Privacy Policy
Last updated: May 7, 2026
This policy describes what data HeyBoring Agent collects, how we use it, and your rights. We try to keep it short and not lawyerly.
What we collect
- Account information. The information you provide during signup: company name, vertical, owner email, signer details, physical mailing address, ICP filters, brand colors.
- Gmail OAuth tokens. When you connect Gmail, Google issues us a refresh token that lets us send mail and read replies on your behalf. We encrypt this token at rest with a key (Fernet) held by us, separate from your data row.
- Email content we generate or process. The cold emails we draft, the replies that arrive, and the LLM token usage tied to each. Stored in our database, used to train per-tenant personalization, and surfaced in your daily report.
- Stripe billing records. Stripe holds the payment instrument; we hold a customer ID and subscription ID linked to your tenant.
- Apollo prospect data. Pulled per-tenant under our shared Apollo seat. Stored in your tenant's lead table; not commingled with other tenants.
What we don't do
- We do not read or process Gmail messages outside of threads we initiated or replies to threads we initiated.
- We do not sell, rent, or share your data with third parties for their marketing purposes.
- We do not use your customers' or prospects' data to train models that benefit other tenants.
Subprocessors
We use the following third parties to operate the Service. By using the Service you authorize us to share the necessary data with them:
- Google (Gmail API) — sending and reading the threads we initiate.
- Anthropic — drafting cold emails, classifying replies, generating quotes.
- Apollo.io — prospect data pulls.
- Stripe — payment processing.
- Resend — transactional email (signup pings, approval emails, magic-links).
- Railway / Vercel — hosting the API and dashboard respectively.
- Sentry — error monitoring (if enabled by the deployment).
Retention
We retain account data while your subscription is active. After cancellation, account data is retained for 30 days for reactivation, then deleted. Unsubscribe records are retained indefinitely (this is required by CAN-SPAM — we can't legally email someone who opted out, even if you re-add them later).
Your rights
You can export, correct, or delete your account data at any time by emailing hola@heyboring.com. EU/UK and California residents have additional rights under GDPR and CCPA respectively; we honor them on request.
Security
Gmail OAuth tokens are encrypted at rest. Database connections are TLS-encrypted. Admin access is gated by a secret you control. We don't have a SOC 2 yet — if that's a blocker for your business, tell us.
Children
The Service is not intended for individuals under 16, and we do not knowingly collect data from them.
Changes
We'll announce material changes via the dashboard and email at least 14 days before they take effect.