Security overview
Last updated: May 28, 2026
LeadPilot is built around two principles: least-privilege access to your Thumbtack account, and your explicit approval before anything is sent. Here is exactly how we handle your data and your connection.
How we connect to Thumbtack
OAuth only — no passwords
You authorize LeadPilot on Thumbtack directly through the official Partner API. We never see, receive, or store your Thumbtack password. The connection is an OAuth grant that you control and can revoke at any time.
Least-privilege scopes
We request only the scopes the product needs: reading your leads and messages, and sending replies you approve. We do not request access to anything unrelated to responding to your leads.
Encrypted tokens
OAuth access and refresh tokens are encrypted at rest and used only to perform actions you've authorized. They are never exposed to other customers or third parties.
How we handle sending
Drafts and lead scores are suggestions generated from the lead context you authorize. You can edit, approve, or skip any draft. Follow-up reminders prompt you to act — they don't message customers on their own.
Data protection
- In transit: all traffic is served over HTTPS/TLS.
- At rest: your data and tokens are encrypted in our database.
- Access control: internal access follows least-privilege and is limited to what's needed to operate and support the service.
- No selling: we never sell your data or your customers' data, and we don't use it for advertising.
Service providers
We use a small set of trusted vendors — cloud hosting and database, an AI model provider for drafting and scoring, a payment processor, and a messaging/email provider for reminders. Each is bound by contract to handle data only as needed to provide their service. See our Privacy Policy for the current list.
Your controls
- Disconnect anytime: revoking access in LeadPilot (or on Thumbtack) immediately ends our access.
- Export: request a copy of your data.
- Deletion: we delete or anonymize your lead and message data within 30 days of account closure, except where retention is legally required.
Responsible disclosure
If you believe you've found a security vulnerability, please email security@leadpilot.work. We appreciate responsible disclosure and will work with you to confirm and fix valid issues quickly. Please don't access other users' data or disrupt the service while testing.
Contact
Security questions? Email security@leadpilot.work or visit our contact page.