outreach

Privacy Policy

Last updated: May 2026

1. What Data We Collect

We collect the following categories of data when you use Outreach:

  • Account data: name, email address, password (stored as a bcrypt hash), workspace name, and role.
  • Lead data: contact information you upload, including names, email addresses, company, phone numbers, and notes.
  • Email activity: sent emails, open events, click events, reply events, and bounce notifications received from your email provider.
  • SMTP credentials: sender account credentials you provide, stored encrypted using AES-256-GCM.
  • Usage data: activity logs, session tokens, and IP addresses for security and rate-limiting purposes.

2. How We Use It

We use the data we collect to:

  • Provide and operate the Service, including sending emails on your behalf.
  • Authenticate your identity and maintain your session.
  • Display analytics and metrics about your outreach campaigns.
  • Detect and prevent abuse, fraud, and unauthorized access.
  • Improve and develop new features of the Service.
  • Comply with legal obligations.

We do not sell your data or your leads' data to third parties.

3. Email Sending and Unsubscribe Rights

You are responsible for ensuring that you have the legal right to contact everyone in your lead lists. Outreach provides built-in unsubscribe handling:

  • Any lead who unsubscribes is immediately blocked from receiving future emails through Outreach.
  • Unsubscribe status is permanent and workspace-scoped.
  • You must honour unsubscribe requests from your recipients in compliance with CAN-SPAM and GDPR.

4. Data Retention

We retain your data for as long as your account is active. Upon account deletion, we will delete your personal data, workspace data, and lead data within 30 days, except where retention is required by law. Email activity logs may be retained in anonymized form for security and fraud prevention purposes.

5. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under GDPR:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Ask us to limit how we process your data.
  • Objection: Object to processing of your data for certain purposes.

To exercise any of these rights, contact us at the address below.

6. Security

We take reasonable technical and organizational measures to protect your data, including TLS encryption in transit, AES-256-GCM encryption for sensitive credentials at rest, bcrypt password hashing, and httpOnly cookie-based session management. No system is perfectly secure; we will notify you of any breach that affects your data as required by applicable law.

7. Cookies

We use essential cookies only: an httpOnly access token cookie (15-minute expiry) and a refresh token cookie (7-day expiry) to maintain your session. We do not use tracking or advertising cookies.

8. Contact Information

For privacy-related enquiries, data access requests, or to report a concern, please contact us at: privacy@outreach.app. We aim to respond within 30 days.

Terms of ServiceSign In