Legal
Privacy Policy
Effective date: May 9, 2026
This Privacy Policy explains how Outreach Monkey Inc. (“Outreach Monkey,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information in connection with our websites, applications, APIs, and related services (collectively, the “Service”). It applies to visitors to our marketing site, registered users, and individuals whose information is processed through the Service. Capitalized terms not defined here have the meanings given in our Terms of Service.
1. Scope and Roles
This Privacy Policy describes our practices in two capacities:
- As a controller, with respect to information we collect about visitors, prospective customers, customers, and Authorized Users when they interact with our marketing site, sales and support channels, and the Service itself.
- As a processor (or “service provider” under U.S. state laws), with respect to personal information that our customers submit to or generate within the Service about their own contacts, prospects, and recipients (“Customer Personal Data”). For Customer Personal Data, our customer is the controller and is responsible for the lawful basis for processing, providing notice to data subjects, and responding to their rights requests, except as we agree in a data processing agreement.
2. Who We Are
Outreach Monkey Inc. is a corporation incorporated under the laws of Canada and is the data controller for personal information processed in our capacity as a controller. You can reach our privacy team at privacy@outreachmonkey.com.
3. Information We Collect
3.1 Information You Provide
- Account information. Name, email, password, company name, role, time zone, and account preferences.
- Billing information. Billing name, address, and tax ID. Payment card details are collected directly by Stripe; we receive only limited tokens and metadata such as the last four digits of the card and its brand.
- Customer Personal Data. Information you upload, import, or generate within the Service, including prospect contact details (name, email, role, company, social handles, public URLs), message content, templates, notes, attachments, and campaign data.
- Connected mailbox data. If you connect a mailbox (for example, via SMTP, Google Workspace, or Microsoft 365), we access and process the messages, headers, threads, and metadata necessary to send, receive, and track your outreach.
- Communications. Information you share when you contact support, request a demo, respond to surveys, or engage with us on social media.
3.2 Information Collected Automatically
- Device and log data. IP address, device identifiers, browser type and version, operating system, language, referrer URL, pages visited, session duration, and timestamps.
- Usage data. Actions taken in the Service, feature usage, performance metrics, and error events captured via Sentry.
- Cookies and similar technologies. See the Cookies section below.
3.3 Information from Third Parties
- Identity providers. If you sign in with a third party (such as Google), we receive identifiers and basic profile information you authorize the provider to share.
- Enrichment and public sources. The Service may retrieve publicly available information about prospects you research (such as content on public websites, AI search results, or social profiles). You are responsible for ensuring your use of this information complies with applicable law and the source’s terms.
- Partners and integrations. If you connect a third-party service (such as a CRM, email provider, or analytics tool), we receive data necessary to provide that integration.
4. How We Use Information
We use personal information to:
- provide, maintain, secure, and improve the Service;
- create and manage Accounts, authenticate users, and process transactions;
- deliver outreach messages, manage replies, and surface analytics about campaign performance;
- power AI Features, including drafting, summarizing, classifying, enriching, and analyzing content;
- provide customer support and respond to inquiries and feedback;
- send transactional and account-related communications, including security alerts, billing notices, and product updates;
- send marketing communications about features, content, and offers, where permitted by law and subject to your right to opt out;
- monitor, detect, prevent, and respond to fraud, abuse, security, and legal risks;
- conduct research, generate de-identified analytics, and improve our models, infrastructure, and Service;
- comply with legal obligations and enforce our agreements.
5. AI Processing
AI Features in the Service rely on our own systems and on third-party AI providers, which currently include OpenAI, Anthropic, Google (Gemini), Perplexity, and xAI (Grok). When you use AI Features, the relevant inputs and Customer Data are transmitted to one or more of these providers for processing under their data-handling commitments, which generally prohibit using your inputs and outputs to train general-purpose models. We may select, route, or fall back between providers based on availability, cost, latency, or feature support.
We do not sell personal information to AI providers. We do not permit third-party AI providers to use Customer Personal Data to train their general-purpose models, and we will not use Customer Personal Data to train our own models without appropriate notice or consent. Some models retain limited input/output data for abuse-prevention or trust and safety purposes; those retention periods are described in each provider’s documentation.
6. Legal Bases for Processing (EEA, UK, Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and UK GDPR:
- Contract. To provide the Service to you and our customers, manage Accounts, and process payments.
- Legitimate interests. To secure and improve the Service, prevent fraud, conduct analytics, and engage in business-to-business marketing, balanced against your rights.
- Consent. Where required by law, including for certain cookies and direct marketing communications. You may withdraw consent at any time.
- Legal obligation. To comply with applicable laws and respond to lawful requests.
7. How We Share Information
7.1 Service Providers and Subprocessors
We share personal information with vendors who help us operate the Service. These subprocessors are bound by contractual obligations to protect the data and use it only for the purposes we direct. Our current subprocessors include:
| Vendor | Purpose | Primary Region |
|---|---|---|
| Stripe, Inc. | Payment processing and billing | United States |
| Vercel Inc. | Application hosting, edge delivery, and logging | United States / Global |
| Amazon Web Services, Inc. (Amazon SES) | Transactional and outreach email delivery | United States / Global |
| PostHog, Inc. | Product analytics, session replay, and feature flags | United States |
| Google LLC (Google Analytics) | Website and marketing analytics | United States / Global |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing | United States |
| OpenAI, L.L.C. | Generative AI features (drafting, summarization, classification) | United States |
| Anthropic, PBC | Generative AI features (drafting, summarization, reasoning) | United States |
| Google LLC (Gemini API) | Generative AI features | United States / Global |
| Perplexity AI, Inc. | AI-powered search and research features | United States |
| X.AI Corp. (Grok) | Generative AI features | United States |
We may update this list as our Service evolves. If you would like to receive advance notice of changes to our subprocessor list, contact privacy@outreachmonkey.com.
