Privacy Policy

Last updated · May 14, 2026

01

Scope and purpose

This Privacy Policy ("Policy") explains how ColdDMs Pro ("ColdDMs Pro," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information when you access or use our website, web application, browser extension, mobile experiences, APIs, marketplace, support channels, marketing communications, and any related products or services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with any part of it, you must not use the Service. This Policy is incorporated by reference into our Terms & Conditions and applies in addition to any region-specific notices we provide.

02

Controller, processor, and roles

For information we collect about visitors, account holders, and end users of the Service, ColdDMs Pro generally acts as the "data controller" (or "business") under applicable law. For information you upload, import, or process through the Service relating to your own contacts, leads, or recipients ("Customer Data"), ColdDMs Pro generally acts as a "data processor" (or "service provider") acting on your documented instructions, and you are the controller responsible for the lawful basis and appropriate disclosures to those individuals.

03

Information we collect

Depending on how you interact with the Service, we may collect the following categories of information:

  • Account & identity data: name, email address, username, password (hashed), profile photo, business name, time zone, and account preferences.
  • Billing & transaction data: billing name and address, country, last four digits of payment card, payment processor tokens, subscription tier, invoices, refund history, and chargeback indicators. Full payment card details are processed directly by our PCI-compliant payment processors and are not stored on our systems.
  • Usage & device data: IP address, approximate location derived from IP, browser type and version, operating system, device identifiers, referring/exit pages, language, timestamps, click events, feature interactions, session duration, crash logs, and diagnostic data.
  • Customer Data: connected account metadata, message templates, contact and lead lists, prospect identifiers, outreach activity, conversation history, AI-generated drafts, CRM notes, and campaign performance metrics.
  • Communications & support data: messages, attachments, screenshots, screen recordings you submit, survey responses, feedback, and call/chat transcripts.
  • Security & integrity data: authentication events, device fingerprints, abuse and fraud signals, risk scores, rate-limit data, and audit logs.
  • Marketing data: email engagement, ad-attribution identifiers, UTM parameters, and consent records.

We do not knowingly collect government identifiers, biometric data, precise geolocation, health data, or other categories of sensitive personal information, and we ask that you not submit such data through the Service.

04

Sources of information

We collect information (a) directly from you when you create an account, configure the Service, or contact us; (b) automatically from your devices, browsers, and product usage through cookies, SDKs, server logs, and similar technologies; and (c) from third parties, including payment processors, analytics providers, anti-fraud vendors, identity verification services, advertising partners, single sign-on providers, and platforms you authorize to integrate with the Service.

05

Legal bases for processing (EEA/UK/Switzerland)

Where the GDPR, UK GDPR, or comparable laws apply, we rely on the following legal bases:

  • Performance of a contract — to provide, maintain, bill for, and support the Service you have requested.
  • Legitimate interests — to secure the Service, prevent fraud and abuse, defend legal claims, perform analytics, develop new features, and conduct direct B2B marketing, balanced against your rights and interests.
  • Consent — for non-essential cookies, certain marketing communications, and other processing where consent is required; you may withdraw consent at any time without affecting prior lawful processing.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering, and law-enforcement obligations.
  • Vital interests / public interest — in rare cases where processing is necessary to protect a person's life or safety.

06

How we use information

We use personal information to:

  • Create, authenticate, and administer accounts and authorized seats.
  • Provide, operate, maintain, and improve features of the Service.
  • Process subscriptions, free trials, invoices, taxes, refunds, and disputes.
  • Personalize the user experience and remember your preferences.
  • Provide customer support, training, and transactional communications.
  • Detect, investigate, and prevent fraud, abuse, spam, security incidents, and violations of our Terms.
  • Generate aggregated, statistical, or de-identified data that does not identify any individual.
  • Train, evaluate, and improve our internal models and product features using Customer Data only as permitted in Section 09.
  • Send marketing or promotional communications subject to applicable consent and opt-out rules.
  • Comply with legal obligations, enforce agreements, and protect our rights, property, users, and the public.

