This Privacy Policy explains how Leniventus LLC (“Company”, “we”, “our”) collects, uses, stores, and protects personal data in connection with the First Impression Manager service (the “Service”).
We act as a data controller for visitors of our marketing site (firstimpressionmanager.com) and platform admins, and as a data processor for end-users who chat with the First Impression Manager widget embedded on our customers’ sites. In the data-processor role, our customer is the data controller — they choose the prompts, the lead-capture questions, and the retention period.
1. Who we are
Leniventus LLC
16192 Coastal Highway
Lewes, DE 19958, USA
Email: hello@firstimpressionmanager.com
2. Information we collect
From visitors on customer sites (end-users)
- Chat messages. The full text of conversations with the widget, including any personal data the visitor types in.
- Lead information. When the widget captures a lead, the fields submitted (typically name, email, phone, and a free-form question).
- Technical metadata. Timestamps, conversation IDs, and aggregate token counts for the LLM call. No IP addresses are stored long-term in the database.
From admins of customer organizations
- Authentication records. Email address, hashed password (bcrypt cost 12), session tokens, and magic-link verification tokens.
- Activity logs. Login times, configuration changes, and other state-changing actions in the admin UI.
From marketing-site visitors
- A/B test assignment. A first-party cookie fim-variant assigning each visitor to the optimist or cynic landing variant. Stored 90 days.
- Cookie consent state. A first-party cookie recording whether the visitor accepted, rejected, or customized cookies. See our Cookie Policy.
- Trial onboarding form data. Email + website URL submitted during the /try flow.
3. How we use this information
- Provide the Service. Display the chat widget, generate replies via large language models, capture leads, send notification emails, render admin transcripts.
- Improve the Service. Aggregate, de-identified analytics on widget performance, A/B test conversion, and prompt quality. We never train our own machine-learning models on customer chat data.
- Communicate with you. Account-related emails (login links, billing receipts, security alerts). We do not send marketing emails without explicit opt-in.
- Comply with legal obligations. Tax records, accounting, response to lawful requests.
4. Legal basis (GDPR)
- Contract performance (Art. 6(1)(b)) — providing the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — securing the Service, fraud prevention, aggregate analytics.
- Consent (Art. 6(1)(a)) — non-essential cookies, marketing communications, and (where required) A/B test assignment.
- Legal obligation (Art. 6(1)(c)) — tax + accounting records.
5. Sub-processors
We rely on a small set of vendors to deliver the Service. Each is bound by a Data Processing Agreement (DPA) consistent with GDPR Art. 28 where applicable.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel Inc. | Application hosting, CDN | US (data) / global edge |
| Neon Inc. | Postgres database (chats, leads, admin records) | EU (Frankfurt) |
| Anthropic PBC | LLM (chat assistant + analysis) | US |
| OpenAI, L.L.C. | Text embeddings (knowledge retrieval) | US |
| Resend, Inc. | Transactional email (login links, lead notifications) | EU (Frankfurt) |
| Stripe, Inc. | Payment processing | US / EU |
Anthropic and OpenAI process LLM prompts under their respective enterprise terms; by default, prompts and completions are not used for model training. Cross-border transfers from the EU to the US rely on Standard Contractual Clauses where applicable.
6. Data retention
Per-tenant retention defaults to 365 days for chats and leads; medical-vertical tenants may opt for 30 days. Tenant admins can override this in their settings. After the retention window expires, conversations and lead records are purged. Audit log entries are retained for as long as the tenant exists, then deleted on tenant deletion.
Authentication session tokens expire after 30 days of inactivity. Verification tokens (magic links) expire 24 hours after issuance.
7. Your rights
Subject to applicable law (GDPR for EU/UK residents, CCPA for California residents, similar rights elsewhere), you may:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data (subject to legal retention obligations).
- Object to processing based on legitimate interests.
- Port your data to another controller in a structured, machine-readable format.
- Withdraw consent at any time for processing based on consent (e.g. cookies).
To exercise any of these rights, email hello@firstimpressionmanager.com. We respond within 30 days. If you are an end-user of a customer site, your request is typically routed to that customer (the data controller for chat data); we will inform you and assist them in fulfilling it.
8. International transfers
Personal data may be transferred to and processed in countries outside your country of residence — primarily the EU (Frankfurt for our database) and the US (for LLM processing). Where transfers occur from the EU/UK to a third country without an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses.
9. Security
We protect data in transit (TLS 1.2+) and at rest (Postgres with Neon-managed encryption). Passwords are bcrypt-hashed (cost 12). Access to production systems is restricted to authorized personnel. We do not guarantee any system is impenetrable — if a breach affects your data, we will notify you and the appropriate supervisory authority within the timelines required by law (e.g. 72 hours under GDPR).
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, email hello@firstimpressionmanager.com and we will delete it.
11. Cookies
See our separate Cookie Policy for the full inventory of cookies we set and how to manage them.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email to account admins and posted on this page with an updated “Last updated” date.
13. Contact
For privacy questions or data-subject requests, email hello@firstimpressionmanager.com, or write to us at the address on the Contact page.