Skip to content

Privacy Policy

Last updated: March 14, 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). We never store plaintext passwords.

Payment Information

Payments are processed by Stripe. We do not store credit card numbers or payment details on our servers. We receive a transaction record from Stripe including the amount and credit pack purchased.

Workflow and Lead Data

When you run workflows, we store: search queries, lead business names, websites, contact emails, phone numbers, AI-generated quality scores, outreach drafts, and close value estimates. In continuous agent mode, we also store agent memory data including learned quality patterns, search variation history, and your approval/rejection patterns.

SMTP Credentials

If you connect an email account for outreach, we store your SMTP host, port, username, password, and from name. Your SMTP password is encrypted at rest. These credentials are used solely to send emails on your behalf and are never shared with third parties.

Workflow Snapshots

Full workflow state is captured and stored as snapshots for service improvement and debugging. Snapshots include leads, AI-generated content, quality scores, review decisions, and agent memory patterns. Snapshots also record which leads were human-reviewed versus auto-reviewed.

Review Decision Tracking

Each lead tracks review metadata including reviewed_by (human or auto), reviewed_at timestamp, and review_notes. This data is used to improve AI quality scoring and maintain an audit trail of lead approval and rejection decisions.

Agent Thinking Data

Before taking actions, the AI agent performs reasoning steps. We store these "agent thoughts" including the question asked, the AI response, the decision made (follow, deviate, or observe), and the reasoning. This data is used for transparency (visible in activity feeds), quality improvement (e.g., regenerating low-quality emails), and fine-tuning AI models. Agent thinking data is scoped to your account and included in workflow snapshots.

Chat Data

When you use the AI Chat Assistant, your chat messages and conversation history are sent to our AI provider (Anthropic) for processing. Chat conversations are not persistently stored on our servers — message history exists only in your browser session and is cleared when you navigate away. Your account data (leads, workflows, credits) is retrieved in real time to provide context for chat responses but is not stored separately for chat purposes.

Usage Data

We log workflow activity including stages executed, credits consumed, errors encountered, agent thinking events, chat message counts, and agent cycle counts for operational monitoring and debugging.

2. How We Use Your Information

  • To operate the Service and process your workflow requests.
  • To maintain credit balances and transaction history.
  • To train your personal agent memory (quality patterns, preferences) — this data is scoped to your account and not shared.
  • To send transactional emails (account verification, purchase receipts, workflow status notifications such as completed, paused, or error alerts).
  • To analyze workflow snapshots, agent thinking records, and user feedback (thumbs up/down) to improve AI agent performance.
  • To use review decision data to refine AI lead qualification accuracy.
  • To send outreach emails on your behalf through your connected SMTP provider.
  • To process AI Chat Assistant queries by retrieving your account data and sending it to our AI provider for response generation.
  • To improve the Service and fix bugs.

3. AI Processing

AutoReach uses third-party AI models (Anthropic Claude) to generate lead qualifications, outreach content, and search query variations. Lead data is sent to these AI providers for processing. We do not use your data to train third-party AI models. Our AI providers process data under their respective data processing agreements.

4. Data Sharing

We do not sell your personal data. We share data only with:

  • Stripe — for payment processing.
  • Anthropic — for AI-powered lead qualification, outreach generation, and agent decisions.
  • Google Places API — business search queries (no personal data is sent).
  • Your Email Provider — when you connect SMTP (e.g., Gmail, Outlook), outreach emails are sent through your email provider using your credentials. AutoReach does not store sent email content.
  • Law enforcement — only when required by law or valid legal process.

5. Data Storage and Security

  • Data is stored in PostgreSQL hosted on Supabase (AWS us-west-2).
  • API keys and SMTP passwords are encrypted at rest using AES-256-GCM.
  • All connections use TLS encryption in transit.
  • Passwords are hashed with bcrypt (12 rounds).
  • JWT tokens expire after 7 days.

6. Data Retention

Account data, workflow history, workflow snapshots, agent thinking records, and SMTP credentials are retained for as long as your account is active. When you delete your account, all personal data, workflows, leads, snapshots, agent thoughts, SMTP credentials, review decisions, and agent memory are permanently deleted within 30 days. Credit transaction records may be retained for accounting purposes as required by law.

7. Your Rights

  • Access your personal data via the dashboard or API.
  • Export your lead data (including quality scores) as CSV at any time.
  • Delete your account and all associated data.
  • Opt out of non-essential communications.

8. Cookies

We use a JWT token stored in localStorage for authentication. We do not use tracking cookies or third-party analytics trackers.

9. Children

The Service is not intended for use by anyone under 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this policy at any time. We will notify you of material changes via email. Continued use after changes constitutes acceptance.

11. Contact

Privacy questions? Contact us at privacy@autoreach.work.