Privacy Policy
Effective date: June 23, 2026 Last updated: July 8, 2026
Sleet Labs LLC (the "Company," "we," "us," or "our") operates the SEC/OUTBOUND service at secoutbound.com (the "Service"). This Privacy Policy explains how we handle information when you visit the website, fill out a form, or engage SEC/OUTBOUND as a client.
We collect only what we need to run the Service. We do not sell personal information.
1. Who we are
| Legal entity | Sleet Labs LLC, a Wyoming limited liability company |
| Mailing address | 5830 E 2nd St, Ste 7000, Casper, WY 82609, USA |
| Contact email | privacy@secoutbound.com |
| Data Protection Officer | We have assessed that we are not required to appoint a Data Protection Officer. Privacy inquiries are handled via privacy@secoutbound.com. |
| Our role | For personal data of the prospects we email, Sleet Labs LLC acts as an independent "business" under US state privacy laws (and an independent controller for any residual UK/EU data): we determine the purposes and means of the processing, operate the sending infrastructure on domains we own, and source the data. Our clients are separate, independent businesses/controllers for their own use of any data we deliver to them. We do not act as our clients' service provider or processor for that outbound prospecting. Scheduling/calendar exception (under review): where we operate a meeting scheduler on a client's behalf and hold authorization to write to that client's calendar, we may act as that client's processor/service provider for that specific booking-and-calendar processing. That role determination is being finalized; until it is, no real booking data is processed, and any processor relationship will be governed by a data processing addendum with the client. |
2. What information we collect
From visitors to secoutbound.com
- Contact form submissions: name, work email, company name, and any message content you provide. Submitted through our own form endpoint and delivered via Resend (see §6 Sub-processors).
- Standard server logs: IP address, user agent, referrer URL, timestamps. Retained for up to 30 days for security and abuse detection.
- No advertising cookies, no cross-site tracking, no third-party analytics by default. If we add analytics later, we will use a privacy-respecting tool (e.g., Plausible, Fathom) that does not require a cookie banner, and we will update this policy.
From prospects we email to promote our clients' offers
- Business contact data: name, job title, work email address, company name, public LinkedIn URL, company size, industry. Sourced from Apollo.io (an independent third-party B2B data provider — see §6) or verified by MillionVerifier.
- Engagement data: whether you opened our email, clicked links, or replied. Stored in Smartlead (our outbound platform) and Supabase (our CRM and per-client dashboard, a Postgres database with row-level security).
- Booking and scheduling data (when a prospect books a meeting): booker name, work email, requested meeting time and time zone, event type/meeting title and any context or answers entered on the booking form, the organizer and client contact metadata, and booking-lifecycle status (confirmed, rescheduled, cancelled, attended, or no-show). Booking records are keyed to an internal opaque identifier and deliberately exclude sourcing, enrichment, lead-score, and personalized-opener fields. This data is processed only through the meeting scheduler and connected calendar described in §6. While we evaluate a self-hosted scheduler (cal.diy), this flow uses synthetic test data only; no real prospect booking data is processed until that scheduler stack is reviewed and listed in §6.
- We do not collect personal phone numbers, home addresses, or any special-category data (health, religion, biometrics, etc.).
From clients
- Business contact and account details: company name, primary contact, billing email, payment information processed by Stripe (we do not store card numbers on our systems).
- Service data: what you share during onboarding about your ideal customer profile, sales process, and prior outreach history.
3. How we use information
| Purpose | Legal basis |
|---|---|
| Respond to inquiries from the contact form | Legitimate interest |
| Send outbound emails promoting our clients' offers (as an independent controller) | Legitimate interest (B2B prospecting) |
| Provide the Service to clients we have engaged | Contract performance |
| Comply with legal obligations (tax, anti-fraud, CAN-SPAM, etc.) | Legal obligation |
| Improve the Service (aggregate analytics) | Legitimate interest |
We do not use information for behavioral advertising or for profiling decisions with legal effect.
4. How we share information
We share information only with:
- Sub-processors that help us deliver the Service (see §6).
- Clients we are providing the Service to — limited to the data of prospects who engage with our outreach (e.g., reply or book a meeting) and the related meeting details. We deliver meetings (outcomes) and engaged-prospect details, not a sourced prospect list or data on prospects who do not engage.
- Legal authorities when compelled by valid legal process (subpoena, court order, regulatory request).
- Successors in a business transfer. If SEC/OUTBOUND merges, is acquired, or sells assets, your information may transfer to the successor entity subject to this policy.
We do not sell personal information to third parties. We do not "share" personal information for cross-context behavioral advertising (CCPA term of art).
5. Geographic scope and international transfers
We operate from, and provide the Service to clients and prospects located in, the United States only. We do not currently offer the Service in, or send outbound email to recipients in, any other country. We will add other geographies (United Kingdom, Canada, European Union, Australia, etc.) only after we complete jurisdiction-specific legal review.
Residual non-US data: our website is reachable from outside the United States, so we may incidentally receive personal data from non-US visitors (for example, a UK visitor who submits the contact form). Where we hold such data, we process it in the United States; for any UK or EU personal data, we rely on an appropriate transfer mechanism — the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or the EU–US Data Privacy Framework (and its UK Extension) where a sub-processor is certified. We do not target or market to individuals outside the United States.
6. Sub-processors
We use the following third-party services. Each provider that processes live client or prospect data is bound by a data processing agreement or equivalent contractual protection. A provider listed ahead of a feature going live is marked as pending its data processing agreement and processes no real client or prospect data until that agreement is executed:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Vercel, Inc. | Website hosting, form endpoint, AI Gateway | Server logs, form submissions, AI inputs/outputs |
| Cloudflare, Inc. | DNS, registrar, network security | IP addresses, request metadata |
| Railway Corp. | Application hosting/compute, managed PostgreSQL database, and Redis cache for the self-hosted cal.diy booking scheduler. Data processing agreement executed (DocuSign, 2026-07-09) — synthetic test data only until the cal.diy scheduler goes live; no real booking data yet. | Server and application logs; once live, booking records (booker name, work email, meeting time and time zone, event/meeting title, connected-calendar references, booking-form answers) |
| Plus Five Five, Inc. (d/b/a Resend) | Transactional email delivery — contact-form notifications now; booking confirmations, reminders, reschedules, and cancellations once the self-hosted scheduler is live | Form submission data (name, email, message); booking-lifecycle email and its metadata |
| Google LLC | Workspace (mailbox, calendar) | Email content, contact metadata |
| ZenLeads Inc. (d/b/a Apollo.io) | Third-party B2B data source (independent provider) | We retrieve public business contact data |
| GBD Software as a Service Ltd. (d/b/a MillionVerifier) | Email address verification | Email addresses (verification only) |
| 521 Products Pty Ltd (d/b/a Smartlead) | Outbound email sending and tracking | Prospect contact data, email content, engagement events |
| Anthropic PBC (via Vercel AI Gateway) | AI-assisted email personalization | Prospect public profile snippets sent to the model; inputs are not used to train the model under our Vercel AI Gateway / Anthropic commercial terms |
| Supabase, Inc. | Per-client dashboard + CRM (Postgres with row-level security) | Prospect engagement data |
| Cal.com, Inc. (hosted scheduler only) | Meeting scheduling | Booking details, calendar metadata |
| Pluot Communications, Inc. (d/b/a Daily.co) | Cal Video meeting rooms for cal.diy booking events (video/screen-share hosting). Data processing agreement in effect (Daily online DPA, incl. US state-law service-provider terms) — synthetic test data only until the cal.diy scheduler goes live; no real booking data yet. | Participant display name, IP address, in-call audio/video/screen-share media (not recorded), room/session metadata |
| Stripe, Inc. | Payment processing for clients | Billing details (we never see full card data) |
ZenLeads Inc. (Apollo.io) and GBD Software as a Service Ltd. (MillionVerifier) are independent third-party data sources from which we obtain or verify business contact data as an independent controller; the other entities are sub-processors that process data on our behalf. Self-hosted cal.diy is not approved for real booking personal data until each newly added processor's data processing agreement is executed, the connected-calendar authorization (Google Calendar OAuth) model is reviewed, and clients receive any required change notice. The application hosting/compute layer, the managed PostgreSQL database, and the Redis cache have been selected and are listed above — Railway Corp. — and the booking email-delivery layer (Resend) and the video/meeting-link provider (Cal Video, provided by Pluot Communications, Inc. (d/b/a Daily.co)) have also been selected and are listed above; Railway's and Daily's data processing agreements are now executed and in effect; real booking data will flow only after the self-hosted scheduler completes its go-live readiness review, and the scheduler otherwise uses synthetic test data only for now.
A current list of our sub-processors is published at https://secoutbound.com/subprocessors, where clients may subscribe to receive change notices. We will give clients at least 30 days' notice of material sub-processor changes by email before the new sub-processor begins processing their data.
7. Data retention
| Data type | Retention period |
|---|---|
| Contact form submissions | 24 months from submission, then deleted |
| Server logs | 30 days |
| Prospect engagement data | 12 months from last activity, then anonymized |
| Booking & scheduling records (scheduler + connected calendar) | 12 months from last booking activity, then anonymized or deleted; calendar references removed on deletion; deletion/objection requests honored within 30 days |
| Client data | For the duration of the engagement + 7 years (tax/legal) |
| Marketing list (people who explicitly subscribed) | Until unsubscribe |
| Unsubscribe / opt-out lists | Indefinitely (legally required to honor opt-outs) |
8. Your rights
Depending on where you live, you have the right to:
- Access the information we hold about you
- Correct inaccurate information
- Delete your information, subject to legal exceptions (e.g., we must keep opt-out records)
- Opt out of marketing and outbound outreach
- Object to processing based on legitimate interest
- Receive your data in a portable format
- Lodge a complaint with your data protection authority (California: California Privacy Protection Agency; other US states: your state Attorney General)
If you are a California resident, see Section 8A for additional rights under the CCPA/CPRA.
To exercise any right, email privacy@secoutbound.com. We will respond within 30 days. To unsubscribe from outbound emails, use the unsubscribe link in any email or write to unsubscribe@secoutbound.com.
8A. California residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA):
- Right to know / access. You can request the categories and specific pieces of personal information we have collected about you, the sources, the business purpose for collecting it, and the categories of third parties to whom we disclose it.
- Right to delete. You can request deletion of personal information we hold about you, subject to legal exceptions (for example, we must retain opt-out/suppression records and information needed to comply with law).
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing." We do not sell personal information and do not "share" it for cross-context behavioral advertising, so there is nothing to opt out of. If this ever changes, we will provide a "Do Not Sell or Share My Personal Information" mechanism.
- Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
- Right to non-discrimination for exercising any of these rights.
The categories of personal information we collect are described in §2 — principally identifiers and professional/employment information; we do not collect sensitive personal information; and we retain it as described in §7. To exercise these rights, email privacy@secoutbound.com or write to the address in §13. You may use an authorized agent, in which case we may verify your identity and the agent's authority. We will respond within 45 days (extendable by an additional 45 days with notice).
9. Cold email and unsubscribe (CAN-SPAM)
For outbound email, we follow these rules:
- Every email identifies us as the sender and includes our physical mailing address.
- Every email has a one-click unsubscribe link plus standard
List-UnsubscribeandList-Unsubscribe-Postmail headers (RFC 8058). - We process unsubscribe requests within one business day and honor them indefinitely.
- We do not email recipients located anywhere outside the United States.
- Where we obtain a prospect's details from a third-party source (such as Apollo / ZenLeads Inc.), our first email to that prospect links to this Privacy Policy, which identifies the source of the data and how to opt out.
10. Security
We use standard technical and organizational measures to protect information:
- TLS for all data in transit
- Encryption at rest where supported by sub-processors
- Access controls and multi-factor authentication on the systems that store personal data
- Logging of administrative access to key systems
- Regular review of sub-processor security posture
No system is perfectly secure. If we discover a personal-data breach, we will notify affected individuals without undue delay where the breach is likely to result in a high risk to them, and we will notify regulators where and within the time required by applicable law (for any residual UK/EU data, the relevant supervisory authority within 72 hours of becoming aware where the breach is reportable; and as otherwise required by applicable US state law).
11. Children's privacy
The Service is intended for business use only. We do not knowingly collect information from anyone under 16. If we learn we have collected information from a minor, we will delete it.
12. Changes to this policy
We may update this policy from time to time. We will email clients about material changes and post the revised policy at this URL with a new "Last updated" date. Continued use of the Service after a change means you accept it.
13. Contact
Questions about this Privacy Policy or your data:
Sleet Labs LLC 5830 E 2nd St, Ste 7000 Casper, WY 82609, USA Email: privacy@secoutbound.com