Privacy Policy

Last updated: May 8, 2026. Effective immediately.

PitchDart is a B2B sales tool. We collect the minimum data needed to run the service. We do not sell it, share it for advertising, or use it to train AI models. This page explains exactly what we collect, why, and what your rights are over it.

Section 01

What We Collect

Category | Data | Why
Account | Email address, name, password (hashed) | Authentication and account management
Billing | Subscription plan, billing country, payment status | Subscription management (card details go to Razorpay, never us)
Campaigns | Campaign names, descriptions, targeting criteria | Running your outreach campaigns
Prospects | Names, email addresses, companies, LinkedIn URLs, notes | Generating personalized outreach for your targets
Emails | Generated email drafts, sent email content, open/reply status | Tracking your outreach performance
Usage | Pages visited, features used, session timestamps | Product improvement and debugging (no ad tracking)
Technical | IP address, browser type, device type | Security, fraud prevention, and error diagnosis
Location | Approximate geographic location (country, city, region) derived from IP address at login/signup | Analytics and security monitoring
Prospect Data (Auto-Discovery) | Publicly available business information — names, professional email addresses, company names, job titles, LinkedIn URLs — collected from web sources via our AI prospect finder | Helping users find and research potential prospects for their campaigns
Email Open Events | Timestamp and IP address of email opens, detected via a tracking pixel embedded in sent outreach emails | Campaign performance tracking — showing you when prospects open your emails
Prospect Replies | Reply content and metadata (sender, subject, timestamp) from your connected Gmail inbox, for prospects you are actively campaigning | Automatic reply detection and campaign status updates

We do not collect: social security numbers, government IDs, biometric data, health information, or financial account details.

Section 02

How We Use It

Your data is used to:

  • Run the service — process your campaigns, generate prospect research, draft and send emails
  • Manage your account — handle authentication, billing, and subscription status
  • Improve the product — understand how features are used to prioritize improvements (aggregated, never individual-level targeting)
  • Provide support — diagnose bugs, answer questions, and resolve issues
  • Comply with law — retain records required by applicable regulations, respond to lawful requests

Auto-Discovery (Prospect Finder): When you use PitchDart's automated prospect discovery feature, our AI searches publicly available web sources (company websites, professional directories, LinkedIn public profiles) to collect business contact information — names, professional email addresses, company names, job titles, and public profile URLs. This data is collected on your behalf to populate your prospect lists. It is not collected directly from the individuals concerned; we are acting as a data processor under your instruction. Under GDPR Article 14, if you send outreach to EU-based prospects discovered this way, you are responsible for notifying them of the data source in your first communication. We recommend including a brief note such as "I found your contact through public professional sources."

Geographic location data: We collect approximate geographic location (country, city, region) derived from IP addresses at login and signup events. This data is used for platform analytics (understanding our user geography) and security monitoring (detecting unusual login patterns). It is not used for advertising targeting or shared with third parties beyond our hosting infrastructure.

What we don't do with your data: We do not use your prospect lists, email content, or campaign data to train AI models. We do not run advertising. We do not build behavioral profiles for resale. Your sales intelligence stays yours.

Section 03

Who We Share With

The short answer: no one, for commercial purposes.

We use a small number of infrastructure providers to operate the service. These are subprocessors — they process data on our behalf, under contract, and cannot use it for their own purposes:

Provider | Purpose | Data shared
Neon / PostgreSQL | Database hosting | All stored data (encrypted at rest)
Render | Cloud infrastructure | Application runtime, logs
Razorpay | Payment processing | Billing contact info, subscription data
Polsia AI | AI inference for prospect research & email generation | Prospect summaries, campaign context (no PII beyond names/roles)

We do not share data with advertising networks, data brokers, or analytics companies that resell data. We do not sell your data. Ever.

Legal disclosure: We may disclose data if required by law, court order, or to protect against fraud or harm — and only to the extent required.