7.2 Legal and Safety Disclosures
We may disclose information when we believe in good faith that disclosure is necessary to: comply with applicable law, regulation, legal process, or governmental request; enforce our agreements; investigate and prevent fraud or abuse; or protect the rights, property, or safety of Outreach Monkey, our users, or others.
7.3 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will notify you and, where required, provide choices about your information.
7.4 With Your Direction or Consent
We share information with third parties when you instruct us to do so, for example by enabling an integration, generating a public artifact, or sending an outreach message.
We do not sell personal information for monetary consideration. Some analytics and advertising activities may be considered a “sale” or “sharing” under certain U.S. state privacy laws; see the U.S. State Rights section for opt-out details.
8. International Data Transfers
We are headquartered in Canada and use service providers located in the United States and other countries. When personal information is transferred outside your jurisdiction, we rely on appropriate transfer mechanisms, which may include the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, the Canadian framework under PIPEDA, and other lawful safeguards. Contact us to obtain a copy of the safeguards we use.
9. Data Retention
We retain personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, enforce our agreements, and operate our business. Retention periods vary depending on the type of data and the context, including:
- Account data: for the life of your Account and a reasonable period after closure (typically 30 to 180 days) for recovery, audit, and tax purposes.
- Customer Personal Data: as instructed by the relevant customer, generally for the duration of the customer’s Subscription and a short window thereafter for export and deletion.
- Billing records: for the period required by tax and accounting laws (typically up to seven years).
- Logs and security events: typically 30 to 365 days, depending on the system.
- Backups: rolled off according to our backup schedule, which is typically up to 90 days.
10. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS) and at rest, access controls, least-privilege principles, audit logging, secure software development practices, and vendor risk reviews. No method of electronic transmission or storage is completely secure, however, and we cannot guarantee absolute security.
If you become aware of a security issue, please contact us at privacy@outreachmonkey.com.
11. Your Rights and Choices
11.1 EEA, UK, and Switzerland
Subject to certain conditions and exceptions, you have the right to:
- access the personal information we hold about you;
- request correction of inaccurate or incomplete information;
- request erasure (the “right to be forgotten”);
- restrict or object to certain processing;
- request data portability;
- withdraw consent at any time where processing is based on consent;
- lodge a complaint with your local supervisory authority. We encourage you to contact us first so we can try to resolve your concern.
11.2 United States State Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, or another U.S. state with a comprehensive privacy law, you may have the right to:
- know or access the categories and specific pieces of personal information we collect, use, disclose, and (where applicable) sell or share;
- request correction of inaccurate personal information;
- request deletion of personal information;
- opt out of the sale or sharing of personal information and the processing of personal information for targeted advertising;
- limit the use and disclosure of sensitive personal information;
- appeal a decision we make about your request, where applicable;
- be free from unlawful discrimination for exercising your rights.
We honor opt-out preference signals, including Global Privacy Control (GPC), to the extent required by applicable law. To exercise your rights, contact us at privacy@outreachmonkey.com. We will verify your request, typically by asking you to authenticate via the email associated with your Account. You may use an authorized agent to submit a request, subject to our verification of the agent’s authority.
11.3 Canada (PIPEDA and Provincial Laws)
If you are in Canada, you may request access to and correction of your personal information, withdraw consent (subject to legal or contractual restrictions), and lodge a complaint with the Office of the Privacy Commissioner of Canada or your provincial regulator. We respond to access and correction requests within statutory timelines.
11.4 Customer Personal Data Requests
If your request concerns Customer Personal Data (for example, you received outreach generated by one of our customers), we generally forward the request to the relevant customer, who is the controller and best positioned to act on the request.
12. Marketing Choices
You can opt out of marketing emails by clicking the unsubscribe link in our messages or by contacting us. We will continue to send transactional and service-related communications.
13. Children
The Service is not directed at children, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without appropriate consent, we will delete it.
14. Cookies and Similar Technologies
We and our service providers use cookies, pixels, local storage, and similar technologies (collectively, “Cookies”) to operate and analyze the Service. We use the following categories:
- Strictly necessary. Required to provide the Service, authenticate users, and protect security. These cannot be turned off.
- Functional. Remember preferences such as language and time zone.
- Analytics. Help us understand how visitors and users interact with our website and Service. Providers include PostHog and Google Analytics.
- Marketing. If enabled, used to measure marketing campaigns and serve relevant advertising.
You can control Cookies through your browser settings, our cookie preference center (where available), and platform-specific opt-outs (such as the Google Analytics opt-out browser add-on). Blocking some Cookies may affect the functionality of the Service.
We honor the Global Privacy Control (GPC) browser signal where required by applicable law. The Service does not currently respond to Do Not Track (DNT) signals because no consistent industry standard exists.
15. Automated Decision-Making
We do not use personal information to make decisions producing legal or similarly significant effects without human involvement.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes to our practices or for legal, operational, or regulatory reasons. When we make material changes, we will provide notice as required by applicable law, for example by updating the effective date and, where appropriate, providing additional notice through the Service or by email.
17. Contact Us
Questions, requests, or complaints regarding this Privacy Policy can be sent to:
- Privacy team: privacy@outreachmonkey.com
- Legal team: legal@outreachmonkey.com
We will respond within the timelines required by applicable law, typically within 30 days, and will work with you to resolve any concerns.