1. Introduction & Scope
Superkabe ("Superkabe", "we", "our", "us") operates an AI cold email platform with built-in deliverability protection. This Privacy Policy describes how we collect, use, share, retain, and safeguard personal data — and the rights individuals have under applicable data-protection laws including the EU/UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), India's Digital Personal Data Protection Act 2023 ("DPDP"), Singapore's Personal Data Protection Act and equivalent ASEAN frameworks ("PDPA"), the US CAN-SPAM Act, and Canada's Anti-Spam Legislation ("CASL").
This policy applies to data we process in connection with the Superkabe platform, our website (superkabe.com), and our customer support channels.
2. Our Role: Controller vs Processor
Superkabe processes two distinct categories of personal data, in two distinct roles:
- As a Data Controller / Data Fiduciary: for personal data of our customers (the people who sign up for and pay for Superkabe accounts), including names, email addresses, billing details, and account telemetry.
- As a Data Processor (the DPDP uses the same term): for personal data of our customers' recipients (the people our customers send cold emails to). Our customers are the Controller / Data Fiduciary for this data; we process it solely on their documented instructions, under our standard Data Processing Addendum (DPA), available on request from privacy@superkabe.com.
Where this Privacy Policy describes your rights, those rights are addressed to whichever role applies to your relationship with us. If you are a recipient of email sent through our platform, your data-protection rights are exercised first against our customer (the sender). We will assist any of our customers in responding to such requests.
3. Information We Collect
From customers (Controller relationship):
- Account Information: name, business email, organization name, password (stored as bcrypt hash), authentication tokens.
- Billing Information: processed by our payments provider (Polar.sh); we receive only billing reference identifiers, plan tier, and transaction status.
- Mailbox Connection Data: OAuth tokens for Google Workspace and Microsoft 365 mailboxes (encrypted at rest with AES-256-GCM); SMTP credentials for self-hosted mailboxes (encrypted at rest with AES-256-GCM).
- CRM Connection Data: if you connect HubSpot or Salesforce via OAuth, we store the access token, refresh token, and provider-specific identifiers (HubSpot portal_id, Salesforce instance_url) — all encrypted at rest with AES-256-GCM. Scope of contact data read/written is detailed in §6.1.
- Lead-Source Connection Data: if you connect a paid contact database (Apollo.io, ZoomInfo) via API key, we store the API key encrypted at rest (AES-256-GCM) plus the workspace identifiers and credit balance returned by the provider. Imported contact data is detailed in §6.2.
- Dialer Connection Data: if you connect Outreach.io via OAuth, we store the access token, refresh token, and Outreach user identifiers, all encrypted at rest with AES-256-GCM. Outreach is push-only: we write prospects and sequence states to Outreach and never read prospect data back. Detailed in §6.3.
- One-Time Import Keys: if you import campaigns from another platform, we hold your admin API key encrypted at rest for at most 72 hours from paste (or 24 hours after the import completes, whichever comes first), then auto-discard it.
- Usage Telemetry: sequence performance metrics, mailbox health metrics, send/bounce/reply counts, audit logs of administrative actions.
- Support Data: records of support correspondence, screenshots you share, and feature requests.
From recipients (Processor relationship — controlled by our customers):
- Recipient Identity: email address, name, company, title, persona, lead score, custom fields ingested from your enrichment source (e.g., Clay).
- Engagement Signals: opens, clicks, replies, bounces, unsubscribes, spam complaints — used to compute deliverability metrics.
- Inbox Replies: when our IMAP reply worker classifies inbound email as a reply to a sequence we sent, we store the message body for the customer's inbox view, until the customer deletes it.
Automatically collected:
- Device & Connection Data: IP address, browser type, operating system, referrer.
- Cookies: session cookies for authentication; analytics cookies (where consented).
4. How We Use Your Information
- Operate and improve the Superkabe platform: authentication, sending, validation, deliverability monitoring, AI sequence generation.
- Process payments through our payments provider.
- Send service-related communications: outage notices, security alerts, billing receipts, customer-onboarding emails.
- Provide customer support and respond to inquiries.
- Detect, prevent, and respond to fraud, abuse, security incidents, and policy violations.
- Comply with legal obligations and enforce our Terms.
- Train and improve internal AI models only on de-identified, customer-uploaded copy you affirmatively submit through "Feedback" channels. We do not train models on recipient data, mailbox content, or live sequences.
5. Lawful Basis for Processing (GDPR Art. 6)
For data subjects in the European Economic Area, United Kingdom, or Switzerland, we rely on the following lawful bases:
- Performance of Contract (Art. 6(1)(b)): for processing necessary to provide Superkabe services to our customers under our subscription agreement.
- Legitimate Interest (Art. 6(1)(f)): for security monitoring, fraud prevention, and product improvement. Recipient engagement signals are processed on our customer's instructions as Processor; the customer, as Controller, is responsible for establishing its own lawful basis for that data.
- Consent (Art. 6(1)(a)): for marketing communications and non-essential cookies, where withdrawal is available at any time without affecting the lawfulness of prior processing.
- Legal Obligation (Art. 6(1)(c)): where required by applicable law (e.g., tax records, compliance with binding orders).
6. Data Sharing & Sub-Processors
We do not sell, rent, or trade personal information. We engage the following sub-processors to deliver the platform; each is bound by data-processing terms and appropriate transfer mechanisms:
- Railway (United States): backend infrastructure hosting.
- Vercel (United States): frontend hosting and CDN.
- Polar.sh (United States): subscription and payment processing.
- Resend (United States): transactional email delivery (account notices, support replies).
- Google LLC (United States): Google Workspace mailbox access when you connect a mailbox via OAuth, Postmaster Tools data fetching, and AI services where used.
- Microsoft Corporation (United States): when you connect a Microsoft 365 mailbox via OAuth.
- OpenAI / Anthropic (United States): AI sequence generation and reply classification on prompts you submit. We do not opt in to model training on your inputs at these providers, and they hold API inputs only for their default retention period.
- MillionVerifier (United States): third-party email validation for the optional API verification stage.
A current list of sub-processors is available from privacy@superkabe.com on request, and customers will receive notice of any addition or replacement.
We may also disclose information (a) to comply with applicable law, regulation, or binding legal process; (b) to protect the rights, property, or safety of Superkabe, our customers, or others; and (c) in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality undertakings and continued protection consistent with this policy.
6.1 Optional CRM Integrations (HubSpot, Salesforce)
Customers may optionally connect their HubSpot or Salesforce account to Superkabe via OAuth. These services are not Superkabe sub-processors — your contractual relationship with HubSpot or Salesforce governs that data. When connected, the following data flows occur:
Data we read from your CRM:
- Contact email, first name, last name, full name
- Contact company, job title, phone number
- Email opt-out / suppression flags (e.g., HubSpot hs_email_optout, Salesforce HasOptedOutOfEmail)
- Lists / List Views the connecting user selects for import
We do not read deals, opportunities, notes, conversations, files, custom objects, or any data unrelated to outbound email. The OAuth scopes we request are limited to the minimum surface needed for the integration to function and are documented per-provider in our developer docs.
Data we write to your CRM:
- One Note (HubSpot) or Task (Salesforce) per Superkabe activity event — sent, opened, clicked, replied, bounced — attached to the matching contact via the standard contact-association mechanism.
- We do not modify contact properties, create or delete contacts, or write to any other object.
Token storage and security:
- OAuth access tokens and refresh tokens are encrypted at rest with AES-256-GCM, decrypted only at the moment a per-organization API call is made.
- Tokens are never written to logs or surfaced in error messages; defensive truncation is applied to provider error responses.
- Disconnecting a CRM integration immediately wipes the encrypted token blob and cancels all pending activity-push items for that connection.
- OAuth refresh failures mark the connection expired; further sync stops until the user re-authorizes.
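The token-storage properties listed above (AES-256-GCM at rest, decryption only at call time, no token material in logs or error messages, truncated provider errors) can be demonstrated in a few functions. The following is an added example written for this page, not Superkabe's own code: it binds the owning organization id into the ciphertext as GCM additional authenticated data so a blob moved to another organization's row fails to decrypt (that binding, the blob layout nonce || ciphertext || tag, the function names, and the 32-byte demo key are all assumptions of the example), and it shows a redaction helper that scrubs the live token from a provider error body and truncates it before anything is logged.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// tokenBlob is what gets stored at rest: nonce || ciphertext || GCM tag.
type tokenBlob []byte

// sealToken encrypts an OAuth token under a 32-byte key with AES-256-GCM.
// The owning organization id is bound as additional authenticated data (AAD),
// so a blob copied into another organization's row fails to decrypt.
// (AAD binding is this example's design choice, not a documented Superkabe detail.)
func sealToken(key []byte, orgID, token string) (tokenBlob, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce; never reused with this key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(token), []byte(orgID))
	return tokenBlob(append(nonce, ct...)), nil
}

// openToken decrypts a blob for the organization that owns it. It is called only
// at the moment an outbound API call needs the plaintext, and the plaintext is
// never written anywhere else. The error carries no key or token material.
func openToken(key []byte, orgID string, blob tokenBlob) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("token blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(orgID))
	if err != nil {
		return "", errors.New("token blob failed authentication")
	}
	return string(pt), nil
}

// redactProviderError scrubs the live token from a provider's error body and
// truncates the body to maxLen (an assumed limit) before it can reach logs or
// a user-facing message.
func redactProviderError(body, token string, maxLen int) string {
	if token != "" {
		body = strings.ReplaceAll(body, token, "[REDACTED]")
	}
	if len(body) > maxLen {
		body = body[:maxLen] + "...(truncated)"
	}
	return body
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key comes from a KMS or secret store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := sealToken(key, "org_123", "demo-access-token")
	tok, err := openToken(key, "org_123", blob)
	fmt.Println("same org:", tok, err)
	_, err = openToken(key, "org_999", blob)
	fmt.Println("other org:", err)
	fmt.Println(redactProviderError(`{"error":"invalid_grant","token":"demo-access-token"}`, "demo-access-token", 40))
}
```

Because the organization id is part of the authenticated data, a flipped ciphertext byte, a swapped organization, or a truncated blob all surface as the same generic authentication error, which is what keeps key and token material out of error strings.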
GDPR right-to-erasure (HubSpot):
Superkabe subscribes to HubSpot's contact.privacyDeletion webhook. When a HubSpot user permanently deletes a contact for GDPR reasons, HubSpot fires the event to a signed endpoint at Superkabe (HMAC-SHA256, with replay protection). Within seconds we (a) locate every Superkabe lead linked to that HubSpot contact, (b) cancel any pending activity-push items for those leads, (c) block the lead from outbound sending across all campaigns, (d) delete the contact-link mapping, and (e) audit-log the action. The underlying Superkabe lead record is retained but blocked, because the same person may exist in your account from another lawful processing basis. For full Lead-level erasure use the Data Rights page, which handles GDPR Article 17 across all Superkabe data regardless of CRM origin.
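The receiving side of that flow, as an added example that is not Superkabe's code and not HubSpot's documented signature scheme: the wire format assumed here is a unix timestamp in an X-Timestamp header and hex(HMAC-SHA256(secret, timestamp + "." + raw body)) in an X-Signature header, with a unique eventId in each event. The handler checks freshness, then the MAC in constant time, then replay, and only then parses the body; the deletion step then carries out (a) through (e) from the paragraph above against an in-memory stand-in for the lead table and push queue, leaving the lead row in place but blocked. The header names, skew window, store shape, and sample event are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"time"
)

// maxSkew is the assumed freshness window; requests outside it are dropped
// before any signature work is done.
const maxSkew = 5 * time.Minute

// signPayload computes hex(HMAC-SHA256(secret, ts + "." + body)), the assumed
// canonical form both sender and receiver agree on.
func signPayload(secret []byte, ts string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(ts + "."))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// replayCache remembers event ids for the skew window, so a captured request
// cannot be redelivered; ids older than the window can no longer pass the
// freshness check and are dropped from the cache.
type replayCache struct{ seen map[int64]time.Time }

func newReplayCache() *replayCache { return &replayCache{seen: map[int64]time.Time{}} }

func (c *replayCache) firstSeen(id int64, now time.Time) bool {
	for k, t := range c.seen {
		if now.Sub(t) > maxSkew {
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[id]; dup {
		return false
	}
	c.seen[id] = now
	return true
}

// deletionEvent is the subset of the webhook body this handler needs.
type deletionEvent struct {
	EventID  int64 `json:"eventId"`
	ObjectID int64 `json:"objectId"` // CRM contact id
}

// verifyWebhook: freshness, then MAC (constant-time compare), then replay, then parse.
func verifyWebhook(secret []byte, headers map[string]string, body []byte, cache *replayCache, now time.Time) (*deletionEvent, error) {
	ts := headers["X-Timestamp"]
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return nil, errors.New("bad timestamp")
	}
	if d := now.Sub(time.Unix(unix, 0)); d > maxSkew || d < -maxSkew {
		return nil, errors.New("stale or future-dated request")
	}
	if !hmac.Equal([]byte(signPayload(secret, ts, body)), []byte(headers["X-Signature"])) {
		return nil, errors.New("signature mismatch")
	}
	var ev deletionEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, err
	}
	if !cache.firstSeen(ev.EventID, now) {
		return nil, errors.New("replayed event")
	}
	return &ev, nil
}

// leadStore is an in-memory stand-in for the lead table and activity-push queue.
type leadStore struct {
	contactLinks map[int64][]string // CRM contact id -> Superkabe lead ids
	blocked      map[string]bool    // leads barred from outbound sending
	pendingPush  []string           // lead ids with queued activity pushes
	audit        []string
}

// handlePrivacyDeletion performs steps (a)-(e): locate linked leads, cancel their
// pending pushes, block them, delete the link mapping, audit-log. Lead rows remain.
func handlePrivacyDeletion(s *leadStore, ev *deletionEvent) []string {
	leads := s.contactLinks[ev.ObjectID]
	linked := map[string]bool{}
	for _, l := range leads {
		linked[l] = true
		s.blocked[l] = true
	}
	kept := s.pendingPush[:0]
	for _, l := range s.pendingPush {
		if !linked[l] {
			kept = append(kept, l)
		}
	}
	s.pendingPush = kept
	delete(s.contactLinks, ev.ObjectID)
	s.audit = append(s.audit, "privacy_deletion contact="+strconv.FormatInt(ev.ObjectID, 10))
	out := append([]string(nil), leads...)
	sort.Strings(out)
	return out
}

func main() {
	secret := []byte("assumed-shared-secret") // constructed; real value comes from config
	now := time.Unix(1700000000, 0)
	body := []byte(`{"eventId": 42, "objectId": 1001}`) // constructed sample event
	ts := strconv.FormatInt(now.Unix(), 10)
	h := map[string]string{"X-Timestamp": ts, "X-Signature": signPayload(secret, ts, body)}
	cache := newReplayCache()
	ev, err := verifyWebhook(secret, h, body, cache, now)
	fmt.Println("first delivery:", ev, err)
	_, err = verifyWebhook(secret, h, body, cache, now)
	fmt.Println("replayed delivery:", err)
}
```

Ordering matters: the cheap timestamp check runs before the MAC so an attacker cannot make the receiver do HMAC work on obviously stale traffic, the MAC runs before JSON parsing so unauthenticated bytes never reach the parser, and the replay cache is updated only after the MAC passes so a forged request cannot poison it.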
Salesforce equivalent:
Salesforce does not currently expose a real-time GDPR-deletion webhook. We respect the Salesforce HasOptedOutOfEmail flag at every read and decline to process any contact marked opted-out. For Salesforce-side hard deletions, the customer should also erase the corresponding Superkabe lead via the Data Rights page.
Customer responsibilities:
- You remain the data controller for contact data inside your CRM and are responsible for compliance with your contractual relationship with HubSpot or Salesforce.
- You are responsible for ensuring that contacts you import into Superkabe have an appropriate lawful basis (consent, legitimate interest, contract) for outbound email under your jurisdiction's rules.
- You may disconnect at any time from /dashboard/integrations/crm; tokens are wiped and pending pushes cancelled within seconds.
6.2 Optional Lead-Source Integrations (Apollo.io, ZoomInfo)
Customers may optionally connect a paid contact database to Superkabe via API key in order to import enriched contacts as Superkabe leads. These services are not Superkabe sub-processors — your contractual relationship with Apollo.io / ZoomInfo governs the underlying contact data, and you are responsible for ensuring you have a lawful basis to email any contact you import.
Data we read from the provider:
- Contact identity fields: email, first/last/full name, title, company, phone, LinkedIn URL.
- Workspace metadata: account name, account ID, credit balance and limit (read at connect-time and after each import to display in your dashboard).
- Contact-search filter parameters parsed out of the URL you paste (titles, locations, industries, etc.) — these are stored on the import job for auditability and re-running.
Data we write to the provider:
None. Lead-source integrations are read-only — we never write activity, leads, or any other data back. Personal-email reveal (when you opt in) calls Apollo's /v1/people/bulk_match endpoint, which costs Apollo credits but does not write any data into your Apollo workspace.
Imported leads enter the standard Superkabe lifecycle:
- Email validation (disposable / catch-all / role-based detection).
- Suppression-list checks at every send — unsubscribes, hard bounces, and spam complaints flip the lead globally for your workspace.
- Deduplication on (organization_id, email): re-importing the same URL upserts existing leads rather than duplicating them.
Customer responsibilities:
- You confirm that contacts you import have a lawful basis under your jurisdiction's rules (consent, legitimate interest, contract) for outbound email.
- You manage credit consumption: personal-email reveal is opt-in per import, and every import accepts a hard cap (default ceiling: 50,000).
- You may disconnect at any time from /dashboard/integrations/lead-sources; the encrypted API key is wiped and any pending imports are cancelled within seconds.
6.3 Optional Dialer Integrations (Outreach.io)
Customers may optionally connect Outreach.io via OAuth so the Superkabe cold call list can be pushed straight into an Outreach sequence. Outreach.io is not a Superkabe sub-processor — your contractual relationship with Outreach.io governs that data.
Data we read from Outreach:
- The list of sequences you can add prospects to (id, name, share-type, active-prospect count) — surfaced in the export-to-Outreach picker.
- The list of mailboxes you can send through (id, email, owning user) — required because every Outreach SequenceState specifies a mailbox.
- The OAuth-granted user's id + email (whoami) so the dashboard can show "connected as you@your.co".
Data we write to Outreach:
- Prospects, upserted on email — first/last name, title, company, phone, LinkedIn URL when available, plus a "Superkabe" tag.
- SequenceStates — one per (prospect, sequence, mailbox) tuple to add the prospect to the chosen sequence. Outreach dedupes these server-side.
- (Optional) New empty sequences — when the user clicks "+ Create new sequence" in the export dialog, we POST a single sequence shell that the user fills with steps inside Outreach's editor.
Customer responsibilities:
- You confirm prospects you export have a lawful basis under your jurisdiction's rules for outbound contact via Outreach.
- You may disconnect at any time from /dashboard/integrations/outreach; tokens are wiped, pending exports cancelled within seconds. Prospects already pushed to Outreach stay where they are — managing them after disconnect is your responsibility.
7. International Transfers
Personal data may be processed outside your country of residence, including in the United States. For transfers from the EEA, UK, and Switzerland to countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses ("SCCs"), the UK International Data Transfer Addendum, or other lawful transfer mechanisms.
For DPDP-governed transfers from India, we transfer only to jurisdictions permitted under applicable Indian government notifications. For PDPA-governed transfers from Singapore, recipients are bound to provide a comparable standard of protection.
8. Data Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM for credentials and import keys).
- Role-based access control with the principle of least privilege.
- Audit logging of administrative actions retained for 12 months.
- Regular dependency-vulnerability scans and prompt patching.
- Background checks and confidentiality undertakings for personnel with production access.
No system can be guaranteed completely secure. If we discover a personal-data breach affecting you, we will notify the relevant supervisory authority where required (within 72 hours of becoming aware under GDPR, or within any shorter period another applicable law such as DPDP or PDPA prescribes), and notify affected individuals where required.
9. Data Retention
- Account data: retained for the life of the account plus 30 days post-cancellation, then deleted.
- Billing records: retained for 7 years for tax and accounting compliance.
- Recipient data & sequence logs: retained while you remain a customer; deleted within 30 days of account closure or upon documented Controller-instructed deletion.
- Inbox replies: retained until the customer deletes them.
- Audit logs: 12 months.
- One-time import API keys: at most 72 hours from paste, or 24 hours after import completion (whichever first); also wipeable on demand.
- Backups: rolling 30-day retention; deletion requests are honored in production immediately and propagate through backup expiration.
10. Your Rights
To exercise any of the rights below, contact privacy@superkabe.com. We will respond within the timeframe required by the applicable law (generally one month under GDPR, extendable where the law permits; 45 days under CCPA; 30 days under PDPA; and the period prescribed under DPDP). We may need to verify your identity before responding. You will not be discriminated against for exercising any of these rights.
10.1 GDPR / UK GDPR rights (EEA, UK, Switzerland)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object, including to direct marketing (Art. 21)
- Right not to be subject to a decision based solely on automated processing (Art. 22)
- Right to withdraw consent at any time, where processing is based on consent
- Right to lodge a complaint with your local supervisory authority
10.2 CCPA / CPRA rights (California residents)
Under California law, you have the right to know what personal information we collect, the categories of sources, the business or commercial purposes for collection, and the categories of third parties we share it with. You also have the right to:
- Request deletion of personal information we have collected from you
- Request correction of inaccurate personal information
- Limit the use and disclosure of sensitive personal information
- Opt out of the sale or sharing of personal information
- Be free from discrimination for exercising these rights
- Designate an authorized agent to exercise rights on your behalf
We do not sell or share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
10.3 DPDP rights (India)
- Right to access information about the personal data we process about you
- Right to correction and erasure
- Right of grievance redressal — contact our Grievance Officer at privacy@superkabe.com
- Right to nominate another individual to exercise rights in the event of death or incapacity
- Right to withdraw consent
10.4 PDPA rights (Singapore + ASEAN frameworks)
- Right of access — request information about your personal data and how it has been used or disclosed in the past 12 months
- Right of correction
- Right to withdraw consent for collection, use, or disclosure
- Right to escalate unresolved concerns to the Personal Data Protection Commission (PDPC) of Singapore or the equivalent regulator in your jurisdiction
10.5 Other jurisdictions
Residents of Brazil (LGPD), Canada (PIPEDA / Quebec Law 25), Japan (APPI), South Korea (PIPA), and other jurisdictions have analogous rights. Contact us to exercise them.
11. Cookies and Similar Technologies
We use strictly necessary cookies to authenticate sessions and maintain platform functionality. We use functional cookies for product preferences. With your consent (where required), we use analytics cookies to understand product usage. You can manage cookies through your browser; blocking strictly-necessary cookies will impair the platform.
12. Children's Privacy
Superkabe is a B2B service intended for users aged 18 and older. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
13. Frameworks That Do Not Apply
To set clear expectations, the following regulatory frameworks do not apply to Superkabe and we make no representations of compliance with them:
- HIPAA — not a Business Associate. Superkabe is not a HIPAA Business Associate, does not sign Business Associate Agreements, and is not designed to handle Protected Health Information ("PHI") as defined under the US Health Insurance Portability and Accountability Act. Customers must not transmit, store, or process PHI through Superkabe. If your use case requires HIPAA-compliant cold email, Superkabe is not the appropriate tool.
- DPPA — not applicable. Superkabe does not access, use, or process motor-vehicle records and is therefore outside the scope of the US Driver's Privacy Protection Act.
- GLBA, FERPA, COPPA — not applicable. We do not handle non-public financial information of consumers (GLBA), education records (FERPA), or knowingly collect data from children under 13 (COPPA).
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy here with a revised "Last updated" date. For material changes affecting your rights, we will provide additional notice (e.g., email or in-product banner).
15. Contact Us
For privacy questions, rights requests, or to engage our Data Protection Officer / Grievance Officer: