Outboundby UstackStart free

Privacy Policy

Effective May 23, 2026 · See also our Terms of Service.

1. Who we are

Outbound by Ustack ("Outbound", "we", "us", "our") is an AI-native sales outreach platform operated by Ustack AI Inc. ("Ustack"). We are accountable for the personal data we process in connection with our website at outbound.ustack.ai and the Outbound application accessible at the same domain (collectively, the "Service").

Questions about this policy or your data: privacy@ustack.ai.

2. Data we collect

2.1 Account data

When you create an organization or accept an invitation, we collect: your email address, name, role within the organization, and authentication tokens (magic-link tokens or Google OAuth tokens you've authorized).

2.2 Outreach data you upload

When you upload a contact list, we collect the contact information you provide (name, email, company, role, etc.) and any list-context fields you fill in (description, connection point, sequence goal). This data belongs to your organization and is processed on your behalf to generate personalized outreach drafts.

2.3 Research data (created by us on your behalf)

For each prospect you ask us to research, we query publicly available web search providers and use AI models to extract structured insights about the prospect's company and role. We cache this research per-organization and refresh it according to your organization's TTL setting.

2.4 Email-related data (from Google / Microsoft / SMTP)

When you connect a mailbox to Outbound, we receive only the data necessary to send outbound emails on your behalf and to capture replies to mail you sent through us. See section 4 for the Google-specific disclosures.

2.5 Usage and telemetry

We collect minimal usage telemetry for billing accuracy and platform reliability: number of drafts created, sends dispatched, API calls made, model and search-provider costs, and error logs. We do not use third-party advertising trackers on the Service.

3. How we use your data

  • To provide the Service — generating drafts, sending email, tracking replies.
  • To bill you accurately based on your subscription plan and usage.
  • To improve platform reliability by aggregating anonymized telemetry across customers.
  • To detect and prevent fraud and abuse (rate limiting, suppression list enforcement).
  • To comply with our legal obligations (CAN-SPAM record-keeping, tax records).

We do not use your data to train AI models. We do not sell your data. We do not share your data with advertisers or data brokers.

4. Google API Services User Data Policy — Limited Use

Outbound's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The following sub-sections describe the Google user data we access, why we need it, what we do with it, and how long we keep it.

4.1 Scopes we request

When you connect a Google account, we request these OAuth scopes:

  • https://www.googleapis.com/auth/userinfo.email
  • https://www.googleapis.com/auth/userinfo.profile
  • https://www.googleapis.com/auth/gmail.send
  • https://www.googleapis.com/auth/gmail.modify

4.2 Why we need gmail.modify

The gmail.modify scope lets us read mail in your Gmail mailbox only when that mail is a direct reply to a message Outbound previously sent on your behalf. We match by the standard In-Reply-To and References mail headers against message IDs we recorded at send time. Mail that is not a reply to one of our outbound messages is ignored by our polling worker and never stored.

We use modify rather thanreadonly so that we can mark the matched reply as read after ingesting it. This prevents you from seeing the same unread reply twice — once in your Gmail inbox and once in Outbound's Mail view.

4.3 Limited Use commitment

We commit that Outbound's use of Google user data will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We will only use Google user data to provide or improve user-facing features that are prominent in the requesting application's user interface (i.e., the Mail view that surfaces replies to your outreach).
  • We will not transfer Google user data to third parties except as necessary to provide or improve user-facing features, in compliance with applicable laws, or as part of a merger, acquisition, or sale of assets.
  • We will not use Google user data for serving advertisements.
  • We will not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for our internal operations where the data has been aggregated and anonymized.

4.4 Data retention for Google user data

Matched-reply messages are stored in our database as Message rows. They are retained for as long as the originating outreach sequence is active in your organization, plus 90 days after the sequence ends, to support reply history and analytics. You can request immediate deletion of any specific message or all your Google-sourced data by emailing privacy@ustack.ai — see section 7.

4.5 Revoking access

You can revoke Outbound's access to your Google account at any time:

Upon revocation we stop polling your mailbox immediately. Already-ingested replies stay in your Outbound conversation history until you request deletion.

5. Microsoft / SMTP mailbox integrations

The same Limited Use principles apply when you connect a Microsoft 365 or SMTP mailbox: we read only replies that match mail we previously sent through Outbound. Non-matching mail is discarded before persistence.

6. Sharing and sub-processors

We use the following sub-processors to deliver the Service:

  • Vercel (USA) — hosting, edge network
  • Managed Postgres (USA) — database
  • OpenAI (USA) — AI model inference for draft generation and research extraction. We send anonymized prospect data; we do not send full Gmail mailbox contents.
  • Anthropic (USA) — AI model inference (alternate / cheaper tier)
  • Resend (USA) — email delivery fallback when you have not connected a mailbox
  • Keiro / Serper / Tavily (USA / international) — web search for research
  • Stripe (USA / Ireland) — subscription billing

Each sub-processor has its own privacy policy. None of these parties receive your Gmail user data; matched replies stay in our database and are only displayed back to you through Outbound's Mail view.

7. Your rights

You have the right to:

  • Access — request a copy of personal data we hold about you
  • Correction — fix inaccurate data
  • Deletion — request we delete your data (subject to legal retention obligations such as billing records)
  • Portability — receive your data in a machine-readable format
  • Withdraw consent — revoke OAuth permissions and ask us to delete what we collected under that consent

To exercise any right, email privacy@ustack.ai. We respond within 30 days.

8. Data retention

  • Account data — kept while your account is active; deleted within 30 days of account closure
  • Contact lists you uploaded — kept while your organization exists; exported on request
  • Drafts and sent emails — kept indefinitely while your organization is active for reply matching and audit. Deleted on request.
  • Gmail-sourced replies — see section 4.4
  • Audit logs — 90 days for Free / Solo / Team plans; 365 days for Scale; per-contract for Enterprise
  • Billing records — 7 years (US tax requirement)

9. Security

We protect your data using industry-standard practices: TLS 1.2+ for data in transit, encryption at rest for OAuth credentials and provider API keys, role-based access control with audit logging, and multi-tenant isolation enforced both at the database query layer and via static-analysis tests in our CI pipeline.

If we ever experience a data breach affecting you, we will notify you within 72 hours of becoming aware of it, with a description of what happened and what we're doing about it.

10. International transfers

Our infrastructure is primarily in the United States. If you are located outside the US, your data will be transferred to and processed in the US. By using Outbound, you consent to this transfer. We rely on Standard Contractual Clauses where required.

11. Children's privacy

Outbound is a business tool not directed at children under 18. We do not knowingly collect data from children. If we discover we have collected such data, we will delete it.

12. Changes to this policy

We will notify all account holders by email at least 30 days before material changes take effect. The latest version is always available at outbound.ustack.ai/privacy.

13. Contact

Ustack AI Inc.
Privacy inquiries: privacy@ustack.ai
General contact: hello@ustack.ai