Your privacy matters. This policy explains what data we collect, how we use it, and how we keep it safe.
1. Introduction
Automated BDR ("we," "us," or "our") is committed to protecting your privacy and the privacy of the prospects you contact through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI BDR sales automation service. We comply with applicable data protection laws including the GDPR, CCPA, and CAN-SPAM Act.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, company name, job title, phone number
- Payment Information: Credit card details processed securely by Stripe — we never store card numbers on our servers
- Campaign Data: Target ICP definitions, email templates, prospect lists, sequence configurations
- Integration Credentials: API keys for Apollo.io, Gmail OAuth tokens, Twilio credentials — all encrypted at rest
- Communications: Support tickets, feedback, and emails you send us
2.2 Information We Collect Automatically
- Usage Data: Pages viewed, features used, actions taken within the platform
- Device Information: IP address, browser type, operating system, screen resolution
- Session Data: Authentication tokens, session duration, login timestamps
- Campaign Metrics: Email open rates, click rates, reply rates, bounce rates
2.3 Information from Third Parties
- Data Providers: Prospect contact information from Apollo.io (name, email, company, title, phone)
- OAuth Providers: Profile information when you sign in with Google (name, email, profile picture)
3. How We Use Your Information
- Provide, operate, and improve the Service
- Process subscriptions and send billing notifications
- Send transactional emails (account verification, password resets, usage alerts)
- Generate AI-personalized outreach content on your behalf
- Enrich prospect data through authorized third-party integrations
- Analyze usage patterns to optimize platform performance
- Detect and prevent fraud, abuse, and security threats
- Respond to support requests and communications
- Comply with legal obligations and enforce our Terms
4. How We Share Your Information
We do NOT sell your personal information. We share data only with:
4.1 Service Providers
- Payment Processing: Stripe (PCI DSS Level 1 compliant)
- Data Enrichment: Apollo.io (prospect research and enrichment)
- Email Delivery: Gmail API (sending emails from your connected account)
- AI Services: Anthropic Claude API (content generation — no prospect data stored by Anthropic)
- SMS Delivery: Twilio (text message sending and delivery status)
- Infrastructure: Railway, Vercel (hosting and deployment)
4.2 Business Transfers
In the event of a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
4.3 Legal Requirements
We may disclose information if required by law, subpoena, court order, or government request, or to protect the rights, safety, or property of Automated BDR, our users, or the public.
5. Data Security
We implement comprehensive security measures to protect your data:
5.1 Encryption
- All data in transit is encrypted via TLS 1.3
- All data at rest is encrypted using AES-256
- API keys and OAuth tokens are encrypted before database storage
- Passwords are hashed using bcrypt with per-user salts
5.2 Access Controls
- JWT-based authentication with short-lived access tokens and refresh token rotation
- Role-based access control (RBAC) for multi-user organizations
- Rate limiting on all API endpoints to prevent abuse
- CORS policies restricting access to authorized origins only
5.3 Infrastructure
- Hosted on Railway with automatic TLS certificates
- PostgreSQL database with automated daily backups
- Security headers (HSTS, CSP, X-Frame-Options) on all responses
- Dependency vulnerability scanning and regular updates
While we implement industry-standard security practices, no system is 100% secure. We encourage you to use strong, unique passwords and enable all available security features.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service:
- Account data: Retained while your account is active
- Campaign data: Retained while your account is active and for 90 days after deletion
- Usage logs: Retained for 12 months for analytics and security
- Billing records: Retained for 7 years as required by tax law
- Support communications: Retained for 3 years
After account deletion, all personal data and campaign data is permanently deleted within 90 days, except where retention is required by law.
7. Your Rights & Choices
7.1 Access & Portability
You can request a copy of all your data in a machine-readable format (JSON or CSV). Contact privacy@automatedbdr.com to make a request.
7.2 Correction
You can update your account information at any time through your dashboard settings.
7.3 Deletion
You can request complete account deletion. We will remove all your personal data and campaign data within 90 days.
7.4 Opt-Out of Marketing
You can unsubscribe from marketing emails by clicking the "unsubscribe" link in any email. You cannot opt out of transactional emails related to your account.
7.5 Object to Processing
You can object to certain processing activities. Contact us to discuss your specific concerns.
8. International Data Transfers
Your data is primarily processed in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We ensure appropriate safeguards (including Standard Contractual Clauses where required) are in place for international transfers in compliance with GDPR and other applicable regulations.
9. Children's Privacy
The Service is a B2B platform intended for use by business professionals. We do not knowingly collect information from individuals under 18 years of age. If we learn we have collected data from a minor, we will promptly delete it. Contact us at privacy@automatedbdr.com if you believe a minor has provided us with personal information.
10. Cookies & Tracking
- Essential Cookies: Required for authentication, session management, and core platform functionality. Cannot be disabled.
- Analytics Cookies: Help us understand how you use the Service to improve the user experience.
- Preference Cookies: Remember your settings like dark mode and language preferences.
