Privacy

Privacy Policy

Last updated April 23, 2026 Version 1.0 California, USA

This Privacy Policy explains how PLATFORM GLOBAL LLC, a California limited liability company with its principal place of business at Silicon Valley Center, 2570 N. First Street, 2nd Floor, San Jose, CA 95131, United States (EIN 38-4027473) (“Outpulse”, “we”, “our”, or “us”), collects, uses, discloses, and protects personal data in connection with the Outpulse service (the “Service”). It applies to customers of the Service, prospective customers who visit our website, and end users whose personal data is processed through the Service.

01Our roles

Depending on the context, we act either as a controller or as a processor under the EU and UK General Data Protection Regulation (“GDPR”):

We are the controller of personal data we collect directly from you when you visit our website, create an account, subscribe to a plan, or contact support.
We act as a processor of personal data that you (our customer) import into, or instruct us to obtain for, the Service — for example prospect contact details, email drafts, reply content, and analytics from your outreach campaigns. In those cases you are the controller and our processing is governed by our Data Processing Addendum (“DPA”).

02Data we collect

Account data

When you sign up, we collect your name, business email address, company name, and hashed credentials. If you sign in with Google or Microsoft, we receive your verified email and basic profile details from those providers. We store the last sign-in time and IP address for security.

Company & campaign data

During onboarding, you provide information about your company (website URL, one-liner, buyer persona, tone of voice). We also fetch and analyse the contents of your public website to pre-fill fields and to help our AI generate more relevant outreach. You can edit or remove this information from your settings at any time.

Prospect data

The Service allows you to build lists of prospects for your campaigns. Prospect records typically include business contact information — name, job title, company, business email address, LinkedIn URL, and firmographic or enrichment attributes — obtained from our data partner Apollo.io or imported by you. We do not knowingly collect special-category data (for example health, political, religious, or biometric data) as prospect information.

Mailbox & campaign content

When you connect a sending mailbox (Gmail, Microsoft 365, or a custom SMTP/IMAP server), we access only the scopes necessary to send on your behalf and to detect replies. We store the emails we send through the Service, any replies routed back, and associated metadata (opens, clicks, bounces, unsubscribes) for analytics and reply detection. We do not read unrelated messages in your inbox.

Payment data

Payments are processed by Stripe, Inc. We do not receive or store full payment-card numbers. Stripe provides us with the last four digits, card brand, and an opaque customer token that we use to manage your subscription.

Device & usage data

We collect standard web-server logs (IP address, user agent, referrer, pages viewed, timestamps) and product-analytics events (features used, error reports). We use minimal cookies — see Section 09 Cookies & tracking.

03How we use personal data

We process personal data for the purposes below, each associated with a GDPR legal basis:

Providing the Service — to create and maintain your account, authenticate sessions, generate AI drafts, send emails on your behalf, detect replies, and display analytics. Basis: performance of a contract (Art. 6(1)(b)).
Billing — to process subscriptions, invoices, refunds, and tax compliance. Basis: performance of a contract and legal obligations (Art. 6(1)(b), (c)).
Product analytics & improvement — to understand how features are used and to fix issues. Basis: our legitimate interest in improving the Service (Art. 6(1)(f)), balanced against your rights.
Security & fraud prevention — to detect, investigate, and prevent abuse, unauthorised access, or policy violations. Basis: legitimate interest and legal obligations.
Customer support — to respond to your questions, bug reports, and feedback. Basis: performance of a contract and legitimate interest.
Marketing communications — to send you product updates, tips, or occasional offers. Basis: legitimate interest for existing customers; consent (Art. 6(1)(a)) where required. You can opt out at any time via the unsubscribe link.
Legal & compliance — to comply with applicable laws, respond to lawful requests, and enforce our terms. Basis: legal obligation and legitimate interest.

04AI processing

Our AI features draft email copy, classify replies, and make recommendations. To do this, we send relevant portions of your company information, prospect attributes, and prior email exchanges to our AI sub-processor (currently Anthropic, PBC). These calls are transmitted over TLS, and content is not used to train generally available foundation models. You can review, edit, or reject AI-generated content before it is sent to any recipient.

You are responsible for reviewing AI-generated output for accuracy, tone, and compliance with applicable law before it is transmitted to any prospect.

05Sharing & sub-processors

We share personal data only with the sub-processors listed below, with recipients of the emails you send through the Service, and where required by law. We do not sell personal data.

