Privacy Policy
Last updated: April 29, 2026
1. Roles
For account-related data (your name, email, billing details, account activity), we are the controller.
For Customer Data that you upload into the Service (your contacts, journalist lists, pitches, contracts, files, client portal users), you are the controller and we are the processor acting on your documented instructions under our Data Processing Addendum.
2. Information we collect
- Account data: name, email, password hash, role, firm name, phone (optional), profile photo (optional).
- Billing data: processed by our payment processor (Paddle Merchant of Record). We receive the last 4 digits of the card, card brand, billing country, and transaction metadata — not full card numbers.
- Customer Data: data you upload, including contacts, journalists, campaigns, pitches, contracts, invoices, files, and messages.
- Usage data: log data, IP address, device and browser type, pages viewed, timestamps, feature interactions, and error reports.
- Cookies & similar: see our Cookie Notice.
- Integrations you authorize: e.g., Gmail OAuth tokens to send and track outbound mail. Scopes are limited to the features you enable.
- Communications: emails or messages you send to our support team.
3. How we use information
- To provide, secure, maintain, and improve the Service.
- To process payments and prevent fraud.
- To send transactional emails (account, billing, security, invitations, digests). You can opt out of non-essential emails.
- To respond to support requests.
- To detect and prevent abuse, spam, or security incidents and to enforce our Terms.
- To comply with legal obligations (tax, accounting, lawful requests).
- With your consent (where required), to send product updates or marketing.
4. Lawful bases (GDPR / UK GDPR)
- Contract — to deliver the Service you purchased.
- Legitimate interests — to secure the Service, prevent fraud, improve features, and conduct ordinary business operations, balanced against your rights.
- Legal obligation — tax, accounting, regulatory.
- Consent — for non-essential cookies and marketing emails. You may withdraw consent at any time.
5. Sharing & sub-processors
We do not sell personal data and do not "share" personal data for cross-context behavioral advertising as defined by the CCPA/CPRA. We disclose data to vetted service providers acting on our behalf:
- Hosting & database: Supabase / AWS (US, EU regions).
- Edge & CDN: Cloudflare (global).
- Email delivery: Resend / Postmark (US, EU).
- Payments: Paddle.com Market Limited (UK, Merchant of Record).
- AI providers: Google (Gemini), OpenAI — for AI-assisted features only when you invoke them. AI providers do not train on your data.
- Analytics & error monitoring: first-party logs only.
A current list of sub-processors is available on request. We may also disclose data to comply with law, lawful requests, or to protect rights, safety, or property.
6. International transfers
We are based in the United States. Personal data may be transferred to and processed in the U.S. and other countries that may not provide the same level of protection as your home country. Where required, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging). Where you act as controller for your end users' data, our DPA incorporates the SCCs.
7. Retention
We retain account data for the life of your account plus 30 days (export window) and then delete or anonymize, except where a longer period is required by law (typically up to 7 years for tax and accounting records) or needed to resolve disputes. Customer Data retention is governed by your account configuration and the DPA.
8. Security
We implement reasonable technical and organizational measures including TLS 1.2+ in transit, encryption at rest, role-based access control, row-level security in our database, audit logs, principle of least privilege, secret management, and incident response procedures. No system is perfectly secure; we cannot guarantee absolute security.
9. Your rights
Depending on where you live, you may have rights to: access, rectify, delete, restrict, or object to processing of your personal data; data portability; withdraw consent; and lodge a complaint with a supervisory authority. California residents have additional CCPA/CPRA rights including the right to know, delete, correct, and to limit use of sensitive personal information. We do not discriminate against you for exercising these rights.
To exercise rights, contact your account administrator (for Customer Data) or contact us through the in-app support channel (for account data). We will respond within applicable legal timeframes (typically 30 days under GDPR, 45 days under CCPA).
10. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Automated decisions
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.
12. Changes to this Policy
We will post any updates here and, for material changes, notify you by email or in-app at least 14 days before they take effect.
13. Contact
GCPR Communications LLC, a New Jersey limited liability company. Contact our privacy team via the in-app support channel. EU/UK representatives can be designated on request from qualifying customers under Art. 27 GDPR / UK GDPR.
© 2026 GCPR Communications LLC. All rights reserved.
