Privacy Policy
Effective date: March 20, 2026
This Privacy Policy describes how HawkLeads, a product of Workbird LLC (“we,” “us,” or “our”), collects, uses, stores, shares, and protects information when you use our platform at hawkleads.io, our embeddable widget, our APIs, and related services (collectively, the “Service”). This policy applies to two categories of individuals: Customers (account holders who use HawkLeads to collect and manage leads) and End Users (visitors who interact with HawkLeads widgets embedded on Customer websites).
1. Information We Collect
1.1 Customer Information
When you create an account and use HawkLeads, we collect:
- Account information: email address, password (stored as a bcrypt hash, never plaintext), company name, and timezone
- Billing information: payment details are processed and stored by Stripe. We store only your Stripe customer ID and subscription status. We never have access to full credit card numbers.
- Usage information: login timestamps, feature usage patterns, pages visited within the dashboard, and API request logs
- Support communications: emails and messages exchanged with our support team
1.2 End User Information
When end users interact with HawkLeads widgets embedded on Customer websites, we collect:
- Submitted information: name, email address, phone number (optional), free-text message (optional), and qualifying flow answers
- Technical information: IP address (hashed after 30 days), browser user agent, referring page URL, device type, and country (derived from IP)
- Interaction data: widget open/close events, step completion events, and submission timestamps
We do not use cookies, local storage, or any persistent tracking mechanisms in the widget. The widget does not load third-party analytics, advertising pixels, or social media trackers.
1.3 Automatically Collected Information
For both Customers and End Users, we automatically collect server access logs that include IP addresses, request timestamps, request paths, HTTP status codes, and response sizes. These logs are retained for 30 days and used exclusively for security monitoring and debugging.
2. How We Use Information
2.1 To Provide the Service
- Process and store widget submissions on behalf of Customers
- Calculate lead scores based on qualifying flow answers
- Send email notifications about new leads, follow-up reminders, and account activity
- Deliver webhook payloads to Customer-configured endpoints
- Display analytics and reports within the Customer dashboard
- Process subscription payments through Stripe
2.2 To Maintain and Improve the Service
- Monitor service performance, uptime, and error rates
- Identify and fix bugs, security vulnerabilities, and performance issues
- Analyze usage patterns (using anonymized, aggregated data only) to inform product decisions
2.3 To Communicate
- Send transactional emails (account verification, password resets, billing receipts)
- Send product emails you have opted into (weekly digests, trial reminders)
- Respond to support requests
We do not send marketing emails to End Users. We do not sell, rent, or trade email addresses for advertising purposes.
2.4 To Enforce Security
- Rate limit API requests and widget submissions to prevent abuse
- Detect and block bot submissions using timing checks and honeypot fields
- Verify Stripe webhook signatures to prevent fraud
- Hash IP addresses after 30 days to minimize stored personal data
3. Information Sharing and Disclosure
We do not sell personal data. We share information only in the following circumstances:
3.1 Service Providers
We use the following third-party services to operate HawkLeads:
- Supabase: database hosting, authentication, and real-time subscriptions (data stored in US-based infrastructure)
- Stripe: payment processing (subject to Stripe's Privacy Policy)
- Resend: transactional email delivery
- Upstash: rate limiting (Redis-based, stores only hashed identifiers and request counts)
- Cloudflare: CDN for widget bundle delivery and DDoS protection
- Netlify: application hosting
Each service provider processes data only as necessary to provide their specific service and is bound by their own privacy policies and data processing agreements.
3.2 Customer Access to End User Data
End User submissions are accessible to the Customer whose widget collected the data. Customers can view, export, and delete submissions through their dashboard or API. HawkLeads acts as a data processor on behalf of the Customer (data controller) for End User data.
3.3 Legal Requirements
We may disclose information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and a prominent notice on our website before your information becomes subject to a different privacy policy.
4. Data Storage, Security, and Retention
4.1 Storage
All data is stored in Supabase-managed PostgreSQL databases hosted in US-based data centers. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
4.2 Security Measures
- Row-level security (RLS) on all database tables containing user data
- API keys stored as cryptographic hashes (never plaintext)
- Passwords hashed using bcrypt with salt
- HTTPS enforced on all connections
- CORS restrictions on API endpoints
- Rate limiting on all public endpoints
- Webhook payloads signed with HMAC-SHA256
- No third-party JavaScript in the widget (no tracking, no ads)
- Shadow DOM isolation for the widget to prevent CSS/JS conflicts
4.3 Retention
- Account data: retained while the account is active. Deleted permanently upon account deletion.
- Lead submissions: retained while the account is active. Cascade-deleted when the account is deleted.
- IP addresses: raw IP addresses are hashed after 30 days and cannot be reversed.
- Server logs: retained for 30 days, then automatically purged.
- Inactive trial accounts: data retained for 90 days after trial expiration, then permanently deleted.
- Canceled subscriptions: data retained for 90 days after subscription end, then permanently deleted.
5. Cookies and Tracking
5.1 Dashboard (hawkleads.io)
The HawkLeads dashboard uses only essential, first-party cookies for authentication and session management. These cookies are:
- Strictly necessary for the service to function
- Not used for tracking, analytics, or advertising
- Set with HttpOnly, Secure, and SameSite=Lax attributes
5.2 Widget
The HawkLeads widget does not set any cookies, use local storage, or employ any persistent tracking mechanisms. The widget does not load any third-party scripts. End User interactions are recorded only as server-side events (widget opens, step completions, submissions).
6. Your Rights
6.1 All Users
Regardless of your location, you have the right to:
- Access: view all personal data we hold about you
- Correction: update or correct inaccurate information
- Deletion: permanently delete your account and all associated data
- Export: request a copy of your data in a machine-readable format
- Opt-out: unsubscribe from non-essential email communications at any time
Customers can exercise most of these rights directly through their account settings. For data export requests or other inquiries, contact support@hawkleads.io.
6.2 European Economic Area (GDPR)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation:
- Right to restrict processing: request that we limit how we use your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: object to processing based on legitimate interest
- Right to lodge a complaint: file a complaint with your local data protection authority
Our legal basis for processing Customer data is contractual necessity (performance of the subscription agreement). For End User data, the legal basis is the legitimate interest of the Customer in managing their leads, with consent obtained by the Customer at the point of collection.
6.3 California (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
6.4 End User Rights
End Users who wish to access, correct, or delete their submitted data should contact the Customer (website operator) who collected their data. Customers can manage End User data through the HawkLeads dashboard. If an End User cannot reach the Customer, they may contact us at support@hawkleads.io and we will assist in locating and processing the request.
7. International Data Transfers
HawkLeads is based in the United States. If you access the service from outside the US, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and our service providers' data transfer mechanisms to ensure appropriate safeguards for international data transfers. By using the service, you consent to the transfer of your data to the United States.
8. Children's Privacy
HawkLeads is not directed to individuals under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. Customers are prohibited from using HawkLeads to collect data from minors. If we learn that we have collected personal information from a child, we will take immediate steps to delete that information. If you believe a child has provided personal information through a HawkLeads widget, contact us at support@hawkleads.io.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered Customers at least 30 days before they take effect. The "Effective date" at the top of this page will be updated to reflect the date of the most recent revision. Your continued use of the service after the effective date constitutes acceptance of the updated policy.
10. Contact Us
For any questions or concerns about this Privacy Policy, your data, or to exercise your rights, contact us at:
HawkLeads (Workbird LLC)
Email: support@hawkleads.io
Website: hawkleads.io
For GDPR-related inquiries, you may also contact your local data protection authority. A list of EEA data protection authorities is available at edpb.europa.eu.