Privacy Policy
This Privacy Policy explains what personal data we process, why we process it, how long we keep it, which subprocessors we rely on, and how data subject rights can be exercised.
Effective Date: February 11, 2026 | Version: 2026-02-11
1. Scope and Roles (GDPR Baseline)
This Policy applies to personal data processed when you create an account, connect providers, configure campaigns, and use this service.
For account administration, billing, security, and product operations, we generally act as an independent controller.
For contact lists, invitation recipient data, and campaign content that you upload or manage, we generally act as a processor on your behalf, and you act as controller (or processor with onward authority).
Our Data Processing Addendum sets out the controller-processor terms for business customers.
2. Categories of Data We Process
- User identity and workspace data: name, login email, workspace and role metadata, authentication identifiers, and account preferences.
- Linked provider data: connected Google account identifiers, OAuth authorization metadata, and integration status information.
- Contact and recipient data: contact emails, optional contact names, suppression/opt-out related state, and delivery outcome metadata.
- Campaign and event metadata: event title, description, location URL, timezone, schedule windows, selected sending accounts, and campaign status.
- Operational, security, and audit data: IP addresses, user agent strings, request logs, compliance attestation records, and anti-abuse signals.
- Commercial data (if applicable): plan tier, billing status, invoice references, and payment processor references.
3. Purposes and Legal Bases
- Contract performance: to provide authentication, account access, campaign execution, invitation delivery through connected providers, and customer support.
- Legitimate interests: to secure the platform, detect abuse, prevent fraud, monitor reliability, improve product performance, and enforce our Terms and Acceptable Use Policy.
- Legal obligations: to maintain required records, respond to lawful requests, and comply with applicable law, regulation, or court orders.
- Consent (where required): for optional communications or processing activities that legally require consent; you can withdraw consent where applicable.
4. Retention Periods
- Account profile and workspace records: retained while your account is active and for up to 24 months after closure, unless a longer retention period is legally required.
- Connected provider metadata and tokens: retained while an integration remains connected and removed within 30 days after disconnect, account deletion, or justified security revocation workflows.
- Contact lists, campaign data, and event metadata: retained until deleted by the customer or for up to 24 months after workspace closure for recovery, audit, and legal defensibility.
- Operational and security logs: typically retained for 90 days; selected audit or incident records may be retained for up to 24 months.
- Billing and financial records: retained for up to 7 years where required by accounting, tax, or legal obligations.
5. Subprocessors and Service Providers
We use service providers (subprocessors where applicable) to operate the platform. Current categories include infrastructure hosting, authentication/storage, provider integrations, and billing.
- Hosting and edge infrastructure: Vercel (application hosting, CDN, deployment infrastructure).
- Application data platform: Supabase (database, auth/session infrastructure, and related storage/operational services).
- Provider integrations and delivery rails: Google (Google Workspace / Calendar APIs used for linked account operations and invitation workflows).
- Payments: Stripe (subscription and payment processing for paid plans).
- Analytics and observability: first-party service logs and security telemetry; when third-party analytics tools are enabled, they are covered by this Policy and corresponding contractual controls.
6. International Transfers and Safeguards
Data may be processed in countries other than your own. Where required, we apply appropriate safeguards for cross-border transfers, such as contractual commitments and approved transfer mechanisms.
7. Data Subject Rights and Contact
Depending on applicable law, you may have rights to access, correct, delete, restrict, object to, or port personal data, and to lodge a complaint with a supervisory authority.
For customer-controlled data, we support controllers in fulfilling data subject requests as required by the Data Processing Addendum.
You can submit privacy and data rights requests through your account support channels or your contractual notice channel (including your assigned account manager for B2B customers).
8. Policy Updates
We may update this Privacy Policy from time to time. Updates are effective when posted unless a later effective date is stated.