Privacy Policy
sendpebble is operated by First Commit LLC(“we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email-journey platform (the “Service”).
1. Who we are
sendpebble is a B2B cold-outreach and email-journey SaaS that lets you connect your own Gmail or Outlook mailbox, import contacts, author multi-step email sequences, and track engagement. We are reachable at privacy@sendpebble.com and at the mailing address listed at the end of this policy.
2. Information we collect
Account information
When you create an account, we collect your name, email address, and a hashed copy of your password. Passwords are never stored in plain text.
Mailbox connection data
If you connect Gmail or Outlook via OAuth, we receive an access token and a refresh token plus metadata about the authorized address. Refresh tokens are encrypted at rest with industry-standard AES-256 encryption before they touch our database. We access your mailbox only to send the messages you author and to read incoming mail strictly to detect replies, bounce and delivery-failure notices, and unsubscribe requests relating to messages you sent through us — never to read unrelated mail or for any other purpose.
Contacts & message content
We store the contacts you import (name, email, custom fields you map) and the journeys / templates you author. Sent messages are recorded with delivery status and engagement events (opens, replies, unsubscribes) for reporting.
Billing information
Subscription payments are processed by Stripe. We never see or store your full payment-card number. Stripe's privacy practices govern that data.
Usage data
We collect basic usage signals (which pages you visit, which features you use, your device class and browser) to keep the Service running and improve it.
Marketing consent records
When you opt in to or out of marketing email, we record the timestamp and the source of the action (signup form, settings page, or one-click unsubscribe). This audit trail is retained while your account is active and is used solely to demonstrate compliance with anti-spam laws (CAN-SPAM, GDPR) if asked.
3. How we use your information
- To provide, maintain, and improve the Service.
- To send messages on your behalf, via your connected mailbox, only when triggered by journeys you author.
- To record delivery, open, reply, and unsubscribe events so we can give you accurate reports.
- To send you operational email about your account (verification, password reset, billing receipts, important security alerts).
- To send product updates and tips only if you opted in — and only until you unsubscribe.
- To detect and prevent fraud, spam, abuse, and violations of our Terms of Service.
- To comply with legal obligations.
4. Sub-processors
We share data with the following sub-processors strictly to operate the Service. We do not sell personal information.
Transactional email provider (US)
Platform-owned transactional email — verification, password reset, and receipts. Not used for user-generated outreach.
Payment processor (US)
Subscription billing, invoices, and the customer portal.
Cloud database provider (US)
Application database hosting.
Application hosting provider (US)
Web application hosting and serverless function execution.
Google
OAuth, sending, and reply detection on behalf of users who connect a Gmail mailbox.
Microsoft
OAuth, sending, and reply detection on behalf of users who connect an Outlook mailbox.
A current list of named sub-processors — including specific vendor identities and processing locations — is available in our Data Processing Agreement on request. Contact privacy@sendpebble.com for a copy.
5. Google user data — Limited Use compliance
sendpebble's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect a Gmail mailbox, we request the following OAuth scopes and use them only for the purposes stated:
gmail.send
Send the journey messages you authored from your connected mailbox, on your behalf.
gmail.readonly
Poll the connected inbox strictly to (a) detect and classify replies to your outreach so we can surface the conversation and automatically stop the sequence, (b) detect bounce and delivery-failure notices so we can pause sending and protect your deliverability, and (c) detect reply-based unsubscribe requests so we honor opt-outs. We read only the message metadata and content needed for this matching and classification, and we do not use mailbox contents for advertising, profiling, or any unrelated purpose.
userinfo.email and userinfo.profile
Identify the owner of the connected mailbox so the correct sender address and display name are attached to outgoing messages and shown in your mailbox-connection settings.
We make the following Limited Use commitments without exception:
- We do not transfer Google user data to any third party except where strictly necessary to provide or improve user-facing features of the Service, to comply with applicable law, or as part of a merger, acquisition, or sale of assets in which the acquiring party offers equivalent privacy protections.
- We do not use Google user data for advertising of any kind.
- We do not allow humans to read Google user data, except where you give explicit consent for specific messages, where it is necessary for security purposes (for example, investigating abuse), where required to comply with applicable law, or where the data has been aggregated and anonymized for internal operations.
- We do not use Google user data to develop, improve, or train generalized AI or machine-learning models.
Google refresh tokens issued to sendpebbleare encrypted at rest with industry-standard AES-256 encryption before they are written to our database, and are never returned to client-side code or written to application logs. You can revoke our access at any time from your Google Account's third-party access settings or by disconnecting the mailbox in sendpebble.
6. Our role under data-protection law
sendpebble plays two different roles under GDPR, UK GDPR, and comparable regimes depending on the data in question:
Customer account data — we are the controller
For data about a sendpebblecustomer's own account (the workspace owner's name, email address, billing information, and OAuth tokens for their connected mailbox), sendpebble is the data controller and determines the purposes and means of processing.
Recipient data — we are the processor
For data the customer uploads about their recipients (contact email addresses, custom fields, and the message-event records generated when journeys run), the customer is the controller and sendpebbleis the processor. We process recipient data only as necessary to deliver the Service in line with the customer's documented instructions — namely, the journeys, templates, and enrollments they author.
A Data Processing Agreement (DPA) is available on request for customers subject to GDPR or UK GDPR. Email privacy@sendpebble.com to request one.
7. Data retention
Active account data (contacts, journeys, message history) is retained while your account is active. Message-event records are archived in a compact form after 90 days; full row data is retained for the lifetime of the account.
When you delete your account, all of your workspace data is soft-deleted immediately, you are signed out everywhere, and the rows are permanently removed 30 days later. Marketing consent audit rows are retained for 24 months after deletion to demonstrate compliance.
8. Breach notification
If we become aware of a personal data breach affecting your information, we will notify you without undue delay and, where feasible, no later than 72 hours after becoming aware of it, consistent with Article 33 of the GDPR. Notifications are sent by email to the address registered on your account.
Where sendpebbleis acting as a processor — that is, where the breach affects recipient data uploaded by a customer — we will notify the affected customer (as controller) without undue delay so that they can meet their own notification obligations to data subjects and supervisory authorities.
9. Your rights
Depending on where you live (GDPR for the EU/UK; CCPA/CPRA for California; similar laws elsewhere), you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated data.
- Export your data in a portable, machine-readable format.
- Opt out of non-essential email (one-click from any marketing message, or via the unsubscribe page).
- Restrict or object to certain processing, where applicable.
To exercise these rights, email privacy@sendpebble.com or use the controls in your account settings.
10. Cookies & tracking
We use first-party cookies strictly for authentication and session management. We do not run third-party advertising trackers on the dashboard. Manage cookie preferences in your browser settings.
11. International transfers
Our infrastructure is hosted in the United States. If you access the Service from another country, your information will be transferred to and processed in the U.S. under appropriate safeguards.
12. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service. Continued use after a change takes effect constitutes acceptance.
14. Contact
Questions about this policy? Email privacy@sendpebble.com, call (646) 491-7513, or write to us at: