Privacy Policy

Last updated: March 15, 2026

dm-the-boss ("we", "our", "us") is a web application that helps job seekers find relevant contacts at companies and send personalized cold emails. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

1. Information We Collect

Account information: When you sign in with Google, we receive your name, email address, and profile information from your Google account. We store your email address and display name to operate your account.

Google OAuth tokens: We securely store your Google OAuth access and refresh tokens on our server to send outreach emails from your Gmail account on your behalf. These tokens are never exposed to the client or shared with third parties.

Campaign data: When you create an outreach campaign, we store the company name, role, team, and location you provide. We also store the contacts discovered by our AI and the emails generated for each campaign.

Payment information: When you subscribe, your payment is processed by Dodo Payments, our merchant of record. We do not directly collect or store your credit card number or payment details. Dodo Payments handles all payment processing, tax collection, and compliance. We store only your subscription status, Dodo customer ID, and associated email address to manage your account access.

2. How We Use Your Information

To authenticate you and maintain your session
To search for relevant contacts at companies you specify
To generate personalized outreach emails
To send emails from your Gmail account after you review and approve each one individually
To display your outreach history and campaign results
To sign your outreach emails with your display name

3. Google API Services — Limited Use Disclosure

dm-the-boss uses Google API Services to provide its core functionality. Specifically, we request the following Google OAuth scope:

gmail.send — Used solely to send outreach emails from your Gmail account on your behalf, after you review and approve each email. We do not read, scan, delete, or modify your existing emails, contacts, calendar, or any other Gmail data.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

We only request the minimum permissions necessary (gmail.send) to send emails from your Gmail on your behalf.
We do not read, scan, or access your existing emails, contacts, or any other Gmail data.
We do not use your Google data for advertising, market research, or any purpose unrelated to providing the dm-the-boss service.
We do not sell, lease, or share your Google data with third parties.
Emails are only sent when you explicitly review and click Send for each individual email. No emails are ever sent automatically.
Your Google OAuth tokens are stored securely server-side, encrypted at rest, and are never exposed to the browser or shared with any third party.

4. Third-Party AI Services

We use the following AI and search services to power our contact discovery and email generation features:

Anthropic (Claude) — Used to analyze company information and structure contact search results. We send company names, roles, team names, and publicly available search results. We do not send your personal information (email, name, or Google data) to this service.
Google Gemini — Used to generate personalized outreach emails. We send company names, roles, contact names/titles, and your display name (for the email signature). We do not send your email address or Google data to this service.
SerpAPI — Used to perform Google web searches for company information and LinkedIn profiles. Search queries contain only company names and role descriptions, not your personal data.

These services process data according to their own privacy policies. We do not control how they handle data after we send it, but we minimize the personal information shared with them.

5. Data Storage and Security

Your data is stored in a Supabase (PostgreSQL) database. Google OAuth tokens are stored server-side and are never exposed to the browser. All data is transmitted over HTTPS. All database operations are scoped to your user account — you can only access your own data.

6. Data Retention and Deletion

We retain your data for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting us at the email address below. Upon account deletion, we will remove all your data from our systems, including campaigns, contacts, emails, and stored OAuth tokens.

7. Your Rights

You can view and edit your display name at any time from the Profile page.
You can revoke dm-the-boss's access to your Google account at any time via your Google Account permissions page.
You can request a copy of your data or request deletion by contacting us.

8. Cookies

We use a single authentication cookie to maintain your login session. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

9. Children's Privacy

dm-the-boss is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of any material changes by updating the "Last updated" date at the top of this page.

11. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: rajat@astav.tech