07

Cookies and similar technologies

We use first- and third-party cookies, local storage, pixels, SDKs, and similar technologies for authentication, security, load balancing, fraud prevention, analytics, performance measurement, A/B testing, preference storage, and marketing attribution. Where required by law, we present a cookie consent mechanism for non-essential cookies. You may also control cookies through your browser settings, but disabling certain cookies may impair the functionality of the Service. We do not respond to browser "Do Not Track" signals at this time, but we honor recognized opt-out preference signals (such as Global Privacy Control) where legally required.

08

How we disclose information

We do not sell personal information for monetary consideration. We disclose personal information in the following circumstances:

  • Service providers and sub-processors performing services on our behalf, including cloud hosting, database, email delivery, customer support, analytics, error tracking, fraud detection, and payment processing, all bound by written contracts limiting their use of the data.
  • Third-party integrations that you connect or authorize, in which case data is shared per your instructions and is subject to the third party's own privacy practices.
  • Affiliates and corporate group companies under confidentiality obligations consistent with this Policy.
  • Professional advisors such as auditors, accountants, insurers, bankers, and lawyers under confidentiality obligations.
  • Authorities and other parties where we believe in good faith that disclosure is required by law, subpoena, court order, or other legal process, or is necessary to protect rights, property, safety, prevent fraud, or address security or technical issues.
  • Business transfers in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets; in such cases we will require the recipient to honor commitments materially consistent with this Policy.
  • With your consent or at your direction for any other purpose disclosed at the time of collection.

We may disclose, for any lawful purpose and without restriction, aggregated or de-identified information that cannot reasonably be used to identify you.

09

AI features and model training

Certain features use artificial-intelligence and machine-learning systems, including third-party model providers, to generate drafts, suggestions, summaries, or insights. Inputs and outputs may be processed by these providers under contractual protections. We do not use your Customer Data to train publicly available third-party foundation models for the benefit of unrelated third parties. We may use aggregated, de-identified, or non-personal signals derived from product usage to maintain, evaluate, and improve our own systems and abuse-detection models. AI-generated outputs may be inaccurate; you are responsible for reviewing them before use.

10

Data retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Typical retention periods include:

  • Account data: for the life of the account and up to 24 months after closure for legitimate business purposes.
  • Billing and tax records: generally 7–10 years to comply with tax, audit, and accounting laws.
  • Customer Data & campaign content: for the term of your subscription, with deletion or de-identification within a reasonable period after termination, subject to backup retention cycles and legal holds.
  • Security & abuse logs: typically 12–24 months for fraud prevention and incident response.
  • Support correspondence: up to 36 months from the last interaction.
  • Marketing data: until you opt out, plus a suppression record kept indefinitely to honor your opt-out.

When retention is no longer required, we delete, anonymize, or aggregate the information. Information held in encrypted backups will be purged on standard backup rotation cycles.

11

International data transfers

We operate globally and may transfer, store, and process personal information in countries other than your own, including the United States and other jurisdictions whose data-protection laws may differ from those of your country of residence. Where required, we implement appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss-equivalent transfer mechanisms, and supplementary technical and organizational measures. A copy of the applicable transfer mechanism is available upon written request.

12

Security measures

We maintain a security program with administrative, technical, and physical safeguards designed to protect personal information, including encryption of data in transit (TLS) and at rest where appropriate, network segmentation, role-based access controls, multi-factor authentication for administrative accounts, secrets management, vulnerability scanning, logging, monitoring, vendor due diligence, and employee confidentiality obligations. Despite these controls, no system or transmission method is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your own credentials and access tokens.

13

Data breach notification

If we become aware of a confirmed unauthorized acquisition or disclosure of personal information that triggers a notification obligation under applicable law, we will notify affected users and/or regulators without undue delay in accordance with legal requirements.

14

Your privacy rights

Subject to applicable law and verification of your identity, you may have the right to:

  • Access the personal information we hold about you and receive information about its processing.
  • Correct inaccurate or incomplete information.
  • Delete personal information (subject to legal exceptions, such as records we must retain).
  • Restrict or object to certain processing, including processing based on legitimate interests and direct marketing.
  • Withdraw consent for processing that relies on consent.
  • Receive your information in a portable, machine-readable format.
  • Appeal our decision regarding your request where required by law.
  • Lodge a complaint with your local data-protection authority.

