Privacy Policy

Account information. When you sign up we collect your name, email address, school, target firms, and any profile information you choose to provide. If you authenticate via Google or another single-sign-on provider we receive your name and email from that provider.

Email-account integration. If you connect a Gmail or Outlook account we request the minimum scopes needed to draft and send email on your behalf and to read replies to threads you started through the Service. We do not read mail unrelated to those threads. You can revoke this access at any time from your email provider’s account settings.

Payment information. Payment cards and billing details are collected and stored by our payment processor, Stripe, Inc. We never see or store your full card number; we only receive Stripe’s tokenized identifiers, the last 4 digits, expiration, and brand for receipts and refunds.

Usage and device data. Like most web services we collect basic technical information about your device and browser (IP address, user agent, page paths, referrer, and timing) so we can run the Service securely and improve it.

Content you create. Notes, draft emails, contact tags, and other data you produce in the Service.

• To provide, maintain, and improve the Service;
• To authenticate you, prevent fraud, and protect the Service and its users;
• To draft personalized outreach emails on your request, using AI models from third-party providers (see Subprocessors below);
• To process subscription payments and issue refunds via Stripe;
• To send transactional and account-related email (receipts, security alerts, billing reminders);
• To analyze aggregate, de-identified usage so we can understand which features work and where we should invest;
• To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your private content to train general-purpose AI models for other customers.

We share information with the following service providers strictly to operate the Service:

• Vercel— hosting and edge delivery (United States).
• Clerk— authentication and session management.
• Neon / Postgres host— managed database storage.
• Stripe, Inc.— payments, billing, and tax handling.
• Google (Gmail OAuth) and Microsoft (Outlook OAuth)— only if you connect a mailbox.
• Groq, Inc.and other large-language- model providers — to generate draft outreach copy. Prompts contain only the context needed to draft a single message and are not retained for model training.
• Apollo.io— for keeping the alumni directory current.

Each subprocessor is bound by its own privacy and security commitments. We will update this list as our vendors change.

We use a small number of strictly-necessary cookies for authentication and CSRF protection. We may also use first-party analytics to understand how the Service is used; we do not use cross-site advertising trackers. You can clear or block cookies in your browser, but doing so may break login.

We share information only (a) with the subprocessors above, (b) when you direct us to (e.g., when you send an email through your connected mailbox), (c) when required by law, valid legal process, or to protect rights and safety, and (d) in connection with a corporate transaction such as a merger or asset sale, in which case we will provide notice and choices where required.

We keep account and usage information while your account is active and for a limited period afterward to comply with legal, accounting, and audit obligations (typically up to seven years for billing records, less for content). You can request deletion at any time via /u/data; we will delete content within thirty (30) days of a verified request, except where retention is required by law.

Depending on where you live you may have rights to access, correct, port, delete, or object to our use of your personal information, including under the California Consumer Privacy Act (CCPA), the EU/UK General Data Protection Regulation (GDPR), and similar U.S. state laws. To exercise any of these rights email privacy@reachroute.ai or use the data portal at /u/data. We will not discriminate against you for exercising any right.

The Service maintains a directory of public professional information about alumni (name, current employer, role, school) so that students can find people to reach out to. If you appear in our directory and want to be removed, visit /u/remove or email privacy@reachroute.ai and we will remove your record within thirty (30) days and prevent re-addition.

We use industry-standard administrative, technical, and physical safeguards to protect information, including encryption in transit (TLS), encryption at rest for database records, scoped OAuth tokens, and least-privilege access controls. No system is perfectly secure, and we cannot guarantee absolute security; please use a strong, unique password and enable two-factor authentication wherever it is offered.

The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

Reach Route is operated from the United States and our infrastructure is located in the U.S. If you access the Service from outside the U.S. you understand that your information will be transferred to and processed in the U.S., which may have different data-protection laws than your country. By using the Service you consent to that transfer.

We may update this Policy from time to time. If we make a material change we will notify you by email or via a notice in the Service before it takes effect. The “Effective” date at the top of this page indicates when the current version was published.

Privacy questions, deletion requests, or rights inquiries: privacy@reachroute.ai. General support: support@reachroute.ai.