Sub-processor	Purpose	Region
Supabase, Inc.	Authentication, database, file storage	United States / EU
Anthropic, PBC	AI model inference (drafting, classification)	United States
Apollo.io	Prospect discovery & enrichment	United States
Google LLC	Mailbox API (Gmail, Workspace)	United States / global
Microsoft Corporation	Mailbox API (Microsoft 365, Outlook)	United States / global
Stripe, Inc.	Payment processing	United States / Ireland
Vercel, Inc.	Application hosting, edge delivery	United States / global edge
Cloudflare, Inc.	Content delivery, DDoS protection	Global edge
PostHog, Inc.	Product analytics	United States / EU
Sentry (Functional Software, Inc.)	Error monitoring	United States

We select sub-processors for their security and privacy posture, put written data-processing terms in place with each, and review them periodically. We will notify you via email or in-app at least thirty (30) days before adding a new sub-processor that materially changes how we handle your data, and you may object on reasonable grounds.

06International transfers

Because we and our sub-processors operate internationally, personal data may be transferred to and processed in countries outside your country of residence, including the United States. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed adequate, we rely on the European Commission’s Standard Contractual Clauses (2021/914/EU), the UK International Data Transfer Addendum, and supplementary safeguards as appropriate.

07Data retention

We retain personal data only for as long as it is necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

Account data — for as long as your account is active, plus up to twelve (12) months after closure for archival, legal, and tax purposes.
Campaign & prospect data — for the duration of your subscription; you can delete specific records or entire workspaces at any time. After account closure, we permanently delete or anonymise this data within ninety (90) days, except where retention is legally required.
Invoice & tax records — retained for the period required by applicable tax law (typically seven (7) years in the US, ten (10) years in several EU member states).
Server logs — retained for up to ninety (90) days for security and debugging.

08Your rights

Subject to applicable law, you have the right to:

Access — receive a copy of the personal data we hold about you;
Rectify — correct inaccurate or incomplete data;
Erase — request deletion (“right to be forgotten”), subject to legal exceptions;
Restrict — request that we pause processing in certain circumstances;
Object — object to processing based on legitimate interests, including direct marketing;
Portability — receive your data in a structured, machine-readable format;
Withdraw consent — where processing is based on consent, withdraw it at any time;
Lodge a complaint — with your local data-protection authority; in the EU this may be your national supervisory authority.

California residents have additional rights under the CCPA/CPRA, including the right to know the categories of personal information collected, sold, or shared, and the right to opt out of “sale” or “sharing” of personal information. We do not sell personal information as defined under California law.

To exercise any of these rights, email privacy@outpulse.ai. We respond within the timeframes required by applicable law (typically thirty (30) days).

09Cookies & tracking

We use a small number of first-party cookies and comparable technologies:

Essential cookies — required for authentication, session management, and CSRF protection. These cannot be disabled.
Preference cookies — remember your UI preferences (for example light/dark mode).
Analytics cookies — used by PostHog to measure feature usage. Aggregated and anonymised; we do not allow third-party advertising networks on our application.

We do not use advertising cookies or cross-site trackers. Where required by law, we present a cookie banner allowing you to accept or decline non-essential cookies.

10Security

We take the security of personal data seriously and apply administrative, technical, and physical safeguards appropriate to the risk, including:

TLS 1.2+ for all data in transit;
encryption at rest for databases and backups;
role-based access control and multi-factor authentication for employee accounts;
least-privilege sub-processor scopes (for example, read-only Apollo API keys, minimum Gmail scopes);
periodic vulnerability scanning and external penetration testing;
an incident-response process and breach-notification procedures consistent with applicable law.

No system is completely secure. You are responsible for keeping your account credentials safe and using a strong, unique password (or SSO where offered).

11Children’s privacy

The Service is intended for business use and is not directed to children under sixteen (16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12Prospects & recipients of your emails

If you are a prospect whose data has been processed through Outpulse on behalf of one of our customers, that customer — not Outpulse — is the controller of your personal data. We act as their processor. You may exercise your rights by contacting the customer who sent you the email (their identity and contact details appear in the message footer), or by contacting us at privacy@outpulse.ai and we will forward your request to the customer.

13Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least thirty (30) days before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.

14Contact us

If you have questions about this Privacy Policy or our data practices, please contact:

PLATFORM GLOBAL LLC
Silicon Valley Center
2570 N. First Street, 2nd Floor
San Jose, CA 95131, United States
EIN: 38-4027473
Attn: Privacy · privacy@outpulse.ai

For GDPR matters concerning customers or prospects in the EU/EEA, our EU Representative can be appointed on request — contact us at the email above to obtain the current designation.