cards you scan, saving your contacts, syncing to the CRMs or webhooks you connect, and keeping your team roster.
  • To bill you — processing subscriptions through Stripe, tracking usage against your plan limits, and sending billing notifications.
  • To keep the Service working and safe — rate-limiting, detecting abuse (enrichment logs for billing reconciliation), measuring performance, and writing an audit trail of security-sensitive events.
  • To communicate with you — sending team invites, password resets, dunning emails when a payment fails, dispute notifications, and responses to your support requests.
  • To comply with the law — meeting tax, accounting, fraud-prevention, and data-protection obligations.

7. How We Share Your Data

We do not sell, rent, or trade your personal information. We share data only:

  • With our processors listed in §3, strictly to operate the Service.
  • With your team — when you create or join a team, contacts you scan in team mode are visible to other team members according to their role.
  • With destinations you connect — if you enable the HubSpot, Google Sheets, Slack, or custom webhook integration, we send contact data to that destination on your instruction.
  • For legal reasons — if required by law, subpoena, or to protect our rights or users’ safety.
  • In a business transfer — if we merge, are acquired, or sell assets, with notice to you before your data moves.

8. How Long We Keep It (Retention)

Contacts and shows: Indefinite — until you delete them or delete your account
Digital business card: Until you delete it or your account
User profile & auth records: Until account deletion, then removed via /api/account/delete
Team invites (unaccepted): Expire automatically 7 days after creation
Enrichment logs: 90 days (for billing reconciliation and abuse detection)
page_views analytics: 180 days, then auto-expired
Email logs (Resend delivery records): 1 year
Stripe billing records: Retained by Stripe per their policy; we keep only the IDs and summary state on your profile until account deletion
Audit log (compliance records): Retained indefinitely per legal obligation; actor references to deleted accounts are nulled

9. Your Rights

You have the following rights over your personal data, regardless of where you live. We honor them for every user, not only those covered by GDPR or CCPA.

  • Right to access and portability. Download everything we know about you as JSON from Settings → Your data → Download my data, or call GET /api/account/export. This returns your profile, contacts, shows, team memberships, audit-log references, admin notes, feedback, email logs, and Stripe customer/subscription IDs.
  • Right to deletion (right to be forgotten). Delete your account and all associated data from Settings → Your data → Delete my account, which calls POST /api/account/delete. This removes your contacts, shows, feedback, team memberships, profile row, and the underlying auth record. We retain audit-log entries referencing your user ID (with the reference nulled) for compliance.
  • Right to correction. Edit any contact, show, or profile field directly in the app.
  • Right to restrict processing. Disable enrichment per-contact or globally in Settings. Disconnect Google Sheets, HubSpot, Slack, or your webhook at any time. Revoke camera or notification permissions in your browser. Clear on-device storage (IndexedDB, localStorage) from your browser’s site-data controls.
  • Right to object. Email support@leadlens.neural-forge.io at any time to object to a specific use of your data.
  • Right to lodge a complaint. EU residents: your local data-protection authority. UK: Information Commissioner’s Office (ICO). California: California Privacy Protection Agency.

10. California Residents

If you are a California resident, the CCPA / CPRA grants you the rights described in §9 plus the right to know the categories of personal information we collect and the purposes of collection (both disclosed in §2 and §6), the right to correct inaccurate data, and the right to opt out of any “sale” or “share” of your personal information for cross-context behavioral advertising. We do not sell or share your personal information for advertising, so there is nothing to opt out of, but we will honor the Global Privacy Control signal if your browser sends one.

11. EU, UK, and International Transfers

LeadLens and its processors primarily operate in the United States. If you access the Service from the EEA, the UK, Switzerland, or elsewhere outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards with our sub-processors. By using the Service, you consent to this transfer.

12. Data Security

All traffic to LeadLens is TLS-encrypted. Supabase encrypts data at rest. Passwords are hashed by Supabase Auth. Payment card data is handled exclusively by Stripe and never transits our infrastructure. Admin access is restricted to an allowlist of email addresses and a server-side service role. We log every admin action and every enrichment call. Webhook deliveries use retry-with-backoff logic and are protected against DNS rebinding, so a webhook URL that passes validation cannot later be redirected at our internal network. No system is 100% secure; if a breach affects your data, we will notify you within 72 hours of discovery. That is stricter than GDPR Art. 34, which requires notifying affected individuals without undue delay; the 72-hour deadline in Art. 33 applies to notifying the supervisory authority, and we meet both.
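The webhook safeguards named above (retry with backoff, protection against DNS rebinding) are shown below as an added example, written for this page rather than taken from LeadLens. It vets a user-supplied webhook URL before delivery: only https, no embedded credentials, the hostname is resolved once, every returned address is checked against reserved ranges, and the resolved address is returned so the HTTP client connects to it directly instead of resolving again. The reserved blocks are the standard ones; the resolver is injected (in production, dns.promises.resolve4 / resolve6) so the code runs offline, and the retry schedule values are assumptions.

```javascript
// Added example (not LeadLens' code): vetting a user-supplied webhook URL so it
// cannot reach internal services, and pinning the resolved address so a DNS
// rebinding attack cannot swap it after the check. The resolver is injected
// (production: dns.promises.resolve4/resolve6) so this runs offline.

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// "This network", RFC 1918, CGNAT, loopback, link-local (covers the cloud
// metadata address 169.254.169.254), and multicast/reserved (224.0.0.0/3).
const BLOCKED_V4 = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/3'];

function inCidr(n, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedAddress(ip) {
  const lower = String(ip).toLowerCase();
  if (lower.includes(':')) {
    const mapped = lower.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped IPv6
    if (mapped) return isBlockedAddress(mapped[1]);
    // ::1, ::, unique-local fc00::/7, link-local fe80::/10
    return lower === '::1' || lower === '::' || /^f[cd]/.test(lower) || /^fe[89ab]/.test(lower);
  }
  const n = ipv4ToInt(lower);
  if (n === null) return true; // unparseable: fail closed
  return BLOCKED_V4.some(cidr => inCidr(n, cidr));
}

// Resolves the hostname once, rejects if ANY returned address is internal
// (an attacker can mix public and private records), and returns the address
// the HTTP client must dial while sending `host` in the Host header and SNI.
// The client must not resolve again, and must run this check on every
// redirect target instead of following redirects blindly.
async function checkWebhookDestination(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'invalid URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'https required' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // WHATWG URL normalizes numeric hosts (0x7f000001 -> 127.0.0.1) and keeps
  // brackets on IPv6 literals; strip them before classifying.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const isLiteral = /^[\d.]+$/.test(host) || host.includes(':');
  const addresses = isLiteral ? [host] : await resolve(host);
  if (!addresses || addresses.length === 0) return { ok: false, reason: 'unresolvable host' };
  const blocked = addresses.find(isBlockedAddress);
  if (blocked) return { ok: false, reason: `blocked address ${blocked}` };
  return { ok: true, host, address: addresses[0], port: url.port || '443' };
}

// Retry schedule for failed deliveries: exponential backoff capped at 60 s.
// Deterministic here; add jitter in production so retries do not synchronize.
function retryDelayMs(attempt) {
  return Math.min(60000, 1000 * 2 ** attempt);
}
```

The check is only as good as what the HTTP client does with the result: it has to connect to the returned address, not to the hostname, or a record with a short TTL can point at a public address during the check and at 127.0.0.1 or the metadata service when the connection is made.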

13. Children

LeadLens is not intended for, and we do not knowingly collect data from, individuals under the age of 16. If you believe a child has provided personal data to us, email support@leadlens.neural-forge.io and we will delete it.

14. Changes to This Policy

We will update this policy when our practices change. Material changes will be announced in-app and via email at least 14 days before they take effect. The “Last updated” date at the top always reflects the current version.

15. Contact

Neural Forge

Owner: Travis Curnutte

Website: leadlens.neural-forge.io

Privacy / DSAR email: support@leadlens.neural-forge.io