Privacy Policy

Account Information

When you create an account, we collect your name, email address, and password (stored as a secure hash). If you sign in with Google, we receive your name, email, and profile picture from Google.

Business Profile Data

During onboarding, you provide information about your business including product description, target audience (job titles, industries, company sizes, geography), outreach tone preferences, and scheduling links.

LinkedIn Data

When you connect your LinkedIn account, we access your LinkedIn profile information and messaging data through our integration partner (Unipile). This includes conversation messages, contact names, job titles, company information, and profile URLs.

Google Calendar Data

If you connect Google Calendar, we access your calendar events solely to detect meeting bookings with prospects and update lead status accordingly.

Usage Data

We collect information about how you use the Service, including pages visited, features used, campaign performance metrics, and error logs.

• AI Processing: We send your business profile and conversation data to Anthropic’s Claude AI to generate lead scores, outreach sequences, reply classifications, and suggested responses.
• Campaign Execution: We use your LinkedIn connection to send outreach messages on your behalf according to the sequences and schedules you configure.
• Email Notifications: We send you notifications about replies, meetings, and campaign performance via email through Resend.
• Service Improvement: We use aggregated, anonymized data to improve our AI models and platform features.

We share data with the following third-party services to operate the platform:

• Anthropic (Claude AI): Receives conversation content and business profiles for AI analysis. Anthropic does not use your data to train their models. See Anthropic’s Privacy Policy.
• Unipile: Provides LinkedIn messaging integration. Processes LinkedIn messages and profile data.
• Google: OAuth authentication and Calendar API integration. See Google’s Privacy Policy.
• Resend: Delivers transactional and notification emails on our behalf.
• Stripe: Processes payments and manages subscriptions. Stripe receives your payment information directly; we do not store credit card numbers. See Stripe’s Privacy Policy.
• Vercel: Hosts the application. May process server logs containing IP addresses and request metadata.
• Sentry: Error monitoring service that receives error reports and performance data.

We retain your account data for as long as your account is active. After account deletion, we retain your data for 30 days to allow for recovery, after which it is permanently deleted. Aggregated, anonymized analytics data may be retained indefinitely. Backup copies are purged within 90 days of deletion.

You have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your account and associated data. Contact us at the address below.
• Data Export: Request an export of your data in a machine-readable format.
• Opt-Out: Unsubscribe from notification emails at any time via the unsubscribe link or your notification preferences.

We use the following cookies:

• Session Cookie (next-auth.session-token): Essential for authentication. Expires when you sign out or after the session duration.
• CSRF Token (next-auth.csrf-token): Essential for security. Prevents cross-site request forgery attacks.

We do not use advertising or tracking cookies. If we add analytics cookies in the future, we will update this policy and request your consent where required.

We implement industry-standard security measures including encryption in transit (TLS/HTTPS), encryption at rest for sensitive data (AES-256-GCM), secure password hashing (bcrypt), CSRF protection, and Content Security Policy headers. Access to production systems is restricted and monitored.

If you are located in the European Economic Area (EEA), you have additional rights under GDPR:

• Legal Basis: We process your data based on contractual necessity (to provide the Service) and legitimate interest (to improve the Service and prevent abuse).
• Data Transfer: Your data is processed in the United States. We rely on standard contractual clauses for international transfers.
• DPA: Enterprise customers may request a Data Processing Agreement.
• Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used.
• Request deletion of your personal information.
• Opt out of the sale of personal information. We do not sell your personal information.
• Non-discrimination for exercising your privacy rights.

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

For privacy-related questions or to exercise your data rights, contact us at: support@outboundeasy.io