← Back to FirstTen

Privacy Policy

Last updated: June 18, 2026

1. What data we collect

Account data — your name, email address, and a hashed password when you register. If you sign in with Google, we receive your name and email from Google.

Usage data — searches you run, leads you save, lead statuses and notes you add, and pitches you generate.

Business/lead data — business names, addresses, and phone numbers sourced from the Google Maps Platform (Places API) and stored to power your saved lead pipeline.

2. What we do NOT store

Contact emails found on third-party business websites are displayed to you during an active search session only. They are never saved to our database. Once you navigate away, they are gone.

3. How we use your data

  • To provide and personalise the FirstTen service.
  • To track your lead pipeline and search history.
  • To send transactional emails (password reset only — no marketing emails).
  • To enforce plan usage limits (search and pitch quotas).

We do not sell your data. We do not use your data for advertising.

4. Third-party services

FirstTen uses the following external services to operate. Each is subject to its own privacy policy.

  • Google Maps Platform — business discovery
  • Google Gemini API — AI pitch generation
  • Google OAuth — optional sign-in
  • Supabase — database hosting
  • Resend — transactional email (password reset)
  • DuckDuckGo Search — website discovery for leads

5. Data retention

  • Account data — retained until you delete your account.
  • Business/lead data from Google Maps Platform — automatically deleted within 30 days, in line with Google Maps Platform's caching requirements. You can also delete individual leads and search history at any time from the dashboard.
  • Your pipeline data — lead statuses, notes, and generated pitches you add are retained while your account is active and can be deleted from the dashboard at any time.
  • Password reset tokens — expire after 1 hour and are permanently invalidated after use.
  • Session data — expires per NextAuth session lifetime.

6. Cookies

We use session cookies solely to authenticate you (NextAuth). We do not use tracking, analytics, or advertising cookies.

7. Your rights

Depending on your location you may have the right to:

  • Access — request a copy of your personal data.
  • Deletion — delete your account and all associated data from your profile page.
  • Correction — update your name and email from your profile page.
  • Portability — request a copy of the account and pipeline data you have provided, by contacting us at the address below.

These rights apply under GDPR (EU/EEA), CCPA (California), and PIPEDA (Canada). To make a request, contact us at the address below.

Business owners: if your business's information appears in FirstTen and you would like it removed, email us at the address below and we will delete it from our systems.

8. Contact

For privacy questions or data requests, contact us at support@firstten.app.