Effective Date: 28 April 2026 Last Updated: 28 April 2026
This Privacy Policy explains how APLeads Ltd ("we", "us", "our"), a company registered in England and Wales (company number [TO BE INSERTED]), collects, uses, shares, and protects personal data when you use the AP Sales Coach desktop application (the "App"), the apsalescoach.com website (the "Site"), and any related services (the "Service").
We are the data controller of personal data we collect about you as our customer.
If you are using the App to capture audio and process it, you are the data controller of any personal data contained in that audio (including the personal data of third parties whose voice may be captured). We act as a data processor on your behalf for the limited purpose of providing the App's transcription and routing functions. See Section 9.
1. Information we collect
We collect the minimum data necessary to provide the Service. Specifically:
1.1. Information you provide directly
- Email address — when you sign up via magic-link authentication.
- Payment information — collected and stored by Stripe; we receive only payment metadata (e.g. last four digits, billing country, subscription status).
- Support communications — when you contact us via support@apsalescoach.com or in-app feedback.
- Affiliate application data — if you apply for our affiliate program: name, payment details, audience information you choose to share.
1.2. Information collected automatically
- Hardware fingerprint — a one-way SHA-256 hash derived from your Mac's IOPlatformUUID, model, and CPU brand. Used solely to enforce the one-device-per-account license rule. We cannot reverse-engineer this hash to identify your hardware.
- Device label — your Mac's "Computer Name" (e.g. "Alix's MacBook Pro"). Used to display the bound device in the license-management UI.
- Subscription and license metadata — your tier, billing status, founding-member flag, current subscription period, license bound device.
- Usage events — when you sign in, start a call, complete a call, click upgrade, etc. Used for analytics. We do not capture the content of calls or scripts.
- App version, OS version, error reports — captured by Sentry (with personal data redaction) for crash reporting.
- IP-derived country — captured at the edge function level for geographic analytics. We do not store full IP addresses.
- Cookies and similar technologies — see Section 7.
1.3. Information we do NOT collect
We do not collect, store, or process:
- Audio recordings. Your microphone audio is streamed directly to Deepgram for real-time transcription and is then discarded. We never receive, store, or replay audio.
- Transcripts. Transcripts are generated by Deepgram and shown to you in the App. Transcripts are stored only on your local device. They never reach our servers.
- Script content. Your script tree (the prompts you write) is stored on your local device only.
- Call history. Per-call metadata (timestamps, dispositions) is stored on your local device only.
- The content of calls you make. We have no visibility into who you called, what was said, or what happened on the call.
2. How we use your data
We use your personal data only for the following purposes:
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Providing and operating the Service (account, license validation, billing) | Performance of contract |
| Processing payments | Performance of contract / Legal obligation |
| Sending transactional emails (magic-link codes, receipts, billing notices) | Performance of contract |
| Sending lifecycle and product emails (welcome, trial reminders) | Legitimate interests, with opt-out |
| Providing customer support | Performance of contract |
| Detecting and preventing fraud, abuse, or unauthorised use | Legitimate interests / Legal obligation |
| Complying with legal, tax, and regulatory obligations | Legal obligation |
| Improving the Service via aggregated analytics | Legitimate interests |
| Operating the affiliate program (where applicable) | Performance of contract |
We do not use your personal data for automated decision-making with legal or similarly significant effects, and we do not sell your personal data.
3. Data sharing and sub-processors
We share personal data only with carefully selected sub-processors who help us operate the Service. Each sub-processor has signed a data-processing agreement requiring them to handle your data securely and only for the purposes we authorise.
3.1. Current sub-processors
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic, PBC | Routing prospect utterances to script nodes (LLM matcher) | Last prospect utterance text + your script node IDs | United States (with EU/UK data-protection compliance) |
| Deepgram, Inc. | Real-time speech-to-text transcription of microphone audio | Audio stream (in-flight, not stored) | United States (with EU/UK data-protection compliance) |
| Supabase, Inc. | Account, license, subscription, and analytics storage | Email, hardware fingerprint hash, subscription status, usage events | EU (Ireland region) |
| Stripe, Inc. | Payment processing | Email, payment method, billing address | EU + global (PCI-compliant) |
| Resend, Inc. | Transactional and lifecycle email delivery | Email address, email content | United States / EU |
| GitHub, Inc. | Distribution of app updates and release artifacts | Anonymous download metadata | Global CDN |
| Sentry, Functional Software Inc. | Error monitoring and crash reporting | App version, OS version, error stack traces (with PII redaction) | United States |
| Vercel, Inc. | Website hosting | Anonymous request logs, IP-derived country | Global edge network |
| Cloudflare, Inc. (where applicable) | DNS and edge protection | Anonymous request metadata | Global edge network |
The current authoritative sub-processor list is published at apsalescoach.com/legal/sub-processors and is updated when we change vendors. We will notify you in advance of any new sub-processor added that materially changes how your data is handled.
3.2. International transfers
Some of our sub-processors are based outside the UK and EU (notably the United States). When we transfer personal data internationally we rely on:
- The European Commission's adequacy decisions (where applicable);
- Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office;
- Sub-processor self-certification under the UK-US and EU-US Data Privacy Frameworks where the sub-processor is certified.
You can request copies of our SCCs and other transfer mechanisms by emailing privacy@apsalescoach.com.
3.3. Other disclosures
We may disclose personal data:
- To comply with law — court orders, subpoenas, lawful government requests, regulatory investigations.
