← Back to sign in

Privacy Policy

Effective date: June 4, 2026

This Privacy Policy describes how CroSeven (“we”, “us”) handles personal data when you use the CroSeven Outreach web application at outreach.croseven.com (the “Service”).

1. Who we are

The Service is operated by CroSeven, a freelance web development business. For privacy-related questions, contact: marko@croseven.com.

2. What the Service does

CroSeven Outreach helps authorized users manage cold-outreach leads and email sequences. The Service creates drafts in your Gmail account; you send messages manually from Gmail. The Service does not send bulk email on your behalf.

3. Data we collect

Account and authentication

  • Google account sign-in via Supabase Auth (email, name, profile).
  • Google OAuth tokens (access and refresh) stored securely on our servers to access Gmail on your behalf.

Gmail data (with your consent)

When you connect Google, we may access:

  • Ability to compose drafts in Gmail (gmail.compose).
  • Ability to read mailbox data needed to detect when drafts were sent and when replies arrive (gmail.readonly).
  • Your email address (userinfo.email).

We use this access only to provide Service features (draft preparation, send/reply detection, bounces). We do not use Gmail data for advertising.

Data you enter in the Service

  • Lead and list information (names, emails, notes, tags, status).
  • Sequence templates and outreach activity logs.
  • In-app notifications and analytics derived from your usage.

Technical data

  • Session cookies required for authentication.
  • Standard server and hosting logs (e.g. via Vercel).

4. How we use data

  • Authenticate you and keep your session secure.
  • Store and display your leads, lists, sequences, and analytics.
  • Create Gmail drafts and track outreach progress.
  • Detect sent messages, replies, and bounces to update lead status.
  • Run scheduled jobs (e.g. follow-up reminders, Gmail watch renewal).
  • Improve reliability and security of the Service.

5. Where data is stored

Data is stored in Supabase (PostgreSQL) and processed on Vercel (application hosting). Google processes OAuth and Gmail API requests under Google's Privacy Policy.

6. Sharing with third parties

We do not sell your personal data. We share data only with:

  • Google — OAuth and Gmail API (as you authorize).
  • Supabase — database and authentication infrastructure.
  • Vercel — hosting and edge delivery.
  • Google Cloud Pub/Sub — push notifications for Gmail mailbox changes.

We may disclose data if required by law or to protect our rights, users, or the security of the Service.

7. Retention

We retain your data while your account is active and as needed to provide the Service. Lead data may use soft-delete. You may request deletion of your account and associated data by contacting us.

8. Security

We use HTTPS, row-level security in the database (each user sees only their own data), and server-side storage of Google tokens (never exposed to the browser). No method of transmission or storage is 100% secure.

9. Your rights

Depending on your location (including the EU/EEA under GDPR), you may have the right to access, correct, delete, restrict, or port your personal data. Contact marko@croseven.com. You may also revoke Gmail access in your Google Account permissions.

10. Children

The Service is not intended for users under 16. We do not knowingly collect data from children.

11. Changes

We may update this policy from time to time. We will post the new version on this page with an updated effective date.

12. Contact

CroSeven — marko@croseven.com
See also our Terms of Service.