Assure Lead Privacy Policy

Effective Date: [10/19/2024]


Controller/Operator: Assure Lead LLC, a South Carolina limited liability company


Principal Office (Mailing):

215 East Bay Street

Ste 201k #3328

Charleston, South Carolina 29401


Privacy Contact: [email protected]


1) Scope, Applicability & Conspicuous Notice

This Privacy Policy explains how we collect, use, disclose, and retain information related to:

(a) visitors to our websites, landing pages, and forms;

(b) prospective and current customers;

(c) end-users whose information is supplied to or processed by us in connection with our lead-generation and related services; and

(d) job applicants and contractors (as noted below).

This Policy applies to information collected online and offline (including web, chat, email, SMS, and recorded calls). “Services” means our websites, forms, communications, and lead-related offerings.

Conspicuous Notice & Acknowledgment.

By visiting our sites, submitting any form, purchasing any product or service, downloading any file or resource, or otherwise interacting with our websites or communication systems, you acknowledge this Privacy Policy and how we process information as described here. If you do not agree with these practices, do not use the Services.

Cookie Banner Acknowledgment.

By selecting “Accept All” on our cookie banner, you consent to non-essential cookies as described in our Cookie Policy and acknowledge this Privacy Policy. Cookie consent is separate and granular; it does not constitute acceptance of our Terms of Service or Refund & Billing Policy.

Contractual Conflicts.

If you enter into a separate written agreement (e.g., an Order, SOW, or DPA), that agreement governs to the extent it conflicts with this Policy for the subject matter of that agreement.

Roles.

We act as a business/controller when we decide why/how personal information is processed, and as a processor/service provider when we process on behalf of a client under a DPA.

Children.

We do not knowingly collect information from children under 13 (or the applicable age of digital consent). If you believe a child has provided information to us, contact us immediately.


2) Key Definitions (plain-English)

Personal Information / Personal Data (PI/PD): Info that identifies or could reasonably be linked to an individual or household.

Sensitive Personal Information (Sensitive PI): Includes precise geolocation, government IDs, account credentials, health/biometric inferences (including voice characteristics where applicable), and similar protected categories.

Sell / Share / Targeted Advertising: As defined by US state privacy laws (e.g., CPRA). “Sell” is disclosure for value; “Share” is cross-context behavioral ads; “Targeted Advertising” covers cross-site ad delivery based on PI.

Profiling / Automated Decision-Making: Automated processing to analyze or predict aspects (e.g., lead fit, fraud risk, priority).

De-identified / Aggregated Data: Cannot reasonably identify an individual or household; we commit not to re-identify.

Controller vs. Processor: We are the controller when we set purposes/means; a processor when following a client’s instructions under contract.


3) Notice at Collection — Categories, Purposes, Retention, Sell/Share Flags

We collect the following categories of Personal Information. Retention periods are maximums unless law/contract requires otherwise. “Sell/Share/Targeted Ads” flags reflect website visitor practices; client projects handled under a DPA are not a sale/share by us.

| Category of PI | Examples | Primary Purposes (see §5) | Legal Basis* | Retention | Sell / Share / Targeted Ads** |
|---|---|---|---|---|---|
| Identifiers | Name, email, phone, IP, device IDs | Lead intake, onboarding, support, security, fraud prevention, compliance | Legitimate interests; contract; consent (where required) | 24 months from last activity (unless contracted otherwise) | May “Share” via ad tech unless you opt out |
| Commercial info | Purchases, subscription tier, invoices | Billing, account mgmt, collections, compliance | Contract; legal obligation | 7 years (tax/audit) | No |
| Internet/network data | Device/browser, pages, UTM, cookies/pixels | Analytics, performance, ad measurement, security | Consent (EU/UK); legitimate interests | 26 months (analytics defaults), see Cookie Policy | May “Share” unless you opt out / GPC |
| Coarse geolocation | City/region from IP | Routing, geo-fit, analytics, security | Legit interests; consent where required | 26 months | May “Share” unless you opt out |
| Audio/visual | Call recordings, voicemails, meetings | QA, training, disputes, transcription/AI | Consent; legitimate interests | Audio 90 days; transcripts 12 months; derived analytics 24 months | No |
| Professional/B2B | Firm, role, licensing (if provided) | B2B contracting, due diligence, routing | Legitimate interests; contract | 24 months | No |
| Inferences/profiles | Lead fit scores, fraud flags, engagement | Prioritization, QA, security, improvement | Legitimate interests; consent (opt-out rights apply) | 24 months | No |
| Sensitive PI (limited) | Voice inferences (not voiceprints), credential hashes, precise geo (only if opted-in) | Security/authentication/fraud; never for ads | Consent; legal obligation; legit interests | Voice-inference metrics 24 months; security data per policy | No |

