Important Notice
1. Controller and Data Fiduciary
LeadPilot is a product operated by Mverse360, a business unit of Gryffin Global IT Services Private Limited, a company incorporated under the Companies Act, 2013 (India). As the operator of the Service, Gryffin Global IT Services Private Limited acts as the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDPA) and the Data Controller under applicable international data protection laws.
All references to "we", "us", "our", or "LeadPilot" in this Privacy Policy refer to Gryffin Global IT Services Private Limited operating under the Mverse360 brand.
2. Scope and Applicability
This Privacy Policy applies to all users who create an account on LeadPilot, regardless of plan; all access channels, including the web application, APIs, integrations, and associated subdomains; and all personal data (any information that identifies or can identify a natural person) processed in connection with the Service.
This policy does not apply to third-party websites, services, or platforms (including LinkedIn) that LeadPilot may interact with. Those platforms operate under their own privacy policies.
3. Personal Data We Collect
We collect personal data only to the extent necessary to deliver, operate, and improve the Service.
3.1 Account & Registration Data
- Identity data - first name, last name, email address, phone number (optional), company or organisation name
- Authentication data - email-based login credentials; password stored as a one-way hash; session tokens via Supabase Auth
- Profile data - LinkedIn profile URL (entered by user), LinkedIn account email (provided via OAuth), LinkedIn profile ID (sub) returned by LinkedIn OIDC
3.2 LinkedIn Automation Credentials
To deliver the core outreach automation functionality, we collect and store your LinkedIn username and password. These are encrypted at rest using AES-256 encryption in our Supabase database; transmitted securely over TLS 1.2/1.3; never logged or displayed in plain text at any point; and strictly limited - used only to authenticate.
3.3 LinkedIn OAuth Data (Identity Verification)
When you connect your LinkedIn account via "Sign in with LinkedIn" (powered by Supabase linkedin_oidc), we receive from LinkedIn via OAuth 2.0 / OpenID Connect: your name, email address, LinkedIn profile ID (the unique sub identifier), and profile picture URL (optional, for display purposes).
We request only the minimum scopes: openid · profile · email. We do NOT request access to your LinkedIn connections, messages, inbox, posts, or Sales Navigator data via OAuth.
3.4 Campaign and Automation Activity Data
- Campaign configuration - ICP targeting filters, message sequences, automation rules, saved search names
- Campaign metadata - connection request counts, message delivery status, campaign status (live/paused/pending_review/action_required)
- Sales Navigator & LinkedIn Automation Data - LeadPilot's automation agent operates on your behalf on LinkedIn and LinkedIn Sales Navigator using the inputs you provide. These inputs may include your Saved Search name, Ideal Customer Profile (ICP) parameters (such as target accounts, geography, seniority level, job function, and other targeting criteria), and outreach sequences. The agent accesses and acts upon your LinkedIn and Sales Navigator account solely to execute the campaign actions you configure; all inputs are provided by you and processed on your behalf.
3.5 Payment and Billing Data
Payments are processed by Razorpay (primary) and/or Stripe. We do not receive, store, or process full payment card numbers, CVVs, or bank account details. We receive only: transaction metadata (payment status, amount, plan name, date); invoice information (invoice ID, GST details as required under the CGST Act, 2017); and Razorpay/Stripe customer ID for subscription management only.
3.6 Technical and Usage Data
- Device information - IP address, browser type, operating system, screen resolution
- Usage events - page views, button clicks, feature interactions, session duration
- Error and performance logs - crash reports, API error codes, latency metrics
- Cookie identifiers - as described in Section 11 below
3.7 Communications Data
- Support interactions - emails, chat messages, and transcripts from support requests
- Demo booking data - name, phone, company, preferred slot, and goal - collected via the demo booking form
4. Purposes of Processing and Legal Bases
We process personal data only for specified, explicit, and legitimate purposes.
| Purpose | Legal Basis (India - DPDPA 2023) | Legal Basis (GDPR / International) |
|---|---|---|
| Account creation and management | Consent; Contract | Contract (Art. 6(1)(b)); Consent (Art. 6(1)(a)) |
| LinkedIn automation and campaign delivery | Contract | Contract (Art. 6(1)(b)) |
| Processing payments and issuing GST invoices | Contract; Legal obligation | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) |
| Security, fraud prevention, abuse detection | Legitimate use; Legal obligation | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and performance improvement | Legitimate use | Legitimate interests (Art. 6(1)(f)) |
| Marketing and promotional communications | Consent | Consent (Art. 6(1)(a)) |
| Responding to support and legal requests | Legal obligation; Contract | Legal obligation (Art. 6(1)(c)) |
| Compliance with Indian tax and financial laws | Legal obligation | Legal obligation (Art. 6(1)(c)) |
5. Third-Party Data Processors
We engage the following third-party processors to operate the Service. All processors are bound by data processing agreements (DPAs) and are required to maintain appropriate security standards.
