Privacy Policy

1. Our Roles: Controller vs. Processor

SimplyWarmup operates in two distinct data-processing roles, and this distinction matters for how your data is protected:

• Data Controller — for our own business purposes: account registration, authentication, billing, security, abuse prevention, service improvement, and regulatory compliance. In this role, SimplyWarmup determines the purposes and means of processing and bears full controller responsibilities.
• Data Processor / Service Provider — for the email warmup, spam-rescue, and deliverability operations we perform on your behalf and at your direction. In this role, we process mailbox data and Customer Content under your instructions. Our Data Processing Addendum governs this relationship.

Where processing is mixed, we handle the data under the applicable role and disclose both purposes in this Policy.

2. Data We Collect

We collect data across the following categories:

Account & Identity Data

Email address, password (hashed and salted, never stored in plaintext), role within the tenant, email confirmation status, and the organization your account is associated with (tenant).

Subscription & Billing Data

Stripe Customer ID, Stripe Subscription ID, subscription plan and status, billing period dates, and the count of Connected Inboxes. We do not store full payment-card numbers, bank-account details, or CVVs. That data is handled exclusively by Stripe.

Connected Inbox Data

Business email address of each Connected Inbox, inbox provider (Google or Microsoft), encrypted access token, encrypted refresh token, token expiry timestamp, and connection status. Tokens are protected in storage and used only for authorized Service operations.

Warmup Configuration Data

Pacing settings, warmup activity levels, and operational parameters you configure for each Connected Inbox.

Operational Email Data

Sender inbox identifier, recipient inbox identifier, external Provider message ID, thread ID, email subject line, delivery status, timestamps, and warmup-pool interaction metadata. Note: We do not durably store the full body content of warmup emails in our primary database, though content is necessarily accessed in memory when generating, sending, and processing warmup messages through Provider APIs.

Inbox Health & Analytics Data

Health scores, spam-folder detection events, inbox-placement outcomes, rescue operation records, pacing metrics, and aggregate deliverability statistics associated with your Connected Inboxes.

Authentication & Session Data

When you sign in, we issue a secure, signed session cookie to maintain your authenticated state across requests. This cookie identifies you, your role, and your organization within the platform. It is valid for up to 14 days and refreshes automatically on each visit (sliding window). It is destroyed when you sign out. We do not store passwords in session cookies; only a cryptographically signed identity token is used.

Usage & Service Logs

Server access logs, API request/response logs, background job execution records, error logs, and security event logs. These are retained for operational troubleshooting, abuse detection, and legal compliance.

3. How We Use Data

We use data we collect for the following purposes:

• Providing the Service: operating inbox connections, running warmup dispatches, executing spam rescue, calculating health scores, and delivering analytics dashboards.
• Account Management: registering tenants, authenticating users, managing permissions, and enabling email confirmation.
• Billing & Subscriptions: processing payments through Stripe, enforcing subscription limits, and managing billing cycles.
• Security & Abuse Prevention: detecting unauthorized access, preventing Pool abuse, protecting the platform and other customers, and responding to legal requests.
• Service Improvement: analyzing aggregate platform performance to improve features, reliability, and deliverability outcomes. We do not use mailbox content for advertising or model training without your consent.
• Legal Compliance: meeting our obligations under applicable law, responding to lawful government requests, and enforcing our Terms.
• Support: diagnosing issues reported by customers, investigating abuse complaints, and providing technical assistance.

4. Google Workspace Data

When you connect a Google Workspace inbox, we request the following OAuth scopes:

• openid, email, profile — to identify and verify the connected mailbox account;
• gmail.send — to send AI-generated warmup messages from your inbox into the Clean Pool network;
• gmail.modify — to move warmup messages out of the spam folder as part of the spam-rescue workflow (no other modifications are made to your mailbox); and
• gmail.readonly — to poll inbox and spam-folder placement of warmup messages and calculate deliverability health metrics.

Google-derived data (including mailbox messages accessed through these scopes) is used exclusively to provide warmup operations, spam rescue, and related deliverability analytics. It is:

• not sold or transferred to any third party except as necessary to provide the Service;
• not used for advertising or marketing;
• not used to train AI or machine learning models by SimplyWarmup;
• not accessed by humans except for security review, abuse investigation, or legal compliance, with appropriate controls; and
• handled in accordance with the minimum scope needed for each operation.

You can revoke SimplyWarmup's access to your Google account at any time through Google Account Permissions. Upon revocation or inbox disconnection, we will cease active operations on that inbox and delete stored tokens as described in Section 10.

5. Microsoft 365 Data

When you connect a Microsoft 365 inbox, we request the following Microsoft Graph OAuth scopes:

• openid, profile, email, User.Read — to identify the mailbox account;
• offline_access — to obtain a refresh token and maintain the connection across sessions;
• Mail.ReadWrite — to read mail metadata and perform warmup-coordination and spam-rescue operations; and
• Mail.Send — to send warmup messages from your inbox.

Microsoft-derived data is used solely to deliver warmup, spam-rescue, and analytics services. It is subject to the same use restrictions described in the Google Workspace section above and to the requirements of Microsoft's identity platform terms.