* Legal bases summarized for GDPR/UK; details in §7.

** See Cookie Policy for ad-tech specifics and opt-out mechanisms. We honor Global Privacy Control (GPC) for browser-level opt-outs.

4) Sources of Personal Information

Direct: Web forms, chat, email, SMS, phone (including recorded lines with notice), meetings, uploaded/imported files.

Automatic: Cookies, pixels, SDKs, server logs, device/browser metadata, session/usage analytics.

Clients/Partners (processor context): Leads/contact records via API/CSV/CRM sync, per client instructions and our DPA.

Service providers: Anti-fraud tools, data validation, email deliverability results (e.g., hard-bounce signals), call intelligence/S2T engines.

Public/third-party sources: Public websites, professional directories, and licensed datasets used to validate/enrich records where permitted.


5) How We Use Personal Information (purposes)

We use PI to:

Intake & route leads: Collect/process inquiries; geo/practice fit; deduplicate; route internally or (in processor context) to the client.

Deliver services & administer accounts: Provision accounts/snapshots/integrations; process orders; provide support.

Quality assurance & training: Monitor quality; improve playbooks; record and transcribe calls (with notice).

Security & fraud prevention: Detect bots/abuse; validate phones/emails; rate-limit; investigate incidents; maintain audit logs.

Analytics & performance: Measure site/app usage and campaign effectiveness; A/B tests; diagnose issues; improve UX.

Personalization & advertising (site visitors): Show relevant content/ads; measure performance; honor opt-outs/GPC; see Cookie Policy.

Automated decision-making/profiling (limited): Create lead fit scores, dupes/fraud flags, prioritization indicators; see §8 and §20 (rights).

Communications: Respond to inquiries; onboarding; operational messages; legally required notices; marketing where permitted (opt-out available).

Compliance & legal: Contract enforcement, billing, audits, regulatory reporting, dispute resolution, and exercising/defending legal claims.

De-identification & aggregation: Produce non-identifiable statistics; we do not re-identify.


6) Use of AI, Speech-to-Text & Automated Tools (transparency)

We use automated tools (“AI Services”), including LLMs and speech-to-text systems, to:

Transcribe/summarize calls/voicemails and extract structured fields (e.g., claim type, timeline).

Classify, score, and prioritize leads (completeness, geo/practice fit, fraud likelihood).

De-duplicate/cleanse data, validate contact info, and detect spam/bots.

Draft internal notes and first-pass responses for human review before material decisions.

Model training & vendors. Vendors are contractually prohibited from training publicly available foundation models on your data unless expressly stated or you provide explicit consent. Vendors may retain transient logs for security/quality subject to DPAs.

Human oversight. Material outcomes (e.g., eligibility to enter a paid program, pricing, or binding commitments) are not made solely by automated means; you may request human review (see §8 and §16).

Audio/voice retention. Audio 90 days, transcripts 12 months, derived analytics 24 months, unless needed longer for disputes/legal obligations or specified by contract. (See §21 in Part 2 for Sensitive PI details.)


7) Legal Bases for Processing (EU/UK) & US Alignment

Contract (Art. 6(1)(b)) — Account setup, order fulfillment, support, billing.