Section 04

Data Retention

We retain data for as long as your account is active, plus a short window to handle disputes or legal obligations:

Data type | Retention period
Account information | Until deletion requested, or 30 days after cancellation
Campaign and prospect data | 30 days after subscription cancellation, then deleted
Email logs (sent records) | 90 days (for compliance and deliverability diagnosis)
Billing records | 7 years (legal/tax requirement)
Usage analytics | Aggregated after 12 months; raw logs deleted after 90 days

You can request earlier deletion at any time. See Your Rights below.

Section 05

Your Rights

You have the following rights over your data, regardless of where you're located:

👁 Access

Request a copy of all personal data we hold about you

✏️ Correction

Request correction of inaccurate or incomplete data

🗑 Deletion

Request deletion of your personal data (right to be forgotten)

📦 Portability

Export your data in a machine-readable format (CSV/JSON)

Restriction

Request that we limit processing while a dispute is resolved

🚫 Objection

Object to processing based on legitimate interests

To exercise any of these rights, email support@pitchdart.com with the subject line "Data Request — [your request type]". We respond within 30 days. No fees for reasonable requests.

If you believe we've mishandled your data, you have the right to lodge a complaint with your local data protection authority.

Section 06

Security Measures

We take data security seriously. The measures in place:

  • Encryption at rest: All database contents are encrypted using AES-256
  • Encryption in transit: All connections use TLS 1.2 or higher — no unencrypted HTTP for data transmission
  • Access controls: Staff access to production systems is limited to engineers who need it, uses multi-factor authentication, and is logged
  • Password security: Passwords are hashed using bcrypt with per-user salts — we cannot recover them in plaintext
  • Dependency monitoring: We monitor dependencies for known vulnerabilities
  • Breach notification: If a breach occurs affecting your data, we will notify you within 72 hours of becoming aware, consistent with GDPR Article 33

No security system is perfect. If you discover a vulnerability, report it responsibly to support@pitchdart.com.

Section 07

Cookies

PitchDart uses a minimal set of cookies:

Cookie | Purpose | Duration
session | Keeps you logged in to the dashboard | 7 days or until logout
csrf_token | Prevents cross-site request forgery | Session
polsia_analytics | Anonymous product analytics (page views, feature usage) | 30 days

We do not use advertising cookies or third-party analytics that share data externally. You can disable cookies in your browser, though this will prevent you from staying logged in.

Email open tracking pixel: Outreach emails sent through PitchDart include a small invisible tracking pixel (a 1×1 transparent image). When a recipient opens the email and their email client loads images, this pixel registers an open event — recording the timestamp and approximate location. This data is used solely to show you open rates in your campaign dashboard. If you prefer not to use open tracking, contact support@pitchdart.com to disable it for your account.

Section 08

Gmail — Sending & Reply Detection

PitchDart can connect to your Gmail account to send outreach emails and automatically detect prospect replies. This connection is entirely optional and only activated when you explicitly authorize it via Google OAuth.

Detail | Description
OAuth scopes requested | gmail.send — sends emails on your behalf; gmail.readonly — reads inbox to detect replies from your prospects
Inbox access | Limited. We scan your inbox using the gmail.readonly scope to detect replies from prospects you are actively campaigning. We do not read, store, or process any other inbox messages — drafts, labels, promotional emails, or messages unrelated to active campaign prospects.
Contacts access | None. We do not access your Google Contacts or address book.
Attachments | We do not read, download, or store any of your email attachments.

What we access and why: We use gmail.send to send your outreach emails, and gmail.readonly to automatically detect when prospects reply — so your campaign status updates without you having to check manually. We scan only for reply messages from known campaign prospects; we do not read, store, or process any other content in your inbox. We never store the body of any sent email after delivery confirmation. Reply content from prospects is stored only to display it in your campaign dashboard and mark the prospect as replied.

