Privacy Policy

Effective Date: May 16, 2026
Last Updated: May 16, 2026
Version: 2.0

1. Introduction

Kenny Bianchi LLC, a Delaware limited liability company, doing business as Automatoir ("Automatoir," "we," "us," or "our"), operates the Automatoir platform at www.automatoir.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you or your organization use the Service.

1.1 Two roles, two regimes

This Privacy Policy describes our practices in two distinct roles:

  • Where we act as a controller (also called a "business" under U.S. state privacy laws): for personal data about our customer account holders — the individuals and organizations who sign up for, pay for, and operate the Service. This includes account information, billing information, and usage telemetry. Part A of this Policy applies.
  • Where we act as a processor (also called a "service provider" under U.S. state privacy laws): for personal data that our customers upload, ingest, or otherwise instruct us to process through the Service — most importantly the contents of email mailboxes our customers connect, and information about prospects, contacts, and other third parties our customers research, import, or contact through the Service. For this data, our customer is the controller, and you should direct privacy inquiries about it to that customer in the first instance. Part B of this Policy applies.

If you are an individual whose information is being processed by Automatoir on behalf of one of our customers (for example, you received an email sent through Automatoir or you appear in a customer's prospect database), please read Part B (Section 12) in particular. Your rights are real, but you should usually exercise them with the customer who controls your data.

1.2 Scope and acceptance

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

This Policy applies to the Service as offered by Automatoir directly through automatoir.com. It does not apply to third-party websites, products, or services to which we may link, even if accessed through the Service.


Part A — Where Automatoir acts as a controller (account holders)

This Part A applies to personal data we collect about you when you create an Automatoir account, pay for the Service, and operate your dashboard. For this data, Automatoir is the controller.

2. Information we collect about account holders

2.1 Account information

When you create an account, we collect your name, email address, organization name (if applicable), and a password (stored only as a salted hash). This information is required to provide you access to the Service.

2.2 Payment information

Payment processing is handled entirely by Stripe. We do not receive, store, or process your full credit card number, CVV, or bank account number. Stripe shares with us limited information for record-keeping, including the last four digits of your card, card brand, expiration date, billing ZIP code, and transaction history. Please review Stripe's Privacy Policy for details on Stripe's handling of your payment information.

2.3 Usage data

We collect information about how you interact with the Service, including feature usage, API request logs (used for cost tracking and debugging), pages visited, and actions taken within your dashboard. This data is used to operate, secure, and improve the Service.

2.4 Device and connection data

We collect technical information automatically when you use the Service, including IP address, browser type and version, operating system, device type, referring URL, and timestamps. This data is used for security, fraud prevention, and analytics.

2.5 Support communications

If you contact us by email or through our help features (including our help-chat widget), we receive and retain the contents of those communications. Help-chat conversations are processed by an AI model to generate responses (see Section 5).

2.6 Cookies and similar technologies

We use a minimal set of cookies necessary for authentication and session management. We do not use third-party advertising cookies, cross-context behavioral advertising trackers, or analytics cookies that share information with third parties for marketing purposes. Your browser may allow you to disable cookies, but doing so may prevent you from using authenticated features of the Service.

3. How we use account holder information

We use the information described in Section 2 to:

  • Provide the Service — operate your dashboard, sync your connected mailbox, manage your subscription, and deliver features you have activated.
  • Bill and collect — charge your payment method, manage subscription changes, and address payment issues.
  • Communicate with you — send transactional emails (account confirmations, billing notices, security alerts, product announcements material to your use of the Service) and respond to support inquiries.
  • Secure the Service — detect and prevent unauthorized access, fraud, and abuse.
  • Analyze and improve the Service — measure feature usage, identify bugs, and improve performance. We do not use your User Content (defined below in Part B) to train artificial intelligence or machine-learning models.
  • Comply with law — meet legal, regulatory, and tax obligations.

3.1 Marketing communications

We may send you marketing communications about the Service if you have opted in or if permitted by applicable law. You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by emailing hello@automatoir.com. Opting out of marketing communications does not affect transactional or account-related emails.

4. How we share account holder information

We do not sell your personal information, and we do not share your personal information with third parties for cross-context behavioral advertising. We share your information only in the following circumstances:

4.1 Subprocessors

We use the third-party service providers listed in Section 9 (Subprocessors) to operate the Service. Each subprocessor receives only the data necessary for its designated purpose.

4.2 Legal compliance

We may disclose your information if required by law or in response to valid requests by public authorities (such as a court order, subpoena, or government investigation), provided we have a good-faith basis to believe the disclosure is required and, where lawful, after notifying you.

4.3 Protection of rights

We may disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.