Legitimate Interests (Art. 6(1)(f)) — Security/fraud prevention; service improvement; B2B marketing to existing/prospective customers (subject to e-privacy rules); limited profiling for routing; de-identification. We balance against your rights/expectations.

Consent (Art. 6(1)(a)) — Non-essential cookies/ads; call recording in certain jurisdictions; marketing where required; certain Sensitive PI.

Legal Obligation (Art. 6(1)(c)) — Tax, accounting, regulatory and consumer-protection duties.

Vital/Public Interests (rare).

For US state laws, we provide Notice at Collection, opt-out of Sell/Share/Targeted Ads, limit Sensitive PI, and an appeals process for denied rights requests. We honor GPC signals for site visitors.


8) Automated Decision-Making & Profiling — Your Choices

What we do: Automated scoring/classification for lead quality, duplicate detection, fraud/spam screening, and prioritization.

What we don’t do: We do not make legal or pricing decisions solely by automated means.

Why it matters: These processes help us route inquiries efficiently, protect systems, and improve service.

Your options: Object to profiling for direct marketing or request human review of a decision that materially affects you. Email [email protected] with subject “Automated Review Request” and include identifiers (email/phone) and timeframe.


9) Disclosure of Personal Information

We disclose PI only as described here. We never sell raw lead or customer data for consumer marketing and only “share” data as defined by law where noted.

9.1 Service Providers / Processors

Vetted third parties operate under contract and access PI only to perform tasks on our behalf (hosting/CDN, CRM/automation, payments, call-recording/S2T/AI, email/SMS, analytics, fraud/validation, professional advisors). Each is bound by confidentiality, data-protection, and security obligations consistent with law and our DPA.

9.2 Clients & Authorized Partners

As a processor, we disclose PI to the client that engaged us, strictly per that client’s instructions and contract. As a controller, we may share lead/contact data with an authorized downstream partner only when (i) you consent or reasonably expect it, (ii) it’s necessary to fulfill your request, or (iii) required by law.

9.3 Affiliates & Transactions

We may share PI with controlled affiliates under equivalent safeguards. In a merger, acquisition, restructuring, or sale of assets, PI may transfer to the successor, who must honor this Policy or provide notice before materially different handling.

9.4 Legal, Compliance & Safety

We may disclose PI to comply with law or lawful requests; enforce contracts or collect debts; prevent fraud/abuse; or protect users, employees, or the public from harm.

9.5 De-identified/Aggregated

We may share statistics or de-identified information that cannot reasonably identify you; we will not attempt re-identification.


10) Third-Party Links, Integrations & External Sites

Our sites/dashboards may link to or embed third-party tools (payment gateways, scheduling, CRMs, analytics tags, social pixels). These parties operate under their own privacy policies; we do not control their collection or use. Interacting with such features may allow the third party to recognize you or link activity across sites. Review each provider’s policy.


11) International Data Transfers

Your information may be transferred to or stored in countries other than where it was collected.

11.1 United States

If you are outside the U.S., you acknowledge transfer to and processing in the U.S., where laws may differ.

11.2 EU/UK/EEA Safeguards

Transfers to countries without an adequacy decision rely on Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and additional technical/organizational measures (encryption, access controls, segregation, vendor audits).

11.3 Other Regions

For regions requiring cross-border mechanisms (e.g., Argentina, Canada, APAC), we apply equivalent contractual and security measures.


12) Data Retention & Deletion

We retain PI only as long as necessary for the purposes described or as required by law/contract.

| Category | Typical Maximum Retention | Notes |
|---|---|---|
| Lead & contact data | 24 months from last activity | Extended if active contract or dispute |
| Client account & billing | 7 years | Tax/audit/legal |
| Call recordings | 90 days | Deleted sooner upon verified request unless under investigation |
| Transcripts / AI summaries | 12 months | QA and training |
| Derived analytics/metrics | 24 months | De-identified after aggregation |
| Support tickets/logs | 24 months | Service history/disputes |
| Cookies/analytics IDs | Per Cookie Policy (26 months default) | Subject to user deletion/opt-out |
| Applicant/HR data | 12 months | Deleted on request if not hired |

At end of retention, we securely delete, anonymize, or aggregate. Backups may persist for limited periods under access controls until overwritten.