Section 09

How We Use Gmail Data

The Gmail connection is used for two purposes: sending sales outreach emails from your Gmail address, and automatically detecting replies from your prospects.

  • AI-generated cold outreach emails are sent from your Gmail address to the prospects you've approved in your campaign
  • Automated follow-up emails in your outreach sequences are sent from your Gmail address on your configured schedule
  • Because emails originate from your Gmail account, prospects reply directly to you — not to a shared sending pool or third-party domain
  • We periodically scan your connected inbox (using gmail.readonly) to detect replies from active campaign prospects and update their status in your dashboard automatically

What we never do with your Gmail data: We do not use your Gmail connection, inbox content, or sending history for advertising, profiling, AI training, analytics resale, or any purpose other than the two stated above. Scanned inbox messages are checked for prospect reply matches only — their content is not stored beyond what is needed to display the reply in your campaign dashboard. We do not read, index, or retain any non-prospect messages from your inbox.

Section 10

What We Store & Token Security

When you connect Gmail, here is the complete list of Gmail-related data we store:

Data | Details
OAuth refresh token | Encrypted at rest using AES-256-GCM. Never stored in plaintext. Used solely to obtain short-lived access tokens for sending.
Connected Gmail address | Your Gmail email address (e.g., you@gmail.com), stored to identify which account is connected and display it in your dashboard.
Sent-email metadata | Recipient address, subject line, timestamp, and delivery status (sent / bounced / failed). Used for campaign performance tracking.
Email body | Not stored after send confirmation. The message body is discarded once the Gmail API confirms delivery. We do not retain email content.

Token security details:

  • Encryption: Tokens are encrypted using AES-256-GCM. Encryption keys are stored as environment variables in our secure Render deployment environment — they are never committed to source code and are not accessible to the database.
  • Auto-refresh: Access tokens expire every hour. We use the refresh token to obtain a new access token automatically, so you stay connected without re-authorizing.
  • No password storage: We never see, request, or store your Gmail password. The OAuth flow is handled entirely by Google.
  • No human access: No PitchDart employee can read your Gmail tokens. Access to production credentials requires multi-factor authentication and is logged.
  • Immediate deletion on disconnect: When you disconnect Gmail from PitchDart (or delete your account), both the access token and refresh token are deleted from our database immediately. PitchDart permanently loses the ability to send emails from your account.
  • No third-party token sharing: Your Gmail tokens are never shared with any third party, subprocessor, or partner.

Section 11

How to Revoke Gmail Access

You can revoke PitchDart's access to your Gmail account at any time through either of these methods:

  • From PitchDart: Go to Settings → Gmail → Disconnect in your dashboard. This immediately deletes your tokens from our system.
  • From Google: Visit myaccount.google.com/permissions, find PitchDart in the list of connected apps, and click Remove Access.

Once revoked by either method, PitchDart permanently loses the ability to send emails from your Gmail account. Any scheduled emails in your queue will fail to send and will be marked as failed in your campaign dashboard.

Section 12

Google API Services User Data Policy — Limited Use

PitchDart's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data received via Google APIs is:

  • Used only to provide or improve user-facing features of PitchDart that are prominent in our interface
  • Not transferred to third parties except as necessary to provide the service (e.g., sending the email via Gmail's API on your behalf)
  • Not used for serving advertisements or for any advertising-related purpose
  • Not used to train generalized AI or ML models
  • Not shared with humans except when you request support, we obtain your permission, or we're required by law

Section 13

Privacy Contact

For any privacy-related question, request, or concern:

✉️ Privacy Requests

support@pitchdart.com — Subject: "Privacy Request — [your request]"

We aim to respond to all privacy requests within 30 days. For urgent matters, note "URGENT" in your subject line.

This policy was last updated on May 8, 2026. We'll notify you by email if we make material changes. The latest version is always at pitchdart.com/privacy.

Also see our full Terms of Service for the complete Service Agreement.