Privacy Policy
Summary: LOLA collects lead data on behalf of businesses (tenants) that use our platform. We do not sell your data. You can request deletion at any time via our data deletion page.
1. Who We Are
LOLA ("the Service") is a lead management SaaS platform operated by OXO Digital Ltd ("OXO", "we", "us", "our"), a company registered in Mauritius.
Contact: dpo@oxo.mu
2. Scope of This Policy
This Privacy Policy explains how LOLA collects, uses, stores, and protects personal data when:
- A lead submits information via a LOLA web form or landing page;
- A lead responds to an ad with a Meta Lead Ad or Google Lead Form connected to LOLA;
- A user accesses the LOLA platform as an employee or agent of a tenant organization.
3. Data We Collect
3.1 Lead Data (collected on behalf of tenants)
When you submit a lead form — whether on a website, through a Meta Lead Ad, or a Google Lead Form — we may collect:
- Full name (first name, last name)
- Email address
- Phone number
- Any custom fields defined by the tenant (e.g., project type, budget, location, message)
- Submission timestamp and source (form name, campaign name)
3.2 Platform User Data
For users who log in to LOLA as members of a tenant workspace:
- Name and email address
- Activity logs (actions performed within the platform)
- Authentication tokens (stored encrypted)
3.3 Technical Data
- IP address and browser information (server logs)
- Webhook metadata from connected ad platforms (Meta, Google)
4. How We Use Your Data
We use collected data exclusively to:
- Route and display lead submissions to the appropriate tenant;
- Deduplicate contacts and match leads to existing records;
- Send notifications to tenant users about new leads;
- Provide the LOLA CRM features (pipeline, deal tracking, assignment);
- Maintain platform security, integrity, and audit logs.
We do not use personal data for advertising, profiling, or any purpose beyond the service delivery described above.
5. Legal Basis for Processing
We process personal data under the following legal bases (under GDPR and applicable Mauritian data protection law):
- Consent: when leads voluntarily submit a form;
- Legitimate interests: for platform security and fraud prevention;
- Contract: for processing data on behalf of tenants under a data processing agreement.
6. Data Storage & Security
- Database: PostgreSQL hosted on Laravel Cloud (EU/US infrastructure). Data is isolated per tenant using row-level security.
- Encryption: OAuth tokens and sensitive credentials are encrypted using envelope encryption (per-tenant encryption keys). Data in transit is protected by TLS 1.2+.
- Attachments: Files are stored with access-controlled signed URLs (5-minute expiry). No public access to raw attachment URLs.
- Backups: Automated daily backups with point-in-time recovery.
7. Data Retention
Lead and contact data is retained for 24 months from the date of last activity, unless:
- The tenant requests earlier deletion;
- You submit a data deletion request (see Section 9);
- Applicable law requires a different retention period.
8. Data Sharing
We do not sell, rent, or share your personal data with third parties for commercial purposes.
Data may be shared with:
- Tenant organizations: the business that owns the LOLA workspace to which your lead was submitted;
- OXO group entities: solely for internal service delivery;
- Infrastructure providers: Laravel Cloud (hosting), Cloudflare (CDN/DNS) — under data processing agreements;
- Law enforcement: only when required by applicable law.
9. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate data;
- Request deletion of your data;
- Object to or restrict processing;
- Receive a copy of your data in a portable format.
To exercise any of these rights, visit our Data Deletion & Rights page or contact us at dpo@oxo.mu.
10. Meta Lead Ads
LOLA integrates with the Meta Lead Ads platform (Facebook/Instagram). When you submit a Meta Lead Ad:
- Meta shares your submitted information with the advertiser (tenant) via the Meta Lead Ads API;
- LOLA receives this data via a secure webhook and stores it within the tenant's workspace;
- Meta's own Privacy Policy governs how Meta processes your data on their platform.
11. Cookies
The LOLA web application uses only essential session cookies for authenticated users. No advertising or tracking cookies are used. Public-facing lead forms may use a CSRF token cookie for security.
12. Changes to This Policy
We may update this policy periodically. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
For privacy-related questions or to exercise your rights:
- Email: dpo@oxo.mu
- Data Protection Officer: Jean Marc Santucci, OXO Digital Ltd, Mauritius
- Data deletion requests: hilola.app/data-deletion