4.4 Business transfers

If Automatoir is involved in a merger, acquisition, financing, reorganization, or sale of all or substantially all of its assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections. We will provide notice on this page before your information is transferred and becomes subject to a different privacy policy.

4.5 With your consent

We may share your information for any other purpose disclosed to you and to which you consent.

5. AI processing

Automatoir uses artificial intelligence to power core features of the Service. The following describes how AI is used in our platform.

5.1 What AI does

  • Email classification and drafts. Email content (subject line, body text, sender information, thread context) from connected mailboxes is sent to the Anthropic Claude API for classification (e.g., lead, support, billing, spam) and to generate draft replies you can review before sending.
  • Lead qualification. Prospect data and your Ideal Customer Profile criteria are sent to the Claude API for qualification scoring and brief reasoning summaries.
  • Competitive intelligence and prospect generation. Publicly available information from web search results is analyzed via the Claude API to generate competitor research summaries and prospect suggestions matching your Ideal Customer Profile.
  • Knowledge base embeddings. Documents and URLs you upload as a knowledge base are processed by Voyage AI to generate text embeddings (numerical vector representations) stored in our database for retrieval-augmented generation.
  • Outreach sequences. The Claude API generates personalized email drafts for multi-step sequences based on your prospect data, your knowledge base, and your templates.
  • Help chat. Our in-app help assistant uses the Claude API to answer your product questions, drawing on our published documentation and a limited summary of your account state (counts and status flags only — no personal data of prospects or message bodies).

5.2 No AI training on your data

Automatoir uses the Anthropic commercial API. Anthropic represents in its commercial usage policy that customer API content is not used to train Anthropic's models. We rely on Anthropic's commitments as in effect from time to time. See Anthropic's policies. Voyage AI processes text content to return numerical vectors and does not retain content for training. We do not authorize any subprocessor to use your User Content for AI or machine-learning model training, and we do not do so ourselves.

5.3 Human review and automated decision-making

AI-generated content (classifications, drafts, scores, summaries) is presented to you as suggestions. You retain control over what the Service does with those suggestions:

  • Outbound emails generated by AI are subject to your review settings. When review mode is enabled — which is the default for new sequences — you approve the sequence template and individual steps before they are sent on your behalf. You may configure sequences to send automatically by disabling review mode in the sequence settings.
  • Prospect qualification scores do not produce any external effect without an action you initiate.
  • The Service does not make decisions with legal or similarly significant effects about any individual without action initiated by you.

5.4 Accuracy of AI-generated information about third parties

AI-generated research summaries, competitive intelligence, prospect dossiers, and qualification reasoning may include statements about identifiable individuals or organizations. These statements are generated by language models and may be inaccurate or incomplete. We do not warrant the accuracy of any such statement. You are responsible for verifying any factual claim before relying on it or republishing it (including in any communication you send through or outside the Service).

5.5 Disabling AI features

You may disconnect your email mailbox at any time from your dashboard, which stops all AI processing of your email. You may also delete your knowledge base entries at any time. Disconnecting integrations and deleting data takes effect promptly and is reflected in the retention windows in Section 7.

6. Data security

We implement appropriate technical and organizational measures to protect personal data, including:

  • TLS encryption for data in transit.
  • Encryption at rest for database storage.
  • AES-256-GCM encryption of OAuth tokens for connected integrations (email, CRM); decryption occurs only at the point of use.
  • Role-based access controls and database row-level security policies on tables containing customer data.
  • Webhook signature verification for inbound integrations.
  • Single sign-on for our internal access to production systems, with logging.

No system is perfectly secure. In the event of a breach affecting your personal data, we will notify you and any applicable regulatory authorities without undue delay and, where feasible, within 72 hours of becoming aware of the breach, with the information then available, and will follow up as more facts develop.

7. Data retention (account holder data)

Data category | Retention
Account information | Duration of your active subscription, plus a 30-day wind-down period to allow data export.
Billing records | 7 years after the relevant transaction, to comply with U.S. tax and accounting obligations.
Usage logs and API request logs | 13 months from the date of the request, used for cost tracking and debugging.
Support communications | 3 years from the close of the matter.
Database backups | Up to 8 days after deletion from the primary system, on rolling daily backup schedules.
Marketing-suppression records | Indefinitely after opt-out, to honor your opt-out.

We may retain personal data for longer where required by law, where necessary to enforce our agreements, defend legal claims, or address security incidents.

8. Your rights as an account holder

Depending on your jurisdiction, you have the following rights regarding personal data we hold about you as a controller:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Request that we correct inaccurate or incomplete personal data.
  • Deletion. Request that we delete your personal data, subject to legal retention requirements.
  • Portability. Request a machine-readable export of your data.
  • Objection or restriction. Object to certain processing or request that we restrict processing.
  • Opt out of "sale" or "sharing" (as defined under U.S. state privacy laws). We do not sell or share personal data as those terms are defined; this right has no operational effect on Automatoir, but you may confirm your status by contacting us.
  • Limit use of sensitive personal information (where applicable). We do not collect sensitive personal information for purposes that would trigger this right.

8.1 California (CCPA / CPRA)

If you are a California resident, the above rights apply, and you may also designate an authorized agent to exercise rights on your behalf. We will respond within 45 days, extendable by an additional 45 days where permitted, with notice. We do not knowingly sell or share personal information of California residents.

8.2 Other U.S. states

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Iowa, Indiana, Tennessee, Montana, Delaware, New Jersey, Maryland, Minnesota, and others as such laws come into force — have rights substantially similar to those described above, including a right to appeal a denial of a request, exercisable by contacting us at hello@automatoir.com.

8.3 Canada (PIPEDA and provincial laws)

If you are located in Canada, you have rights of access and correction under PIPEDA and applicable provincial laws (including Quebec's Law 25). To exercise these rights, contact us at hello@automatoir.com.

8.4 How to exercise your rights

To exercise any of these rights, please email us at hello@automatoir.com with the subject line "Privacy Request." We will:

  1. Acknowledge receipt promptly.
  2. Verify your identity by matching identifying information against our records (we may request additional information if we cannot verify identity from the account itself).
  3. Substantively respond within the period required by applicable law (within 30 days under most laws, within 45 days under CCPA/CPRA, in each case extendable as permitted by law).

We will not discriminate against you for exercising these rights.

9. Subprocessors (account holder data)

We use the following subprocessors. Each receives only the data necessary for its designated purpose. We will provide at least 30 days' advance notice of changes to this list by updating this page.

Subprocessor | Purpose | Region
Supabase (via AWS) | Database hosting, authentication, real-time data | United States (us-west-2, Oregon)
Vercel | Application hosting, edge functions, CDN | United States (primary)
Stripe | Payment processing, subscription management | United States
Anthropic (Claude API) | AI email classification, draft generation, prospect qualification, research summaries, help chat | United States
Voyage AI | Text embeddings for knowledge base retrieval | United States
Nylas | Email OAuth connection, mailbox sync (Gmail, Outlook) | United States
Resend | Transactional email delivery | United States
Enrich.so | Prospect email enrichment | United States
HubSpot | CRM integration via OAuth | United States
Salesforce | CRM integration via OAuth | United States
Sentry | Error monitoring | United States
Better Stack | Uptime monitoring | United States / EU
ImprovMX | Inbound email forwarding | European Union

We may engage additional subprocessors in the future. Customers with active data processing agreements may object to new subprocessors as set out in their DPA.

10. International data transfers

The Service is hosted in the United States. Our database is hosted on Supabase in AWS region us-west-2 (Oregon). By using the Service, you understand and consent to the transfer, storage, and processing of your information in the United States.

The Service is intended for users in the United States and Canada. We do not market the Service to individuals located in the European Economic Area, the United Kingdom, or Switzerland, and we may decline or terminate accounts we identify as operating from those jurisdictions. We have not implemented data transfer mechanisms (such as Standard Contractual Clauses) for transfers from those regions. If you access the Service from those jurisdictions, you should not provide personal data through the Service. See also Section 11.

11. Eligibility and geographic scope

The Service is intended for businesses operating in the United States and Canada. We do not market or sell the Service to users in the European Economic Area, the United Kingdom, or Switzerland, and we may decline or terminate accounts we identify as operating from those jurisdictions. The Service may not be used to target individuals located in the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction where such use would not comply with applicable law. See the Terms of Service, Section 5, for further detail.

The Service is not intended for, and may not be used by, individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a person under 18, we will delete it promptly. If you believe we have collected information from a person under 18, please contact us at hello@automatoir.com.


Part B — Where Automatoir acts as a processor (data about prospects and other third parties)

This Part B applies to personal data that Automatoir processes on behalf of our customers when those customers use the Service. For this data, the customer is the controller and Automatoir is a processor (or "service provider" under U.S. state privacy laws).

12. Notice to individuals whose data is processed by our customers

If you appear in an Automatoir customer's prospect database, received an email sent through the Service, or otherwise had your personal data ingested into the Service by one of our customers, this Section 12 is the notice we provide to you.

12.1 Categories of personal data processed

When our customers use the Service, we may process the following categories of personal data about you on their behalf:

  • Identifiers: name, work email address, work phone number, business mailing address, professional profile URLs (such as LinkedIn).
  • Professional information: employer, job title, role, function, seniority, work history.
  • Communication content: the contents of emails sent or received between you and our customer through the customer's connected mailbox, including subject lines, message bodies, attachments (if any), timestamps, and thread metadata.
  • Inferences: AI-generated qualification scores and reasoning summaries that our customers configure the Service to produce about you.

