Privacy Policy

Last updated: March 12, 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). We never store plaintext passwords.

Payment Information

Payments are processed by Stripe. We do not store credit card numbers or payment details on our servers. We receive a transaction record from Stripe including the amount and credit pack purchased.

Workflow and Lead Data

When you run workflows, we store: search queries, lead business names, websites, contact emails, phone numbers, AI-generated quality scores, outreach drafts, and close value estimates. In continuous agent mode, we also store agent memory data including learned quality patterns, search variation history, and your approval/rejection patterns.

Usage Data

We log workflow activity including stages executed, credits consumed, errors encountered, and agent cycle counts for operational monitoring and debugging.

2. How We Use Your Information

  • To operate the Service and process your workflow requests.
  • To maintain credit balances and transaction history.
  • To train your personal agent memory (quality patterns, preferences) — this data is scoped to your account and not shared.
  • To send transactional emails (account verification, purchase receipts).
  • To improve the Service and fix bugs.

3. AI Processing

AutoReach uses third-party AI models (Anthropic Claude) to generate lead qualifications, outreach content, and search query variations. Lead data is sent to these AI providers for processing. We do not use your data to train third-party AI models. Our AI providers process data under their respective data processing agreements.

4. Data Sharing

We do not sell your personal data. We share data only with:

  • Stripe — for payment processing.
  • Anthropic — for AI-powered lead qualification, outreach generation, and agent decisions.
  • Google Places API — business search queries (no personal data is sent).
  • Law enforcement — only when required by law or valid legal process.

5. Data Storage and Security

  • Data is stored in PostgreSQL hosted on Supabase (AWS us-west-2).
  • API keys are encrypted at rest using AES-256-GCM.
  • All connections use TLS encryption in transit.
  • Passwords are hashed with bcrypt (12 rounds).
  • JWT tokens expire after 7 days.

6. Data Retention

Account data and workflow history are retained for as long as your account is active. When you delete your account, all personal data, workflows, leads, and agent memory are permanently deleted within 30 days. Credit transaction records may be retained for accounting purposes as required by law.

7. Your Rights

  • Access your personal data via the dashboard or API.
  • Export your lead data (including quality scores) as CSV at any time.
  • Delete your account and all associated data.
  • Opt out of non-essential communications.

8. Cookies

We use a JWT token stored in localStorage for authentication. We do not use tracking cookies or third-party analytics trackers.

9. Children

The Service is not intended for use by anyone under 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this policy at any time. We will notify you of material changes via email. Continued use after changes constitutes acceptance.

11. Contact

Privacy questions? Contact us at privacy@autoreach.io.