Privacy Policy

How FirstLineAI handles data

FirstLineAI helps users generate research-backed cold outreach openers from company website content. This page describes what we collect, why we collect it, how long we keep it, and how account deletion works.

Last updated April 13, 2026

1. What we collect

We collect a small number of data categories to operate the product:

  • Account data such as email address, profile name, and authentication records.
  • Workspace data such as lead lists, campaigns, leads, generated openers, export history, and notification settings.
  • Billing data such as subscription state, credit balances, purchase events, and customer identifiers from Polar.
  • Operational data such as webhook inbox events, telemetry, alerts, and recovery records used to diagnose failures and reconcile billing or workflow issues.
  • Public-source company website data that is crawled and cached to extract signals used in personalization.

2. How we use data

  • To authenticate users and provide access to their workspace.
  • To crawl company websites, extract company signals, and generate opener suggestions.
  • To meter usage, manage credits, and process subscription or one-time credit purchases.
  • To send product emails that the user has explicitly enabled, such as campaign-complete notifications.
  • To monitor reliability, investigate incidents, and prevent abuse or fraud.

3. Shared public-site cache

FirstLineAI stores a shared cache of public company website data in the company_profiles and company_signals datasets. This cache is used to reduce repeated crawling and model costs.

This cache is limited to public-site derived content. It is currently readable by authenticated users because it is intended as shared, non-user-authored operational cache data. If the product later adds private enrichment or customer-supplied context to this cache model, this access model will change.

4. Retention periods

The current baseline retention periods are:

  • Customer workspace data: retained until the user deletes the account.
  • Shared company cache: 30 days by default, then removed by scheduled purge.
  • Telemetry events: 90 days.
  • Processed webhook inbox events: 30 days.
  • Failed webhook inbox events: 90 days.
  • Resolved operational alerts: 90 days.
  • Completed, canceled, or rejected account deletion requests: 365 days.

5. Account deletion

Users can request account deletion from the account settings page. Deletion is not immediate. Requests are scheduled with a grace window, currently 7 days by default, to reduce accidental loss and allow the user to cancel the request before the account is removed.

The deletion request may be blocked if:

  • there is still an active paid subscription attached to the account, or
  • the user owns a team that still has other members.

When deletion runs, the authentication user is deleted and user-owned relational data is removed through database cascade behavior or detached where operational audit retention is still required.

6. Vendors and subprocessors

We use the following core providers to run the product:

  • Supabase for authentication, database storage, and application data.
  • Inngest for background job orchestration and scheduled operational workflows.
  • Firecrawl for crawling and scraping public company websites.
  • Anthropic for signal extraction, generation, and validation steps.
  • Polar for billing, subscriptions, and one-time credit purchases.
  • Resend for transactional email delivery.

7. What we do not do

  • We are not an email sending platform. Users export generated openers into their own sending tools.
  • We do not intentionally store private prospect inbox data inside the core opener-generation workflow.
  • We do not keep public-site cache forever by default.

8. Contact

For privacy or deletion questions, contact the team through the product support channel or the contact details listed on the company website.