LEADWING Privacy Policy

ABN: 34 695 083 642 — Last Updated: 19/03/2026

Leadwing Pty Ltd ABN 34 695 083 642 (“Leadwing”, “we”, “us”) is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, and securely store personal information through our proprietary AI-powered lead orchestration infrastructure. This policy applies to our business clients (“Clients”) and the end-users who interact with our Services via our Clients' platforms (“End-Customers”).

1. Information We Collect

1.1 Personal Information

We may collect the following types of personal information:

  • Names, phone numbers, email addresses, and physical addresses/postcodes.
  • Enquiry details, service requirements, and interaction history (chat logs).
  • Website interaction data, usage patterns, and technical data (IP addresses, device info).
  • Business contact and billing information from our Clients.

1.2 Interactive AI Collection

Information is collected through our proprietary AI assistant embedded on Client websites. By interacting with the AI, you consent to the real-time processing of your data to qualify your service request and facilitate routing to the appropriate service provider within our network.

2. How We Use & Route Personal Information

2.1 Primary Purposes

We use personal information to:

  • Operate and deliver our Services to Clients.
  • Accurately qualify and route enquiries to the correct geographical service provider.
  • Improve AI conversational accuracy and routing performance.
  • Provide network-wide analytics and reporting to Client Head Offices.

2.2 Network Distribution & Routing (Franchise & Multi-Location Clients)

Leadwing operates a centralised lead orchestration system. Depending on the postcode or location data provided, End-Customer information will be disclosed directly to the specific, independent franchisee or authorised service partner responsible for that geographic area. These partners are independent entities; however, they are required by the Client Head Office to handle data in accordance with the Australian Privacy Act 1988.

2.3 Direct Marketing

We do not use End-Customer information for our own marketing purposes. We may contact our business Clients regarding service updates; Clients may opt out at any time.

3. AI Processing & Our Role as Data Processor

3.1 Client Responsibility (Data Controller)

Leadwing acts as a Data Processor. Our Clients are the Data Controllers. The Client warrants that they have obtained all necessary consents to allow Leadwing to process End-Customer data.

3.2 Use of Artificial Intelligence & LLMs

We utilise Large Language Models (LLMs) and Natural Language Processing (NLP) to interpret and categorise enquiries. While the AI analyses message content to provide accurate responses and route leads, this data is used strictly for fulfilling the immediate request and is never used to train public AI models.

4. Data Storage, Security & Proprietary Infrastructure

4.1 Australian Data Storage

All customer and lead data collected through Leadwing is stored in a PostgreSQL database hosted on Supabase, with servers located in Sydney, Australia (AWS ap-southeast-2). This ensures all data remains within Australian jurisdiction in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Data may only briefly pass through overseas jurisdictions where specific AI model providers operate, as noted in Section 5.

4.2 Data Encryption

All data collected and processed by Leadwing is encrypted both at rest and in transit using industry-standard encryption protocols, including:

  • At Rest: AES-256 encryption applied to all stored data within our secure PostgreSQL database infrastructure.
  • In Transit: All data transmission occurs exclusively over encrypted channels using HTTPS/TLS 1.3, minimising exposure and preventing interception.

4.3 Secure Backend Architecture

No client, end-user, or external system connects directly to Leadwing's database. All database access is exclusively mediated through a dedicated Node.js backend application hosted on Railway. This backend acts as the sole access point for all data operations, enforcing authentication and business logic before any database interaction occurs.

Every request to the backend must include a valid API key transmitted via a secure request header. Requests without a valid key are rejected outright. The database service role key — which grants elevated database access — is stored exclusively as a server-side environment variable and is never exposed in client-facing code, public repositories, or transmitted over the network.

4.4 Tenant Data Isolation (Schema-Per-Client Architecture)

Leadwing employs a schema-per-tenant architecture within its PostgreSQL database. Each Client is assigned a dedicated, isolated PostgreSQL schema, meaning their data is structurally separated from all other Clients at the database level. Data isolation is enforced at the application layer: the backend is designed such that all queries are explicitly scoped to the requesting Client's schema, making cross-client data access architecturally impossible under normal operation.

4.5 API Security

All API connections used within Leadwing's infrastructure are secured as follows:

  • All API keys and sensitive credentials are stored as encrypted server-side environment variables.
  • No sensitive credentials, API keys, or tokens are hardcoded within application code or publicly accessible repositories.
  • Access to all API endpoints is authenticated, and all communications are encrypted in transit per Section 4.2.

4.6 Custom-Coded Infrastructure

Unlike solutions that rely on third-party automation middleware — which increases data vulnerability and introduces fragile dependencies — Leadwing utilises a custom-coded, serverless backend infrastructure. This minimises the attack surface and ensures direct control over how data is accessed, processed, and protected.

4.7 Audit Trail

All lead interactions processed through Leadwing's infrastructure are logged with full timestamps, creating a comprehensive audit trail. This log records the date, time, and nature of each lead interaction and routing event. The complete audit trail is maintained securely and is available to the network operator (Client Head Office) upon request.

5. Data Retention & Third-Party Sharing

5.1 Data Retention

Leadwing applies the following data retention periods:

  • End-Customer Lead Data: Customer lead data is retained for ninety (90) days from the date of collection, after which it is permanently and irreversibly deleted from our systems, unless a longer retention period has been expressly agreed in writing between Leadwing and the Client.
  • Client Business Data: Retained for the duration of the Client relationship plus seven (7) years for legal and accounting purposes.

5.2 No Third-Party Sharing

Lead data collected through Leadwing is never sold, shared, or distributed to any third party outside of the Client's own franchise or service network. Specifically:

  • Lead data is used solely for the purpose of lead routing and reporting within the Client's franchise or multi-location network.
  • Leadwing does not sell, trade, or transfer End-Customer data to external parties for any commercial, marketing, or other purpose.
  • Data is shared only with the specific, authorised franchisee or service partner responsible for the relevant geographic territory, as directed by the Client Head Office.

5.3 Third-Party Service Providers (Infrastructure Only)

Leadwing deliberately bypasses fragile third-party automation tools to protect your data. We only utilise enterprise-grade infrastructure providers strictly necessary for service delivery, including:

  • AI model and logic providers (e.g., OpenAI, Anthropic, Voiceflow).
  • Secure database and cloud hosting (e.g., Supabase, AWS ap-southeast-2).
  • Direct API SMS/Email communication gateways.

These providers are used solely for infrastructure purposes and are not permitted to use your data for their own commercial purposes.

5.4 Overseas Disclosure

By using the Services, you acknowledge that data may be briefly processed by AI model providers operating in the United States and other jurisdictions to facilitate AI logic, as described in Section 4.1. All other data storage and processing occurs within Australia.

6. Your Rights & Choices

6.1 Access & Correction

Individuals have the right to request access to or correction of their personal information held by Leadwing.

6.2 End-Customer Requests

Because Leadwing operates strictly as a Data Processor infrastructure, End-Customers seeking to access, correct, or delete their data should contact the specific Client business (e.g., the franchise Head Office) directly. Leadwing will execute these deletion/correction requests immediately upon instruction from the Client.

7. Complaints

If you believe we have breached the Privacy Act, please contact us at admin@leadwing.com.au. We will investigate and respond within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

8. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to Clients via email. Continued use of the Services after an update constitutes acceptance of the revised policy.

9. Contact Us

Leadwing Pty Ltd

26 Ormuz Road, Yeronga, Queensland, Australia

Website: www.leadwing.com.au

Email: admin@leadwing.com.au