- Supabase Inc. - Database (PostgreSQL), authentication, edge functions; data hosted in India region where available
- Razorpay Software Private Limited - Payment gateway; governed by Razorpay's Privacy Policy and PCI-DSS compliance
- Stripe Inc. - Payment gateway (international transactions)
- Google Analytics (Google LLC) - Web analytics; subject to Google's Privacy Policy and EU Standard Contractual Clauses
- Meta Pixel (Meta Platforms, Inc.) - Advertising attribution and measurement
- Brevo (formerly Sendinblue) - Transactional email delivery via auth@leadpilot.mverse360.com
- Cal.com / Calendly - Demo scheduling
We do not sell, rent, or lease your personal data to any third party for their own marketing purposes. Processor access is limited to what is strictly necessary for service delivery.
6. Data Storage, Location, and International Transfers
Primary data storage and processing occurs in India. Our Supabase database is configured to use India-region hosting where available. Some third-party processors (e.g., Google Analytics, Meta Pixel, Stripe) operate servers outside India. Where such international transfers occur:
- Contractual safeguards - we rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised under DPDPA 2023 and GDPR
- Adequacy assessments - we assess the data protection laws of recipient countries before transfer
- Minimisation - we ensure only the minimum necessary data is transferred to international processors
LinkedIn credential data (AES-256 encrypted) is stored exclusively in our India-hosted Supabase database and is never transmitted to our servers in plain text under any circumstances.
7. Security Measures
We implement industry-standard technical and organisational security measures commensurate with the risk and sensitivity of the data processed:
- Encryption in transit - TLS 1.2/1.3 for all data transmitted between your browser and our servers
- Encryption at rest - AES-256 encryption for LinkedIn credentials; database-level encryption via Supabase
- Access control - role-based access control (RBAC); principle of least privilege; multi-factor authentication required for administrative access
- Security monitoring - automated intrusion detection, rate limiting, anomaly detection on API endpoints
- Vulnerability management - regular dependency audits, penetration testing as the product matures, and prompt patching of known vulnerabilities
- Incident response - documented breach notification procedure; affected users notified within 72 hours of confirmed breach in accordance with DPDPA 2023 and GDPR Article 33
No method of electronic storage or transmission is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your LeadPilot login credentials.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & billing data | Life of account + 3 years post-cancellation | Tax, accounting & legal obligations |
| LinkedIn credentials (encrypted) | Active service period; deleted within 30 days of cancellation/termination | Contractual necessity |
| Campaign & automation metadata | 24 months from creation (earlier deletion available on request) | Legitimate interests |
| System logs & analytics | 12 months rolling | Security & product improvement |
| Support communications | 3 years from last interaction | Legitimate interests & dispute resolution |
| Payment transaction metadata | 7 years | GST Act, Income Tax Act obligations |
Upon account deletion or service cancellation, we will delete or anonymise your personal data in accordance with the schedule above, unless a longer retention period is required by law.
9. Your Rights as a Data Principal / Data Subject
- Right to Access - you may request a copy of the personal data we hold about you
- Right to Correction - you may request correction of inaccurate or incomplete data
- Right to Erasure - you may request deletion of your data, subject to our legal retention obligations
- Right to Data Portability - you may request your data in a structured, machine-readable format
- Right to Withdrawal of Consent - where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to Grievance Redressal - under DPDPA 2023, you may raise a grievance with our Grievance Officer and, if unresolved, with the Data Protection Board of India
- Right to Nominate - under DPDPA 2023, you may nominate another individual to exercise your rights in the event of your death or incapacity
- Right to Object / Restrict - under GDPR, you may object to processing based on legitimate interests or request restriction in certain circumstances
- Right to Lodge a Complaint - EU/UK residents may lodge a complaint with their local supervisory authority (e.g., the ICO in the UK)
How To Exercise Your Rights
10. Children's Privacy
The Service is designed for professional business use and is intended solely for individuals who are 18 years of age or older. We do not knowingly collect, solicit, or process personal data from any person under the age of 18. If we become aware that personal data has been collected from a minor without verifiable parental consent, we will take immediate steps to delete such data. Contact us at info@mverse360.com if you believe a minor has provided us with personal data.
