← All legal documents

⚠ DRAFT — LAWYER REVIEW REQUIRED

This is an AI-generated first draft for internal review only. It is not legal advice and must be reviewed, edited, and approved by qualified counsel before it is relied upon or shown to customers.

Privacy Policy

Version 2026-06-16-draft · Last updated June 16, 2026

This Privacy Policy explains how [LEGAL ENTITY NAME] (“ApexReach”) collects, uses, and shares personal data. It covers two distinct categories: (a) data about our customers (account holders who use ApexReach), and (b) lead data — business-contact personal data that customers obtain and process through the Service about third parties. Our roles differ for each (see “Our roles”).

Our roles (controller vs. processor)

For customer account data we act as a controller. For lead data that customers process through the Service, the customer is the controller and ApexReach acts as a processor on the customer’s behalf under our Data Processing Addendum.

Data we collect

  • Account data: name, email, company, and authentication data (via Clerk).
  • Billing data: subscription and payment metadata (processed by Stripe; we do not store full card numbers).
  • Usage data: log data, device/browser data, and feature usage.
  • Lead data (on behalf of customers): business names, addresses, phone numbers, websites, ratings, social profiles, job titles, and business email addresses, sourced from public listings (Google Maps via Apify) and enrichment/verification providers (Apollo, Bouncer).

How we use data

  • To provide, operate, secure, and improve the Service.
  • To process payments and manage subscriptions.
  • To generate outreach drafts using AI providers (OpenAI, Anthropic) based on customer instructions.
  • To communicate with customers about their account and the Service.
  • [COUNSEL: confirm lawful bases under GDPR Art. 6 for each purpose, and any legitimate-interest assessments for lead data.]

Sharing & subprocessors

We share data with the third-party providers listed on our Subprocessors page, who process it on our behalf under contract. We do not sell personal data. [COUNSEL: confirm whether any processing constitutes a “sale” or “sharing” under CCPA/CPRA.]

International transfers

Data may be processed in the United States and other countries. [COUNSEL: specify transfer mechanism, e.g. Standard Contractual Clauses, for EU/UK data.]

Retention

We retain account data for the life of the account and as required by law. Lead data is retained per customer configuration and deleted on account deletion. [COUNSEL/ENG: specify concrete retention periods.]

Your rights

Depending on your location, you may have rights to access, correct, delete, or port your data, and to object to or restrict processing (GDPR), or to opt out of sale/sharing and limit use of sensitive data (CCPA/CPRA). Individuals whose data appears in lead data should contact the relevant ApexReach customer (the controller); we will assist customers in responding. Submit requests to [[email protected]].

Cookies

See our Cookie Policy for details on cookies and similar technologies.

Contact

Controller: [LEGAL ENTITY NAME, address]. Privacy contact / DPO: [[email protected]]. [COUNSEL: appoint EU/UK representative if Art. 27 applies.]