You can revoke SimplyWarmup's Microsoft access at any time through Microsoft My Apps or by disconnecting the inbox within your SimplyWarmup account. Revocation ends active operations on that inbox and initiates token deletion.

6. AI Processing

SimplyWarmup uses Google Gemini (operated by Google LLC) to generate the subjects, bodies, and replies of warmup messages. To produce this content, the Service transmits generation prompts to Google's Gemini API. These prompts contain warmup configuration parameters and stylistic instructions — they do not contain the raw contents of your inbox, your contact lists, or identifiable personal data beyond what is operationally required.

SimplyWarmup does not use your mailbox messages or Customer Content to fine-tune, train, or otherwise improve any AI or machine-learning model. AI Output generated by the Service is used solely to conduct warmup operations within the Clean Pool.

Google may retain API request data in accordance with its own policies. For details, see Google's Privacy Policy and the Gemini API Terms. If Google's AI data practices are a compliance concern for your organization, contact [email protected] before connecting inboxes.

7. Payment Processing (Stripe)

Billing is processed by Stripe, Inc. SimplyWarmup stores only Stripe-assigned identifiers (Customer ID, Subscription ID) in our database. Full payment-card numbers, bank-account credentials, and CVVs are never entered into or stored by SimplyWarmup systems.

When you complete checkout or manage billing, you interact with Stripe's hosted payment interface, subject to Stripe's Privacy Policy. Stripe may use cookies or tracking technologies on their hosted payment pages independent of SimplyWarmup's cookie practices.

8. Cookies & Tracking

We use a small number of cookies to operate the Service. See our Cookie Notice for the full list and purposes.

In summary: we currently use only strictly necessary cookies required to maintain your authenticated session and protect form submissions. We do not currently use advertising, tracking, or analytics cookies from third-party networks.

9. Sharing & Subprocessors

We do not sell, rent, or share your personal data with third parties for their own commercial or marketing purposes. We share data only in the following circumstances:

• Service providers and subprocessors that help us operate the Service under strict data processing obligations (see Data Processing Addendum);
• Stripe, Inc. for payment processing as described in Section 7;
• Google LLC for Gmail API warmup operations and Gemini AI content generation;
• Microsoft Corporation for Microsoft Graph API warmup operations;
• Law enforcement and regulatory compliance: when required by a valid court order, subpoena, warrant, or other legal process, or when disclosure is necessary to protect SimplyWarmup's legal rights, investigate fraud or abuse, or prevent imminent harm;
• Business transfers: in connection with a merger, acquisition, financing, or sale of all or substantially all of our assets, with appropriate advance notice and, where required by applicable law, your consent.

10. Retention & Deletion

Account data is retained for the duration of your active account and for up to 90 days following account closure to allow for dispute resolution, legal holds, and abuse prevention review.

Connected Inbox tokens are deleted promptly following inbox disconnection or account termination. We do not retain OAuth tokens after the authorized connection is ended.

Operational email logs and warmup metadata are retained for up to 24 months to support health-score calculations, abuse investigation, and legal compliance.

Billing records are retained for at least 7 years as required for tax and financial compliance.

Security and access logs are retained for up to 12 months and then deleted or anonymized.

You may request deletion of your account and associated personal data by contacting [email protected]. We will process requests within 30 days, subject to legal retention obligations and active dispute or investigation holds.

11. Security

We implement reasonable technical and organizational measures to protect your data, including:

• encrypted storage of OAuth access and refresh tokens;
• HTTPS/TLS for all data in transit;
• hashed and salted password storage (no plaintext passwords);
• role-based access control limiting data access by function;
• HttpOnly, SameSite authentication cookies to reduce cross-site scripting and CSRF exposure;
• server-side antiforgery token validation on all state-changing requests;
• restricted administrative access to production systems.

No security system is infallible. In the event of a data breach that poses material risk to your rights, we will notify you and, where legally required, the relevant supervisory authority within applicable timeframes.

12. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: the right to obtain a copy of the personal data we hold about you;
• Correction: the right to request correction of inaccurate data;
• Deletion: the right to request erasure of personal data, subject to legal retention obligations;
• Restriction: the right to request restricted processing in certain circumstances;
• Portability: the right to receive your data in a structured, machine-readable format;
• Objection: the right to object to processing based on legitimate interests; and
• Withdraw consent: where processing is based on consent, the right to withdraw at any time without affecting prior lawful processing.

To exercise any of these rights, contact [email protected]. We will respond within the timescale required by applicable law (generally 30 days for GDPR, 45 days for CCPA, etc.) and may request identity verification before acting.

EU and UK data subjects may also lodge a complaint with the supervisory authority in their member state or the UK Information Commissioner's Office (ICO) if they believe their rights have been infringed.

13. Children

The Service is designed for business professionals and is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If we learn that data from a minor has been collected, we will promptly delete it and, if applicable, notify the relevant guardian.

14. Policy Changes & Contact

We may update this Privacy Policy to reflect changes in our practices, legal obligations, or the Service. We will notify you of material changes by email or in-app notice at least fifteen (15) days before the effective date. The “Effective” date at the top of this page will always reflect the current version.

For privacy questions, rights requests, or concerns, contact: