← Back to PropLead

Privacy Policy

Last updated: March 2026

PropLead ("we," "us," or "our") operates the PropLead platform available at propleadcrm.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices described herein, you should not use the Service.

This Privacy Policy applies to all users of the Service, including account holders, team members, and visitors to our website. It does not apply to third-party websites or services that may be linked from our platform.

1. Information We Collect

We collect the following categories of information:

1.1 Account and Profile Information

  • Full name, email address, phone number, and job title.
  • Organization name, business type, and team size.
  • Billing information, including billing address, GST identification number (for Indian customers), and payment method details (processed and stored by our payment providers, not by PropLead directly).
  • Profile photograph (if uploaded).
  • Authentication credentials (password hash) or third-party OAuth tokens (e.g., Google).

1.2 Customer Data (CRM Data)

This is data you input into the Service as part of your CRM operations. You are the data controller of this information, and PropLead acts as a data processor on your behalf:

  • Lead and contact information: names, phone numbers, email addresses, addresses, and other contact details of your prospects and customers.
  • Property listings, project details, and inventory data.
  • Notes, tags, custom fields, and activity logs associated with leads and contacts.
  • Deal and pipeline data, including stage, value, and expected close dates.
  • Documents and files uploaded to the platform.

1.3 Communication Data

  • WhatsApp messages, SMS messages, and email communications sent and received through the platform.
  • Message templates, broadcast lists, and campaign data.
  • Delivery status, read receipts, and response metadata.
  • Call logs and recordings (if applicable and enabled by you).

1.4 Usage Data

  • Pages viewed, features used, actions taken, and time spent on the platform.
  • Search queries and filter usage within the Service.
  • API calls, integration events, and automation execution logs.
  • Error logs and performance data.

1.5 Technical Data

  • IP address, browser type and version, operating system, and device type.
  • Screen resolution, language preference, and time zone.
  • Referring URL and pages visited on our marketing website.
  • Unique device identifiers and cookie identifiers.

2. How We Collect Information

We collect information through the following methods:

2.1 Directly from You

  • Registration: When you create an account, you provide your name, email, phone number, organization details, and other profile information.
  • CRM Usage: When you add leads, contacts, properties, deals, and other records to the platform.
  • Communications: When you send messages through the platform's messaging channels or contact our support team.
  • Billing: When you subscribe to a paid plan and provide payment information.

2.2 Through Google OAuth

If you choose to sign in using Google OAuth, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password. The information we access is limited to what is necessary for authentication and is governed by Google's API Services User Data Policy.

2.3 Automatically

  • Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to collect usage and technical data. See Section 9 (Cookies and Tracking) for details.
  • Server Logs: Our servers automatically record information when you access the Service, including IP address, request URL, timestamp, and response status.
  • Analytics: We use analytics services to understand usage patterns and improve the Service.

2.4 From Third Parties

  • Messaging Providers: Delivery receipts, read receipts, and message status updates from WhatsApp Business API, Twilio (SMS), and SendGrid (email).
  • Payment Processors: Transaction confirmation, payment status, and basic billing information from Razorpay and Paddle.
  • Lead Sources: If you configure lead capture integrations (e.g., Facebook Lead Ads, website forms), we receive lead data from those sources as configured by you.

3. How We Use Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Service

  • To create and manage your account, authenticate your identity, and maintain your session.
  • To deliver the core CRM functionality, including lead management, contact management, property management, and pipeline tracking.
  • To facilitate multi-channel messaging (WhatsApp, SMS, email) as directed by you.
  • To execute automated workflows and triggers configured by you.
  • To generate reports, analytics, and dashboards based on your data.

3.2 AI-Powered Features

  • To power AI lead qualification and scoring based on lead attributes and interaction history.
  • To generate AI-assisted message responses and conversation summaries.
  • To provide intelligent recommendations for follow-ups and next actions.
  • See Section 7 (AI/LLM Data Processing) for detailed information on AI data handling.

3.3 Billing and Payments

  • To process subscription payments, usage-based charges, and generate invoices.
  • To send payment confirmations, billing reminders, and failed payment notifications.

3.4 Communication

  • To send transactional emails (account verification, password resets, billing receipts).
  • To send service-related communications (feature updates, maintenance notices, security alerts).
  • To respond to your support requests and inquiries.
  • To send product updates and marketing communications (with your consent, and with the ability to opt out).

3.5 Improvement and Development

  • To analyze aggregated and anonymized usage patterns to improve the Service.
  • To identify and fix bugs, errors, and performance issues.
  • To develop new features and functionality based on usage trends.

3.6 Security and Compliance

  • To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
  • To enforce our Terms of Service and Acceptable Use Policy.
  • To comply with applicable legal obligations, regulatory requirements, and lawful government requests.

4. Data Storage and Security

4.1 Infrastructure

All Customer Data and Service data is stored on Google Cloud Platform (GCP) infrastructure located in the Mumbai region (asia-south1), India. Our infrastructure is hosted within GCP's SOC 2 Type II, ISO 27001, and ISO 27017 certified data centers.

4.2 Encryption

  • Data at Rest: All data stored in our databases and file storage systems is encrypted using AES-256 encryption. Database-level encryption is enabled by default on all GCP storage services we use.
  • Data in Transit: All data transmitted between your browser/device and our servers is encrypted using TLS 1.2 or higher. Internal service-to-service communication within our infrastructure is also encrypted.
  • Sensitive Fields: Certain sensitive data fields, such as API keys, third-party credentials (BYOC tokens), and authentication tokens, are additionally encrypted at the application level before storage.

4.3 Access Controls

  • Access to production systems and databases is restricted to authorized engineering personnel on a strict need-to-know basis.
  • All production access is authenticated, logged, and periodically audited.
  • We implement the principle of least privilege for all system access.
  • Employee access to Customer Data is limited to what is necessary to provide support and maintain the Service.

4.4 Backups

We perform automated daily backups of all databases. Backups are encrypted and stored in geographically separate locations within India. Backup retention follows our data retention policy, and backups of deleted data are purged within ninety (90) days.

4.5 Incident Response

PropLead maintains an incident response plan to address data security breaches. In the event of a data breach that affects your personal data, we will notify affected users and relevant regulatory authorities in accordance with applicable data protection laws, typically within seventy-two (72) hours of becoming aware of the breach.

5. Multi-Tenancy and Data Isolation

PropLead is a multi-tenant SaaS platform, meaning multiple organizations share the same underlying infrastructure. However, we implement strict data isolation measures to ensure your data remains private and inaccessible to other tenants:

  • Logical Data Isolation: Each organization's data is logically separated using unique tenant identifiers enforced at the database query level. All data access is scoped to your organization's tenant context.
  • Application-Level Enforcement: Our application layer enforces tenant boundaries on every API request, ensuring that users can only access data belonging to their own organization.
  • Role-Based Access Control (RBAC): Within each organization, access to data is further restricted based on user roles and permissions configured by the organization administrator.
  • Audit Logging: All data access operations are logged to enable security audits and compliance verification.

No organization can view, access, modify, or query another organization's data through the Service.

6. Third-Party Data Sharing

PropLead does not sell your personal data or Customer Data to any third party. We share data with third parties only in the following circumstances and only to the extent necessary:

6.1 Service Providers (Data Processors)

  • Twilio: We share recipient phone numbers and message content with Twilio to deliver SMS messages on your behalf. Twilio processes this data as a sub-processor under their Data Protection Addendum.
  • SendGrid (Twilio): We share recipient email addresses, email content, and sender information with SendGrid to deliver emails on your behalf.
  • Meta / WhatsApp Business API: We share recipient phone numbers, message content, and media with Meta's WhatsApp Business API to deliver WhatsApp messages on your behalf. Meta processes this data in accordance with the WhatsApp Business Data Processing Terms.
  • Google Cloud Platform: Our infrastructure provider. All data stored and processed through our Service resides on GCP infrastructure. GCP acts as a sub-processor and is bound by Google Cloud's Data Processing and Security Terms.
  • Google Gemini (AI): We send limited data to Google's Gemini AI models for AI-powered features. See Section 7 for details.
  • Razorpay: We share billing information with Razorpay to process payments for Indian customers. Razorpay is PCI-DSS compliant and processes payment data under their privacy policy.
  • Paddle: We share billing information with Paddle to process payments for international customers. Paddle acts as the Merchant of Record and processes payment data under their privacy policy and GDPR-compliant data processing agreement.

6.2 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements. We will endeavor to notify you before disclosing your information unless prohibited by law or court order.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or use of your personal data.

6.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so, such as when you enable a third-party integration within the Service.

7. AI/LLM Data Processing

PropLead uses Google's Gemini large language models to power AI features within the Service. We are committed to transparency about how your data is used in connection with AI features.

7.1 What Data is Sent to AI Models

When you use AI-powered features, the following data may be sent to Google Gemini for processing:

  • Lead Qualification: Lead attributes (name, source, inquiry details, property preferences) and interaction history (messages, engagement signals) are sent to generate qualification scores and insights.
  • Smart Responses: Recent conversation context (the most recent messages in a conversation thread) is sent to generate suggested responses.
  • Conversation Summaries: Message content from a conversation thread is sent to generate a summary.
  • Content Generation: Prompts and context you provide are sent to generate message templates, property descriptions, or other content.

7.2 How AI Data is Handled

  • Data sent to Google Gemini is processed through Google Cloud's Vertex AI platform under our enterprise agreement with Google Cloud.
  • Under our agreement, Google does not use your data sent through Vertex AI to train, improve, or develop general AI/ML models. Your data is used solely to provide the requested AI output.
  • AI inputs and outputs are transmitted over encrypted channels (TLS 1.2+).
  • We do not permanently store the raw AI prompts or outputs on third-party systems. AI-generated results (e.g., qualification scores, suggested responses) are stored within your PropLead account data on our infrastructure.
  • You can choose not to use AI-powered features. AI features are optional and can be disabled by your organization administrator.

7.3 AI Limitations

AI-generated outputs (scores, suggestions, summaries) are provided as assistive tools and should not be treated as definitive assessments. PropLead is not responsible for decisions made based on AI-generated outputs. Users should review and verify AI-generated content before acting on it.

8. WhatsApp/SMS Data

8.1 WhatsApp Business API Compliance

PropLead facilitates WhatsApp messaging through the Meta WhatsApp Business API. When you use WhatsApp messaging through PropLead:

  • Messages are transmitted through Meta's infrastructure and are subject to Meta's WhatsApp Business Terms and Privacy Policy.
  • Meta may access message metadata (sender, recipient, timestamp, delivery status) as part of operating the WhatsApp Business API.
  • WhatsApp messages are end-to-end encrypted between Meta's servers and the recipient's device. Messages stored within PropLead are encrypted at rest on our servers.
  • You are responsible for complying with WhatsApp's Business Policy, Commerce Policy, and messaging guidelines, including obtaining opt-in consent from recipients before sending messages.
  • Message templates used for business-initiated conversations are subject to Meta's template approval process.

8.2 SMS Data

SMS messages sent through PropLead are transmitted via Twilio or your own BYOC provider:

  • Recipient phone numbers and message content are shared with the SMS provider for delivery.
  • SMS delivery is subject to the SMS provider's terms and applicable telecommunications regulations.
  • You are responsible for complying with applicable regulations, including TCPA (US), TRAI DND regulations (India), and other local telemarketing and SMS regulations.

8.3 Message Storage

All messages (WhatsApp, SMS, email) sent and received through PropLead are stored within your account for the duration of your subscription to enable CRM functionality such as conversation history, search, and reporting. Messages are encrypted at rest and are subject to the data retention periods described in Section 10.

9. Cookies and Tracking

PropLead uses cookies and similar tracking technologies to operate and improve the Service. Below is an overview of the types of cookies we use:

9.1 Essential Cookies

These cookies are strictly necessary for the Service to function. They include session cookies for authentication, CSRF protection tokens, and user preference cookies (e.g., language, theme). You cannot opt out of essential cookies as they are required for the Service to operate.

9.2 Analytics Cookies

We may use analytics cookies to understand how users interact with the Service, which pages are most visited, and where errors occur. Analytics data is aggregated and anonymized. We may use services such as Google Analytics or similar tools for this purpose.

9.3 Performance Cookies

These cookies help us understand and improve the performance of the Service by collecting data on load times, server response times, and error rates.

9.4 Managing Cookies

You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may prevent you from using the Service. For analytics and performance cookies, you may opt out through your browser settings or through the cookie preferences option on our website (where available).

10. Data Retention

We retain your data for as long as necessary to fulfill the purposes described in this Privacy Policy, subject to the following guidelines:

  • Active Accounts: Your account data and Customer Data are retained for the duration of your active subscription.
  • After Cancellation: Upon cancellation of your subscription, your data is retained for thirty (30) days to allow for reactivation or data export. After this period, data is queued for permanent deletion.
  • Permanent Deletion: Data queued for deletion is permanently removed from our primary databases within thirty (30) days and from all backups within ninety (90) days.
  • Communication Logs: Message and conversation data is retained for the duration of your subscription and deleted in accordance with the schedule above upon account closure.
  • Billing Records: Transaction records, invoices, and payment history are retained for a minimum of eight (8) years as required by Indian tax and accounting regulations.
  • Usage Logs: Server logs and usage analytics are retained for up to twelve (12) months for security, performance monitoring, and debugging purposes, after which they are aggregated or anonymized.
  • Support Tickets: Support correspondence is retained for up to twenty-four (24) months after the ticket is resolved to maintain service quality and for reference.
  • Legal Holds: If we are required to retain data due to a legal obligation, regulatory requirement, or ongoing legal proceeding, we will retain the relevant data for as long as required, even if it exceeds the standard retention periods.

