Privacy Policy

Last updated: May 16, 2026. This policy explains what data Agent Lead Tracker (“ALT”, “we”, “us”) collects, why we collect it, and how we protect it.

1. Who we are

Agent Lead Tracker is a real-estate CRM operated by Agent Lead Tracker, San Diego, California, USA. For privacy questions, email support@agentleadtracker.com.

2. Information you provide

When you sign up for ALT we collect your name, email address, and password (stored as a salted hash — we never see your plaintext password). When you use the product you may add information about your real-estate contacts, leads, properties, appointments, and messages. That data belongs to you; we store it on your behalf so the product works.

3. Information from Google

If you connect your Google Calendar from Settings → Calendar Sync, we ask Google for permission using OAuth 2.0. The specific access we request is:

  • https://www.googleapis.com/auth/calendar.events — read and write events on the calendars you own. We use this only to (a) push appointments you create in ALT into your Google Calendar, and (b) update or delete those same events when you change them in ALT.

We store the resulting OAuth access token and refresh token in our database, scoped to your ALT account, so the calendar sync can keep working in the background. Tokens are deleted immediately when you disconnect the integration or delete your ALT account.

We do not read events from your calendar that ALT didn’t create, and we do not list, search, or browse calendars other than your primary calendar.

For a step-by-step walkthrough of the consent flow, the exact scope, and how to disconnect, see our Google Calendar integration help page.

3b. Information from Instagram / Meta

If you connect your Instagram business account from Settings → Social, we ask Meta for permission using Instagram's OAuth 2.0 flow (the new "Instagram API with Instagram Login" flow). The specific scopes we request are:

  • instagram_business_basic — read your profile and media.
  • instagram_business_manage_messages — read inbound DMs sent to your business account and send replies you author or that you have configured as auto-replies.
  • instagram_business_manage_comments — read comments on your posts and reply to them.
  • instagram_business_content_publish — publish posts/stories you author in ALT.
  • instagram_business_manage_insights — read post analytics so we can show them in your dashboard.

We store the Instagram access token encrypted at rest with AES-256-GCM, scoped to your ALT account. We store the inbound and outbound DM bodies in our database so the conversation thread shows up in your CRM inbox and is available to the keyword-trigger and AI auto-reply features you opt into. Tokens and stored DM content are deleted when you disconnect the integration or delete your ALT account.

We do not use Instagram DM content for advertising, do not transfer it to third parties for advertising, and do not train AI/ML models on it. AI auto-reply generation sends the conversation context to the model providers listed in §6 only to produce the reply you configured.

You can revoke ALT's access to your Instagram account at any time from Instagram's Settings → Apps and Websites, or by disconnecting in Settings → Social in ALT. Either action invalidates the token within minutes.

4. Limited Use of Google user data

Agent Lead Tracker’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In plain English: we only use Google Calendar data to provide the calendar-sync feature you turned on. We don’t sell it, transfer it to third parties for advertising, use it to train AI/ML models, or let humans read it except (a) with your explicit consent, (b) for security investigations, or (c) when required by law.

5. How we use your information

  • To run the product (showing you your contacts, sending the SMS messages you ask us to send, syncing your calendar, etc.).
  • To generate AI-assisted suggestions inside ALT (e.g. drafting a follow-up message or analyzing a lead). Prompts are sent to model providers listed in §6 and are not used for advertising.
  • To email you transactional product messages (account verification, password resets, billing receipts, security alerts).
  • To detect and prevent abuse, fraud, and security incidents.

We do not sell your personal information, and we do not run advertising inside ALT.

5b. AI training data

To improve the AI features inside ALT over time — auto-replies, drafting suggestions, the assistant, briefings — we log the prompts those features run and the responses the model returns. We use this dataset to fine-tune and evaluate our own in-house models so the product gets smarter and less dependent on third-party APIs.

Before any log row is written, we automatically strip the following from both the prompt and the model output:

  • Email addresses
  • Phone numbers
  • US street addresses and ZIP / postal codes
  • The first and last name of the contact involved in the interaction, and (where available) the agent's persona name

We are training on the shape of prompts and responses, not on the identity of specific people. We do not include training-log data in any product sold or transferred to third parties.

You can opt out at any time from Settings → Account Settings → AI Training & Privacy. When you opt out, no further training rows are written for your account. (As noted in §3b, content from Instagram / Meta is excluded from training regardless of this setting.)

6. Service providers we share data with

To run ALT we rely on a small number of vetted processors. They only see what they need:

  • Google — calendar sync (only when you connect it).
  • Twilio — sending and receiving SMS on your behalf.
  • Resend — sending transactional email (verification, invites, receipts).
  • Stripe — subscription billing.
  • OpenRouter, Anthropic, OpenAI, Google AI — running AI features (drafting messages, analyzing leads). Prompts may include the contact context required to produce a useful answer.
  • Cloudflare — DNS and edge security.

7. How long we keep data

We keep your account data while your account is active. If you cancel and request deletion, we erase your contacts, messages, calendar tokens, and personal information from our production database within 30 days, and from backups within 90 days. Aggregate, non-identifying analytics may be retained beyond that.

8. Your choices and rights

  • Disconnect Google Calendar at any time from Settings → Calendar Sync → Disconnect. We immediately delete the stored tokens.
  • Revoke access on Google’s side at myaccount.google.com/permissions. Google will invalidate our token within minutes.
  • Delete your account by emailing support@agentleadtracker.com from the address on file. We’ll confirm and delete within 30 days.
  • Access or export your data by emailing the same address.
  • If you are in the EU/UK, California, or any other jurisdiction with applicable data-protection law, you have the rights granted by that law (access, correction, portability, erasure, objection). Email us to exercise them.

9. Security

We use TLS for all traffic in and out of the application, encrypt OAuth refresh tokens at rest with AES-256-GCM, scope every database query to the requesting user’s ID, and review our codebase for the OWASP Top 10. No system is perfectly secure; if you discover a vulnerability, please report it to support@agentleadtracker.com and we will respond promptly.

10. Children

ALT is a business tool for licensed real-estate professionals. It is not directed to children under 13, and we do not knowingly collect data from them.

11. Changes to this policy

We may update this policy as the product evolves. If a change is material — for example, a new category of data collected or a new processor — we will email you at the address on file before it takes effect.

12. Contact

Questions, requests, or complaints: support@agentleadtracker.com.