Privacy Policy

Effective Date: March 23, 2026

LeadShutter, a service provided by vSites OÜ ("Company," "we," "us," "our," or "vSites OÜ"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and services.

vSites OÜ is a private limited company registered in Estonia. We are the data controller for the personal information we collect through LeadShutter.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our services.

1. Information We Collect

1.1 Information You Provide Directly

Account Registration Information:

• Full name
• Email address
• Phone number (optional)
• Business name and website URL
• Business location/state
• Ad budget information

Payment Information:

• Billing name and address
• Credit card information (processed securely via Stripe; we do not store this)

Communication Information:

• Any messages, emails, or correspondence you send us
• Information you provide in support requests or feedback

Business Information:

• Your Google Ads account ID (for audit and campaign analysis)
• Business type and service area
• Business details you share with us

Google Ads Account Access:

When you connect your Google Ads account via Google OAuth, we receive:

• An OAuth access token and refresh token (used to access your Google Ads data on your behalf)
• Your Google email address
• Your Google Ads customer ID

We store these tokens securely in our database. The refresh token allows us to access your account data for ongoing audits and monitoring without requiring you to re-authenticate each time. You can revoke access at any time through your Google Account settings (myaccount.google.com/permissions).

1.2 Information Collected Automatically

Website Usage Data:

• IP address
• Browser type and version
• Operating system
• Pages visited and time spent on pages
• Referral source
• Device information (desktop/mobile)

Tracking Technologies:

• Cookies (session and persistent)
• Web beacons
• Google Analytics (see Section 5 for details)

Google Ads Account Data:

• Search term reports (the actual queries that triggered your ads)
• Campaign performance metrics (impressions, clicks, cost, conversions)
• Keyword and negative keyword data
• Ad schedule and geographic targeting data
• Auction insights (competitor domain visibility data)
• Budget and spend information

AI Processing:

• We send your search term data to AI language model providers (such as Google Gemini or Anthropic Claude) for classification and analysis
• Search terms are sent in batches without your personal identifying information
• AI providers process this data according to their own privacy policies and do not use it for model training

2. How We Use Your Information

We use the personal information we collect for the following purposes:

2.1 Providing and Improving Services

• Auditing your Google Ads account for wasted spend and optimization opportunities
• Classifying search terms using AI to identify irrelevant, competitor, or too-broad queries
• Applying negative keywords to your campaigns (only when you explicitly request it)
• Generating audit reports and grades based on your campaign performance
• Monitoring your campaigns for ongoing waste detection (paid tier)
• Delivering customer support
• Responding to inquiries and requests
• Improving our service quality and user experience

2.2 Payment and Billing

• Processing payments and refunds
• Invoicing and account management
• Detecting and preventing fraudulent transactions

2.3 Communication

• Sending transactional emails (order confirmations, receipts, campaign updates)
• Sending service notifications (campaign launches, performance reports)
• Responding to customer support requests

2.4 Marketing and Business Operations

• Sending promotional emails or newsletters (only with your consent or as permitted by law)
• Analyzing market trends and user behavior
• Improving marketing strategies
• Conducting research and analytics

2.5 Compliance and Legal Obligations

• Complying with legal requirements and regulations (including GDPR, CCPA, etc.)
• Establishing, defending, or protecting our legal rights
• Investigating fraud or unauthorized access

2.6 Aggregated and De-Identified Data

• Creating aggregated or anonymized data for statistical and analytical purposes
• Sharing insights about campaign performance trends (without identifying you)

3. How We Share Your Information

3.1 Third-Party Service Providers

We share your information with trusted third-party providers who assist us in delivering services:

Stripe (Payment Processing)

• Your billing name, address, and payment method
• Stripe processes payments securely and is PCI DSS compliant
• Privacy Policy: https://stripe.com/privacy

Supabase (Data Storage)

• Your account information, campaign data, and user preferences
• Supabase securely stores our database
• Privacy Policy: https://supabase.com/privacy

Google (Google Ads Account)

• We access your Google Ads account via OAuth to read campaign data and apply negative keywords
• Google's Privacy Policy: https://policies.google.com/privacy
• Google API Services User Data Policy: https://developers.google.com/terms/api-services-user-data-policy

AI Language Model Providers (Google Gemini, Anthropic Claude)

• We send search term data (without personal identifiers) for classification and analysis
• Google AI Privacy: https://ai.google.dev/gemini-api/terms
• Anthropic Privacy: https://www.anthropic.com/privacy

Resend (Email Service)

• Your email address for transactional and marketing communications
• Used to send audit reports and weekly digests
• Privacy Policy: https://resend.com/legal/privacy-policy

3.2 Legal Obligations

We may disclose your information if required by law or if we believe in good faith that disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service
• Protect the safety, rights, and property of vSites OÜ, our users, or the public
• Detect and prevent fraud or security issues

3.3 Business Transfers

If vSites OÜ is acquired, merged, or substantially all of our assets are transferred, your information will be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

3.4 No Sale of Personal Information

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

4. Data Retention

4.1 Retention Periods

We retain your personal information for as long as necessary to:

• Provide our services to you
• Fulfill our contractual obligations
• Comply with legal and tax requirements
• Resolve disputes

4.2 Specific Retention Policies

• Account Information: Retained for the duration of your account plus 7 years (for tax and legal compliance)
• Payment Information: Not retained by us (Stripe retains per their policy)
• Google Ads Data & Audit Results: Retained as long as your account is active; deleted upon account closure (unless required by law)
• Google OAuth Tokens: Deleted immediately when you disconnect your Google Ads account or close your account
• Email Communications: Retained for 2 years or as required by law
• Website Analytics: Retained for 26 months (Google Analytics default)

4.3 Deletion Requests

You may request deletion of your data at any time by contacting [email protected]. We will delete data within 30 days unless we are required to retain it by law.