13) Security Measures & Incident Posture

We implement administrative, technical, and physical safeguards designed to protect PI against accidental loss, misuse, unauthorized access, disclosure, alteration, or destruction, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)

Network security (firewalls, DDoS protection, monitoring, endpoint protection)

Access controls (least privilege, role-based permissions, MFA for admin systems)

Audit logging of data access/changes

Vendor vetting (security questionnaires; contractual obligations)

Employee training (data handling, phishing, confidentiality)

Incident response plan with defined notification procedures

If a security incident involves PI, we will investigate, mitigate, and notify affected individuals and authorities as required by law. No system is 100% secure; you use the Services at your own risk.


14) Children’s Data

Our services are directed to businesses and adults. We do not knowingly collect PI from anyone under 13 years of age (or the applicable age of consent). If we learn we collected PI from a child without verifiable parental consent, we will delete it promptly. Parents/guardians may contact [email protected].


15) Your Privacy Rights — Overview

Depending on your jurisdiction, you may have rights to:

Access / Know (confirm processing; receive a copy)

Correction (rectify inaccuracies)

Deletion (request deletion subject to legal/contract exceptions)

Portability (machine-readable copy of certain PI)

Opt-out (direct us not to “sell,” “share,” or use PI for targeted advertising)

Limit Sensitive PI (restrict certain uses beyond what’s reasonably expected)

Non-Discrimination (no adverse treatment for exercising rights)

Appeal (challenge our response to a rights request)

How to exercise these rights (verification, timelines, authorized agents, appeals) appears in §16 and §17 (Part 2 also adds opt-out mechanisms, GPC handling, and state/EU details).


16) How to Exercise Your Rights (requests, verification, timelines)

Submit a request via:

Web form: [Link to Privacy Request Form]

Email: [email protected] (subject: “Privacy Request”)

Postal: Assure Lead LLC — Attn: Privacy Requests,

215 East Bay Street

Ste 201k #3328

Charleston, South Carolina 29401

Include: (a) the right you wish to exercise, (b) info to verify your identity, and (c) details to locate your records (email/phone used, approximate dates, campaign/landing page, or client name if you interacted via a client).

Verification.

Consumers/Visitors: Verify control of email/phone on file (link/code/reply).

B2B Contacts/Clients: We may require company-domain verification or SOW/Order references.

Sensitive/high-risk requests: Additional documentation or attestations may be required.

We will deny unverified requests and explain why.

Timelines.


We respond within 45 days of a verifiable request (US); may extend 45 days with notice. EU/UK: respond within 1 month; may extend 2 months for complex requests.

Authorized Agents.


Provide signed permission or power of attorney, plus direct verification from you. Agents must show sufficient authority.

Appeals.


If we deny your request, you may appeal within 30 days by replying to our decision email with “Appeal” in the subject line and a short explanation. We will respond to appeals within 45 days (or as required by state law). You may also contact your supervisory authority/AG if available.

17) Opt-Outs — “Sell,” “Share,” and Targeted Advertising

17.1 Ad Tech & Cross-Context Advertising

Our use of third-party advertising and analytics tools (including Meta Pixel, Google Analytics 4, and similar platforms) may constitute “Share” of identifiers and internet activity under certain state privacy laws.


You can opt out by:

Using our Do Not Sell/Share My Personal Information link in the site footer,

Accessing the Cookie Preferences Center to disable advertising cookies, or

Enabling a browser-based Global Privacy Control (GPC) signal (see §18.2).

17.2 First-Party Marketing Communications

You may opt out of marketing emails at any time via unsubscribe links.
For SMS/text, reply STOP (standard rates apply).
Transactional and service messages (e.g., invoices, security notices) will continue.

17.3 Processor Context Pass-Through

When we process data on behalf of a client, opt-out and privacy requests should be sent directly to that client (the controller).
If you submit such a request to us, we will promptly forward it to the appropriate controller and follow their instructions under our DPA.


