What data lives where
A plain-English account of every external service LeadFuel touches, what we send each one, what we keep, and how long. If you're a security-minded customer evaluating the suite, this is the page that answers your "where does my stuff go" questions in one place.
In two sentences
Your customer data lives in our Railway-hosted Postgres database in the US-East region. We send pieces of it out to a handful of third parties — always at your direction (you connect them) — and we encrypt the sensitive access tokens at rest.
Where your data is stored
| What | Where | Encrypted at rest? |
|---|---|---|
| Account + invite + entitlement rows | Postgres (shared DB) | Yes (disk-level) |
| ICP documents, scoring data | SmartICP Postgres | Yes (disk-level) |
| Campaign plans, drafts, sends, replies | NovaHerald Postgres | Yes (disk-level) |
| LinkedIn posts, personas, buckets | NovaHound Postgres | Yes (disk-level) |
| Mailbox-derived contacts & messages | NovaHawk Postgres | Yes (disk-level) |
| Microsoft 365 OAuth tokens | NovaHawk Postgres | Yes (Fernet, app-level) |
| LinkedIn OAuth tokens | NovaHound Postgres | Yes (Fernet, app-level) |
| Uploaded documents (Briefcase) | NovaHub Postgres (BYTEA blobs) | Yes (disk-level) |
| Billing identifiers (Stripe IDs) | NovaHub Postgres | Yes (disk-level) |
| Card numbers, raw payment details | Stripe — we never see them | n/a |
SECRET_KEY.
What we send to third parties (and why)
| Service | What we send | Why | Retention by them |
|---|---|---|---|
| Anthropic (Claude API) | The prompt for each generation: your ICP profile, persona, draft text. No customer-list emails, no stored contact PII unless you explicitly include it in a prompt. | Powers SmartICP synthesis, NovaHerald drafting, NovaHound posting, NovaHawk relationship summaries. | 30 days for abuse review, then deleted. Your prompts are not used to train Anthropic's models (per their commercial API terms). |
| OpenAI (Realtime voice) | Audio + text transcript when you use the 🎤 voice intake on SmartICP. | Conversational ICP intake. | 30 days for abuse review. Not used for training under the API ToS. |
| Resend (email send + inbound) | Outbound email content + recipient address. For NovaHerald replies, the inbound email is forwarded back to us. | Sending campaign + transactional email and matching replies. | 30 days of message logs in Resend's UI for your own review. |
| Stripe | Your email + the amount + the product. Card data goes directly from your browser to Stripe — never through our servers. | Billing. | Per Stripe's policy — they're PCI-compliant. |
| LinkedIn | Post text when NovaHound publishes. Your access token for sign-in + posting. | Publishing to your LinkedIn profile or org pages. | Per LinkedIn's policy. |
| Microsoft Graph | Nothing — we read from your mailbox. Token is encrypted on our side. | NovaHawk relationship intelligence + (optional) NovaHerald customer-domain reply inbox. | n/a — read-only. |
| HubSpot / Pipedrive | Nothing — they POST events to us when deals close. | SmartICP deal outcome auto-sync. | n/a — inbound only. |
| Slack (your incoming webhook) | Event titles + summaries you've opted into on /integrations. No raw customer data unless you've ticked the relevant event toggle. | Notifications. | Per your Slack workspace's retention policy. |
| Your outbound webhook URL | Same payloads as Slack — JSON, HMAC-signed with your suite's SECRET_KEY so you can verify authenticity. | Custom integrations (Zapier/Make/n8n/anything). | Your decision — we don't store the payload anywhere it isn't already. |
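If you run your own receiver for the outbound webhook, the thing to get right is the signature check before you trust the payload. The following is an added illustration written for this page, not LeadFuel's own code: the page only says the JSON is HMAC-signed with your suite's SECRET_KEY, so the header name (X-LeadFuel-Signature), the digest (HMAC-SHA256) and the hex encoding are assumptions to confirm against your integration settings. It verifies the raw body bytes with a constant-time comparison and parses the JSON only afterwards.

```python
import hashlib
import hmac
import json

# Assumed wire format (the page only says "JSON, HMAC-signed with your suite's
# SECRET_KEY"): HMAC-SHA256 over the raw request body, hex-encoded, carried in a
# header we call X-LeadFuel-Signature here. Confirm the real header name and
# digest against the suite's integration settings before relying on this.
SIGNATURE_HEADER = "X-LeadFuel-Signature"


def sign_payload(secret: str, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 tag for a raw body (assumed sender scheme)."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, body: bytes) -> bool:
    """True only if the header carries a valid tag for exactly these body bytes.

    Verify the raw bytes, not a re-serialised JSON object: any whitespace or
    key-order change would alter the digest. compare_digest keeps the comparison
    constant-time, so a wrong tag cannot be told apart from a right one by timing.
    """
    provided = headers.get(SIGNATURE_HEADER)
    if not isinstance(provided, str) or not provided:
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


def handle_webhook(secret: str, headers: dict, body: bytes) -> dict:
    """Receiver entry point: parse the JSON only after the signature checks out."""
    if not verify_webhook(secret, headers, body):
        return {"status": 401, "event": None}
    return {"status": 200, "event": json.loads(body)}


# Constructed sample data, not a real LeadFuel delivery.
SECRET = "example-suite-secret-key"  # stands in for your suite's SECRET_KEY
SAMPLE_BODY = json.dumps(
    {"event": "campaign.reply", "title": "Reply received on campaign 42"}
).encode("utf-8")
GOOD_HEADERS = {SIGNATURE_HEADER: sign_payload(SECRET, SAMPLE_BODY)}
# Same tag, body altered in transit: must be rejected.
TAMPERED_BODY = SAMPLE_BODY.replace(b"campaign 42", b"campaign 99")

if __name__ == "__main__":
    print(handle_webhook(SECRET, GOOD_HEADERS, SAMPLE_BODY))    # status 200
    print(handle_webhook(SECRET, GOOD_HEADERS, TAMPERED_BODY))  # status 401
```

Keep the secret out of the payload handler's logs, and treat a missing or malformed header exactly like a bad signature, as the code does: both return 401 without parsing the body.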
What we deliberately don't do
- We don't sell or share your customer data with advertisers, data brokers, or aggregator partners. There are none.
- We don't fine-tune AI models on your data.
- We don't pre-load your contacts to any service you didn't explicitly connect.
- We don't use your prompts for product analytics in a way that retains identifying content.
- We don't store credit-card numbers. Stripe does.
Per-customer isolation
Every customer's data is scoped by account_email in every table. Cross-customer reads are gated at the application layer and the service-mesh layer. Admins (us, the operators) can impersonate a customer for support — when this happens, a visible orange banner appears at the top of every page that says "Viewing as customer@example.com · Exit impersonation" and the action is logged.
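To make the isolation rule concrete, here is an added illustration written for this page (not LeadFuel's code; the table, the two customers and the support-admin identity are constructed). It shows the shape of the pattern described above: the account_email predicate is attached inside the data layer rather than by each caller, a lookup by id still carries the scope so another customer's row reads as "not found", and any read performed under impersonation is written to an audit list alongside the banner text the page quotes.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed schema for the example: one table carrying the account_email
# column that, per the page, every table has.
SCHEMA = """
CREATE TABLE icps (
    id            INTEGER PRIMARY KEY,
    account_email TEXT NOT NULL,
    name          TEXT NOT NULL
);
"""


def connect() -> sqlite3.Connection:
    """In-memory database seeded with rows for two constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO icps (account_email, name) VALUES (?, ?)",
        [
            ("alice@example.com", "Mid-market SaaS"),
            ("alice@example.com", "Fintech"),
            ("bob@example.com", "Logistics"),
        ],
    )
    return conn


@dataclass(frozen=True)
class Scope:
    """Per-request context: whose data is being read, and by whom.

    impersonated_by is the operator's identity when an admin is viewing a
    customer's account; None for an ordinary customer session.
    """
    account_email: str
    impersonated_by: Optional[str] = None


# Stands in for the suite's audit log (the page gives it 90-day retention).
AUDIT_LOG: list = []


def _audit(scope: Scope, action: str) -> None:
    """Record every read made under impersonation; normal reads are not logged here."""
    if scope.impersonated_by:
        AUDIT_LOG.append(
            {"actor": scope.impersonated_by, "as": scope.account_email, "action": action}
        )


def banner(scope: Scope) -> Optional[str]:
    """Banner text shown on every page during impersonation, using the page's wording."""
    if scope.impersonated_by is None:
        return None
    return f"Viewing as {scope.account_email} · Exit impersonation"


def list_icps(conn: sqlite3.Connection, scope: Scope) -> list:
    """The account_email predicate is added by the data layer, never by the caller,
    so there is no code path that can forget it."""
    _audit(scope, "list_icps")
    rows = conn.execute(
        "SELECT name FROM icps WHERE account_email = ? ORDER BY id",
        (scope.account_email,),
    ).fetchall()
    return [name for (name,) in rows]


def get_icp(conn: sqlite3.Connection, scope: Scope, icp_id: int) -> Optional[str]:
    """Lookup by id still carries the scope: a row belonging to another customer
    is indistinguishable from a row that does not exist."""
    _audit(scope, f"get_icp:{icp_id}")
    row = conn.execute(
        "SELECT name FROM icps WHERE id = ? AND account_email = ?",
        (icp_id, scope.account_email),
    ).fetchone()
    return row[0] if row else None
```

The design choice worth copying is that callers never pass a raw email string to a query; they pass a Scope object built once per request from the session, so the scoping predicate and the audit entry come from the same place.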
Retention & deletion
- Audit logs: 90 days.
- Magic-link sign-in tokens: 30 minutes (then deleted).
- Customer-deleted ICPs / campaigns / posts: soft-deleted, purged from disk on the next archive run.
- Full account deletion: email hello@leadfuel.cloud and we delete everything within 14 days. We'll send you a confirmation when complete.
Honest limitations (May 2026)
- We are not SOC 2 certified yet. The compliance audit is on the roadmap once we hit the customer threshold that warrants it.
- We are not currently set up to sign BAA / HIPAA-grade agreements. Don't put PHI in here.
- We do follow the EU GDPR's data-minimization and access-request principles — write to us and we'll honor a data-subject access request.
- For very paranoid customers: we can configure a per-customer BYO-Anthropic-key override so your AI calls route through your own API account. Ask us.
Questions or corrections to this page? Email hello@leadfuel.cloud. Updated 2026-05-31.