Privacy Policy

1. Information we collect

1.1 Account information

When you create a Basereach account we collect your email address, name, and authentication identifiers from the provider you sign in with (Google or email + password).

1.2 Workspace and outreach data

You provide content while using the Service, including:

• Product and campaign settings (sender name, sender email, product description, example emails, schedule, signature)
• Contact records you upload, paste, or that Basereach scrapes from public sources on your instruction
• Email drafts produced by the Basereach AI agent on your behalf
• Replies received in response to your outbound emails

1.3 Google user data (Gmail integration)

If you choose to connect a Google account to a Basereach product, we request the following Google OAuth scopes:

• gmail.readonly — read-only access to your Gmail messages and headers, used to detect replies to outbound campaigns you sent through Basereach.
• userinfo.email — your primary Google account email, so we can show you which account is connected.

We do not request permission to send mail, modify mail, manage labels, or access attachments through this integration.

1.4 Information collected automatically

• Device and browser information (user agent, operating system)
• Log data such as IP address, request paths, and error diagnostics
• Cookies and similar technologies used for authentication, preferences, and usage analytics

2. How we use information

We use the information we collect to:

• Operate, maintain, and improve the Service
• Generate personalized email drafts you can review, edit, and send
• Send your outbound emails through our email infrastructure provider
• Surface replies and intent signals in your Basereach inbox so you can follow up
• Notify you about delivery, replies, billing, and security events
• Detect abuse and enforce our terms
• Comply with legal obligations

3. Limited use of Google user data

Basereach's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• Gmail data is used solely to identify replies to outbound campaigns sent through Basereach and to display them in your Basereach inbox alongside the matching outbound message.
• We do not use Gmail data to serve advertisements of any kind.
• We do not sell Gmail data or transfer it to third parties except as necessary to provide and improve the Service, to comply with applicable law, or as part of a merger or acquisition (subject to the protections described in this policy).
• We do not allow humans to read Gmail data unless we have your explicit consent for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized.
• We do not use Gmail data to train, fine-tune, or develop generalized AI or machine learning models. The Basereach AI agent only reads the body of a specific reply when explicitly asked to draft a follow-up to that reply, and that interaction is bounded to your account.

4. How we share information

We do not sell your personal data. We share information only in the following circumstances:

• With service providers that operate the Service on our behalf: cloud hosting (Vercel, Neon), email delivery (Resend), AI inference (Anthropic), payment processing (Stripe), web scraping (Firecrawl), and analytics
• With recipients of email you choose to send through Basereach (the “To” and “CC” addresses you specify)
• When required by law, court order, or other lawful request
• To protect the rights, safety, and integrity of Basereach, our users, or others
• In connection with a merger, acquisition, or sale of assets, where you will be notified of any change in ownership or data handling

5. Data retention

We retain personal information only for as long as needed to provide the Service and for legitimate business purposes such as billing, abuse prevention, and legal compliance.

Gmail-derived data: when you disconnect Gmail from a Basereach product, we stop polling Gmail and delete the encrypted refresh token. Replies that were already mirrored into your Basereach inbox remain there because they are part of your outreach history under your account; you can delete them individually or request full account deletion at any time.

You may request deletion of your account and associated data by emailing the address in the Contact section. Some information may be retained where required to comply with legal obligations or to resolve disputes.

6. Data security

We use reasonable administrative, technical, and organizational measures to protect your information, including TLS in transit, encryption at rest for sensitive credentials (Gmail refresh tokens are encrypted using AES-256-GCM with a key separate from the database), and role-based access controls on internal systems.

No method of transmission or storage is completely secure. We cannot guarantee absolute security.

7. Your rights and choices

Depending on your location, you may have rights regarding your personal data, including the right to access, correct, delete, export, or restrict processing of your information, and the right to withdraw consent where consent is the legal basis for processing.

You can disconnect Gmail at any time from the Inbox routing section of your product settings, or revoke our access entirely from your Google account permissions page.

To exercise any of these rights, contact us using the details in the Contact section.

8. Children's privacy

The Service is intended for business use and is not directed to children under 13 (or the minimum age required by applicable law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate action.

9. International data transfers

Your information may be transferred to and processed in countries other than your own, including the United States. Where required we take appropriate safeguards to ensure adequate protection of personal data.

10. Third-party services

The Service may contain links to third-party websites or services, including Google, Stripe, Resend, and others. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page, and the “Last updated” date will be revised. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or our data practices, contact us at:

Basereach (a product of Sublevel)
Email: hello@basereach.io