01 Who we are
“BioLeads” (we, us, our) is a product operated by BioLeads Inc., a Delaware corporation with a globally distributed team. We're the people who built the bio link you're using; we're also the people who answer the support inbox.
This policy covers bioleads.link, the dashboard at app.bioleads.link, and every public page hosted on bioleads.link/<handle>.
02 What we collect
We try to collect the minimum. Concretely:
From you (the BioLeads account holder)
- Account basics: your name, email, password hash, chosen handle, optional profile photo.
- Billing: if you upgrade — last 4 digits of card, billing address, invoice history. Card numbers are handled by Stripe; we never see them.
- Your content: the links, blocks, forms, and text you've added to your page.
- Usage: pages you visited in the dashboard, features you used, errors we caught. Helps us fix things.
From your audience (people who tap your link)
- Aggregate analytics: the page they visited, country (from IP — then IP is discarded), device class (mobile/desktop), referrer source (Insta / TikTok / etc.).
- Form submissions: only what they filled in. If your form asks for name + email, we keep name + email. We never silently add fields.
03 Why we collect it
Three reasons, and they're all things you signed up for:
- To run your bio page. Without the content, we have nothing to render.
- To show you analytics. Without aggregate counts and form submissions, we can't tell you who's tapping.
- To bill you, if you're on Pro. Without billing data, our team doesn't get paid; we can't ship updates.
We do not collect data to: profile you for ads, train external AI models, sell to third parties, or pad an “engagement” pitch deck.
04 Your visitors' data
When someone submits your lead form, the data they enter belongs to you, the BioLeads account holder. We act as a “processor” — we just hold it for you. You decide who can see it, where it gets exported, and when it gets deleted.
You are responsible for telling your audience how you'll use what they share. We make this easy by:
- Showing a small, customizable note under every form (default: “Your details stay between us — see our privacy policy.”)
- Auto-generating a per-page privacy link that includes your contact email.
- Honoring deletion requests forwarded through us — we'll route them to you, and delete from our side after 30 days.
05 Cookies & tracking
Public bio pages (bioleads.link/<handle>) set zero cookies by default. Analytics use a daily-rotated hash of IP + user-agent, so we can count uniques without identifying anyone. The hash is purged every 24 hours.
The dashboard (app.bioleads.link) sets one essential cookie to keep you logged in. That's it. No marketing cookies, no analytics tags, no Hotjar, no Facebook pixel.
If you embed a marketing pixel yourself
Pro accounts can add their own Meta / TikTok / GA4 pixel to their page. If you do that, you're responsible for cookie consent on your page — we render a consent banner block you can add in one click.
06 When we share
We share data only when one of these is true:
| Recipient | What | Why |
|---|---|---|
| Stripe | Billing details | Process Pro subscriptions |
| AWS (eu-west / us-east / ap-south) | Encrypted database snapshots | Host & back up data |
| Postmark | Your email + lead notification text | Send you “you got a new lead” emails |
| Sentry | Error stack traces (no user data) | Catch & fix bugs |
| An integration you turned on | The data you chose to send | Sync your leads to your CRM / sheet |
We will never sell, rent, or “license” your data — or your audience's data — to a third party for marketing, ad targeting, or AI training. If that ever changes (it won't), this section will say so, and you'll get an email 30 days before it takes effect.
07 Where it's stored
We pick the storage region based on where you sign up:
- EU users: data in AWS eu-west-1 (Ireland).
- Asia-Pacific users: data in AWS ap-southeast-1 (Singapore).
- Everyone else: data in AWS us-east-1 (Virginia).
Everything's encrypted at rest (AES-256) and in transit (TLS 1.3). Backups are encrypted, region-pinned, and retained for 30 days.
08 Your rights
Wherever you live, you have these rights with us:
- Access: download a copy of all your data from Settings → Export.
- Correct: edit anything in your profile or page in the dashboard.
- Delete: hit “Delete account” → confirm → we purge everything within 14 days. No retention “grace period” begging you to come back.
- Port: export leads & content in CSV / JSON. Open formats, no lock-in.
- Object: email us and we'll stop processing your data for any non-essential reason.
For EU/UK residents: this satisfies GDPR / UK-GDPR Articles 15–21. For California residents: this satisfies your CCPA/CPRA rights.
09 Children
BioLeads isn't built for anyone under 13 (or under the local age of digital consent — 16 in some EU countries). If you're a parent and you think your child created an account, email privacy@bioleads.link and we'll close it within 24 hours.
10 Changes & contact
We'll update this page when something material changes. If the change affects how we use your data, you'll get an email at least 30 days before it takes effect.
For any privacy question — including subject access requests, deletion, or “wait, what does this paragraph mean?” — write to:
- 📧 privacy@bioleads.link
- 🏢 BioLeads Inc. · 1209 N Orange St, Wilmington, DE 19801, USA
We aim to reply within 3 business days. Usually faster.
— signed, the BioLeads team