11. Cookies and Tracking Technologies
11.1 Types of Cookies We Use
- Strictly necessary cookies - required for the Service to function; cannot be disabled (e.g., session authentication cookies via Supabase)
- Analytics cookies (Google Analytics) - used to understand usage patterns, page performance, and user journeys; data is aggregated and anonymised where possible
- Marketing / attribution cookies (Meta Pixel) - used to measure advertising campaign effectiveness; you may opt out via Meta's ad preferences
- Functional cookies - remember your preferences, language, and settings across sessions
11.2 Your Cookie Choices
You can control or disable non-essential cookies through: browser settings (most browsers allow you to block or delete cookies via their privacy/settings menu); Google Analytics opt-out at tools.google.com/dlpage/gaoptout; or Meta Ad Preferences at facebook.com/ads/preferences.
Disabling strictly necessary cookies may impair or prevent use of the Service. Where required by applicable law (including the IT Act, 2000), we will implement a cookie consent banner providing granular controls prior to placement of non-essential cookies.
12. LinkedIn, Third-Party Platforms, and Compliance
LeadPilot is an independent software product and is not affiliated with, endorsed by, or sponsored by LinkedIn Corporation or Microsoft Corporation. LinkedIn® is a registered trademark of LinkedIn Corporation.
- Your LinkedIn account - your use of LeadPilot in connection with your LinkedIn account must comply with LinkedIn's User Agreement and Professional Community Policies
- Sales Navigator - if you use the Saved Search or ICP targeting feature, you must hold an active LinkedIn Sales Navigator subscription; the automation agent will access and act upon your Sales Navigator account based solely on the inputs you provide; we cannot verify your subscription status independently
- Third-party terms - Razorpay, Supabase, Google Analytics, Meta, Brevo, and other processors operate under their own terms and privacy policies; we encourage you to review them
- No warranty on LinkedIn availability - we do not warrant uninterrupted access to LinkedIn services and are not responsible for LinkedIn's decisions to restrict, suspend, or modify access to any account
LinkedIn may update its policies at any time. It is your responsibility to ensure your use of LeadPilot remains compliant with LinkedIn's current terms.
13. Applicable Legal Framework and Intellectual Property Rights
13.1 Data Protection and Privacy Laws
- Digital Personal Data Protection Act, 2023 (DPDPA) - primary Indian data protection legislation; we act as Data Fiduciary
- Information Technology Act, 2000 (IT Act) and the IT (SPDI) Rules, 2011 - our security practices comply with the 'reasonable security' standard under Rule 8
- GDPR (EU 2016/679) - applicable to data subjects in the EEA; we apply GDPR standards globally as best practice
- UK GDPR and Data Protection Act 2018 - applicable to data subjects in the United Kingdom
13.2 Financial, Tax, and Corporate Laws
- Companies Act, 2013 - Gryffin Global IT Services Private Limited is duly incorporated
- Goods and Services Tax (GST) Act, 2017 - GST invoices issued for all taxable supplies; billing data retained for 7 years
- Income Tax Act, 1961 - financial records retained as required for tax compliance and audit purposes
- Payment and Settlement Systems Act, 2007 - payments processed through RBI-regulated payment aggregators (Razorpay)
13.3 Intellectual Property Rights
All intellectual property in the LeadPilot platform - including software code, algorithms, user interface design, brand identity (LeadPilot™, Mverse360™), domain names, documentation, and all derivative works - is owned exclusively by Gryffin Global IT Services Private Limited. Protected under the Copyright Act, 1957; Trade Marks Act, 1999; and the Berne Convention. No licence, right, or interest in our intellectual property is granted to users beyond the limited right to use the Service in accordance with the Terms of Service.
13.4 Consumer Protection
- Consumer Protection Act, 2019 and Consumer Protection (E-Commerce) Rules, 2020 - users are entitled to accurate information, transparent pricing, and grievance redressal
- Advertising Standards Council of India (ASCI) - all marketing communications comply with ASCI guidelines
14. Grievance Redressal Mechanism
In accordance with the Digital Personal Data Protection Act, 2023 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer to address concerns relating to the processing of your personal data.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or applicable law. The updated policy will be posted at leadpilot.mverse360.com/privacy with a revised Effective Date. For material changes, we will provide advance notice by email to your registered address at least 14 days before the change takes effect, and by in-app notification within the LeadPilot dashboard. Your continued use after the effective date constitutes acceptance.
