LEGAL
Privacy Policy
1. INTRODUCTION AND COMPANY IDENTITY
This Privacy Policy ("Policy") explains how Outmate.ai ("Outmate", "we", "us", or "our") collects, uses, discloses, retains, and protects personal data. Outmate.ai is a business-to-business ("B2B") go-to-market ("GTM") intelligence platform whose core capability is the identification and de-anonymization of business website visitors, together with related sales-intelligence, enrichment, signal-detection, workflow-automation, and AI-assistant ("Copilot") features.
Outmate.ai is operated by Outmate.
We are committed to handling personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Indian Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 ("DPDP"), and the ePrivacy Directive 2002/58/EC as implemented in EU and EEA member states.
Please read this Policy together with our Cookie Policy, Terms and Conditions, Acceptable Use Policy, and, where applicable, our Data Processing Agreement, each of which is incorporated by reference.
2. CONTROLLER AND PROCESSOR ROLES
Data protection law distinguishes between a "controller" (the party that determines the purposes and means of processing personal data) and a "processor" (the party that processes personal data on behalf of a controller). Outmate acts in different roles depending on the data concerned.
Outmate as Controller. We act as a controller for: (a) personal data of our registered users, account holders, and authorized representatives of subscribers; (b) personal data of visitors to our own website and marketing properties; and (c) billing, support, and business-administration data.
Outmate as Processor. When a subscriber deploys the Outmate visitor-tracking pixel on the subscriber's own website and uses our platform to identify and enrich that website's visitors, the subscriber is the controller of that visitor data and Outmate acts as the subscriber's processor, processing the data in accordance with the subscriber's instructions and our Data Processing Agreement.
Service-Improvement and Identification Network. Outmate maintains identification and enrichment infrastructure (including a pseudonymous cross-account identity layer) used to resolve visitor identities and improve identification accuracy across the service. To the extent Outmate determines the purposes and means of this infrastructure, Outmate may act as a controller or joint controller for those limited purposes. Where required, the respective responsibilities of Outmate and a subscriber are set out in our Data Processing Agreement.
3. SCOPE OF THIS POLICY
This Policy applies to: (a) visitors to our own website and any person whose personal data we process as a controller; (b) registered users and authorized representatives of subscribers; and (c) identified B2B contacts and the website visitors of our subscribers, in respect of whom we generally act as a processor.
This Policy does not apply to the independent privacy practices of our subscribers, of third-party websites that deploy our pixel, or of third-party services that a subscriber connects to the platform. Those parties maintain their own privacy notices.
4. CATEGORIES OF DATA WE COLLECT
User Account Data (Outmate as controller). When you register for or use the platform, we collect: full name; business email address; company or workspace name; hashed account password (passwords are stored only as a one-way PBKDF2-SHA256 hash and are never stored or accessible in plain text); onboarding and configuration preferences; ideal-customer-profile ("ICP") settings; integration configuration; role and permission attributes; and records of your acceptance of our terms.
Authentication and Security Data. We collect data necessary to authenticate you and secure your account, including session tokens (JSON Web Tokens), token-version and token-identifier values used for session revocation, and security and audit logs. Authentication tokens are stored in your browser's local storage; the Outmate application itself does not set authentication cookies (see our Cookie Policy).
Visitor Identification Data (Outmate generally as processor). Through the visitor-tracking pixel that a subscriber deploys on the subscriber's website, we collect data about that website's visitors, as described in Section 5.
Enrichment Data. We append additional business and contact data to identified companies and persons from third-party data providers, as described in Section 6.
Behavioral and Signal Data. We collect and derive behavioral metrics and buying-intent signals, including page views, dwell time, scroll depth, call-to-action interactions, page sequences, engagement scores, intent scores, predicted persona and buying stage, and externally sourced business signals (for example, hiring changes, funding events, or news mentions relating to a company).
Integration Data. Where you connect third-party services, we process the data exchanged with those services and store encrypted credentials and access tokens, as described in Section 8.
AI and User-Generated Content. We process the prompts, instructions, sequences, workflows, knowledge-base content, and other content you submit to the platform, together with the outputs generated by our AI features.
Communications and Support Data. We process the content of communications you send to us and records of your support interactions.
We do not knowingly collect special categories of data (such as health, religion, or political opinions) and instruct subscribers not to use the platform to process such data.
5. HOW THE VISITOR-TRACKING PIXEL WORKS AND WHAT IT CAPTURES
The Outmate visitor-tracking pixel is a small JavaScript file that a subscriber chooses to install on the subscriber's own website. When a visitor loads a page on which the pixel is active and the applicable consent conditions are met (see Section 5.4), the pixel transmits event data to Outmate.
Data Captured by the Pixel. The pixel may capture and transmit: the visitor's IP address; user-agent string; full page URL; HTTP referrer; page title and primary heading; event type (such as page view or page exit); timestamps; viewport dimensions; effective network connection type; dwell time on page; maximum scroll depth; counts of clicks on high-intent elements (such as pricing, demo, sign-up, booking, or contact elements); a first-party visitor identifier; and a device characteristics hash (a "fingerprint") derived from browser and device attributes such as canvas and WebGL rendering characteristics, screen and device-pixel-ratio values, time zone, language, platform, and similar signals.
Email Capture. The pixel captures a visitor's email address only where (a) the visitor submits an email address through a form on the subscriber's website, or (b) the subscriber's website explicitly passes an email address to the pixel through the documented identify function. Email addresses used solely to log in to the subscriber's own services, and email addresses associated with Outmate account logins, are not fed into the enrichment pipeline.
Consent Gating. The pixel is designed to respect end-user consent and tracking-preference signals. Before activating, the pixel checks for: a stored opt-out flag; the browser "Do Not Track" signal; the Global Privacy Control ("GPC") signal; and recognized consent-management platforms, including the IAB Transparency and Consent Framework ("TCF 2.0"), Cookiebot, and OneTrust. For visitors the pixel determines to be located in the EU, EEA, United Kingdom, or Switzerland (detected through explicit configuration, the presence of a consent-management platform, or time-zone indicators), the pixel defaults to a consent-denied ("fail-closed") state and does not track unless an affirmative consent signal is received from a consent-management platform for the relevant purposes.
Client-Side Storage Set by the Pixel. On the subscriber's website, the pixel may store a first-party visitor identifier and, where applicable, a captured email address and an opt-out flag, using browser local storage and first-party cookies with a lifetime of up to 365 days. These identifiers and the consent mechanism are described further in our Cookie Policy.
Subscriber Responsibility. The subscriber, as controller of its own website visitor data, is responsible for providing notice to its website visitors, for obtaining any legally required consent, and for configuring the pixel's privacy settings appropriately. These obligations are set out in our Terms and Conditions and Data Processing Agreement.
6. PERSON-LEVEL AND COMPANY-LEVEL DATA FIELDS
Identification. Outmate seeks to resolve anonymous website visits to a company and, where supported and lawful, to an individual professional, using a tiered confidence model. Identification signals may include: reverse IP and IP-to-company lookups; corporate-domain resolution from a captured business email address; reverse DNS and registration (RDAP) data; a pseudonymous cross-account identity layer; and third-party identity and enrichment providers (see Section 7).
Company-Level Fields. For identified companies we may store and display: company name and normalized name; primary corporate domain; industry; approximate employee count or headcount band; funding and firmographic attributes; technologies in use; headquarters and location; and company social and web profiles.
Person-Level Fields. Where an individual is identified, we may store and display business-context personal data, including: full name; business email address; job title and seniority; LinkedIn or professional profile URL; and, where provided by a data provider and enabled by the subscriber, business telephone number.
Geolocation Fields. From the visitor's IP address we derive approximate geolocation, including country, region, and city, and associated network attributes such as the autonomous-system organization and indicators of mobile, proxy, hosting, or residential connections. We do not collect precise GPS location through the pixel.
Derived and Internal Fields. We compute and store derived attributes such as identity confidence scores, intent scores, identity tiers, filtering classifications (for example, bot, internal, or consumer-ISP traffic), and source/method metadata used for quality assurance.
Encryption of Identity Data. Where enabled, sensitive person-level fields (including email address, full name, telephone number, professional profile URL, and job title) are encrypted at rest using authenticated symmetric encryption, with deterministic hashes maintained to support lookup and deletion.
7. THIRD-PARTY ENRICHMENT PROVIDERS (SUBPROCESSORS)
To identify and enrich companies and contacts, Outmate uses third-party data and infrastructure providers acting as subprocessors. Depending on configuration, these may include geolocation and IP-intelligence providers (including ip-api and IPinfo), business and contact data providers (which may include enrich.so, Explorium, ContactOut, Apollo, Hunter, and BetterContact), web-search and research providers (including Serper and Tavily), and, where expressly enabled, identity-cooperative providers (which may include People Data Labs or LiveRamp).
Our large-language-model ("LLM") processing is routed exclusively through OpenRouter, which in turn provides access to Anthropic Claude models. Prompt and response content processed for AI features may be transmitted to these providers for the sole purpose of generating the requested output.
Core infrastructure subprocessors include our cloud hosting and platform provider (Microsoft Azure), our managed database provider (Supabase), and our managed cache and queue provider (Upstash).
A current list of subprocessors, including their processing purpose and location, is available on request and, where required, is maintained in or alongside our Data Processing Agreement.
8. INTEGRATIONS
Subscribers may connect third-party services to the platform, including customer-relationship-management systems (for example, HubSpot, Salesforce, Pipedrive, Zoho), email and outreach tools (for example, Google Gmail via the Gmail API, Microsoft Outlook, and others), messaging tools (for example, Slack), productivity tools (for example, Google Workspace applications), and automation tools (for example, Zapier or Make).
When you connect an integration, we exchange data with that service as necessary to provide the requested functionality and store the associated access credentials and tokens in encrypted form. Where you connect Google services, Outmate requests only the scopes necessary for the selected functionality; basic sign-in requests only your OpenID, email, and profile, while functional scopes (such as sending email via the Gmail API) are requested separately and only with your additional consent.
Outmate's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Third-party services are controlled by their respective providers and governed by their own terms and privacy policies. We are not responsible for the data practices of third-party services.
9. HOW WE USE PERSONAL DATA
We use personal data to: (a) provide, operate, secure, and maintain the platform; (b) identify and de-anonymize business website visitors on behalf of subscribers; (c) enrich company and contact records; (d) detect and score buying-intent and business signals; (e) build and prioritize sales pipeline and match records to a subscriber's ICP; (f) trigger and execute workflows and automations configured by the subscriber; (g) generate AI-assisted insights, drafts, and recommendations through Copilot; (h) authenticate users and manage access and security; (i) provide support and communicate with you; (j) process billing and administer the business relationship; (k) improve and develop the platform, including the accuracy of identification and enrichment; and (l) comply with legal obligations and enforce our terms.
Automated Processing. The platform performs automated scoring and classification (for example, intent scoring, ICP matching, and signal scoring) to prioritize records and surface insights. These processes do not produce legal or similarly significant effects on the individuals concerned. AI-generated outputs are intended to assist human users and require human review (see our AI Disclaimer).
