Privacy policy

LeadsRally is a product owned and operated by VALHALLA MARKETING LLC, a Florida limited liability company. References to "LeadsRally", "we", "us", or "our" in this Privacy Policy mean VALHALLA MARKETING LLC, which offers this product under the trade name LeadsRally.

This Privacy Policy explains how LeadsRally collects, uses, and protects personal data when you use our platform. It applies to the customers who sign up for accounts and to the end-contacts who receive messages through the platform.

1. Data we collect

• Account data: email, password hash, organization name, role.
• Contact data imported by customers: name, phone number, email, tags, custom fields, consent state.
• Message content: SMS and WhatsApp exchanges routed through Twilio and Meta.
• AI analysis metadata: intent labels, interest scores, and reply suggestions generated from message content.
• Operational telemetry: IP address, request timestamps, error traces (via Sentry), webhook delivery logs.

2. How we use it

Primary uses (necessary to provide the service — cannot be opted out of while using LeadsRally):

• Delivering the messaging, analytics, and automation features the customer configured.
• Generating AI responses, lead scoring, and reply suggestions on your behalf.
• Service reliability, abuse prevention, fraud detection, and billing.
• Notifying account owners about service changes, security alerts, and transactional matters.

Secondary uses (optional — you may opt out by emailing [email protected]):

• Sending product updates, feature announcements, and promotional communications to account owners.
• Aggregated, anonymized usage statistics to improve the platform.
• Case studies or testimonials (only with your explicit written consent).

3. Legal basis (GDPR art. 6)

• Contract — to provide the service customers signed up for.
• Legitimate interest — securing the platform, preventing abuse, improving reliability.
• Consent — where required (e.g. marketing communications to you). Customers who use the platform to contact their own audience are responsible for obtaining consent from those contacts.
• Legal obligation — tax, accounting, and regulatory record-keeping.

4. Sharing with third parties (subprocessors)

• Twilio (US) — SMS delivery and phone number management.
• Meta (US/IE) — WhatsApp Business messaging and Lead Ads ingestion.
• Anthropic (US) — AI inference on conversation snippets when AI features are enabled.
• Sentry (US) — error monitoring and performance traces.
• Resend (US) — transactional email (password reset, notifications).
• Railway (US) — application hosting and managed Postgres.

We do not sell personal data. We share data with subprocessors only to the extent needed to deliver the service you requested.

Support access: Our support team may access your account — including contacts and conversation history — when you open a support request that requires it. This access is limited to resolving your request. Support staff do not store or export your data outside the platform.

5. SMS communications

LeadsRally sends SMS messages in two contexts: (a) to users and prospects who opt in directly on leadsrally.app to receive product updates, demo reminders, and account notifications from LeadsRally; and (b) on behalf of our business customers, who use the platform to message their own contacts via Twilio. The following terms apply to all SMS communications:

• Opt-in: recipients must have explicitly opted in to receive SMS messages before any message is sent. For LeadsRally's own outreach, opt-in is collected via the public form at leadsrally.app/en/sms-consent. For customer outreach, customers are solely responsible for obtaining valid opt-in consent from their contacts in compliance with applicable law. Opt-in consent (timestamp, IP, exact disclosure shown) is recorded per contact and stored in the platform.
• Message frequency: message frequency varies based on the program and recipient activity.
• Message and data rates: message and data rates may apply depending on the recipient's mobile carrier and plan.
• Opt-out: recipients may reply STOP at any time to unsubscribe from further messages. One final confirmation message will be sent. No further SMS will be sent after a valid STOP request.
• Help: recipients may reply HELP for assistance, or contact us at [email protected].
• No sharing of mobile information: mobile phone numbers, SMS opt-in/opt-out consent data, and any text messaging originator opt-in information collected by LeadsRally will not be shared with any third parties or affiliates for marketing or promotional purposes. Information sharing is limited to subprocessors strictly necessary to deliver the SMS service (e.g. Twilio as the messaging aggregator).

6. International data transfers

Our infrastructure and most subprocessors are based in the United States. If you are located in the EEA, UK, or Switzerland, your data is transferred to the US under Standard Contractual Clauses with each subprocessor, and we implement the supplementary technical measures required by Schrems II (encryption in transit and at rest, access controls, short-lived credentials).

7. Retention

• Account data — while the account is active, plus 30 days after deletion for reversal and audit.
• Message content and conversations — retained until the customer deletes them, subject to any provider-mandated retention (e.g. Twilio 13-month log retention).
• Error telemetry (Sentry) — 30 days.
• Webhook delivery logs — 90 days.
• Billing records — 7 years, for tax and accounting obligations.
• Backup snapshots — up to 30 days; deletions propagate when a snapshot rolls off.

8. Your rights

• Access and portability: download your data from Settings → Privacy & Account → Export.
• Erasure: delete your account from Settings → Privacy & Account → Delete account.
• Correction: edit your contact and profile details inside the product at any time.
• Opt-out: end-contacts can reply STOP to any message, or use the unsubscribe link in a message, to opt out of further communications.
• Complaint: EEA/UK residents can lodge a complaint with their supervisory authority; if you're unsure which one applies, contact us first and we'll help.

How to submit a formal request: Email [email protected] with: (1) your full name and account email, (2) a copy of a government-issued ID or equivalent verification, and (3) a clear description of the right you wish to exercise and the data involved. We will acknowledge your request within 5 business days and resolve it within 20 business days of receipt. If additional time is needed, we will notify you before the deadline and complete the request within 15 additional business days.

9. Security

Access tokens and refresh tokens are scoped and short-lived. Passwords are stored with bcrypt. Database traffic is TLS-encrypted. Customer credentials for Twilio and Meta are encrypted at rest. We maintain an incident response process and notify affected customers within 72 hours of a confirmed breach involving their data.

10. Children

LeadsRally is a B2B platform and is not directed at children under 16. We do not knowingly collect personal data from children.

11. California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights over the personal information described in section 1:

• Right to know — request the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete — request deletion of the personal information we collected from you, subject to legal exceptions.
• Right to correct — request correction of inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. There is therefore nothing to opt out of.
• Right to limit use of sensitive personal information — we do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA/CPRA.
• Right to non-discrimination — we will not deny service, charge a different price, or provide a different quality of service because you exercised any of these rights.

To exercise any of these rights, follow the formal request process in section 8 or email [email protected]. You may use an authorized agent to submit a request on your behalf; we will ask the agent for proof of authorization and may still verify your identity directly. Verifiable consumer requests are free.

12. Email communications (CAN-SPAM)

The commercial and promotional emails we send to account owners (the secondary uses described in section 2) comply with the US CAN-SPAM Act:

• We do not use false or misleading sender information, and subject lines accurately reflect the content of the email.
• Promotional emails are identifiable as such.
• Every commercial email includes our valid physical postal address.
• Every commercial email includes a clear and conspicuous way to opt out of future promotional email.
• We honor opt-out requests promptly, and in no case later than 10 business days.

To stop receiving promotional email, use the unsubscribe link in any such message or email [email protected]. Transactional and service emails — security alerts, billing, and account notifications — are not promotional and will continue regardless of your marketing opt-out status.

13. Changes to this policy

We may update this policy to reflect new features, subprocessors, or legal requirements. Material changes will be announced in-product and via email to account owners at least 14 days before they take effect.

14. Contact

For privacy questions, contact us at [email protected]. For general support, email [email protected].