1. Information We Collect
Account Information: When you create an account, we collect your name, email address, company name, phone number, and territory preferences (zip codes, cities, state).
Business Contact Data: You import or create business contact records (names, titles, phone numbers, emails, company information) for your sales outreach purposes. This is business-to-business (B2B) data that you provide.
Usage Data: We collect information about how you use the service, including pages visited, features used, call/email activity logs, IP addresses, and browser type.
Payment Information: If you purchase credits, payment processing is handled by Stripe. We do not store your credit card numbers.
API Credentials: If you provide third-party API keys (OpenAI, ZoomInfo, LinkedIn, etc.), they are stored in encrypted form using AES-256 symmetric encryption.
2. Categories of Personal Information (CCPA Disclosure)
Under the California Consumer Privacy Act and similar state laws, we collect the following categories of personal information:
- Identifiers: Name, email address, phone number, IP address, account username
- Commercial Information: Purchase history (credit purchases), products/services considered
- Internet Activity: Browsing history within the Service, search queries, interaction data
- Professional Information: Company name, job title, territory, business contact data you upload
- Geolocation: Approximate location derived from IP address
We do not collect: Social Security numbers, driver's license numbers, financial account numbers, precise geolocation, biometric data, protected classification characteristics, or sensory data.
3. How We Use Your Information
- To provide and maintain the CRM service
- To generate AI-powered sales emails and recommendations
- To process billing and credit purchases
- To improve the service and fix bugs
- To communicate service updates and important notices
- To detect and prevent fraud, abuse, or security incidents
- To comply with legal obligations
4. Data Sharing and Third-Party Processors
We do not sell, rent, or share your personal information with third parties for their marketing purposes. We share data only with:
- OpenAI: Contact and company data is sent to OpenAI's API (servers in the United States) to generate personalized email content. OpenAI's data usage policy applies. Data sent includes: contact names, titles, company names, industry information, and company descriptions. OpenAI does not use API data to train its models.
- Stripe: Payment information is processed by Stripe (PCI-DSS compliant) under its privacy policy. We receive only a transaction ID and confirmation.
- Email Providers: If you connect Outlook or Gmail, emails are sent through your connected account using OAuth tokens. We do not access your inbox.
- Legal Requirements: We may disclose data if required by law, subpoena, or court order, or to protect our rights, safety, or property.
International Data Transfers: Your data is processed and stored in the United States. When data is sent to OpenAI's API, it is processed on servers located in the United States. By using the Service, you consent to your data being transferred to and processed in the United States.
5. Data Security
We implement industry-standard security measures including:
- Encrypted data transmission (HTTPS/TLS)
- Encrypted storage of API keys and sensitive credentials (AES-256 Fernet)
- Hashed passwords (PBKDF2 with salt)
- Rate limiting to prevent brute-force attacks
- CSRF protection on all forms
- Content Security Policy headers
- Regular automated database backups
- User data isolation (multi-tenant architecture)
6. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Notify affected users via email within 72 hours of discovering the breach
- Notify applicable state attorneys general as required by state breach notification laws
- Provide details about: the nature of the breach, categories of data affected, approximate number of individuals affected, and steps being taken to address the breach
- Offer guidance on steps you can take to protect yourself
This notification procedure complies with breach notification laws in all 50 U.S. states, including California (Cal. Civ. Code 1798.82), New York (General Business Law 899-aa), Texas (Bus. & Com. Code 521.053), and other state requirements.
7. Data Retention
Your data is retained as long as your account is active. Upon account deletion:
- All personal data, contacts, companies, emails, and activity logs are permanently deleted within 30 days
- Backup copies are purged within 60 days
- We may retain anonymized, aggregated data (not personally identifiable) for analytics
- We retain billing transaction records for 7 years as required by tax law
8. Your Rights
Regardless of your state of residence, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and all associated data
- Portability: Export your data in CSV format at any time via the Export feature
- Opt-Out: Opt out of non-essential communications
- Non-Discrimination: We will not discriminate against you for exercising any of these rights
To exercise these rights, contact us at the email address below. We will respond within 45 days (or 30 days for California residents).
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by CPRA):
- Right to know what personal information we collect, use, disclose, and sell
- Right to delete your personal information
- Right to opt out of the sale or sharing of personal information — we do not sell or share personal information
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information — we only use it to provide the Service
You may designate an authorized agent to make a request on your behalf. We may require verification of your identity before fulfilling requests.
10. Additional State Privacy Rights
Residents of the following states have additional privacy rights under their respective state privacy laws:
- Virginia (VCDPA): Right to access, correct, delete, obtain a copy, and opt out of targeted advertising and sale of personal data.
- Colorado (CPA): Right to opt out of targeted advertising, sale of personal data, and profiling. Right to access, correct, delete, and obtain portable data.
- Connecticut (CTDPA): Right to access, correct, delete, obtain portable data, and opt out of sale, targeted advertising, and profiling.
- Utah (UCPA): Right to access, delete, and obtain portable data. Right to opt out of sale and targeted advertising.
- Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Kentucky, Rhode Island: Similar rights to access, correct, delete, and opt out as applicable under each state's data privacy law.
We honor all applicable state privacy rights. To exercise your rights, contact us using the information below.
11. CAN-SPAM Compliance
Our service is designed to help you send compliant business outreach emails. You are responsible for ensuring your use of the platform complies with CAN-SPAM requirements, including:
- Including a clear unsubscribe mechanism in all commercial emails
- Including your physical business address in all emails
- Honoring unsubscribe/opt-out requests within 10 business days
- Using honest and non-deceptive subject lines
- Clearly identifying the message as an advertisement where applicable
12. TCPA Compliance
The call planning features are tools to organize your outreach. You are responsible for compliance with the Telephone Consumer Protection Act, Telemarketing Sales Rule, and applicable state Do Not Call regulations when making calls. This includes:
- Checking the Federal Do Not Call Registry before calling
- Maintaining your own internal Do Not Call list
- Honoring do-not-call requests immediately
- Calling only during permitted hours (8 AM to 9 PM in the recipient's time zone)
- Complying with any additional state telemarketing restrictions
13. Children's Privacy
The Service is intended for business use by individuals 18 years of age or older. We do not knowingly collect personal information from children under 13 (or under 16 in states where applicable). If we discover that we have collected data from a child, we will promptly delete it. If you believe a child has provided us personal information, please contact us immediately.
14. Do Not Track Signals
Our Service does not currently respond to "Do Not Track" browser signals, as there is no industry standard for compliance. However, we do not track users across third-party websites.
15. Cookies and Tracking
We use essential session cookies to maintain your login state. We do not use third-party advertising or analytics cookies. The session cookie is:
- HttpOnly (not accessible via JavaScript)
- SameSite=Lax (prevents cross-site request attacks)
- Secure (HTTPS only in production)
16. Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes via email or in-app notification at least 30 days before the changes take effect. Continued use of the Service after changes constitutes acceptance.
17. Contact
For privacy questions, data access/deletion requests, or complaints, contact:
Email: privacy@YOUR_DOMAIN.com
We will acknowledge your request within 10 business days and provide a substantive response within 45 days (30 days for California residents).