⚠️ THIS IS A WORKING DRAFT. DO NOT PUBLISH WITHOUT ATTORNEY REVIEW.
This template was generated by Claude on 2026-05-11. It is a starting point, not legal advice. Before publishing to secoutbound.com/privacy, have a lawyer or a vetted template service (Termly, iubenda, Termageddon) review the content for your jurisdiction, entity structure, and actual data practices. Replace every [PLACEHOLDER] with real values and remove this disclaimer block.
Privacy Policy
Effective date: [DATE — set on first publication]
Last updated: [DATE]
[LEGAL ENTITY NAME] (the "Company," "we," "us," or "our") operates the SEC/OUTBOUND service at secoutbound.com (the "Service"). This Privacy Policy explains how we collect, use, share, and protect information when you visit the website, fill out a form, or engage SEC/OUTBOUND as a client.
We respect your privacy. We collect only the information we need to operate the Service, and we never sell personal information.
1. Who we are
| Legal entity | [LEGAL ENTITY NAME], a [STATE] [LLC / Corporation] |
| Mailing address | [PHYSICAL MAILING ADDRESS — PO Box, virtual office, or registered agent] |
| Contact email | privacy@secoutbound.com |
| Data Protection Officer | Not required for our size; inquiries handled by [NAME], [ROLE] |
2. What information we collect
From visitors to secoutbound.com
- Contact form submissions: name, work email, company name, and any message content you provide. Submitted through Formspree (see §6 Sub-processors).
- Standard server logs: IP address, user agent, referrer URL, timestamps. Retained for up to 30 days for security and abuse detection.
- No advertising cookies, no cross-site tracking, no third-party analytics by default. If we add analytics later, we will use a privacy-respecting tool (e.g., Plausible, Fathom) that does not require a cookie banner and will update this policy.
From prospects we email on behalf of our clients
- Business contact data: name, job title, work email address, company name, public LinkedIn URL, company size, industry. Sourced from Apollo.io (a public B2B contact database) or verified by Million Verifier.
- Engagement data: whether you opened our email, clicked links, or replied. Stored in Smartlead (our outbound platform) and Notion (our CRM).
- We do not collect personal phone numbers, home addresses, or any special-category data (health, religion, biometrics, etc.).
From clients
- Business contact and account details: company name, primary contact, billing email, payment information processed by Stripe (we do not store card numbers on our systems).
- Service data: information you share during onboarding about your ideal customer profile, sales process, and prior outreach history.
3. How we use information
| Purpose | Legal basis (GDPR) |
|---|---|
| Respond to inquiries from the contact form | Legitimate interest |
| Send outbound emails to prospects on behalf of clients | Legitimate interest (B2B prospecting) |
| Provide the Service to clients we have engaged | Contract performance |
| Comply with legal obligations (tax, anti-fraud, CAN-SPAM, etc.) | Legal obligation |
| Improve the Service (aggregate analytics) | Legitimate interest |
We do not use information for behavioral advertising or profiling decisions with legal effect.
4. How we share information
We share information only with:
- Sub-processors that help us deliver the Service (see §6).
- Clients we are providing the Service to — limited to engagement data on the prospects we contact on their behalf.
- Legal authorities when compelled by valid legal process (subpoena, court order, regulatory request).
- Successors in a business transfer — if SEC/OUTBOUND merges, is acquired, or sells assets, your information may transfer to the successor entity subject to this policy.
We do not sell personal information to third parties. We do not "share" personal information for cross-context behavioral advertising (CCPA term of art).
5. Geographic scope and international transfers
We operate from the United States. The Service is currently offered to clients and prospects located in the United States and United Kingdom only. Additional geographies (Canada, European Union, Australia, etc.) will be added after we complete jurisdiction-specific legal review.
UK and EU personal data: where we process data on individuals in the UK or EU, we rely on the legitimate interest legal basis for B2B prospecting and process the data in the United States. We use the UK and EU Standard Contractual Clauses with our sub-processors where applicable.
6. Sub-processors
We use the following third-party services. Each is bound by a data processing agreement or equivalent contractual protection:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Vercel, Inc. | Website hosting, AI Gateway | Server logs, AI inputs/outputs |
| Cloudflare, Inc. | DNS, registrar, network security | IP addresses, request metadata |
| Formspree (Forspring, Inc.) | Contact form processing | Form submission data |
| Google LLC | Workspace (mailbox, calendar) | Email content, contact metadata |
| Apollo Data Co. | B2B contact data sourcing | We retrieve public business contact data |
| Million Verifier | Email address verification | Email addresses (verification only) |
| Smartlead | Outbound email sending and tracking | Prospect contact data, email content, engagement events |
| Anthropic PBC (via Vercel AI Gateway) | AI-assisted email personalization | Prospect public profile snippets sent to the model |
| Notion Labs, Inc. | Internal CRM | Engagement summary data |
| Cal.com, Inc. | Meeting scheduling | Booking details, calendar metadata |
| Stripe, Inc. | Payment processing for clients | Billing details (we never see full card data) |
A current list is maintained at [URL — TBD]. We will give clients 30 days' notice of material sub-processor changes via email.
7. Data retention
| Data type | Retention period |
|---|---|
| Contact form submissions | 24 months from submission, then deleted |
| Server logs | 30 days |
| Prospect engagement data | 12 months from last activity, then anonymized |
| Client data | For the duration of the engagement + 7 years (tax/legal) |
| Marketing list (people who explicitly subscribed) | Until unsubscribe |
| Unsubscribe / opt-out lists | Indefinitely (legally required to honor opt-outs) |
8. Your rights
Depending on where you live, you have the right to:
- Access the information we hold about you
- Correct inaccurate information
- Delete your information (subject to legal exceptions, e.g., we must keep opt-out records)
- Opt out of marketing and outbound outreach
- Object to processing based on legitimate interest
- Data portability — receive your data in a portable format
- Lodge a complaint with your data protection authority (UK: ICO; EU: your national DPA; California: California Privacy Protection Agency)
To exercise any right, email privacy@secoutbound.com. We will respond within 30 days. To unsubscribe from outbound emails, use the unsubscribe link in any email or email unsubscribe@secoutbound.com.
9. Cold email and unsubscribe (CAN-SPAM, GDPR, UK PECR)
We process outbound email under the following standards:
- Every email identifies us as the sender and includes our physical mailing address.
- Every email includes a one-click unsubscribe link plus standard List-Unsubscribe and List-Unsubscribe-Post mail headers (RFC 8058).
- Unsubscribe requests are processed within one business day and respected indefinitely.
- We do not process recipients in jurisdictions where we have not completed legal review (currently outside US and UK).
10. Security
We use industry-standard technical and organizational measures to protect information:
- TLS for all data in transit
- Encryption at rest where supported by sub-processors
- Access controls with two-factor authentication for all systems
- Audit logs of administrative access
- Regular review of sub-processor security posture
No system is perfectly secure. If we discover a data breach affecting your personal information, we will notify you within the time required by applicable law (typically 72 hours under GDPR).
11. Children's privacy
The Service is intended for business use only. We do not knowingly collect information from anyone under 16. If we learn we have collected information from a minor, we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to clients and posted to this URL with a revised "Last updated" date. Continued use of the Service after a change indicates acceptance.
13. Contact
Questions about this Privacy Policy or your data:
[LEGAL ENTITY NAME]
[PHYSICAL MAILING ADDRESS]
Email: privacy@secoutbound.com
This policy was last reviewed by [ATTORNEY NAME OR FIRM] on [DATE]. — to fill in after legal review.