- To protect rights and safety — where we have a good-faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others.
- In connection with a corporate transaction — merger, acquisition, sale of assets, or due diligence (with appropriate confidentiality protections).
We do not sell, rent, or share personal data with third parties for advertising purposes.
4. Data retention
We retain personal data for only as long as needed for the purposes described in this Policy, plus any period required by law.
| Data type | Retention |
|---|---|
| Account email | Lifetime of account + 6 years after closure (UK accounting and tax retention) |
| Hardware fingerprint hash | Lifetime of subscription + revoked-license retention (90 days) |
| Subscription and billing records | 6 years after the last billing event (UK statutory retention) |
| Analytics events | 24 months from creation, then aggregated and anonymised |
| Support communications | 3 years after the last interaction |
| Error reports (Sentry) | 90 days |
You may request deletion of your account at any time via Section 5.
5. Your rights (UK GDPR / EU GDPR)
If you are in the UK, EU, or EEA, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data (the "right to be forgotten"), subject to our legal obligations to retain certain records (e.g. accounting).
- Restriction — request that we restrict processing of your data in certain circumstances.
- Portability — request a machine-readable copy of the data you provided to us.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — where we rely on consent (e.g. marketing emails), you may withdraw it at any time.
- Complaint — lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data-protection supervisory authority.
To exercise any of these rights, email privacy@apsalescoach.com. We will respond within one calendar month.
If you are in California, Virginia, Colorado, Connecticut, Utah, or another US state with a comprehensive privacy statute, you may have similar rights — contact us at the same address.
6. Security
We take reasonable technical and organisational measures to protect personal data:
- Encryption in transit — all data exchanged between the App, Site, and our servers uses TLS 1.2 or higher.
- Encryption at rest — data stored in Supabase is encrypted at rest. API keys you store in the App are encrypted using your macOS Keychain (
safeStorage). - Access control — only authorised personnel have access to production data, and access is logged.
- Sub-processor due diligence — we vet sub-processors for security posture and compliance.
- Incident response — we maintain procedures to detect, contain, and notify you of any personal-data breach as required by UK GDPR (typically within 72 hours of becoming aware).
No system is perfectly secure. We cannot guarantee absolute security but we work hard to protect your data and to comply with our legal obligations.
7. Cookies and similar technologies
The Site uses minimal cookies. Specifically:
- Plausible Analytics — privacy-first analytics that does not use cookies, does not collect personal data, and does not require a cookie consent banner under UK and EU rules.
- Stripe Checkout — Stripe sets cookies on its hosted checkout pages for fraud prevention and session management. These are essential to processing your payment.
- Authentication cookies — when you sign in via the Site, Supabase sets a session cookie to keep you logged in.
- Affiliate referral cookies — when you visit a
/r/<code>URL, we set a cookie (ap_ref, 60-day expiry) to attribute your subsequent signup to the referrer/affiliate.
The App itself does not use browser cookies.
For full details and our cookie banner choices, see our Cookie Policy at apsalescoach.com/legal/cookies.
8. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@apsalescoach.com and we will delete it.
9. Audio, transcripts, and your role as data controller
This section is critical. Read it carefully.
9.1. We are a tool provider
The App captures audio from your Mac's microphone, processes it through Deepgram for real-time transcription, and uses Anthropic's language model to route prospect utterances to your pre-written script nodes. We do not generate, monitor, store, or otherwise control the audio you choose to capture or what you do with it.
9.2. You are the data controller
In the legal sense of UK GDPR and EU GDPR, when you use the App to capture audio that includes the personal data of a third party (for example, a sales prospect's voice), you are the data controller of that personal data. We are merely a tool you use, and a data processor acting on your instructions for the limited purpose of transcription and routing.
9.3. Your obligations
You must, at your sole responsibility:
- Determine the lawful basis under which you are capturing third-party voice data;
- Obtain all consents required by the law of your jurisdiction and of the jurisdiction of any third party whose voice is captured;
- Comply with all applicable telecommunications, wiretap, eavesdropping, and consumer-protection laws;
- Provide privacy notices to data subjects as required;
- Honour data subject rights requests with respect to data captured using the App;
- Maintain appropriate security for any transcript or call recording you choose to store on your local device.
9.4. We disclaim controllership of call content
We do not see, store, or process the substance of your calls. We have no ability to honour data subject rights with respect to call content because we do not hold it. If a third party contacts us seeking access to or deletion of their personal data, we will direct them to you as the responsible data controller.
9.5. Acceptable Use Policy
Section 7 of our Terms of Service and our standalone Acceptable Use Policy (apsalescoach.com/legal/aup) prohibit using the App to violate consent or recording laws. We reserve the right to terminate accounts that breach these provisions.
10. Changes to this Policy
We may update this Policy from time to time. The "Last Updated" date at the top will reflect the most recent revision. We will notify you of material changes via email or in-app notification at least 14 days before they take effect.
Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
11. Contact
For any questions about this Privacy Policy, your personal data, or to exercise your rights:
APLeads Ltd Privacy contact: privacy@apsalescoach.com Support contact: support@apsalescoach.com Registered office: [TO BE INSERTED] Company number: [TO BE INSERTED]
You also have the right to lodge a complaint with the UK Information Commissioner's Office: ICO Helpline: 0303 123 1113 ICO Website: ico.org.uk
This Privacy Policy is governed by the laws of England and Wales.