10. LEGAL BASES FOR PROCESSING
GDPR / UK GDPR (where applicable). Where we act as a controller, we rely on the following lawful bases under Article 6(1): (a) performance of a contract, to provide the platform to our users and subscribers; (b) legitimate interests, for operating, securing, and improving the platform, for B2B relationship and sales-intelligence purposes, and for protecting against fraud and abuse, balanced against the rights and freedoms of data subjects; (c) consent, where required, including for certain tracking technologies; and (d) compliance with legal obligations. Where we act as a processor for visitor identification on behalf of a subscriber, the subscriber is responsible for establishing the lawful basis (which, for tracking technologies and de-anonymization in the EU/EEA/UK, will ordinarily require end-user consent under the ePrivacy regime).
CCPA/CPRA. We process the categories of personal information described in this Policy for the business and commercial purposes stated here. The B2B and employment partial exemptions under the CCPA expired on 1 January 2023; accordingly, B2B contact personal information is treated as personal information subject to the CCPA/CPRA. We do not "sell" personal information for money. To the extent that disclosures to data and advertising partners constitute "sharing" or a "sale" under the CCPA/CPRA, we honor opt-out rights as described in Section 13.
India DPDP. Under the DPDP Act and Rules, processing of personal data is principally consent-based and requires itemized notice and purpose-limited retention. Where we process the personal data of individuals in India as a Data Fiduciary, we rely on consent or on legitimate uses permitted by the DPDP Act, and we provide the notices and honor the rights required by that law.
11. DATA SHARING AND DISCLOSURE
We disclose personal data to: (a) subprocessors and service providers, as described in Section 7, under contractual confidentiality and data-protection obligations; (b) third-party services that a subscriber chooses to connect, as directed by the subscriber; (c) the subscriber that controls the relevant visitor data; (d) professional advisers, auditors, and insurers; (e) authorities, regulators, or other parties where required by law or to protect rights, safety, and the integrity of the platform; and (f) a successor entity in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
We do not disclose personal data to third parties for their own independent marketing without an appropriate lawful basis.
12. INTERNATIONAL DATA TRANSFERS
Outmate operates across, and serves users in, the United States, India, and the European Union and other regions. Personal data may be transferred to, stored in, and processed in countries other than the country in which it was collected, including the United States and India, whose data-protection laws may differ from those of your country.
Where we transfer personal data out of the EEA, the United Kingdom, or other regions with transfer restrictions, we implement appropriate safeguards, which may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary measures. The primary hosting regions for our database and infrastructure are our designated cloud region and our designated cloud region. A copy of the relevant safeguards may be requested using the contact details in Section 18.
13. YOUR RIGHTS AND CHOICES
Rights under GDPR / UK GDPR. Subject to conditions and exemptions, you have the right to: access; rectification; erasure; restriction of processing; data portability; objection to processing (including processing based on legitimate interests and direct marketing); and the right not to be subject to solely automated decisions producing legal or similarly significant effects. You may also withdraw consent at any time where processing is based on consent.
Rights under CCPA/CPRA. Subject to conditions, California residents have the right to: know and access the categories and specific pieces of personal information collected; delete personal information; correct inaccurate personal information; opt out of the "sale" or "sharing" of personal information; limit the use and disclosure of sensitive personal information (which, for Outmate, may include precise-adjacent network-derived location data); and not be subjected to discrimination for exercising these rights.
Rights under India DPDP. Subject to conditions, data principals in India have the right to: access a summary of personal data processed; correction, completion, updating, and erasure; grievance redressal; and to nominate another individual to exercise rights in the event of death or incapacity.
Exercising Your Rights. You may exercise your rights using the contact details in Section 18. Where Outmate acts as a processor (for example, in respect of a subscriber's website visitor data), we will refer your request to the relevant subscriber (the controller) and assist them in responding, or act on the subscriber's instructions. We will verify your identity before acting and will respond within the timeframes required by applicable law. You may authorize an agent to act on your behalf where permitted.
Complaints. You have the right to lodge a complaint with a supervisory or data-protection authority, including your local EU/EEA supervisory authority, the UK Information Commissioner's Office, or the Data Protection Board of India, as applicable.
