Security
This page describes how QuickLead protects your data across the browser extension, portfolio, AI assistant, and backend services.
1. Encryption in transit
All communication between your browser, the extension, and our servers uses HTTPS (TLS encryption). This includes listing captures, AI chat messages, billing operations, and account management.
2. Account separation
Each user account has its own isolated portfolio. Your captured listings, notes, buyer profile, and chat history are only accessible to you and family members you explicitly invite (Plus plan). Other users cannot see your data.
Account authentication uses secure session tokens with automatic expiry. Family members authenticate independently with their own credentials.
3. AI data handling
When you use the Decision Assistant, listing data and conversation context are sent to Alibaba Cloud Model Studio (Qwen) via their API. Alibaba Cloud has confirmed that data submitted through their API is not used for model training. The connection uses HTTPS and API key authentication.
4. Payment security
All payments are processed by Stripe. We never store, see, or have access to your credit card number. Stripe is PCI DSS Level 1 certified — the highest level of payment security.
5. Rate limits and abuse prevention
We enforce rate limits on account creation, captures, and chat messages to prevent abuse and protect service availability. Accounts creating excessive requests may be temporarily throttled. We also limit account creation per device and IP address.
6. Secret management
Service credentials, API keys, and encryption secrets are stored in managed environment variables and are never exposed in application logs or client-side code.
7. Logging and monitoring
We maintain operational logs for reliability, incident response, and abuse detection. Logs contain request metadata (timestamps, response codes, latency) but do not store raw personal data, passwords, or payment details.
8. Data minimisation
We aim to collect and retain only the data needed to provide the service. Security logs are retained for up to 90 days. Portfolio data is kept while your account is active and deleted within 30 days of account deletion. See our Privacy Policy for full retention details.
9. Reporting security issues
If you discover a security vulnerability or have a concern, please report it to support@quicklead.tools. We take all reports seriously and will respond as quickly as possible.