Privacy Policy
Effective 2026-04-01
1. Introduction
ColdMarketer.io ("ColdMarketer", "we", "us") provides an autonomous cold-email outreach platform. This policy explains what personal data we collect, why, and how we handle it. It applies to our website, web application, and APIs.
2. Data we collect
- Account data: name, email, company name, password hash, billing details, time zone.
- Campaign data: campaign settings, ICP filters, sender names, copy you write or generate.
- Lead data: contact records you upload, import, or that our scouts discover from public sources (name, work email, job title, employer, public profiles).
- Outreach data: emails sent, replies received, deliverability metadata (open and bounce events from Resend or Gmail).
- Connected-inbox data: if you connect a Gmail account, we store an OAuth refresh token to send on your behalf. We never read your inbox.
- Usage telemetry: page views, agent run logs, API timings, error traces, IP and user-agent for security.
3. How we use your data
- Operate the product: run agents, send emails, attribute replies, surface analytics.
- Bill correctly: track plan usage and process payments via Stripe.
- Improve quality: aggregate, anonymized signals to refine deliverability gates and lead scoring.
- Communicate: account, security, billing, and rare product announcements.
- Protect the platform: detect abuse, enforce CAN-SPAM and GDPR, prevent spam and credential stuffing.
We never sell your data and we do not show third-party advertising.
4. Third-party processors
We rely on a small set of vetted vendors. Each receives only the data needed to do its job:
- Supabase (database, auth) - stores account, campaign, lead, and audit data.
- Resend (email delivery) - sends managed-mode outbound and receives bounce / inbound webhooks.
- Anthropic (LLM) - generates personalized email copy and runs deliverability scoring agents. Your prospect data and email bodies pass through Anthropic for these calls and are not retained for training.
- Google (OAuth + Gmail API) - if you connect Gmail, Google handles the OAuth flow and we use the Gmail API to send on your behalf.
- Stripe (billing) - processes subscription payments. Stripe stores card details; we do not.
- Vercel (hosting) - serves the application.
5. Data location and retention
Account, campaign, and lead data are stored in the United States on Supabase infrastructure. We retain account data for as long as your account is active. After account closure, we retain a minimal audit log for up to 90 days for compliance and dispute resolution, then delete or anonymize it.
6. Your rights
- Access and export: download your campaign and lead data on request.
- Correction: update profile and campaign data in Settings or by emailing us.
- Deletion: request account deletion at any time. We will confirm and complete within 30 days.
- Opt out: any prospect can reply "unsubscribe" or use the unsubscribe link; we honor those globally across all clients.
- GDPR / CCPA: EU and California residents have the rights described in the relevant statutes; contact us to exercise them.
7. Security
All traffic is encrypted in transit (TLS 1.2+). Passwords are hashed by Supabase Auth. OAuth tokens are stored encrypted at rest. We use Row Level Security policies so one client's data is never returned to another. We log every administrative access.
8. Children
The product is for business use. We do not knowingly collect personal data from anyone under 16.
9. Updates to this policy
We will update this policy when our practices materially change. We will email you at the address on your account at least 14 days before any change that reduces your rights.
10. Contact us
Questions, deletion requests, or compliance inquiries: arham@coldmarketer.io. We respond within 5 business days.