18) Cookies, Global Privacy Control (GPC) & Do Not Track (DNT)

18.1 Cookie Preferences Center

Our banner links to a Preferences Center that allows you to manage cookie categories (Essential, Functional, Analytics, Advertising).
Essential cookies are required for basic operation and cannot be disabled via the banner.
Full details appear in our Cookie Policy.

18.2 Global Privacy Control (GPC)

We honor GPC signals for site visitors by treating them as a request to opt out of sale/share/targeted advertising for that browser.

18.3 Do Not Track (DNT)

We do not respond to legacy DNT signals because no universal standard exists; however, we provide equivalent controls through the Cookie Preferences Center.

18.4 Browser & Device Controls

You can block or delete cookies via browser settings, reset mobile ad identifiers, and disable email tracking pixels. Blocking some cookies may limit functionality.


19) De-Identification, Aggregation & Data Minimization

19.1 De-Identified Data

When we de-identify data, we implement technical measures that prohibit re-identification and commit not to attempt to re-identify.
We require any recipients of de-identified data to adhere to the same prohibition.

19.2 Aggregation

We may produce aggregate statistics for service optimization, capacity planning, and reporting.
Aggregated data does not identify individuals or households.

19.3 Minimization & Annual Review

We collect and retain only data that is reasonably necessary and proportionate to the purposes disclosed in this Policy or our DPA.
We evaluate our collection and retention practices at least annually to ensure necessity and proportionality.


20) Automated Decision-Making — Human Review & Objection

For automated scoring or classification that may materially affect you (e.g., whether a lead qualifies for manual review):

Request Human Review: Email [email protected] with subject line “Automated Review Request.”

Object to Profiling: You may object to profiling for direct marketing.

Provide Context: You may supply additional information to correct or clarify automated inferences.

We will route your request to a trained reviewer, assess the automated rationale, and provide a written summary of the action taken or reason for no change.


21) Sensitive Personal Information

21.1 Limited Use & Scope

We collect very limited categories of Sensitive PI (e.g., precise geolocation, credential hashes, or voice inferences) solely for security, authentication, fraud prevention, or as required by law.
We do not use Sensitive PI for targeted advertising or profiling.

21.2 Voice/Biometric Clarification

We do not create or store voiceprints. Any voice “inferences” are used strictly for quality assurance or fraud detection, not for identification or advertising.
Destruction schedule: voice audio retained 90 days; derivative analytics retained 24 months.

21.3 Limitation Rights

Where your jurisdiction provides a right to limit Sensitive PI use, you can exercise it via our Preferences Center or by emailing [email protected].


22) Payments, Processors & Financial Data

Cards/ACH are processed by third-party payment processors that act as independent controllers for payment data.

We receive only limited billing metadata (e.g., last4 digits, transaction tokens, status).

For ACH transactions, you authorize debits per NACHA rules; returned debits may incur a service fee.

We retain invoices and transaction records for 7 years for accounting and audit purposes.


23) Subprocessors & Third-Party Vendors

23.1 Categories of Subprocessors

We use vendors across these functional areas:

Hosting, cloud infrastructure, and CDN

Database and storage services

Logging, monitoring, and analytics

CRM and marketing automation

Email/SMS delivery and routing

Speech-to-text and AI processing

Fraud detection and lead validation

Payment processing and billing

Document e-signature and management

Legal, accounting, and professional advisors

23.2 Change Management & Notifications

We maintain a list of subprocessor categories in this Policy and may publish a detailed list on our website.
When we materially add or change subprocessors, we will update this Policy (and, if contractually required, provide notice to clients who may object).


24) Region-Specific Disclosures

24.1 California (CPRA)

Notice at Collection: See §3.

Sell/Share: We may share identifiers and internet activity with ad partners unless you opt out.

Rights: Access, deletion, correction, portability, opt-out of sale/share/targeted ads, limit Sensitive PI, and appeal.

Financial Incentives: We do not offer financial incentives in exchange for personal information.

GPC: Honored for browser-level opt-outs.