11. User Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you. You can access most of your data directly through the Service dashboard.
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.
  • Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data, subject to applicable legal retention requirements. Deleting your account will initiate the data deletion process described in Section 10.
  • Right to Data Portability: You have the right to receive your personal data and Customer Data in a structured, commonly used, machine-readable format (e.g., CSV, JSON). You can export your data using the export tools within the Service.
  • Right to Object: You have the right to object to the processing of your personal data for certain purposes, including direct marketing. You can opt out of marketing communications using the unsubscribe link in our emails.
  • Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

How to Exercise Your Rights: To exercise any of these rights, please contact us at privacy@propleadcrm.com. We will verify your identity before processing your request and respond within thirty (30) days. In complex cases, we may extend this period by an additional sixty (60) days, in which case we will inform you of the extension and the reasons for the delay.

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.

12. GDPR Compliance

For users located in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), PropLead complies with the General Data Protection Regulation (GDPR) and the UK GDPR.

12.1 Legal Bases for Processing

We process your personal data on the following legal bases:

  • Contractual Necessity (Article 6(1)(b)): Processing necessary to perform our contract with you (i.e., providing the Service).
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security, provided these interests do not override your fundamental rights.
  • Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent (e.g., marketing communications, optional AI features).
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations (e.g., tax record-keeping, responding to lawful government requests).

12.2 Data Processing Agreement

Where PropLead processes Customer Data on your behalf (i.e., where you are the data controller and PropLead is the data processor), we offer a Data Processing Agreement (DPA) that complies with GDPR Article 28 requirements. To request a DPA, please contact us at privacy@propleadcrm.com.

12.3 EU Representative

As PropLead is based in India, we are in the process of appointing an EU representative under GDPR Article 27. Details of our EU representative will be published on this page once appointed. In the interim, you may direct GDPR-related inquiries to privacy@propleadcrm.com.

13. Indian Data Protection Compliance

PropLead complies with the Digital Personal Data Protection Act, 2023 (DPDPA) and its implementing rules as applicable to our operations in India.

  • Lawful Purpose: We process personal data only for lawful purposes as described in this Privacy Policy and with appropriate consent or other legal basis.
  • Consent: We obtain clear and informed consent for the collection and processing of personal data from Indian users. You may withdraw consent at any time through your account settings or by contacting us.
  • Data Principal Rights: Indian users have the right to access, correct, and erase their personal data, and the right to nominate a representative to exercise these rights. These rights can be exercised as described in Section 11.
  • Reasonable Security Safeguards: We implement reasonable security safeguards to protect personal data as required under the DPDPA, including encryption, access controls, and regular security assessments.
  • Breach Notification: In the event of a personal data breach, we will notify the Data Protection Board of India and affected data principals in accordance with DPDPA requirements.
  • Grievance Redressal: You may raise any grievances related to your personal data by contacting our Grievance Officer (see Section 17 for contact details).

14. Children's Privacy

The Service is not intended for or directed at individuals under the age of eighteen (18). PropLead does not knowingly collect, store, or process personal data from children under 18.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take prompt steps to delete such data from our systems. If you believe that a child under 18 has provided personal data to PropLead, please contact us immediately at privacy@propleadcrm.com so that we can take appropriate action.

15. International Data Transfers

PropLead is based in India, and your data is primarily stored on Google Cloud Platform servers in the Mumbai region, India. However, in the course of providing the Service, your data may be transferred to and processed in countries other than your country of residence in the following circumstances:

  • Messaging Providers: When you send WhatsApp, SMS, or email messages, message content and recipient data are transmitted to the respective messaging provider's infrastructure, which may be located in the United States or other jurisdictions.
  • AI Processing: Data sent to Google Gemini for AI processing may be processed on Google's infrastructure in various locations, subject to our enterprise agreement with Google Cloud.
  • Payment Processing: Payment data for international customers processed through Paddle may be handled in the EU or other jurisdictions where Paddle operates.

Where personal data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA.
  • Data processing agreements with all sub-processors that include data protection obligations at least as protective as those in this Privacy Policy.
  • Verification that third-party providers maintain appropriate security certifications and compliance frameworks.

16. Changes to This Policy

PropLead may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make changes:

  • We will update the "Last updated" date at the top of this page.
  • For material changes that affect how we collect, use, or share your personal data, we will provide at least thirty (30) days' notice via email to the address associated with your account and/or a prominent notice within the Service.
  • Non-material changes (formatting corrections, clarifications that do not change the substance of the policy) may be made without prior notice.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and delete your account before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:

General Privacy Inquiries

Email: privacy@propleadcrm.com

Data Protection Officer / Grievance Officer

Email: dpo@propleadcrm.com

General Support

Email: support@propleadcrm.com

PropLead

Website: propleadcrm.com

Address: Bengaluru, Karnataka, India