Legal
Privacy Policy
Last updated: April 20, 2026
OutreachOS is a personal job-outreach pipeline tool. We take your privacy seriously — especially given that you grant us access to your Gmail account. This policy explains exactly what we collect, why, and what we will never do with it.
Who we are
OutreachOS (“we,” “us,” or “our”) is a personal productivity tool for job-seekers to manage outbound outreach to hiring managers and recruiters. The service is operated as a private, invite-only beta.
For privacy enquiries, contact us at: privacy@outreachos.in
Information we collect
We collect information in three ways:
A. Account information (Google OAuth)
When you sign in with Google, we receive your Google account email address and display name. We store these in our database (Supabase) to identify your account.
B. Gmail access (separate, explicit step; sensitive scope)
Gmail access is not requested during sign-up. After creating your account, you may optionally connect your Gmail from the Settings page. This triggers a dedicated OAuth consent screen that requests two scopes: gmail.send — to send outreach emails from your own Gmail address — and email — to read your Gmail address so we can display which account is connected. We request access_type=offline so that scheduled and queued emails can be sent even when you are not actively using the app. We do not read, index, or store the contents of your inbox. We only ever send emails you explicitly compose or approve inside OutreachOS. Gmail OAuth tokens are stored encrypted (AES-256-GCM) and are never shared with third parties.
C. Lead and outreach data
Contact records, organisations, job listings, composed emails, and outreach events (opens, clicks, replies) that you add or that arrive through connected integrations (Telegram bot, CSV upload, API) are stored in your account and are accessible only by you and designated admins.
How we use your information
- To authenticate you and maintain your session
- To send outreach emails on your behalf via the Gmail API
- To display your pipeline, analytics, and signal feed inside the app
- To enrich contact records using Hunter.io when you trigger enrichment
- To process leads forwarded from the Telegram bot integration
- To track email opens and clicks via a 1×1 tracking pixel embedded in sent emails
- To monitor service health and debug errors
We will never use your data for advertising, sell it to data brokers, or share it with third parties for their own marketing purposes.
Google user data — additional disclosures
Google API Limited Use Policy Compliance
OutreachOS's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to develop, improve, or train generalised AI or ML models. We do not share Google user data with third parties except as strictly necessary to operate the service (i.e. the Gmail API send call itself).
Narrow use: OutreachOS's access to Gmail data is used only to send outreach emails that you explicitly compose or approve within the OutreachOS product. This access is not used for serving advertisements, building user profiles, or for any purpose other than providing the OutreachOS email-sending feature to you.
Human access to Gmail data: OutreachOS does not allow any humans to read your Gmail data unless (a) you have given us your affirmative agreement to access specific messages for support purposes, (b) doing so is necessary for security reasons such as investigating abuse, or (c) it is required to comply with applicable law. In all cases, such access is logged and limited to the minimum data necessary.
What we will never do with Gmail access:
- Read, scan, index, search, or store the contents of your inbox or any existing emails
- Access Gmail labels, threads, message metadata, or drafts
- Modify, delete, archive, or move any emails in your mailbox
- Use Gmail data to build user profiles or for any advertising purpose
- Use Gmail data to develop, improve, or train any AI or machine-learning model
- Share Gmail tokens or delegated send permissions with any third party beyond the Gmail REST API itself
- Sign-in uses Google OAuth for authentication only (email and profile scopes via Supabase Auth). No Gmail API access is requested or stored at sign-in.
- Gmail connection is a separate, optional step initiated from the Settings page. It requests exactly two scopes: gmail.send — to send outreach emails on your behalf — and email — to read your Gmail address so we can display which account is connected. We do not request access to read, modify, or delete any emails in your inbox.
- We request access_type=offline (a refresh token) so that scheduled and queued emails can be delivered even when you are not actively using OutreachOS. The refresh token is stored encrypted (AES-256-GCM) and used exclusively to renew short-lived access tokens for the Gmail API.
- Google user data (including Gmail tokens) is used solely to send emails explicitly composed and approved by you inside OutreachOS. It is not used for any other purpose.
- We do not transfer Google user data to third parties except as necessary to provide the OutreachOS service (e.g. the Gmail API send call itself), and never for advertising or data-broker purposes.
- You can revoke Gmail access at any time from your Google Account permissions page or from the Settings page inside OutreachOS. Revoking access from Google's permissions page will automatically disconnect your Gmail from OutreachOS — no further action inside the app is needed.
Token storage and security:
- OAuth refresh tokens are encrypted at rest using AES-256-GCM with a secret key stored in environment variables, never in client-side code or the database in plaintext.
- Access tokens are short-lived (typically 1 hour), requested on demand for each Gmail API call, and never persisted to the database beyond the call itself.
- No OutreachOS employee or contractor can read your Gmail tokens. The encryption key is held server-side only and never logged or transmitted.
- When you disconnect Gmail from Settings, or revoke access via your Google Account, the stored token row is deleted immediately — there is no retention period for credentials after disconnection.
Third-party services
Data retention
Your account data is retained as long as your account is active. Lead records, emails, and events you create are retained until you delete them or close your account. Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law.
Gmail OAuth tokens: If you disconnect Gmail access from the Settings page (or revoke access via your Google Account permissions), your stored OAuth tokens are deleted from our database immediately — there is no retention period for credentials after disconnection.
Cookies and local storage
We use a Supabase session cookie to keep you logged in. We also store your selected UI theme (dark/light) in localStorage under the key oos-theme. We do not use any advertising or analytics cookies.
Email tracking — disclosure to recipients
Outreach emails sent via OutreachOS may contain a 1×1 tracking pixel and wrapped links that allow you (the sender) to see when a recipient opens the email or clicks a link. This tracking is embedded in emails delivered to non-users (your email recipients), who have not accepted our Terms of Service.
What we collect from recipients: IP address, User-Agent string, approximate time of open/click, and destination URL (for clicks). This data is stored in our database and displayed only to the sender in their OutreachOS dashboard.
Opting out of tracking: As a sender, you can disable open and click tracking for your outreach emails in the Settings page. When tracking is disabled, no pixel or link-wrapping is added to emails you send, and no event data is collected from recipients.
Your rights
Depending on your location, you may have the right to:
- Access or export the personal data we hold about you
- Correct inaccurate data
- Request deletion of your account and associated data
- Withdraw consent for Gmail access (via Google Account settings)
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email privacy@outreachos.in.
Security
All data is transmitted over HTTPS. Database credentials and OAuth tokens are stored using environment-variable secrets and are never exposed to client-side code. Gmail tokens are stored encrypted at rest. We conduct periodic reviews of our security posture and update this policy when our practices change.
Children
OutreachOS is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
Changes to this policy
We may update this policy from time to time. We will notify users of material changes by updating the “Last updated” date at the top of this page and, where appropriate, via an in-app notice. Your continued use of OutreachOS after changes constitutes acceptance of the updated policy.