14. B2B CONTACT AND VISITOR OPT-OUT
Visitor Opt-Out. Individuals identified through the visitor-tracking pixel may opt out of tracking. The pixel honors browser-level signals (including Do Not Track and Global Privacy Control), recognized consent-management platforms, and an opt-out mechanism that records the visitor's choice and prevents further tracking of that visitor.
Do-Not-Contact and Suppression. If you are a business contact and do not wish to have your business-context personal data processed or appear in Outmate-generated records, you may submit a request using the contact details in Section 18. We maintain suppression and opt-out mechanisms and will action verified requests, including by suppressing future processing of the relevant identifiers.
Right to Erasure of Visitor Data. We provide a mechanism to erase visitor identification data associated with a visitor identifier or email address across the service, including associated visit records, sessions, alerts, and pseudonymous identity-layer entries, and we maintain an audit record of such actions.
15. COOKIES AND TRACKING TECHNOLOGIES
The Outmate application and dashboard do not set advertising or analytics cookies and do not embed third-party analytics or advertising trackers on our own authenticated product surfaces. Authentication state is maintained in browser local storage rather than cookies.
The visitor-tracking pixel, when deployed by a subscriber on the subscriber's website, uses first-party cookies, local storage, and device-characteristic signals (including a device fingerprint) to identify and de-anonymize visitors, subject to the consent gating described in Section 5.4.
Full details of the cookies and similar technologies we and our pixel use, their purposes, and their durations, together with the consent mechanism, are set out in our Cookie Policy.
16. DATA RETENTION
We retain personal data for as long as necessary to fulfil the purposes described in this Policy, to provide the platform, to comply with legal obligations, to resolve disputes, and to enforce our agreements.
Account Data. We retain user and account data for the duration of the account relationship and for a limited period thereafter, unless a longer period is required by law.
Visitor Identification and Enrichment Data. We retain visitor identification, enrichment, and signal data for a limited period, after which it is deleted or anonymized, unless a subscriber instruction, legal obligation, or live opt-out/suppression record requires otherwise.
Opt-out and suppression records are retained for as long as necessary to honor the opt-out, currently up to two years for visitor opt-out tokens.
Where we no longer require personal data, we delete or anonymize it. Backups are overwritten on a rolling basis.
17. SECURITY
We implement technical and organizational measures designed to protect personal data, including: encryption in transit (TLS); access controls and authentication, including token-version-based session revocation; one-way hashing of account passwords; encryption at rest for sensitive identity fields where enabled; least-privilege access; secret management; rate limiting on sensitive endpoints; audit logging of access to sensitive personal data; and restricted, whitelist-based cross-origin access.
No method of transmission or storage is completely secure. While we strive to protect personal data, we cannot guarantee absolute security. We maintain processes to detect, investigate, and notify relevant parties of personal-data breaches as required by applicable law.
18. CONTACT AND DATA PROTECTION REPRESENTATION
For privacy questions, requests, or complaints, contact us at gautam@outmate.ai or by post at .
Data Protection Officer. We have assessed that we are not required to appoint a statutory Data Protection Officer; you may direct all privacy inquiries to our privacy contact below.
EU/UK Representative. Where required by applicable law, we will appoint and identify our representatives in the European Union and the United Kingdom.
India Grievance Contact. For data principals in India, our contact for grievance redressal under the DPDP Act is gautam@outmate.ai.
19. CHILDREN'S DATA
The platform is intended exclusively for B2B use by professionals and is not directed to, or intended for, individuals under the age of 18 (or the age of majority in the relevant jurisdiction). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it.
20. CHANGES TO THIS POLICY
We may update this Policy from time to time. When we make material changes, we will update the "Last Updated" date and, where required by law, provide additional notice. Your continued use of the platform after the effective date of a revised Policy constitutes acceptance of the changes, to the extent permitted by law.
This document is provided for general information and does not constitute legal advice. Items shown highlighted are subject to final confirmation before publication.