12.2 Sources

Personal data about you reaches the Service from one or more of the following sources:

  • The customer's connected email mailbox (Gmail or Outlook), via Nylas, after the customer authorizes the connection.
  • The customer's manual input or upload (CSV, knowledge base documents, manual entry).
  • Enrich.so email enrichment, where the customer requests enrichment of contact information.
  • Public web sources retrieved via the Claude API web search tool for competitive research and prospect suggestions matching the customer's Ideal Customer Profile.
  • CRM integrations (HubSpot, Salesforce), where the customer pushes or pulls contact records.

12.3 Purposes and lawful basis

Our customers use the Service to qualify prospects, send commercial outreach, conduct competitive research, and synchronize contact data with their CRM. Lawful basis for that processing is determined by the customer as the controller. Where our customers tell us they rely on legitimate interest under Article 6(1)(f) of the GDPR — for example, for B2B prospecting in jurisdictions where that is permitted — they are responsible for documenting their balancing test. Automatoir's use of personal data is limited to processing on documented customer instructions to deliver the Service.

We do not target the Service at individuals located in the European Economic Area, the United Kingdom, or Switzerland, and our Terms of Service prohibit our customers from using the Service to contact individuals located in those jurisdictions.

12.4 Retention

We retain personal data processed on behalf of customers for the duration of the customer's subscription, unless and until the customer deletes it. When the customer deletes your record, or terminates their subscription, we delete the data from production systems within 30 days, with database backups purged on rolling daily-backup schedules within an additional 8 days.

12.5 How to exercise your rights — controller first

For most rights — including the right to access, correct, delete, port, or object to processing of your personal data — the customer who controls your data is the responsible party, not Automatoir. To exercise your rights:

  1. Identify the customer. If you received an email sent through the Service, the customer is the sender (or the sender's organization). If you appear in a prospect database, the customer is the organization conducting outreach to you.
  2. Contact the customer directly. Make your request to the customer's published privacy contact.

If you are unable to identify the customer or the customer does not respond within a reasonable period (we suggest 30 days), you may contact us at hello@automatoir.com with the subject line "Prospect Data Request." We will use reasonable efforts to:

  • Identify the controlling customer and forward your request, or
  • Where appropriate and lawful, delete or restrict processing of your data on our systems, and confirm the action to you.

12.6 Opting out of email contact

If you wish to stop receiving email contact from one of our customers, you may:

  • Reply to any email from that customer with "unsubscribe" — our automated systems detect replies to outreach sequences and will unenroll you from that customer's active sequences.
  • Click any unsubscribe link in the email.
  • Email us at hello@automatoir.com identifying yourself and the customer; we will use reasonable efforts to honor your request.

12.7 Direct rights against Automatoir as joint controller

In a limited set of circumstances — including when we make decisions about the categories of data, retention periods, or security measures applicable across all customers, or when we use Enrich.so email enrichment or web-search-based prospect generation to add data to the Service that the customer did not have — Automatoir may be considered a joint controller with the customer. In those circumstances:

  • Lawful basis. We rely on Article 6(1)(f) GDPR (legitimate interest) to the extent applicable, and on the comparable bases under U.S. state laws (which generally do not require an articulated lawful basis for B2B contact data, but require honoring opt-outs and certain rights).
  • Rights against us. You may exercise your rights directly against Automatoir for processing where we are a joint controller, by contacting hello@automatoir.com.
  • Data minimization. We process only what is necessary to provide the Service to our customers; we do not market to prospects on our own behalf and do not sell prospect data.

12.8 No sale of personal information

We do not sell personal information about prospects or any other individuals to third parties. We do not share personal information for cross-context behavioral advertising.


Part C — Common provisions

13. Cookies and similar technologies

See Section 2.6.

14. Changes to this policy

We may update this Privacy Policy from time to time. For material changes — including any change that expands the categories of personal data we process, the purposes of processing, the subprocessors we use, or that materially reduces your rights — we will provide at least 30 days' advance notice by updating this page and, where we have an account email on file, by emailing you. Your continued use of the Service after the effective date of any change constitutes acceptance of the updated Policy. If you do not accept a material change, you must stop using the Service before the effective date.

15. Contact

If you have any questions about this Privacy Policy or our data practices:

Email: hello@automatoir.com
Mailing address: Provided on request to hello@automatoir.com.

For privacy-specific requests, please use the subject line "Privacy Request" or "Prospect Data Request" so we can route your message appropriately.