Privacy Policy

Last updated: April 22, 2026

SDR AI is operated by BotLab. This policy explains what we collect, how we use it, and the rights you have over your data. If anything is unclear, reach us at botlab.dev/#contact.

1. Data We Collect

  • Account data: email address and a bcrypt-hashed password. We do not store your password in plaintext.
  • Usage data: the research queries, ICP configurations, drafts, and lead jobs you create, plus the cost, timestamp, and endpoint for each API call.
  • Payment records: top-up history (amount, date, method). Card details are handled by Stripe and never touch our servers. Lightning payments leave only a preimage and sats amount.
  • Technical logs: IP address, user agent, and request paths for rate limiting, fail2ban, and debugging. Retained 90 days.

2. Data We Do Not Collect

  • Credit card numbers (handled by Stripe directly).
  • Behavioral tracking cookies or browser fingerprints.
  • Data from third-party aggregators. SDR AI rejects leads sourced from ZoomInfo, RocketReach, Hunter, Apollo, Buzzfile, and similar services.

3. How We Use It

  • To run the service: authenticate you, bill your balance, serve research and draft results.
  • To protect the service: rate limiting, abuse detection, fraud prevention on payments.
  • To improve the service: aggregate, non-identifying metrics (request counts, error rates, cost per operation).
  • We do not sell your data, ever.

4. Lead Generation Data

The /api/v1/leads endpoint surfaces contact information that firms themselves publish on their websites (contact, team, attorneys, about pages). Each returned lead includes a verification_url pointing to the page where the email was found. DNS MX records are checked to confirm the mailbox domain resolves; we do not probe mailboxes with SMTP RCPT-TO. We do not buy, license, or scrape personal data from data brokers.

If you are an individual whose published contact information appears in a lead result and you would like it suppressed from future research, email the contact address above with the domain to exclude.

5. Third-Party Services

We rely on a small set of providers. Each receives only the minimum data required:

  • Stripe — card payments and billing receipts.
  • LNBits / phoenixd — Lightning invoice generation and settlement proof.
  • Cloudflare — CDN, TLS termination, DDoS protection.
  • Google Gemini API — language-model inference for research summaries and drafts. Queries include the company/contact name you submitted plus any ICP context.
  • Brave Search API — web searches during research and lead generation.
  • Vultr — server hosting (Dallas, TX).

6. Data Retention

  • Research results, ICPs, drafts, and lead jobs: kept indefinitely while your account is active. Deleting an item or your account removes it within 30 days of the next backup rotation.
  • Billing records: retained 7 years for tax and accounting compliance.
  • Technical/access logs: 90 days.
  • Database backups (encrypted): 14 days rolling.

7. Your Rights

Regardless of jurisdiction, you may:

  • Access and export your data (research history, ICPs, drafts) via the dashboard or API.
  • Correct inaccurate account information.
  • Delete individual research items (via API) or your entire account (contact us).
  • Object to, or restrict, processing.
  • Lodge a complaint with your local data protection authority.

We respond to verified requests within 30 days.

8. Security

Passwords are stored as bcrypt hashes. TLS terminates at Cloudflare and is re-established to our origin. API keys and payment credentials are kept in environment files with 0600 permissions on dedicated servers. Admin endpoints are blocked at the web server layer. We run fail2ban and PF blocklists against known scanners.

No system is perfectly secure. If you discover a vulnerability, please report it to botlab.dev/#contact.

9. Children

SDR AI is a business tool and is not intended for, or directed at, individuals under 16. We do not knowingly collect data from children.

10. Changes

We may update this policy. The "Last updated" date at the top changes when we do. Material changes will be announced in the dashboard before they take effect.

11. Jurisdiction

This policy is governed by the laws of British Columbia, Canada.

Contact

Questions or requests: botlab.dev/#contact.