Trust Center
Trust, Security & Privacy
This page is maintained by Scorching Leads to answer common security and privacy questions about the Scorching Leads CRM. It describes the controls currently enabled in the product. It is not an independent certification or audit report.
Authentication & access
- Email & password sign-in with optional Google sign-in.
- Every workspace request is checked against the signed-in user's organization membership before any data is returned.
- Database-level row-level security restricts each record to the organization that owns it; cross-organization reads and writes are denied by default.
- Administrative actions are limited to organization admins and platform super admins.
Hosting & platform
Scorching Leads runs on Lovable Cloud, which uses managed Postgres, managed authentication, and edge-deployed serverless functions. Customer data is stored in the managed database with row-level security policies enforced for every query. Lovable Cloud provides the underlying platform controls; Scorching Leads is responsible for the application-layer access rules described on this page.
Data we collect
- Account profile: name, email, and organization membership.
- CRM content created by your team: contacts, leads, notes, dispositions, call logs, SMS history, and uploaded attachments.
- Operational telemetry needed to run the product: sign-in events, audit log entries, and request error traces.
Workspace data is scoped to the organization that created it and is only visible to members of that organization.
Subprocessors & integrations
Scorching Leads relies on the following service providers to deliver core features. Data shared with each provider is limited to what that feature requires.
- Lovable Cloud — application hosting, database, authentication, file storage.
- Twilio — outbound and inbound voice calls and SMS messaging.
- Resend — transactional email delivery (invites, password resets, notifications).
- ElevenLabs — optional AI voice features used by the receptionist.
- Firecrawl — optional property research lookups.
- GoHighLevel — optional CRM sync where the customer has connected an account.
- Meta Conversions API — optional ad-attribution events where enabled.
Retention & deletion
Customer data is retained for the life of the workspace. To request export or deletion of your organization's data, contact us using the address below and we will respond within a reasonable timeframe.
Reporting a security issue
If you believe you've found a security vulnerability, please email info@scorchingleads.com. Please do not publicly disclose the issue until we have had a chance to investigate and respond.
Compliance
Scorching Leads does not currently hold independent compliance certifications such as SOC 2, ISO 27001, HIPAA, or PCI-DSS. We will update this page when that changes.