Privacy Policy

This Privacy Policy describes how Leadseeder, LLC, a limited liability company organized under the laws of the State of Delaware, with a principal place of business at 1111b South Governors Avenue, Dover, DE 19904, USA ("GroupMailBox," "we," "us," or "our"), collects, uses, discloses, and protects information when you ("you," "User," or "Customer") access or use the GroupMailBox website (the "Site"), the GroupMailBox Chrome browser extension (the "Extension"), and any related backend services (collectively, the "Services").

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the Services.

1. Scope and Roles

GroupMailBox provides software-as-a-service tools that enable administrators of Facebook™ groups ("Group Admins") to capture answers to membership screening questions submitted by prospective members of their own groups, append those answers to a Google Sheet they connect, and (optionally) send email campaigns to those leads from the Group Admin's own Gmail account.

For the purposes of the EU/UK General Data Protection Regulation ("GDPR") and analogous laws:

• (a) Member & Recipient Data. When you use the Services to process personal data of prospective Facebook-group members, your existing leads, or campaign recipients ("Member Data"), you are the "controller" and GroupMailBox acts as a "processor" or "service provider." Our processing of Member Data on your behalf is governed by our Data Processing Agreement.
• (b) Account Data. When we process information about you as the GroupMailBox account holder — registration, license, OAuth tokens you authorized, billing, and product-usage data ("Account Data") — GroupMailBox is the "controller."

This Privacy Policy primarily describes our processing of Account Data and gives a high-level summary of our processing of Member Data; the full Member Data terms are in the Data Processing Agreement.

2. Information We Collect

2.1 Information you provide directly to us

• Account registration data: license key, the email address Google returns at OAuth, and the Google Sheet ID you connect.
• Customer-support communications you initiate.
• Marketing preferences (e.g. newsletter opt-in).

2.2 Information collected automatically

• Device and browser metadata (browser type, version, operating system).
• IP address and approximate geolocation derived from IP.
• Log data: timestamps, requests, error reports, and counters used to enforce rate limits and the daily 450-message Gmail send cap.
• Cookies and similar technologies on the Site (see Section 11).

2.3 Information processed by the Extension on your device

The Extension activates only on Facebook Group member-request administration pages, only when you (the logged-in Group Admin) navigate there. It does not run on any other website or any other Facebook page, and does not browse, crawl, or fetch Facebook content in the background.

When active, the Extension reads only:

• The display names and public Facebook profile URLs of pending members shown to you.
• The screening-question answers those pending members have voluntarily submitted to your group.
• The Facebook Group ID of the page you are viewing.
• Your Extension settings (selected sheet, mapping, filters, UI preferences).

The Extension does NOT access: your private Facebook messages, your news feed, your friends list, your photos, your notifications, content from any Facebook page outside member-requests, or any Facebook account credentials or session tokens.

Captured rows stay in your local browser (chrome.storage.local) until you click Capture & Push. On that explicit action, the rows are sent over HTTPS to GroupMailBox's backend, written to your account record, and appended to the Google Sheet you connected.

2.4 Information from third-party integrations you authorize

When you connect Google services to your GroupMailBox account via OAuth 2.0, we receive and store:

• The access token and refresh token Google returns for the scopes you granted (spreadsheets and, if you connect Gmail, gmail.send). Tokens are encrypted at rest and used only to fulfill your requests.
• The Google Sheet ID(s) you select and the Gmail address Google returns at OAuth.
• For email campaigns you create: templates, campaigns, recipient lists, rendered messages, send-log entries (recipient address, status, Gmail message ID, error if any), and unsubscribe records.

2.5 Website data

When you visit the Site, we may collect standard request metadata such as browser type, pages visited, and referring URL. If you subscribe to our newsletter we collect the email address you provide for that purpose only.

3. How We Use Account Data

We use Account Data to:

• Provide, maintain, and improve the Services you initiate (lead capture to Sheets, sending Gmail campaigns you compose).
• Authenticate you with Google via OAuth 2.0 and administer your account.
• Enforce rate limits and quotas (e.g., the daily 450-message Gmail send cap) so the Services stay within Google's API policies.
• Honor unsubscribe requests across your future campaigns.
• Diagnose errors and maintain reliability.
• Communicate with you about service updates, security alerts, and customer support.
• Send marketing communications (which you may opt out of at any time).
• Comply with legal obligations and enforce our Terms of Service.

We rely on the following lawful bases under GDPR: performance of contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in operating, securing, and improving the Services; consent (Art. 6(1)(a)) for marketing where required; and compliance with legal obligations (Art. 6(1)(c)).

4. Member Data — Limited Processing on Your Behalf

Member Data captured by the Extension or supplied by you is processed only on your documented instructions. Specifically, GroupMailBox:

• Will not sell, rent, or trade Member Data.
• Will not use Member Data to train artificial-intelligence or machine-learning models.
• Will not share Member Data with advertisers, data brokers, information resellers, Meta, Facebook, or any advertising network.
• Will only retain Member Data as necessary to deliver it to your selected destinations and for the retention period configured (see Section 6), after which it is deleted.
• Transmits Member Data using HTTPS/TLS in transit and stores OAuth tokens encrypted at rest.