Do Not Track: Equivalent controls via our Cookie Preferences Center.

24.2 Other U.S. States (CO, CT, VA, UT, OR, TX, TN, DE)

We extend the same rights—access, correction, deletion, portability, opt-out of targeted ads/sale, and appeal—under each applicable state privacy law.

24.3 EU/UK/EEA

Controller: Assure Lead LLC.

Legal Bases: As detailed in §7.

Transfers: Governed by SCCs and the UK Addendum, with additional security measures.

Representative (if applicable): We have not appointed an EU/UK representative at this time.

Supervisory Authority: You may lodge complaints with your local data protection authority.

24.4 Argentina (PDPA)

Where we recruit or collect data within Argentina, individuals may exercise rights of access, rectification, updating, or deletion.
Notice of international transfers is provided in §11.


25) Marketing, Communications & Preferences

We may send transactional and marketing communications.

Email: Unsubscribe via link or contact [email protected].

SMS: Reply STOP to opt out; HELP for assistance.

Phone: Marketing calls made only with consent where required.
We maintain “do-not-contact” records to ensure preferences are respected.

B2B Legitimate Interest: If you are a business contact, we may send relevant updates under legitimate interest; you may still opt out of non-essential marketing.


26) Job Applicants, Contractors & Employees

Applicants: Information provided for recruitment is used only for evaluating suitability. Retained 12 months unless longer retention is required or consented to.
Contractors/Vendors: We process limited PI to manage contracts, payments, and compliance; retained 7 years (tax/audit).
Employees: Governed by a separate internal notice compliant with employment law.


27) Accessibility & Alternative Formats

We are committed to providing accessible privacy information.
We aim for WCAG 2.1 AA compliance for policy content.
You may request this Policy in an alternative format (large print, audio, or accessible electronic file) by contacting [email protected] or mailing our address.


28) Security Incident Response & Notification

In case of a security incident involving PI:

We will investigate and mitigate the issue promptly.

We will notify affected individuals and regulators as required by law.

We will document the event and corrective actions internally.

No system is completely secure; transmission over the internet is at your own risk.


29) Links to Related Policies

This Privacy Policy should be read alongside:

Terms of Service / Terms & Conditions

Refund & Billing Policy

Disclaimer Policy

Cookie Policy

If provisions conflict, the specific policy governing that subject matter controls.


30) Changes to This Policy

We may update this Privacy Policy periodically.

Versioning: Each revision lists an updated “Effective Date.”

Notice: Material changes will be announced via on-site banner, email, or comparable method.

Archive: Prior versions are available on request.
Continued use of our sites or services after an update constitutes acceptance.


31) Governing Law & Jurisdiction

Unless otherwise specified in a contract, this Policy and related disputes are governed by the laws of the State of [South Carolina or Wyoming], without regard to conflicts-of-law principles.
Dispute resolution follows the Arbitration & Venue clause in our Terms of Service.


32) Contact Information

Assure Lead LLC
Attn: Privacy Officer


215 East Bay Street

Ste 201k #3328

Charleston, South Carolina 29401


Email: [email protected]


If required by regulation, EU/UK representative or DPO details will be posted on our website.


33) Defined Terms Appendix

| Term | Summary Definition |
|---|---|
| Personal Information / Personal Data | Any information identifying or reasonably linkable to an individual or household. |
| Sensitive Personal Information | Categories requiring heightened protection (e.g., precise geolocation, biometric/voice data, government IDs). |
| Controller / Business | Entity determining purposes and means of processing. |
| Processor / Service Provider | Entity processing data on behalf of a controller/business under contract. |
| Sell / Share / Targeted Advertising | Disclosure for value or cross-context ad targeting under CPRA and similar laws. |
| Profiling / Automated Decision-Making | Automated analysis of PI to evaluate personal aspects such as preferences or lead scoring. |
| Global Privacy Control (GPC) | Browser signal indicating a user’s opt-out preference for sale/share/targeted ads. |
| De-identified Data | Data modified so it can no longer reasonably identify an individual. |