To exercise rights, contact hello@colddmspro.com. We may need to verify your identity before responding and may deny requests where permitted by law (for example, where granting the request would infringe another person's rights, would compromise ongoing investigations, or where exemptions apply). We do not discriminate against users for exercising their privacy rights.

15

U.S. state privacy disclosures

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, or another U.S. state with a comparable consumer privacy law, you may have rights to know, access, correct, delete, port, and appeal, and to opt out of "sale," "sharing," targeted advertising, profiling with legal or similarly significant effects, and certain uses of sensitive personal information. In the preceding 12 months, we have collected the categories of personal information described in Section 03 for the business and commercial purposes described in Section 06 and disclosed those categories to the recipients described in Section 08. We do not sell personal information for monetary consideration, and we do not knowingly sell or share personal information of consumers under 16. To exercise rights, use the contact details in Section 24. An authorized agent may submit a request on your behalf with appropriate written authorization.

"Shine the Light" (California Civil Code § 1798.83): California residents may request information about our disclosures of certain personal information to third parties for their direct marketing purposes by contacting us; we generally do not engage in such disclosures.

16

Automated decision-making

We use automated systems (including rules-based and machine-learning systems) for fraud detection, abuse prevention, billing reconciliation, and routine product functionality. We do not use automated decision-making that produces legal or similarly significant effects on you without human review. Where required by law, you have the right to request human review of an automated decision that materially affects you.

17

Marketing communications

We may send promotional communications about our products, features, offers, and content. You may opt out at any time by using the unsubscribe link, adjusting account preferences, or contacting us. We may continue to send non-promotional communications related to your account, security, billing, legal notices, and the operation of the Service even if you opt out of marketing.

18

Third-party sites and platforms

The Service may contain links to, or interact with, third-party websites, applications, advertisements, and platforms (including Meta/Instagram, X, payment networks, and analytics providers). We are not responsible for those third parties' content, policies, security practices, or data handling. We encourage you to review the privacy notices of any third party before providing your information. ColdDMs Pro is not endorsed by, sponsored by, or affiliated with any third-party platform unless expressly stated.

19

Children's privacy

The Service is intended for users who are at least 18 years old and is not directed to children. We do not knowingly collect personal information from children under 18 (or the higher minimum age in your jurisdiction). If we learn that we have collected personal information from a child in violation of applicable law, we will delete it promptly. Parents or guardians who believe their child has provided personal information should contact us using the details in Section 24.

20

De-identified and aggregated data

We may create de-identified or aggregated data from personal information. We maintain such data in a de-identified form, do not attempt to re-identify it (except to test our de-identification controls), and contractually require any recipient to do the same. We may use and disclose such data for any lawful business purpose, including research, benchmarking, and product development.

21

Sub-processors

We engage carefully selected sub-processors to support hosting, storage, communications, analytics, payments, and security. We require sub-processors to commit to data-protection obligations no less protective than those in this Policy and our Data Processing Addendum ("DPA"). A current list of sub-processors and a copy of our DPA are available on written request to hello@colddmspro.com.

22

Your obligations regarding Customer Data

When you submit Customer Data, you represent and warrant that you have all rights, lawful bases, and consents required to upload, process, and instruct us to process that data, including for outreach, enrichment, and storage. You are responsible for providing required notices and honoring opt-outs of the individuals to whom the data relates, and for complying with anti-spam, marketing, and data-protection laws applicable to your campaigns (including the GDPR, UK GDPR, CCPA/CPRA, CAN-SPAM, CASL, TCPA, and platform rules).

23

Changes to this policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will post the updated version with a revised "Last updated" date. If changes are material, we will provide additional notice (such as by email or in-product notification) where practical and as required by law. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

24

Contact us

Questions, complaints, privacy requests, or requests for our DPA, sub-processor list, or transfer documentation can be sent to hello@colddmspro.com. If you are located in the EEA, UK, or Switzerland and we do not resolve your concern, you have the right to lodge a complaint with your local supervisory authority.
