Legal
Privacy Policy
Last updated: 2026-06-02
1. Who we are
OSINT AI Labs LLC ("we", "us", "our") operates the Concierge Sales Tool, a sales-prospecting service that helps sales teams discover candidate buyer companies for their products. We are the data controller for the personal data described in this policy. Contact: legal@osintail.com.
2. Information we collect about you
- Account data — your email address and an opaque identifier from our authentication provider (Supabase).
- Usage data — counts and timestamps of discovery and briefing requests, used to enforce per-plan quotas and improve the service.
- Billing data — if you subscribe to a paid plan, Stripe collects and processes your payment details. We store only a Stripe customer identifier and the current subscription status; card numbers never touch our servers.
- Content you create — product catalogs you ingest, saved discovery reports, AI briefings, candidate notes, and in-app notifications, stored against your workspace.
- Calendar data (optional) — if you connect a Microsoft calendar, we store upcoming event subjects, locations, and times to match meetings to prospects and pre-generate briefings. The OAuth access and refresh tokens are encrypted at rest (see §10) and are never exported or logged.
- CRM data (optional) — if you connect HubSpot, we store your portal id and the email of the connected account, an audit record of prospects you push to the CRM, and encrypted OAuth tokens.
- Microsoft Teams data (optional) — if you connect our Teams bot, we store your Teams object id, tenant id, and conversation reference so we can deliver notifications. No per-user OAuth tokens are stored for this integration.
- Referral data — an opaque referral code and, when you sign up via someone's referral link, an attribution row linking you to the referrer.
- Mobile phone number (optional, opt-in) — if you are part of the beta-tester program and enable the in-app Tester Feedback feature, you may add your mobile number after explicitly checking a consent box on the Settings page. We store the number in E.164 format and the timestamps of your consent and any later opt-out. See §13 for the full SMS terms.
- Administrative logs — if you contact support or an administrator acts on your account, we keep an audit record of the action.
3. Information about prospects and other third parties
The service displays information about companies retrieved from public sources — the Google Places API and publicly-reachable company websites that we politely scrape while respecting robots.txt. On paid plans, our email-enrichment provider (Hunter.io) may also return a business email address for an individual at a company (for example, jane.smith@company.com) where that company publishes one, in addition to generic inboxes such as info@. Our legal basis for processing this data is our and our customers' legitimate interest in business-to-business outreach. If you are an individual whose business contact information appears in the service and you wish to object or request deletion, email us at the address in §1 and we will action your request.
4. AI processing
Briefings and narrative decks are generated with Google's Gemini API. To produce them, we send the relevant product-catalog details, candidate-company information, and — for calendar-triggered briefings — the meeting subject and context to Google for processing under Google's API terms. We do not use your content to train our own models.
5. How we use your data
- To authenticate you and maintain your account.
- To run discovery queries and generate briefings you request.
- To enforce usage limits and apply billing entitlements.
- To deliver the optional calendar, CRM, Teams, and SMS features you connect.
- To diagnose errors and improve reliability and security.
We do not sell or share your personal data, and we do not send marketing email without your explicit opt-in.
6. Cookies
We use only strictly-necessary cookies — the authentication and session cookies set by Supabase to keep you signed in. We do not use advertising or analytics cookies. Our error-monitoring provider (Sentry) runs without collecting personal data and sets no tracking cookies. Because we use no non-essential cookies, no cookie-consent banner is required.
7. Legal bases (GDPR)
- Performance of a contract — operating the service you signed up for.
- Legitimate interests — surfacing prospect companies, securing the service, and monitoring errors.
- Consent — the optional SMS Tester Feedback program.
- Legal obligation — retaining billing records for tax and accounting.
8. Your rights
Depending on where you live, you have rights to access, correct, delete, port, restrict, or object to the processing of your personal data. If you are a California resident, you also have the right to know what we collect, to delete it, to correct it, and to non-discrimination for exercising these rights — we do not sell or share personal information as those terms are defined under the CCPA/CPRA.
You can exercise the core rights yourself: go to Settings → Your data to export everything we hold about you (a JSON download) or to permanently delete your account. Deletion is not a soft-delete — your rows are removed from our database and any active paid subscription is cancelled at the same time. The same controls are available via the API (GET /api/v1/me/export and DELETE /api/v1/me). Email us if you need any other assistance.
9. International transfers
We and our sub-processors are based in or process data in the United States. Where a sub-processor transfers personal data out of the EEA/UK, that transfer is covered by the sub-processor's Standard Contractual Clauses or an equivalent safeguard.
10. Security
Data is encrypted in transit with TLS. OAuth access and refresh tokens for connected calendars and CRMs are encrypted at rest and never appear in logs, exports, or API responses. Access to production data is restricted to administrators who need it to operate the service.
11. Sub-processors
- Supabase (authentication)
- Stripe (payments)
- Google Places API (candidate discovery)
- Google Gemini API (AI briefing and narrative synthesis)
- Hunter.io (paid-tier email enrichment, when enabled)
- Microsoft Graph (calendar integration, when connected)
- Microsoft Teams / Bot Framework (Teams notifications, when connected)
- HubSpot (CRM integration, when connected)
- Twilio (SMS delivery for the opt-in Tester Feedback feature only)
- Sentry (error monitoring)
- Railway (application hosting)
12. Retention
Account, usage, report, and integration data are retained until you delete your account, at which point they are removed — including your SMS opt-in record and any feedback conversation history, because once your account is gone we will never message you again. Billing records may be retained by Stripe independently per their own policies, for tax and accounting purposes.
13. SMS / mobile information (Tester Feedback program)
The Tester Feedback program collects your mobile phone number only after you explicitly opt in via a consent checkbox on the Settings page. We use your number for one purpose only: to deliver SMS responses to feedback you submit through the in-app dialog.
We do not share your mobile phone number, SMS opt-in information, or the content of SMS messages with third parties or affiliates for marketing or promotional purposes. Your number is shared only with our SMS delivery provider (Twilio) to the extent strictly necessary to send and receive the messages you have consented to, and with the administrators of this service to the extent they are the recipients of the feedback you submit. No mobile information is sold.
You may opt out at any time by replying STOP to any SMS we send, or by removing your number from the Settings page. Opt-out is honored immediately. While your account remains active we retain a record of your prior consent and opt-out timestamp for regulatory compliance (TCPA and the US carrier 10DLC program); the number itself is no longer used for any communication after opt-out. If you delete your account, these SMS records are deleted along with it (see §12).
14. Changes
We will update the "Last updated" date above whenever this policy changes, and notify active users by email when the change is material.
15. Contact
For questions or requests, or to report a data-protection concern, email legal@osintail.com.