Privacy Policy

Last updated: May 3, 2026

1. Introduction

Outpace-AI, Inc. (“Outpace,” “we,” “us,” or “our”) operates outpace-ai.com and provides AI-powered sales development services (the “Services”). This Privacy Policy describes how we collect, use, and protect your information.

2. Information We Collect

Information you provide:

• Name, work email address, company name, and job title
• ICP and targeting preferences provided during onboarding
• Communications you send to our team

Information collected automatically:

• Browser type, device information, and IP address
• Usage data and analytics
• Cookies and similar technologies (see Section 7)

Information we process to deliver our Services:

• Publicly available business contact information used to identify and reach your target prospects on your behalf
• Email content of replies received from prospects, captured via our inbound mail relay (see Section 10)

3. How We Use Your Information

We use your information to:

• Deliver and improve our AI SDR services
• Generate and send outbound emails on your behalf based on your ICP and signal data
• Process payments and manage your account
• Send transactional emails related to your account
• Send marketing communications (you may opt out at any time)
• Meet our legal obligations

We do not use your data to train shared AI models. All processing is performed in isolation per account.

4. Data Security

We protect your data using AES-256 encryption at rest and TLS 1.3 in transit. Each customer's account data is isolated from all other accounts. While we follow industry-standard practices, no system is completely immune to risk. Please contact us immediately if you suspect unauthorized access.

5. CAN-SPAM Compliance

All outbound emails sent through our platform include accurate sender identification, a functional opt-out mechanism, and comply with the CAN-SPAM Act. We honor all opt-out requests within 10 business days.

6. Your Privacy Rights

California Residents (CCPA)

You have the right to know what personal information we collect, request deletion of your data, opt out of the sale of your personal information (we do not sell personal information), and be free from discrimination for exercising these rights.

To submit a request, email official@outpace-ai.com. We will respond within 45 calendar days.

EEA and UK Residents (GDPR)

You have the right to access, correct, delete, or restrict processing of your personal data. To exercise these rights, email official@outpace-ai.com.

7. Cookies

We use essential cookies required for the site to function and optional analytics cookies to understand usage patterns. You can manage cookie preferences through your browser settings.

8. Third-Party Services

We use trusted third-party providers to operate our Services. These providers process data only as necessary to deliver their respective functions and are bound by their own privacy policies. Key providers include:

• Google (Gmail, Calendar) — outbound email send and calendar integration. See Section 9 for the Limited Use disclosure governing our use of Google user data.
• Microsoft (Azure AD, Microsoft Graph) — outbound email send for Outlook customers.
• Cloudflare — edge networking, DNS, and our inbound mail relay (Email Routing on the reply.outpace-ai.com sub-domain).
• Resend — transactional email delivery (account notifications, relay mirror messages).
• Vercel — application hosting.
• Neon (PostgreSQL) — primary database.
• Lemon Squeezy — payment processing.

9. Google API Services User Data — Limited Use

Outpace's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We request the following Google OAuth scopes, each tied to a specific user-facing feature:

• https://www.googleapis.com/auth/gmail.send — required to send AI-drafted outbound emails on your behalf via the Gmail API. We only send messages you have explicitly approved through our AI Inbox interface; no automated mass-sends.
• https://www.googleapis.com/auth/calendar.events — required to create calendar events with Google Meet links when you accept an AI-drafted reply that proposes a meeting.
• https://www.googleapis.com/auth/calendar.readonly — required to read your free/busy times via calendar.freebusy.queryso the AI can propose meeting slots that don't conflict with your existing events. We do not read event titles, descriptions, attendees, or any other event details.

What we DO with Google user data:

• Use it solely to provide or improve user-facing features of the Outpace product that are prominent in the requesting application's user interface
• Store it only as long as necessary to deliver the requested feature (see Section 11)
• Encrypt it at rest (AES-256) and in transit (TLS 1.3); access is restricted to authorized employees on a need-to-know basis

What we do NOT do with Google user data:

• We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users
• We do not use Google user data to train AI/ML models for use by other customers, generalized models, or any model that benefits anyone other than the user whose data was collected
• We do not sell Google user data
• We do not use Google user data for advertising purposes, including targeting ads, retargeting, personalized advertising, or interest-based advertising
• We do not use Google user data for credit-worthiness assessment or lending purposes
• We do not allow humans to read Google user data unless we have your affirmative consent for specific messages, it is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized

10. Email Routing & Reply Capture

To deliver core product features (reply tracking, bounce detection, out-of-office filtering, AI follow-up suppression when you reply manually), Outpace operates a transparent email relay between you and your prospects. This section discloses the data flow.

Outbound (your messages to prospects)

• Sent via gmail.users.messages.send using your OAuth access token. The envelope From header is your address; we add a Reply-To header pointing at our inbound relay so we can capture replies.
• Optional advanced setup: customers may delegate a sub-domain MX record (mail.<your-domain>) to our inbound endpoint for fully domain-aligned reply routing. Opt-in only; default outbound stays on your primary address.

Inbound (prospect replies)

• Replies addressed to our relay (reply+<token>@reply.outpace-ai.com) land on a Cloudflare Email Worker. The raw RFC822 is stored in Cloudflare R2 (encrypted at rest) for audit + replay; the parsed body is captured into our database, classified (reply / bounce / out-of-office), and surfaced in your AI Inbox.
• We do not read the prospect's mailbox.The relay only sees messages that were addressed to us in the first place — Outpace has no Gmail read scope on your account or anyone else's.

Mirror (your view of replies inside Gmail)

• When a prospect reply arrives, we send a mirror copy to your primary Gmail inbox via Resend (from relay-<token>@outpace-mail.com) so the conversation stays continuous in your Gmail UI. The mirror's From and Reply-To are both set to our domain so any Reply you click in Gmail routes back through us — that's how we forward your reply to the original prospect via gmail.send, keeping the thread in sync without ever needing Gmail read access.

11. Data Retention

We retain your data for as long as your account is active or as needed to provide Services. Upon account closure, your data is deleted within 30 days. Billing records are retained as required by applicable law. You may request deletion at any time by emailing official@outpace-ai.com.

Specific retention periods for relay-captured email content:

• Cleaned reply body (used for AI classification and your AI Inbox display) — capped at 8,000 characters per message and retained for the lifetime of the associated lead record (deleted when the lead is deleted)
• Cached reply body on the send log (used for thread reconstruction) — capped at 4,000 characters
• Raw RFC822 in Cloudflare R2 (used for replay if classification needs to be re-run) — automatically deleted after 90 days via R2 object lifecycle policy
• OAuth refresh tokens — stored encrypted at rest; deleted within 30 days of account closure or when you revoke access via Google Account Permissions

12. How to Revoke Access

You can disconnect Outpace's access to your Google account at any time:

• Inside Outpace: visit Settingsand click “Disconnect” next to your connected account.
• Directly with Google: go to myaccount.google.com/permissions, find Outpace, and click Remove Access.

Revoking access immediately invalidates our OAuth tokens. We delete your stored tokens within 24 hours of revocation; associated email content is purged according to the retention schedule in Section 11.

13. Children's Privacy

Our Services are intended for business use by adults. We do not knowingly collect information from individuals under 18.

14. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or posted on our website. Continued use of our Services after changes constitutes acceptance.

15. Contact

Outpace-AI, Inc.
Email: official@outpace-ai.com