You represent and warrant that you have a lawful basis (such as legitimate interest, your group's stated rules, or recipient consent) to collect, store, and contact these individuals, and that your use of GroupMailBox to email them complies with applicable laws including the CAN-SPAM Act, GDPR, the UK Privacy and Electronic Communications Regulations (PECR), CCPA/CPRA, and CASL. Recipients can opt out at any time using the unsubscribe link in every campaign email; opt-outs are honored automatically across all of your future campaigns.

Limited Use of Google API and Chrome Web Store data.

GroupMailBox's use and transfer to any other app of information received from Google APIs and from users of its Chrome extension will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer this information to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with prior user consent. We do not use or transfer this information for serving advertisements, including retargeted, personalized, or interest-based advertising. We do not use or transfer this information to determine credit-worthiness or for lending purposes. We do not allow humans to read this information except (i) with the user's affirmative agreement for specific messages, (ii) as necessary for security purposes, (iii) to comply with applicable law, or (iv) where the information has been aggregated and anonymized for internal operations.

Gmail-specific:

• We never read, list, or modify your existing emails. The gmail.send scope only permits sending new messages.
• Sent-message metadata (Gmail message ID, timestamp, recipient, subject, status) is logged so we can show you delivery status and handle retries.
• Email-template body content is stored in our database so the same template can be reused across recipients.
• You can revoke access at any time at https://myaccount.google.com/permissions or via the Disconnect Google action in the extension. Revocation halts sending immediately.

5. How We Share Information

We share information only as follows:

• To Google, on your explicit instruction — to write rows to your Google Sheet, or to send an email from your Gmail account to a recipient you specified in a campaign.
• To the email recipient's mail provider — when you send a campaign, the message is delivered to the recipient's inbox via Gmail, the same way any email from you reaches them.
• Service providers (sub-processors) strictly necessary to run the Services — Supabase (managed PostgreSQL hosting), Render (application hosting), and the Redis provider used for our outbound mail queue. These vendors process data only as our service providers, under contractual confidentiality, and never for their own purposes.
• Legal compliance — to comply with applicable law, lawful requests by public authorities, court orders, or to protect our or others' rights, property, or safety.
• Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of assets, with notice to you and an opportunity to object where required by law.
• With your consent.

We do not sell Account Data or Member Data, and we do not "share" Account Data or Member Data for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act, as amended ("CCPA").

6. Data Retention

• Account Data: retained while your account is active and for up to twenty-four (24) months thereafter, unless a longer period is required by law. You may request earlier deletion as described in Section 8.
• Member Data (leads, templates, campaigns, send logs, unsubscribes): retained per your instructions; absent specific instructions, deleted within ninety (90) days of capture or thirty (30) days after account termination, whichever is earlier. Unsubscribe records are retained for as long as needed to honor opt-outs.
• Log data: retained for up to twelve (12) months for security and debugging purposes.
• Backups: rotated and overwritten on a rolling basis not to exceed ninety (90) days.
• Locally cached data in chrome.storage is removed automatically when you uninstall the Extension.

On account deletion we revoke OAuth tokens server-side and remove all records, except where retention is required for legal or fraud-prevention purposes.

7. Security

We implement administrative, technical, and physical safeguards designed to protect information, including TLS 1.2+ in transit, encryption at rest for OAuth tokens and other sensitive credentials, role-based access controls, and periodic security review. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• GDPR / UK GDPR (EEA, UK, Switzerland): rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. You may also lodge a complaint with your local supervisory authority.
• CCPA / CPRA (California): rights to know, delete, correct, opt out of sale or sharing (we do not sell or share — see Section 5), limit use of sensitive personal information (we do not collect SPI for the purposes that trigger this right), and non-discrimination for exercising your rights. We have not sold or shared personal information in the preceding twelve (12) months.
• Other U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and others as enacted): similar rights of access, correction, deletion, and opt-out of targeted advertising; we honor these rights subject to applicable verification.

To exercise any right, email support@groupmailbox.com with the subject line "Privacy Rights Request." We will respond within the time required by applicable law (generally 30–45 days). We may need to verify your identity before fulfilling certain requests. You may use an authorized agent where permitted by law.

9. International Transfers

We are based in the United States and process information in the United States and other countries where our service providers operate. For transfers of personal data from the EEA, UK, or Switzerland to the United States or other non-adequate countries, we rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and any approved UK Addendum issued by the Information Commissioner's Office, supplemented by appropriate technical and organizational measures.

10. Children's Privacy

The Services are intended for users 18 years of age or older and are not directed to children. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If we learn we have collected such information, we will delete it.

11. Cookies and Tracking

The Site uses strictly-necessary cookies for authentication and session security, and may use privacy-respecting aggregate analytics. The Extension itself does not set tracking cookies on facebook.com; it uses chrome.storage.local only for your settings and the local lead queue. We honor Global Privacy Control (GPC) signals as opt-out signals where required by law.

12. Trademarks & Facebook / Meta Disclaimer

"Facebook," "Meta," "Instagram," and related marks are trademarks of Meta Platforms, Inc. GroupMailBox is not affiliated with, endorsed by, sponsored by, or in any way officially connected to Meta Platforms, Inc. or any of its subsidiaries. GroupMailBox operates only on group-administration pages that you, as a Group Admin, are already authorized to view.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date and, where appropriate, by direct notice to your account email or a prominent in-product notice.

14. Contact Us

Leadseeder, LLC
Attn: Privacy Officer
1111b South Governors Avenue, Dover, DE 19904, USA
Email: support@groupmailbox.com

15. Limited Use Statement

GroupMailBox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.