This Privacy Policy describes how Conduit Lead Intelligence Infrastructure ("Conduit", "we", "us") collects, processes, stores, and protects personal data in the course of operating the lead intake and qualification platform.
Conduit is a B2B infrastructure product. Clients are the businesses that deploy Conduit to manage their own lead pipelines. Data principals (referred to as "leads" within the platform) are the individuals whose personal information is submitted through lead capture forms, email, WhatsApp, or CSV import.
Each Conduit deployment is operated by an independent client on their own infrastructure. That client is the primary data fiduciary under the India Digital Personal Data Protection Act 2023 (DPDP Act). Conduit provides the processing infrastructure; the client is responsible for obtaining lawful consent from their leads before their data enters the system.
The categories of personal data processed by Conduit depend on the client's configuration. For the reference travel deployment, the following data is collected:
| Field | Type | Purpose |
|---|---|---|
| Full Name | Identity | Required for personalised outreach. Not used in lead scoring. |
| Phone Number | Contact | Primary channel for WhatsApp outreach and deduplication. |
| Email Address | Contact | Secondary channel, ingested via Gmail pipeline. |
| Travel Destination | Qualifying signal | Used in LSQA scoring (Intake Completeness Score). |
| Travel Date | Qualifying signal | Used in LSQA scoring (Temporal Urgency Index). |
| Budget | Qualifying signal | Used in LSQA scoring (Allocation Signal Density). |
| Conversation messages | Behavioural | WhatsApp conversation history used by AI qualification agent. |
| Lead source | Metadata | Used in LSQA scoring (Source Authority Index) and analytics. |
| Consent method & timestamp | Compliance | Records how and when the individual consented to be contacted. |
Fields are defined per-client in their configuration file. The set of data collected for any deployment is limited to what the client configures.
Conduit uses the Claude AI API (provided by Anthropic, PBC) for two processing functions:
The qualification agent is an AI system. If a lead directly asks whether they are speaking to a bot, robot, or AI, the system is required to honestly disclose that it is an AI assistant. This requirement is enforced in the agent's operating instructions and aligns with WhatsApp Business API policy and applicable transparency obligations.
Automated lead scoring (the LSQA model) assigns each lead a score between 0–100 and categorises them as HOT, WARM, COLD, or JUNK. This scoring directly affects the outreach sequence the lead receives. Leads may be manually re-scored or have their stage overridden by the client through the dashboard.
Personal data flows through the following third-party sub-processors as part of normal system operation:
| Processor | Role | Data Transferred | DPA / Agreement |
|---|---|---|---|
| Supabase | Database (PostgreSQL) | All lead PII, conversation history, scoring records | DPA available. India deployments must use Singapore or Mumbai region. |
| Twilio | WhatsApp messaging | Phone number, message content | DPA required. Sign via Twilio Console → Legal before go-live. |
| Anthropic (Claude API) | AI email parsing & conversation agent | Email content, conversation messages, lead fields | Subject to Anthropic Usage Policy. DPA recommended for EU deployments. |
| Meta (Facebook) | Lead Ads webhook source | Form submission data | Governed by Meta Business Terms & WhatsApp Business API policy. |
| Gmail API (OAuth) | Email content from configured sender addresses only | Governed by Google API Services User Data Policy. | |
| Railway / Render | Hosting platform | Application logs (no persistent PII storage) | Per-platform DPA / data processing addendum. |
Each client deployment uses their own accounts with these third-party services. Client data is not co-mingled across deployments. Row-Level Security (RLS) is enforced on all Supabase tables, with client_id as the isolation key.
The default data retention period is 365 days from the date of lead creation, configured via the compliance.data_retention_days field in each client's configuration file. Clients may set a shorter retention period appropriate for their jurisdiction and regulatory obligations.
Conversation history, scoring records, outreach logs, and follow-up records are all subject to the same retention period as the parent lead record. After the retention period expires, all associated records are eligible for deletion.
Under the India Digital Personal Data Protection Act 2023, you have the following rights with respect to your personal data:
To exercise any of these rights, contact the client (the business that collected your information). The client is the data fiduciary and is responsible for responding to your request within the timeframes prescribed by the DPDP Act.
Consent is required before any lead data enters the system. The method of consent collection depends on the ingestion source:
meta_form.website_form.csv_import.
The system records a consent_given_at timestamp and consent_method field on every lead record at the time of ingestion.
To immediately opt out of all WhatsApp communications, send any of the following messages to the WhatsApp number you were contacted from:
The system processes opt-out requests in real time. Upon detection, the lead record is archived and all pending follow-up messages are cancelled. No further messages will be sent from the system. This opt-out is permanent for that phone number within the deployment.
Messaging a lead after they have sent a STOP request is a violation of the WhatsApp Business API Messaging Policy and may result in suspension of the client's WhatsApp Business Account. The Conduit opt-out mechanism is enforced at the infrastructure level and cannot be bypassed.
client_id. Cross-client data access is architecturally prevented.This policy may be updated to reflect changes in Conduit's data processing practices, applicable law, or platform capabilities. Material changes will be reflected in the effective date at the top of this document. Continued use of the platform following an update constitutes acceptance of the revised policy.
For privacy-related inquiries, data principal rights requests, or to report a concern, contact the client operating the deployment you interacted with. For infrastructure-level inquiries regarding Conduit, use the contact form at conduit.infrastructure.