Privacy Policy

Inmailer LLC (“InMailer,” “we,” “us,” “our”) respects your privacy. This Privacy Policy describes what personal information we collect, how we use it, with whom we share it, how we protect it, and your rights and choices.

This policy applies to your use of:

• The InMailer AI website at inmailer.ai and related domains
• The InMailer AI web application at platform.inmailer.ai and any whitelabel domains
• The InMailer AI Chrome browser extension
• Our APIs
• Email and other communications from InMailer

It does not apply to third-party services (LinkedIn, Unipile, Whop, etc.), which have their own privacy policies.

1.1 Information You Provide Directly

• Account registration: name, email, password (stored hashed), company name, role, country
• Billing information: name, billing address, payment method details (held by our payment processor, Whop, on PCI-DSS Level 1 infrastructure, we never store full card numbers)
• Workspace content: campaigns, lead lists you upload (which may contain third-party personal data, see Section 1.4), message templates, voice notes, ICPs, internal notes
• LinkedIn session credentials: li_at cookie, li_a premium token, user-agent string, captured via our Chrome extension or pasted by you, stored encrypted at rest and used solely to call third-party LinkedIn integration providers on your behalf
• Support correspondence: emails, Telegram messages, screenshots, or other content you share with our support team

1.2 Information Collected Automatically

• Usage data: pages visited, features used, button clicks, search queries, IP address, browser type, device type, referrer URL, timestamps
• Cookies and similar technologies: session cookies for authentication, preference cookies, analytics cookies (see Section 7)
• Log data: server logs, API request logs, error logs, including IP addresses and request metadata, retained for security and debugging purposes

1.3 Information from Third Parties

• Whop: subscription status, payment receipts, customer ID, billing events (via Whop’s webhooks)
• LinkedIn (via Unipile): profile metadata of accounts you connect, message threads, connection events. We do not access content of LinkedIn DMs not initiated through the Service.
• OpenAI / Anthropic / ElevenLabs: AI-generated responses for content you submit for processing
• Google Analytics, Cloudflare: anonymized traffic data for our website

1.4 Personal Data You Upload About Third Parties (Prospect Data)

When you upload prospect lists, your CSV files may contain personal data about LinkedIn users who are not InMailer customers (“Prospects”). You are the data controller of Prospect Data and you are responsible for ensuring you have a lawful basis under applicable law (GDPR, CCPA, etc.) to collect and contact those Prospects. InMailer acts as a data processor on your behalf solely to provide the Service.

We process the following Prospect Data:

• Names, LinkedIn profile URLs, public LinkedIn profile fields, public job titles and companies
• Personalized message variables you provide
• LinkedIn message thread content (sent and received) for the chats you operate through the Service

We do not:

• Sell Prospect Data
• Use Prospect Data to train AI models
• Disclose Prospect Data to other InMailer customers
• Re-share Prospect Data outside the processors listed in Section 4

We use the information we collect to:

• Provide the Service: authenticate your account, deliver features you request, send messages on your behalf via the connected LinkedIn account, sync inbox replies, store campaign state
• Process payments: via Whop and our other payment partners
• Communicate with you: transactional emails (receipts, billing notices, security alerts), product updates, support responses, and occasional marketing (which you can opt out of)
• Improve the Service: aggregated, anonymized analytics; bug investigation; performance monitoring
• Train AI features: prompts you submit to our AI Setter and Conversational Agent are sent to OpenAI/Anthropic for inference. We do not use your data, your prospect data, or your messages to train the underlying foundation models, and we do not retain this data with the LLM providers beyond what is necessary for the inference call, per our data processing agreements with each provider
• Comply with legal obligations: tax, accounting, anti-fraud, anti-money-laundering, and law-enforcement requests
• Protect the Service: detect and prevent fraud, abuse, security incidents, and ToS violations
• Enforce our Terms: investigate breaches and pursue remedies

For customers and prospects subject to the EU or UK GDPR, our legal bases for processing personal data are:

• Performance of a contract (Art. 6(1)(b)): to provide the Service you purchased
• Legitimate interests (Art. 6(1)(f)): to operate, improve, and secure the Service; to communicate about your account; to enforce our Terms; to defend against fraud
• Compliance with legal obligations (Art. 6(1)(c)): for tax, accounting, and law-enforcement requirements
• Consent (Art. 6(1)(a)): for non-essential marketing communications and analytics cookies (where required by law)

For Prospect Data uploaded by Customers, the Customer is the controller and InMailer is the processor. The Customer represents to InMailer that the Customer has a lawful basis (typically legitimate interest under Art. 6(1)(f), or B2B exemption under ePrivacy where applicable) to contact each Prospect.

We share information only with the following categories of recipients, and only as necessary:

We do not sell personal data. We do not share personal data with third-party advertisers, data brokers, or any party for cross-context behavioral advertising.

InMailer is established in the United States (Wyoming). When you use the Service from outside the United States, your data is transferred to and processed in the US and other jurisdictions where our processors operate.

For transfers from the EU/UK/Switzerland to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and UK ICO, supplemented by technical and organizational measures.

We retain personal data only as long as necessary for the purposes described in this policy:

• Account data: while your subscription is active, plus 30 days after termination, plus up to 12 months in backups for disaster recovery
• Prospect data and message threads: controlled by you; deleted when you delete the corresponding campaign or chat; otherwise retained for the same period as account data
• Billing records: retained for seven (7) years for tax and audit compliance, as required by US and applicable foreign tax law
• Support correspondence: retained for three (3) years
• Server logs: retained for 90 days
• Anonymized analytics: indefinitely

Our website and web application use:

• Strictly necessary cookies: authentication, security, session management, cannot be disabled
• Preference cookies: remember your settings (theme, workspace selection)
• Analytics cookies: Google Analytics or similar, anonymized, opt-in where required by law (EU/UK cookie banner)

We do not use advertising cookies, tracking pixels for behavioral advertising, or cross-site tracking technologies.

We implement industry-standard technical and organizational measures to protect your data, including:

• TLS 1.2+ encryption in transit
• AES-256 encryption at rest for sensitive credentials (LinkedIn cookies, API keys)
• Role-based access control with least-privilege principles
• MongoDB Atlas encrypted backups
• Regular security audits and dependency scans
• Multi-factor authentication available on all accounts
• Incident response procedures with 72-hour breach-notification commitment (where required by GDPR/CCPA)

No system is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and applicable authorities as required by law.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: request a copy of your personal data (EU, UK, US under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and others)
• Rectification: correct inaccurate data (EU, UK, several US states)
• Erasure / Deletion: request deletion of your personal data (EU, UK, US under CCPA, and others)
• Restriction: limit processing (EU, UK)
• Portability: receive your data in a portable format (EU, UK, US under CCPA)
• Objection: object to certain processing (EU, UK)
• Withdraw consent: for processing based on consent (all jurisdictions where consent applies)
• Opt-out of sale/sharing for cross-context behavioral advertising: US under CCPA/CPRA. Not applicable as we do not sell or share for advertising.
• Non-discrimination: for exercising rights (US under CCPA)
• Lodge a complaint with a supervisory authority: EU (your local DPA), UK (ICO)

To exercise any right, email andrej@inmailer.ai with subject line PRIVACY REQUEST, [your account email]. We will respond within thirty (30) days (or sixty (60) days for complex requests, with notice). We may require you to verify your identity before fulfilling the request.

For California residents, this section supplements the rest of the policy.

Categories of personal information collected (per CCPA categories): identifiers, customer records, commercial information, internet activity, geolocation (approximate, via IP), professional/employment information, inferences drawn from the above.

Sources: directly from you, automatically from your device, from third parties listed in Section 1.3.

Business purposes: as described in Section 2.

Categories disclosed for business purposes: all of the above to the recipients listed in Section 4, solely to operate the Service.

Categories sold or shared for cross-context behavioral advertising: NONE. We do not sell personal information and we do not share for cross-context behavioral advertising.

Retention: as described in Section 6.

Rights: as described in Section 9.

Authorized agent: you may use an authorized agent to submit requests on your behalf. We will verify both your identity and the agent’s authorization.

Contact for CCPA requests: andrej@inmailer.ai

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact andrej@inmailer.ai and we will delete it.

Our website does not respond to “Do Not Track” browser signals at this time, as there is no industry standard for compliance. We do not engage in cross-site tracking that “Do Not Track” is designed to prevent.

We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or in-app notice at least fourteen (14) days before taking effect. The policy in effect at the time you use the Service governs that use.

For privacy questions, data-subject requests, or to exercise any right described in this policy:

EU/UK representative: Not currently designated. EU/UK users may contact andrej@inmailer.ai directly or lodge a complaint with their local supervisory authority.