Privacy Policy

Last updated: May 27, 2026

OutReach (“we”, “our”, or “us”) operates the OutReach platform, an AI-powered outbound email service. This Privacy Policy explains what information we collect, how we use it, and what rights you have over your data.

By using OutReach you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

Account information

When you sign in via Google OAuth or Microsoft OAuth, we receive your name, email address, and profile picture from the OAuth provider. We do not collect or store passwords.

Google user data

When you connect a Gmail mailbox, OutReach requests the following Google API scopes:

  • https://www.googleapis.com/auth/gmail.send — to send emails on your behalf
  • https://www.googleapis.com/auth/gmail.readonly — to read replies sent to your mailbox
  • https://www.googleapis.com/auth/gmail.modify — to mark threads as read

We use this access solely to operate the OutReach service: sending campaign emails you authorize, reading replies to classify them, and syncing thread state. We do not use Google user data for advertising, profiling, or any purpose unrelated to the service you requested.

Google OAuth tokens are encrypted at rest using AES-256-GCM and stored in our database. We do not sell, rent, or share your Google user data with third parties, except as required to operate the service (e.g., our AI provider processes email body text to generate classifications and suggestions).

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Microsoft user data

When you connect a Microsoft Outlook or Microsoft 365 mailbox, OutReach requests the following Microsoft Graph scopes: Mail.Send, Mail.Read, Mail.ReadWrite, and offline_access. These are used exclusively for the same purposes as Gmail scopes above. Microsoft OAuth tokens are encrypted at rest using the same AES-256-GCM standard.

Campaign and prospect data

Prospect lists (names, email addresses, company, title, and any custom fields) that you upload are stored in our database and used solely to power your campaigns. We do not use prospect data for our own marketing or analytics.

Usage data

We collect standard server logs (IP addresses, request paths, timestamps) for security monitoring and debugging. We may collect aggregated, anonymized product analytics (feature usage counts, error rates) to improve the product. This data is not linked to individual users.

2. How We Use Your Information

  • Providing, operating, and improving the OutReach platform
  • Sending campaign emails on your behalf through your connected mailbox
  • Syncing and classifying replies from your mailbox
  • Generating AI-powered email sequences and optimization suggestions
  • Detecting and preventing fraud, abuse, and security incidents
  • Responding to support requests
  • Billing and subscription management

We do not use your data to train AI models beyond the session in which the data is processed. We do not serve advertisements.

3. Data Sharing

We share your data only in the following limited circumstances:

  • AI provider: Email body text may be sent to our AI provider (currently InferexAI) to generate classifications, sequences, and suggestions. This data is processed under a data processing agreement and is not used to train their models on your data.
  • Infrastructure providers: We use cloud infrastructure providers (database, Redis, object storage) who process data on our behalf under data processing agreements.
  • Legal requirements: We may disclose your information if required by law, court order, or to protect the rights and safety of OutReach and its users.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is subject to a different privacy policy.

We do not sell your personal data to third parties.

4. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records for 7 years in some jurisdictions).

Campaign analytics data (aggregate open/click/reply counts) may be retained in anonymized form after account deletion.

5. Data Security

We implement industry-standard security measures including:

  • AES-256-GCM encryption for OAuth tokens at rest
  • TLS 1.2+ for all data in transit
  • OAuth-only authentication — no passwords stored
  • Role-based access control for multi-tenant data isolation
  • Regular security reviews

No system is completely secure. If you discover a security vulnerability, please report it to security@outreach.io before disclosing publicly.

6. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your personal data.
  • Portability: Request your data in a machine-readable format.
  • Revoke OAuth: You can revoke OutReach's access to your Google or Microsoft account at any time through your Google Account or Microsoft Account security settings. Revoking access will disable connected mailboxes.

To exercise any of these rights, email us at privacy@outreach.io.

7. Cookies

OutReach uses session cookies necessary for authentication. We do not use third-party tracking cookies or advertising cookies. You can disable cookies in your browser settings, but this will prevent you from signing in.

8. Children's Privacy

OutReach is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@outreach.io and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the app at least 14 days before the changes take effect. Continued use of OutReach after changes take effect constitutes acceptance.

10. Contact

For privacy questions or data requests, contact us at: privacy@outreach.io