Privacy Policy

1. Introduction

OutreachAll ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered email campaign platform. Our services are operated from the European Union, and we are committed to compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Information We Collect

2.1 Account Information

When you create an account via Google OAuth, we collect:

• Name and email address
• Profile picture (if provided through Google)
• Account preferences and settings

2.2 Profile Information

You may optionally provide additional profile information, including:

• Job title and company name
• Email signature (HTML)
• Sender email address for campaigns

2.3 Campaign Recipient Data

When you create a campaign, we fetch contact information from third-party data providers based on your targeting criteria. This data includes:

• Recipient name, job title, and company information
• Business email address
• Company industry, size, and location

This data is stored in our database for the duration of the campaign and a retention period of 90 days after campaign completion, after which it is permanently deleted. Each campaign fetches contacts independently — we do not maintain a persistent contact database or reuse contacts across campaigns.

2.4 Email Content

We store email content (subject lines and body text) that you create or generate using our AI tools. Email body content is automatically deleted 180 days after sending. Delivery metadata (status, timestamps) is retained for the lifetime of your account.

2.5 Usage Data

We collect product usage analytics (page views, feature usage, campaign funnel steps) via PostHog. This tracking is subject to your cookie consent — you may decline all analytics tracking via our cookie banner. We do not track campaign content, recipient data, or email content in analytics.

When analytics are enabled, we associate usage data with your internal user ID and email address to provide product insights. No analytics data is collected if you decline cookies.

2.6 Payment Information

Payments are processed by Stripe. Charges will appear on your bank statement as "KEETCODE". We do not store credit card numbers or payment method details. We retain transaction records (amount, date, plan, invoice links) as required by tax and accounting regulations.

3. How We Use Your Information

We use the collected information to:

• Provide, maintain, and improve our services
• Process and send your email campaigns
• Generate AI-powered personalized email content
• Analyze campaign performance and provide delivery analytics
• Process payments and maintain billing records
• Prevent abuse, including automatic campaign suspension for high bounce or spam complaint rates
• Communicate with you about your account and service updates

4. AI Content Generation

To generate personalized email content, we send the following data to OpenAI's API:

• Recipient name, job title, company name, and industry
• Sender name and company name
• Your product description and custom instructions

Email addresses are never sent to AI providers. AI usage is logged for billing and cost tracking purposes only (model used, token count, estimated cost). Prompt content is not stored in usage logs.

OpenAI processes this data under their API data usage policy, which states that API inputs and outputs are not used to train their models.

5. Data Sharing and Third-Party Providers

We share data with the following categories of service providers, solely for the purposes described in this policy:

• Third-party data providers — contact data for recipient discovery
• OpenAI — AI content generation (recipient business data only, no email addresses)
• Resend — email delivery service (sends emails from our managed domain)
• Stripe — payment processing
• PostHog — product analytics (subject to your cookie consent)
• Supabase — authentication provider (Google OAuth)
• Railway — infrastructure hosting (EU region)

We do not sell your personal information to third parties. We may disclose information if required by law or to protect our legal rights.

6. Data Storage and Security

All data is hosted in the European Union via Railway.app. We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS) and at rest
• Authentication via Google OAuth (we do not store passwords)
• Access controls and role-based permissions
• Regular database backups within the EU

7. Data Retention

We apply the following retention periods:

• Account data: Retained while your account is active
• Campaign recipient data: Deleted 90 days after campaign completion
• Email body content: Deleted 180 days after sending
• Email delivery metadata: Retained for the lifetime of your account
• AI usage logs: Billing metrics only (token counts, costs), retained for the lifetime of your account
• Payment transactions: Retained as required by tax law, even after account deletion
• Unsubscribe list: Email addresses of recipients who unsubscribed are maintained indefinitely to prevent future contact (legal requirement under CAN-SPAM and GDPR)

8. Account Deletion

You can delete your account at any time from your account settings. Upon deletion:

• Your account enters a 30-day grace period during which you can restore it by logging in
• After 30 days, all data is permanently and irreversibly deleted, including: your profile, campaigns, contacts, email content, saved prompts, AI usage logs, and billing records
• Payment transaction records may be retained beyond this period as required by tax regulations
• Unsubscribe records are retained to honor recipient opt-out requests

9. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate personal information
• Erasure — request deletion of your data (via account deletion or by contacting us)
• Restrict processing — request that we limit how we use your data
• Data portability — receive your data in a structured, machine-readable format
• Object — object to processing of your data for specific purposes
• Withdraw consent — withdraw consent at any time (e.g., disable analytics via cookie settings)

To exercise any of these rights, contact us at the email address below.

10. Cookies and Tracking

We use the following types of cookies:

• Essential cookies: Required for authentication and core functionality. These cannot be disabled.
• Analytics cookies: Used by PostHog for product usage analytics. These are only enabled if you accept cookies via our consent banner.

You can change your cookie preferences at any time. Declining analytics cookies fully disables all product usage tracking.

11. Email Recipient Rights

Recipients of emails sent through our platform can:

• Unsubscribe from future communications via the unsubscribe link included in every email
• Unsubscribed recipients are added to a global suppression list and will not be contacted by any future campaign from the same account

Campaigns are automatically paused if they exceed a 2% bounce rate or 0.08% spam complaint rate to protect both recipients and senders.

12. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.