Privacy Policy
Effective Date: March 26, 2026
1. Data Orchestration & Email Validation
GeoLayer.io provides B2B business intelligence sourced from public business registries, Google Maps listings, and manual research. Email addresses are MX-validated — we confirm the receiving domain is configured to accept mail — before they are returned. MX validation is not a guarantee that any individual mailbox is active or that a message will be delivered, and we do not claim a specific deliverability percentage. Where a third-party verification provider is configured, individual addresses may additionally be checked and flagged.
2. Strict No-Refund Policy
Due to the immediate costs associated with real-time data extraction and third-party API orchestration, GeoLayer.io operates a strict no-refund policy.
- ✕ No refunds for unused lead credits.
- ✕ No pro-rated refunds for mid-cycle cancellations.
- ✓ Full access remains until the end of your billing period.
3. Acceptable Use & Anti-Spam (CAN-SPAM)
By using GeoLayer.io, you represent and warrant that your use of our data will comply with all applicable laws, including the CAN-SPAM Act of 2003. Users are strictly required to:
- Include a valid physical postal address in all outreach.
- Provide a clear, functioning "Unsubscribe" mechanism.
- Ensure subject lines are not misleading or deceptive.
GeoLayer.io reserves the right to terminate accounts found to be in violation of global anti-spam regulations without notice or refund.
4. Third-Party Data Sources
Our "Market Opportunity" insights and "Agency Gaps" are calculated using a blend of live Google Maps data and industry benchmarks (e.g., 12.2% CAGR for home services). While we strive for 100% accuracy, GeoLayer.io is not liable for discrepancies in third-party business listings or for business closures.
5. Integrations & Data Sharing With Third Parties
When you connect a third-party integration (e.g., Zapier, an outbound webhook, or a downstream tool via our public API), GeoLayer.io transmits lead data on your explicit instruction to the service you have authorized. You remain the data controller for those leads; we act as a data processor in the technical sense of the term.
What is shared: only the fields you ask the integration to receive — typically first_name, last_name, email, phone, company_name, title, website, address, city, state, and a GeoLayer internal ID for deduplication.
OAuth tokens: for OAuth-based integrations, access and refresh tokens are stored encrypted at rest using AES-256-GCM. They are used solely to push leads on your instruction and to maintain the integration's session. You can revoke at any time from the Integrations tab of your dashboard or by uninstalling the GeoLayer app from your third-party account.
Webhooks: if you configure an outbound webhook, GeoLayer.io will deliver task-completion notifications to the URL you provide, signed with HMAC-SHA256 using your account secret. You are responsible for the security and processing of data on the receiving endpoint.
Sub-processors used to operate the service: Neon (Postgres database), Netlify (hosting + compute), Resend (transactional email), Stripe (payments), Anthropic (in-product chatbot — messages only, no lead data), and Sentry (error monitoring). Customer data flows to these sub-processors only where necessary to operate the service. A current sub-processor list is available on request: admin@geolayer.io.
Data Removal (Opt-Out)
To request the removal of a professional business profile from our orchestration layer:
contact@geolayer.io