Privacy Policy

Last updated: May 25, 2026

This Privacy Policy explains how Fish for Leads (operated by Diplo FZE Limited — "we", "our", "us") collects, uses, and protects information about you and your business when you use the Fish for Leads service (the "Service").

1. What information we collect

We collect three categories of data:

Account data — your business email address, name, company name, billing details, and the password you set to sign in.

Connected mailbox data — when you authorize Fish for Leads to access your Gmail or Outlook account via OAuth, we receive an access token and a refresh token from Google or Microsoft. We use these tokens to read incoming messages (so we can match replies to your outreach) and send messages on your behalf. We do not store your Google or Microsoft password.

Outreach data — the leads you import or discover via the Service, the emails you compose and send, the replies you receive, and any tags, notes, attachments, or templates you create.

2. How we use your information

  • To provide the Service: discover leads, draft emails, send messages from your mailbox, poll for replies, and store your CRM data.
  • To process billing and prevent fraud.
  • To respond to your support requests.
  • To improve the Service in aggregate (e.g., measure feature adoption). We do not train AI models on your data.
  • To send service-related notifications (deliverability alerts, billing, security).

We will never:

  • Read or scan the content of your outreach or replies except as needed to deliver the Service (e.g., showing you AI-drafted replies).
  • Share your leads or your customers' data with third parties for marketing.
  • Sell your data.
  • Send mail from your mailbox without your action (manual click or autopilot you have configured).

3. Third parties we share data with

To provide the Service, the following processors receive limited data:

  • Anthropic — when you use AI features (draft email, draft reply, lead extraction), the relevant text content is sent to Anthropic's API for processing. Anthropic does not train on this data per its commercial terms.
  • Google — when you connect a Gmail mailbox, OAuth communicates with Google. Diplofze's use of information from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Microsoft — same, when you connect an Outlook / Microsoft 365 mailbox via Microsoft Graph.
  • SerpAPI — when you run web-search-based lead discovery, your search query is sent to SerpAPI to obtain organic search results.
  • Supabase — our managed Postgres database provider, hosting your account and CRM data in EU-West (Ireland).
  • Vercel — our application hosting provider.
  • Stripe — payment processing for paid plans. Stripe receives billing details directly; we do not store full card numbers.

We have data processing agreements (DPAs) in place with each processor.

4. Data location and retention

Your data is stored in EU-West (Ireland) by default. While the Service operates, we retain your data for as long as your account is active.

If you cancel your subscription, we retain your data for 30 days to allow restoration if you change your mind, then permanently delete it. You can request immediate deletion at any time by emailing privacy@diplofze.com.

Backups are kept for 7 days for disaster recovery and are encrypted at rest.

5. Security

  • All data in transit is encrypted via TLS 1.2+.
  • OAuth tokens and other sensitive credentials are encrypted at rest.
  • Access to production systems is limited to a small number of authorized engineers and requires two-factor authentication.
  • We log access to our systems and review logs for anomalies.

No system is perfectly secure. If we detect a breach affecting your data, we will notify you within 72 hours per applicable law (including GDPR Article 33).

6. Your rights

Depending on your location, you may have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data in a portable format
  • Object to or restrict our processing of your data
  • Withdraw consent
  • Lodge a complaint with a supervisory authority

To exercise any of these, contact privacy@diplofze.com. We respond within 30 days.

7. Cookies and tracking

We use a single first-party cookie (dpfz_admin_session) to keep you signed in. We do not use third-party advertising cookies. Anonymous product analytics may be collected via PostHog (no cross-site tracking).

8. Compliance with cold-email law

Fish for Leads provides tools for sending email, but YOU are the sender and YOU are responsible for compliance with applicable law:

  • CAN-SPAM (US) — include an unsubscribe link (we do this automatically), identify yourself accurately, honor opt-outs.
  • GDPR (EU) — process personal data of EU residents lawfully (legitimate interest or consent), provide a clear opt-out, honor data subject requests.
  • CASL (Canada), UK PECR, and other regional laws.

The Service's built-in features (unsubscribe link, do-not-contact list, blocklist) help you stay compliant, but the legal responsibility for what you send rests with you.

9. Children

The Service is intended for businesses and not directed to children under 16. We do not knowingly collect data from children.

10. Changes to this Policy

If we make material changes to this Policy, we will notify you by email at least 30 days before the changes take effect. Continued use after the effective date constitutes acceptance.

11. Contact

Diplo FZE Limited
Tema, Ghana
Email: privacy@diplofze.com