Last updated 2026-05-30

Trust & compliance

A short reference for prospective buyers and procurement teams. For the long-form documents, see our Privacy Policy and Terms of Service.

1. At a glance

We’re a B2B cold-outreach platform run from the United States. We send through your own mailbox, encrypt OAuth tokens at rest, give you one-click unsubscribe out of the box, and treat list quality as a first-class concern.

2. Where we operate

sendpebble is operated by First Commit LLC, a United States company. Our infrastructure is hosted in the U.S. and the Service is offered under U.S. jurisdiction.

First Commit LLC
329 South Oyster Bay Road #2165
Plainview, NY 11803
United States

3. Data protection

Sensitive credentials — including mailbox refresh tokens — are encrypted at rest with industry-standard AES-256 encryption. All traffic to and from the Service is protected in transit with TLS. Internal access follows the principle of least privilege; production access is limited to the people who need it to operate the Service.

If a personal data breach affects your information, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of it, consistent with GDPR Article 33. See our Privacy Policy for the full commitment.

4. Google API user data — Limited Use

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In summary:

  • We do not transfer Google user data to third parties except as strictly necessary to provide user-facing features, comply with law, or in connection with a merger or acquisition with equivalent privacy protections.
  • We do not use Google user data for advertising of any kind.
  • We do not allow humans to read Google user data, except with your explicit consent, for security investigations, where required by law, or in aggregated and anonymized form for internal operations.
  • We do not use Google user data to develop, improve, or train generalized AI or machine-learning models.

For scope-by-scope detail, see the Google user data section of our Privacy Policy.

5. Account deletion

You can delete your account at any time. On request, we hard-delete your workspace data. We retain only what we are legally required to keep — namely billing and tax records held by our payment processor, and suppression-list entries that prevent re-mailing of people who unsubscribed. See the retention section of our Privacy Policy for specifics.

6. Sub-processors

We rely on a small number of vendors strictly to operate the Service. Generic categories are listed in our Privacy Policy: a transactional email provider, a payment processor, a cloud database provider, and an application hosting provider.

A current, named list of sub-processors is available in our Data Processing Agreement on request. Email privacy@sendpebble.com for a copy.

7. Compliance frameworks

The Service is designed to support compliance with U.S. CAN-SPAM, Canada's CASL, the EU/UK GDPR, and California's CPRA. How these obligations are met in practice — including controller vs. processor roles, data-subject rights, and breach notification — is documented in our Privacy Policy and our Terms of Service.

8. Anti-spam controls

List quality is a first-class concern. The platform enforces the following controls by default:

  • Compliance attestation on every import. Before any CSV is accepted, the importer must affirm: “I confirm these contacts have a legitimate business reason to hear from me, were not purchased, rented, scraped, or harvested, and that I am responsible for compliance with CAN-SPAM, CASL, GDPR, and other applicable laws.” We timestamp and retain that attestation.
  • MX and role-address pre-flight at import. Every imported address is checked for a valid MX record and screened against common role-account prefixes (info@, sales@, etc.) so high-risk entries are surfaced before send.
  • Mandatory one-click unsubscribe. Every outbound message includes RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers, plus a visible unsubscribe link in the body. There is no way to disable this.
  • Per-mailbox warmup ramp. Newly connected mailboxes start at a low daily volume and ramp up over time, protecting both the sender's reputation and the provider's ecosystem.
  • Automatic pause on bounce spikes. If the hard-bounce rate at any journey step crosses 5%, sends for that step are paused automatically pending review.
  • Per-mailbox rolling-7d throttle. A rolling seven-day send cap is enforced per connected mailbox to keep volume within healthy limits, independent of plan limits.

9. Reporting & responsible disclosure

For legal notices, contact legal@sendpebble.com. For privacy questions, data-subject requests, or DPA requests, contact privacy@sendpebble.com.

For abuse reports and security-vulnerability disclosures, contact privacy@sendpebble.com in the interim. A dedicated abuse alias is planned. General questions can also be sent via our contact form.

10. No sale of personal information

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. Sub-processor relationships exist solely to operate the Service on your behalf.