Privacy policy
Last updated : 2026-05-18
1. Who we are
outsend is a B2B prospecting SaaS tool published by [Publisher — see Legal notice]. This policy describes how outsend processes personal data in the context of service use.
2. Scope of this policy
This policy covers only the data processed by outsend in the context of managing the user account (data for which outsend is the controller).
Regarding the data collected through outsend (leads, Google Maps records, etc.), the user is the data controller within the meaning of GDPR and outsend acts as the processor. For that data, the user's own privacy policy applies to the people targeted by outreach.
3. Data collected by outsend (about the account)
| Data | Purpose | Legal basis |
|---|---|---|
| Identification, transactional communication (password, alerts, support) | Contract performance | |
| Password (hashed) | Authentication | Contract performance |
| Technical logs (IP, user-agent, login dates) | Security, traceability, fraud prevention | Legitimate interest |
| Audit log (admin actions, deletions) | Regulatory traceability | Legal obligation + legitimate interest |
| Billing data (upcoming) | Invoicing, accounting | Contract performance + legal obligation |
4. Data collected by outsend (about activity)
outsend also stores the data necessary for the service to operate:
- Jobs launched (type, parameters, status, results — CSV files)
- Configured pipelines
- Auto monitoring watches and their runs
- User preferences (chosen Claude AI model, etc.)
- Messages sent in the support chat
This data belongs to the user (controller of the collected leads). outsend hosts it as a processor. It is never shared with another user nor resold.
5. Retention period
- Active account: all data is retained as long as the account is active. No automatic purge.
- Account deletion: all data collected about the account and through its activity is deleted immediately and permanently. Only anonymized technical logs and accounting data legally required (10 years for invoicing) remain.
- Sessions: expire automatically after the configured duration (default: a few weeks), purged automatically.
- Reset tokens (password, email verification): expire after a few hours and are purged automatically.
6. Recipients
Data collected by outsend is not shared with any third party, except:
- Technical providers strictly necessary for the service: hosting (Hetzner Online GmbH, Germany, EU), transactional mail (Resend, under DPA conditions), internal analytics (Matomo, hosted by outsend)
- The competent authority under judicial requisition
7. Transfers outside the EU
outsend hosts its data at Hetzner (EU — Germany and Finland). No systematic transfer of user data outside the EU.
The user may, at their discretion, provide their own Anthropic (Claude) API key to enable certain AI features. In that case, API calls leave to Anthropic (United States) under the user's responsibility. The API key is encrypted server-side at outsend before being stored.
8. GDPR rights
In accordance with articles 15 to 22 of GDPR, the following rights apply:
- Right of access: data retrievable via the Settings page → "Export my data" (full ZIP)
- Right to portability: the export is delivered in JSON + CSV, structured and machine-readable
- Right to erasure: account deletion via Settings → "Danger zone"
- Right to rectification: account info editable via Settings or by emailing contact@outsend.xyz
- Right to object / restrict: write to contact@outsend.xyz
- Right to withdraw consent at any time
- Right to lodge a complaint with the CNIL: cnil.fr/fr/plaintes
9. Security
outsend implements technical and organizational measures to protect personal data:
- User passwords hashed with a modern algorithm (never stored in clear)
- Sessions secured with httpOnly + Secure cookie (HTTPS)
- End-to-end encrypted HTTPS/TLS communication
- At-rest encryption of the storage volume (LUKS) — being deployed
- Daily encrypted off-site backups — being deployed
- Audit log of all sensitive admin actions
- Strict per-account isolation in the database (no cross-user access, verified by audit)
- Rate limiting on sensitive endpoints (login, reset password, etc.)
10. Cookies
outsend only uses cookies strictly necessary to operate the service:
outsend_session: authentication cookie, httpOnly + Secure, expires with the session
outsend also runs a self-hosted Matomo instance to measure service usage. For now, the Matomo instance collects the maximum data useful to product improvement. Analytics are kept while the Matomo instance is active. A stricter anonymization policy will be put in place at commercial launch.
11. Data breach notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of the data subjects, outsend will notify the CNIL within 72 hours of becoming aware of the breach, in accordance with article 33 of GDPR, and will inform the affected users as soon as possible if the risk is high.
12. Policy changes
This policy may evolve. Substantive changes will be notified by email or via an in-app notification. The last update date is at the top of this page.
13. Contact
For any question regarding this policy or exercising GDPR rights: contact@outsend.xyz.