5. Cookies and Tracking Technologies

5.1 Types of Cookies We Use

Essential Cookies:

• Session cookies (to maintain your login session)
• Security cookies (to detect fraud)

Analytics Cookies:

• Google Analytics (to understand user behavior and optimize our service)

Functional Cookies:

• Preference cookies (to remember your choices and settings)

5.2 Google Analytics

We use Google Analytics to collect and analyze website usage data. Google Analytics uses cookies and similar technologies to track your activity.

• Google Analytics Privacy Policy: https://policies.google.com/privacy
• You can opt out of Google Analytics: https://tools.google.com/dlpage/gaoptout

5.3 Cookie Preferences

Most web browsers allow you to control cookies through your browser settings. You can:

• Delete all cookies
• Block all cookies
• Allow only certain cookies

Note: Disabling essential cookies may impact your ability to use our services.

5.4 Do Not Track

Some browsers have a "Do Not Track" feature. We do not currently respond to DNT signals, but you can control tracking through your browser settings.

6. Your Rights and Choices

6.1 General Rights

You have the right to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete information
• Request deletion of your personal information (subject to legal requirements)
• Opt out of marketing communications
• Port your data to another service

6.2 European Union (GDPR) Rights

If you are a resident of the EU, you have additional rights under the General Data Protection Regulation:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion ("right to be forgotten"), subject to exceptions
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing of your data for specific purposes
• Right to Withdraw Consent: Withdraw consent to data processing at any time
• Right to Lodge a Complaint: File a complaint with your local Data Protection Authority

6.3 California Residents (CCPA)

If you are a California resident, you have the right to:

• Know what personal information is collected, used, shared, or sold
• Request deletion of your personal information
• Opt out of the sale or sharing of your personal information
• Non-discrimination for exercising your rights

6.4 Canadian Residents (PIPEDA)

If you are a Canadian resident, you have the right to:

• Access your personal information
• Request correction of inaccurate information
• Request deletion or anonymization
• Opt out of marketing communications

6.5 How to Exercise Your Rights

To exercise any of these rights, contact us at [email protected] with:

• Your name and email address
• A description of your request
• Verification of your identity

We will respond within 30 days (or as required by applicable law).

7. Data Security

7.1 Security Measures

We implement industry-standard security measures to protect your personal information, including:

• Encryption of data in transit (HTTPS/TLS)
• Secure password storage (hashed and salted)
• Access controls and authentication
• Regular security audits and updates
• Firewall protection

7.2 Payment Security

Payment information is processed securely via Stripe and is PCI DSS Level 1 compliant. We do not store your credit card information on our servers.

7.3 Limitations

While we implement robust security measures, no security system is impenetrable. We cannot guarantee absolute security of your data. You use our services at your own risk.

7.4 Data Breach Notification

In the event of a data breach, we will notify affected users and relevant authorities as required by law within 30 days of discovery.

8. Third-Party Links and Services

Our website and services may contain links to third-party websites and services that are not operated by vSites OÜ. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices.

Third parties may include:

• Google Ads
• Google Analytics
• Stripe
• Supabase
• Email service providers

We encourage you to review the privacy policies of any third-party services before providing your information.

9. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we discover we have collected information from a child under 18, we will delete it immediately.

10. International Data Transfers

vSites OÜ is based in Estonia. Your personal information may be stored, processed, or transferred to servers located in Estonia or other countries where we operate.

10.1 EU/EEA Residents

If you are located in the EU or EEA, your data may be transferred outside the EU/EEA. We implement appropriate safeguards, including:

• Standard contractual clauses (SCCs)
• Your explicit consent
• Other legally recognized mechanisms

By using our services, you consent to the transfer of your data as described in this Privacy Policy.

11. Data Protection Officer and Compliance

If you have questions about our data protection practices or wish to file a complaint, you may contact:

LeadShutter Support:

• Email: [email protected]

Company Information:

• Company: vSites OÜ
• Registry Code: [YOUR ESTONIAN REGISTRY CODE]
• Location: Tallinn, Estonia

Estonian Data Protection Authority:

• Estonian Data Protection Inspectorate (EDPI)
• https://www.aki.ee

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email or by posting an updated version on our website.

• Effective Date: March 23, 2026
• Last Updated: March 23, 2026

Your continued use of our services after changes are posted constitutes your acceptance of the updated Privacy Policy.

13. Compliance Standards

This Privacy Policy is designed to comply with:

• GDPR (EU General Data Protection Regulation)
• Estonian Personal Data Protection Act
• CCPA (California Consumer Privacy Act)
• PIPEDA (Personal Information Protection and Electronic Documents Act - Canada)
• LGPD (Brazil's General Data Protection Law)

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]
Company: vSites OÜ (operating as LeadShutter)
Registry Code: 17112051 Location: Tallinn, Estonia

We will respond to your inquiry within 30 days.

Last Updated: March 23, 2026