Privacy Policy

Lead Magic Corporation ("LogoRouter," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, retain, and protect information about you when you use our website (logorouter.com), API services, documentation, and any related products or services (collectively, the "Services").

This policy applies to all users of our Services, including visitors, registered users, and API consumers. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Services immediately.

This Privacy Policy complies with applicable data protection laws including the Massachusetts Data Privacy Law, the General Data Protection Regulation (GDPR) as applicable, and other relevant privacy laws.

We use your information strictly to provide, operate, maintain, and improve our Services. Specifically:

• To create and manage your account and authenticate your identity
• To process and fulfill API requests and return logo assets
• To track usage against your plan limits and bill accordingly
• To send transactional emails: receipts, API key alerts, plan limit warnings
• To send service announcements, security notices, and legal updates
• To respond to support requests and provide customer service
• To detect, investigate, and prevent fraud, abuse, and security incidents
• To enforce our Terms of Service and Acceptable Use Policy
• To analyze aggregate, anonymized usage trends to improve the service
• To comply with legal obligations and respond to lawful government requests
• With your explicit consent: marketing communications (you can opt out at any time)

We do not sell, rent, lease, or trade your personal information to any third party for their marketing purposes. We do not use your data to train AI or machine learning models without your explicit consent.

We do not sell your personal data. We share information only in the following limited circumstances:

We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.

• Account data: retained for the lifetime of your account, plus 90 days after deletion request
• API request logs: 30 days (Community plan), 90 days (Startup), 1 year (Pro and Enterprise)
• Billing records and invoices: 7 years as required by U.S. tax law
• Support communications: 3 years from last interaction
• Webhook event logs: 90 days
• Server access logs: 30 days, then aggregated and anonymized
• Anonymized, aggregated analytics: indefinitely

After the applicable retention period, data is securely deleted or irreversibly anonymized. You may request early deletion as described in Your Rights section below.

We implement industry-standard technical and organizational security measures to protect your information from unauthorized access, disclosure, alteration, or destruction. Our measures include:

• All data encrypted in transit using TLS 1.2+ (enforced, no downgrade)
• All data encrypted at rest using AES-256 in our Neon PostgreSQL database
• API keys are stored as bcrypt-hashed values — we cannot retrieve your key plaintext
• HTTP-only, Secure, SameSite=Strict session cookies
• Role-based access controls limiting employee access to production data
• Regular third-party security audits and penetration testing
• Automated dependency vulnerability scanning via Dependabot
• Incident response plan with 72-hour breach notification procedures
• SOC 2 Type II audit in progress (target: Q3 2025)

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your data.

We use cookies and similar tracking technologies to operate our Services and improve your experience.

You can control non-essential cookies via the cookie preferences banner. Disabling essential cookies will prevent you from signing in. We do not respond to Do Not Track (DNT) browser signals as there is no accepted standard.

Depending on your location, you may have the following rights regarding your personal data:

• Right to Access: request a copy of the personal data we hold about you
• Right to Rectification: request correction of inaccurate or incomplete data
• Right to Erasure ('Right to be Forgotten'): request deletion of your personal data
• Right to Data Portability: receive your data in a machine-readable format (JSON or CSV)
• Right to Restriction: request that we limit how we use your data
• Right to Object: object to processing based on legitimate interests
• Right to Withdraw Consent: withdraw marketing consent at any time without affecting prior processing
• Right to Non-Discrimination: exercising your rights will not affect your access to Services
• Right to Lodge a Complaint: with a supervisory authority in your jurisdiction

To exercise any of these rights, email privacy@logorouter.com with the subject line "Privacy Rights Request." We will respond within 30 days (or 45 days for complex requests). We may ask you to verify your identity before processing the request.

LogoRouter is headquartered in the United States. If you access our Services from outside the United States, your information may be transferred to and processed in the United States. We rely on the following transfer mechanisms:

• Standard Contractual Clauses (SCCs) approved by the European Commission for EU/EEA to U.S. transfers
• UK Addendum for transfers from the United Kingdom
• Swiss-U.S. Data Privacy Framework for transfers from Switzerland
• Data Processing Agreements with all sub-processors that include appropriate safeguards

By using our Services, you consent to the transfer of your information to the United States and acknowledge that the laws of the United States may differ from the laws of your country.

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.

If you believe we have inadvertently collected information from a child under 16, please contact us immediately at privacy@logorouter.com.

Massachusetts residents have rights under applicable Massachusetts privacy and consumer protection laws, including M.G.L. c. 93A and the Massachusetts Data Privacy Law.

• We do not sell or share personal information for cross-context behavioral advertising
• We do not use sensitive personal information for purposes other than those listed in this policy
• You may opt out of any future sale or sharing (though we currently do not sell data)
• Authorized agents may submit requests on your behalf with proper verification
• You may contact the Massachusetts Attorney General's office to report privacy violations

Categories of personal information we collect: identifiers, commercial information, internet activity, geolocation data, professional information, and inferences. We do not collect biometric data, financial information, or health information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the Effective Date at the top of this page
• Send an email notification to your registered email address at least 14 days before changes take effect
• Post a prominent notice on our website and dashboard
• For significant changes affecting your rights, seek your renewed consent where required by law

Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer:

Lead Magic Corporation
Attn: Privacy / Data Protection Officer
Boston, MA
United States