GDPR & CCPA Compliant

Privacy Policy

This Privacy Policy explains how Emacron AI Technologies (“we”, “us”, “our”) collects, uses, shares, and protects your personal information when you use OutreachAgent at crm.emacronai.com.

Last updated: April 16, 2026 · Effective: April 16, 2026

1. Overview & Scope

Emacron AI Technologies (“we”, “us”, “our”) operates the OutreachAgent platform available at crm.emacronai.com and through our mobile applications (collectively, the “Service”).

This Privacy Policy applies to all users of the Service, including visitors to our marketing website, registered users, and workspace administrators. It describes:

  • What personal data we collect and how
  • How we use your data and the legal basis for processing
  • With whom we share your data
  • How long we retain your data
  • Your rights and how to exercise them
  • How to contact us or our Data Protection Officer

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

2.1 Account & Profile Data

When you register, we collect your name, email address, company name, job title, and password (stored as a salted bcrypt hash). If you sign up via Google or Microsoft OAuth, we receive your profile information from those providers.

2.2 Usage & Activity Data

We log the features you use, pages you visit, actions performed (e.g., campaigns sent, leads imported), timestamps, and interaction patterns to improve the Service and provide analytics to workspace admins.

2.3 CRM & Contact Data

As part of the core Service, you and your team store contact records, conversation histories, emails, notes, and deal information within the platform. This data belongs to your workspace and you are the data controller for it. We process it as your data processor under a Data Processing Agreement (DPA).

2.4 Communications Data

We process emails, WhatsApp messages, and SMS messages routed through the Service solely to deliver our features. Message content is encrypted at rest and in transit.

2.5 Technical & Device Data

We collect IP address, browser type, operating system, device identifiers, referring URLs, session length, and error logs for security, fraud prevention, and debugging purposes.

3. How We Use Your Data

We use your personal data to:

  • Provide the Service: Operate accounts, process outreach campaigns, deliver AI features, and maintain your workspace.
  • Improve & develop: Analyse usage patterns (in aggregate) to improve product quality, add features, and fix bugs.
  • Personalise experience: Tailor AI suggestions, onboarding flows, and in-app recommendations to your role and usage.
  • Security & fraud prevention: Detect suspicious activity, enforce rate limits, authenticate users, and prevent abuse.
  • Communications: Send transactional emails (e.g., password reset, billing), product updates, and — with consent — marketing newsletters.
  • Billing & compliance: Process payments, issue invoices, comply with tax obligations and legal requests.

5. Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following limited circumstances:

  • Infrastructure & Database: Hetzner Online GmbH — VPS cloud servers (Germany, EU) used to host and run the OutreachAgent application and API servers. Supabase, Inc. — PostgreSQL database hosted on AWS (ap-south-1 region). Cloudflare, Inc. — R2 object storage for file and asset uploads. Amazon Web Services (AWS) — Lambda functions used for email validation.
  • AI & Machine Learning: OpenRouter, Inc. — AI model routing service used to generate personalised email drafts and AI-assisted reply suggestions. Message content may be sent to OpenRouter for processing.
  • Lead Discovery: Google LLC — Google Cloud Platform (Places API, Vertex AI Search) used for business lead discovery and enrichment.
  • Authentication: Google LLC — Google OAuth for user sign-in and Gmail email sending. Microsoft Corporation — Microsoft OAuth (Entra ID / Azure AD) for user sign-in and Outlook email sending.
  • Payment Processing: Razorpay Software Pvt Ltd — Payment processing for Indian customers. PayPal, Inc. — Payment processing for international customers.
  • Integration Partners: When you connect third-party integrations (e.g., Meta/Facebook, WhatsApp Business API, Instagram, Yahoo Mail, Zoho Mail), data is shared with those services according to your workspace configuration. You control which integrations are active.
  • Legal & Regulatory Requirements: We may disclose data if required by law, court order, or regulatory authority. We will notify you of such requests where legally permitted.
  • Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity, with appropriate privacy protections in place.

6. Meta Platform Data

Emacron AI Technologies is an authorised Meta Technology Provider. When you connect your Meta (Facebook), Instagram, or WhatsApp Business account to OutreachAgent via Meta Embedded Signup or Facebook Login for Business, we receive and process certain data from Meta platforms. This section describes our practices specific to Meta platform data.

6.1 Data We Receive from Meta

When you authorise the integration, we may receive:

  • Your Facebook/Instagram profile name, email address, and user ID
  • Facebook Page names, IDs, and page access tokens you grant permissions for
  • WhatsApp Business Account ID and phone number ID
  • Messages sent and received through WhatsApp Business API, Facebook Messenger, and Instagram Direct
  • Message metadata (timestamps, delivery/read status)
  • Ad account information for Click-to-WhatsApp (CTWA) ad analytics

6.2 How We Use Meta Data

Meta platform data is used exclusively to:

  • Enable you to send and receive messages through WhatsApp, Messenger, and Instagram within the unified inbox
  • Display conversation histories and contact information within your workspace
  • Provide analytics and reporting on messaging performance
  • Route and assign incoming conversations to your team members
  • Power AI-assisted reply suggestions for your conversations

6.3 Meta Data Restrictions

We comply fully with the Meta Platform Terms, Meta Developer Policies, and all applicable supplemental terms. Specifically:

  • We do not sell, license, or otherwise transfer Meta platform data to any third party, including data brokers, ad networks, or data resellers.
  • We do not use Meta platform data for independent advertising, marketing, or to build or augment user profiles for targeting purposes.
  • We do not use Meta data for surveillance, discrimination, or any purpose that violates Meta policies or applicable law.
  • We do not share Meta platform data with third parties except as necessary to provide the Service to you, and only with sub-processors bound by appropriate data protection agreements.
  • Meta platform data is stored encrypted at rest (AES-256-GCM) and encrypted in transit (TLS 1.3).
  • Access tokens received from Meta are encrypted before storage and are only used to make authorised API calls on your behalf.

6.4 Meta Data Retention & Deletion

Meta platform data is retained only for as long as your integration remains active and your account is open. When you disconnect a Meta integration or delete your account:

  • Access tokens are immediately revoked and deleted from our systems.
  • Message data associated with the Meta channel is deleted within 30 days.
  • Page/account IDs and connection metadata are removed within 30 days.
  • We honour Meta's data deletion callback requests and process them within 48 hours.

You may also request deletion of your Meta platform data at any time by contacting us at [email protected] or by visiting our Data Deletion page.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data: Retained while your account is active. Deleted within 30 days of verified account deletion request.
  • CRM & contact data: Retained for the duration of your subscription. Exported and deleted within 30 days of termination.
  • Usage logs & analytics: Retained for 12 months, then aggregated and anonymised.
  • Billing records: Retained for 7 years to comply with financial regulations.
  • Security logs: Retained for 6 months for fraud and abuse prevention.

8. Security Measures

We implement industry-leading technical and organisational measures to protect your data:

  • AES-256-GCM encryption: All sensitive credentials and tokens encrypted at rest
  • TLS 1.3 in transit: All data encrypted between client and server
  • TOTP 2FA: Two-factor authentication with replay-attack protection
  • Role-based access: Granular permissions: owner, admin, agent, viewer
  • Audit logging: Immutable log of all sensitive actions and data access
  • Rate limiting: Per-IP and per-user rate limits on all endpoints
  • SOC 2 Type II: Annual third-party security audit
  • GDPR DPA: Data Processing Agreements with all sub-processors

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Right to access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
  • Right to restriction (Art. 18): Request we limit how we use your data while a dispute is resolved.
  • Right to portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw at any time.
  • Right to lodge a complaint: File a complaint with your local Data Protection Authority (DPA).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Data Processing Agreement (DPA)

When you use OutreachAgent, you may upload, submit, or process personal data of your contacts, leads, and customers. In this context, you are the Data Controller and Emacron AI Technologies acts as the Data Processor under applicable data protection law (including GDPR Article 28).

Our Data Processing Agreement (DPA) governs how we process personal data on your behalf and includes:

  • The scope, nature, and purpose of data processing
  • Your rights and our obligations as processor, including security measures
  • Sub-processor management and prior notification of changes
  • Data breach notification within 72 hours
  • Data return and deletion upon contract termination
  • EU Standard Contractual Clauses (SCCs) for international transfers
  • Technical and organisational measures (TOM) including encryption, access control, and audit logging

Our DPA is available to all OutreachAgent customers at no additional charge. You can review and download it from our DPA page or request a signed copy by emailing [email protected].

11. Cookies & Tracking

We use cookies and similar technologies to operate and improve the Service:

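| Type       | Purpose                                     | Duration  |
|------------|---------------------------------------------|-----------|
| Essential  | Session authentication (outreach_session)   | Session   |
| Functional | User preferences, UI state (theme, sidebar) | 1 year    |
| Analytics  | Aggregate product usage (no PII)            | 12 months |
| Security   | CSRF tokens, rate limit identifiers         | Session   |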

We do not use cross-site advertising cookies or sell data to ad networks. You can disable non-essential cookies in your browser settings.

12. International Transfers

Our infrastructure is primarily hosted in the EU (Supabase Frankfurt). Where data is transferred to the United States or other countries, we ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs) with all sub-processors
  • EU-US Data Privacy Framework (DPF) where applicable
  • Adequacy decisions recognised by the European Commission

13. Children's Privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will promptly delete it.

14. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

  • Right to know what personal information we collect, use, disclose, and sell
  • Right to delete your personal information
  • Right to opt out of the sale or sharing of your personal information
  • Right to non-discrimination for exercising your privacy rights
  • Right to correct inaccurate personal information
  • Right to limit the use and disclosure of sensitive personal information

We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.

To exercise your CCPA rights, contact us at [email protected] or call us. We will verify your identity and respond within 45 days.

15. Data Deletion

You have the right to request deletion of your personal data at any time. You can do so by:

  • Visiting our Data Deletion page at crm.emacronai.com/data-deletion
  • Emailing your request to [email protected]
  • Using the "Delete Account" option in your account settings

For Meta platform data specifically, we also support Meta's data deletion callback. When Meta sends us a data deletion request for your account, we will:

  • Delete all Meta platform tokens and credentials within 24 hours
  • Delete all Meta-sourced conversation and message data within 30 days
  • Provide a confirmation URL and tracking code for verification

For more details, visit our Data Deletion page.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all account holders
  • Display an in-app banner for 30 days after the change

Continued use of the Service after the effective date constitutes acceptance of the updated policy.

17. Contact & DPO

For privacy-related questions, data subject requests, or to reach our Data Protection Officer:

Privacy Team
Emacron AI Technologies
Fourth Floor, City Vista, Kharadi, Pune 411014, India
[email protected]

Data Protection Officer
For GDPR-specific requests
[email protected]