You can control non-essential cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
11. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request what personal information we collect and how it is used
- Right to Delete: Request deletion of your personal information
- Right to Opt Out of Sale: We do NOT sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Information: Request limits on use of sensitive personal information
To exercise these rights, email privacy@automatedbdr.com. We will respond within 45 days.
12. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA) or UK, you have rights under the General Data Protection Regulation:
- Right of Access: Obtain a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion ("right to be forgotten")
- Right to Restrict Processing: Limit how we process your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
Our lawful basis for processing is typically legitimate interest (for B2B outreach tools) or contract performance (for providing the Service). You may also lodge a complaint with your local data protection authority.
13. AI & Automated Processing
Our Service uses artificial intelligence (Anthropic Claude API) to:
- Research prospects and synthesize public information about them
- Generate personalized email and SMS content
- Analyze campaign performance patterns
AI processing is performed on your behalf and under your control. We do not use AI to make automated decisions that significantly affect individuals without human oversight. Prospect data sent to AI providers is processed according to their data processing agreements and is not used to train their models.
14. Google API Services & Gmail Integration
Automated BDR integrates with Google APIs to allow you to send emails from your connected Gmail or Google Workspace account. Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
14.1 Gmail Scopes We Request
When you connect your Gmail account, we request the following OAuth scopes:
- gmail.send — Send emails on your behalf through your connected Gmail account as part of your configured outreach campaigns. Emails are only sent when you create and activate a campaign.
- gmail.readonly — Read incoming emails to detect replies from prospects you have contacted. This allows us to automatically mark leads as "replied" and pause further outreach to them, preventing duplicate follow-ups.
- gmail.modify — Modify email metadata (labels and read status) to organize campaign-related emails in your inbox. This is used to label outreach replies and mark detected replies as read when processed.
14.2 How We Use Gmail Data
- We only access your Gmail data to send outreach emails you have configured and to detect replies from contacted prospects
- We do not read, scan, index, or store the content of your personal emails unrelated to campaigns
- Reply detection only checks emails from addresses that match leads in your active campaigns
- We do not use Gmail data for advertising, market research, or any purpose unrelated to providing the Service
- We do not share Gmail data with third parties except as necessary to provide the Service (e.g., our infrastructure provider for hosting)
14.3 Token Storage & Security
- Your Gmail OAuth tokens (access token and refresh token) are encrypted using AES-256 before storage in our database
- We never store your Google password — authentication is handled entirely through Google's OAuth 2.0 flow
- You can revoke access at any time by disconnecting your Gmail account in the Integrations page, or by revoking access in your Google Account permissions
14.4 Limited Use Disclosure
Automated BDR's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we limit our use of Google user data to providing and improving the email sending and reply detection features of the Service. We do not use Google user data for serving advertisements or for any purpose not explicitly disclosed in this policy.
15. Microsoft Outlook Integration
Automated BDR integrates with Microsoft Graph APIs to allow you to send emails from your connected Outlook or Microsoft 365 account.
15.1 Microsoft Scopes We Request
- Mail.Send — Send emails on your behalf through your connected Outlook account as part of your configured outreach campaigns.
- Mail.Read — Read incoming emails to detect replies from prospects you have contacted, enabling automatic lead status updates and follow-up pausing.
- User.Read — Read your basic profile information (name and email address) to identify your connected account in the dashboard.
- offline_access — Maintain your connection without requiring you to re-authenticate frequently. This allows background email sending and reply detection to continue while you are not actively using the platform.
15.2 How We Use Outlook Data
- The data use policies described in Section 14.2 for Gmail apply identically to Outlook data
- We only access your Outlook mailbox to send campaign emails and detect prospect replies
- You can revoke access at any time by disconnecting your Outlook account in the Integrations page, or by revoking access in your Microsoft Account app permissions
16. Chrome Extension
The Automated BDR LinkedIn Connector Chrome Extension reads your LinkedIn session cookies (li_at and JSESSIONID) from your browser and transmits them to your configured Automated BDR server instance to perform LinkedIn outreach actions on your behalf.
16.1 Data Collected by the Extension
- LinkedIn session cookies (li_at and JSESSIONID) — read from your browser only when you click "Connect" or "Refresh Cookies"
- Server URL and access token — stored locally in your browser using Chrome's storage API to connect to your Automated BDR instance
16.2 How Extension Data Is Used
- Cookies are sent only to the server URL that you configure in the extension settings
- Cookies are used solely to authenticate LinkedIn API requests for outreach you have configured
- No data is sent to any analytics, advertising, or third-party services
- No browsing history, personal information, or data from other websites is collected
- You can disconnect and clear all local data at any time
16.3 Extension Permissions
- cookies: Required to read LinkedIn session cookies from your browser
- storage: Required to save your server configuration locally
- host_permissions (linkedin.com): Required to access cookies from the LinkedIn domain
17. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice within the Service at least 30 days before taking effect. The "Last updated" date at the top indicates the most recent revision. We encourage you to review this policy periodically.
18. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices: