Skip to main content
Trust & security

Your prospect data has a clear path.

See what AI Outreach receives, which providers process it, how long records are kept, and the contract terms available for customer data.

Last reviewed July 15, 2026

Security at a glance

No LinkedIn credentials

The core workflow accepts profile URLs or identifiers. It does not ask for a LinkedIn password, session cookie, or account connection.

Access is scoped

Workspace data is returned only after authenticated owner or authorized-team checks on protected application paths.

Lifecycle controls

Portable export and deletion-request controls support customer access and erasure workflows, subject to legal retention needs.

Data flow

From upload to customer-directed delivery

Prospect data is used to run the workflow the customer requested. Payment processing is separate from enrichment and generation.

  1. 1

    Collect

    A customer creates an account and uploads or enters a prospect list.

    Account details, campaign instructions, prospect contact fields, company details, and professional-profile URLs or identifiers.

  2. 2

    Store and isolate

    The application stores workspace records in its database and scopes access to the authenticated owner or authorized team.

    Workflow configuration, source rows, provider responses, research, qualification, generated drafts, and operational metadata.

  3. 3

    Enrich

    When a workflow requests profile enrichment, the configured profile provider receives the minimum lookup input needed for that request.

    Usually a LinkedIn profile URL or identifier; Bright Data or a RapidAPI-hosted provider returns professional-profile data.

  4. 4

    Research and generate

    AI providers process selected profile, company, and campaign context to produce research, qualification, and message drafts.

    Relevant professional-profile fields, company context, customer instructions, prompts, and generated output sent to Perplexity, Z.AI, or Google Gemini.

  5. 5

    Deliver and delete

    Results remain in the customer workspace until viewed, exported, integrated, or removed under the retention and deletion controls below.

    Selected results may be exported to Google Sheets or a customer-configured destination. Billing stays on a separate Stripe flow.

Application controls

Security built around the workflow

These statements describe controls visible in the application and repository. Deployment-specific assurance is confirmed separately during security review.

Account and tenant boundaries

Protected workspace routes apply authenticated user ownership or explicit team authorization before returning workspace data.

Protected transport

Production outbound webhook destinations require HTTPS, and sensitive webhook credentials are encrypted at rest.

Scoped provider sharing

Provider requests are tied to a workflow purpose and carry the context needed for enrichment, research, generation, export, or billing.

User-controlled lifecycle

Customers can request a portable account export and account deletion; deletion is delayed by a grace period to prevent accidental loss.

Bounded diagnostics

Raw API diagnostics use a bounded retention job before deletion, while privacy-preserving cost totals can remain aggregated.

Signed integrations

Customer-configured completion webhooks use rotating HMAC secrets, signed payloads, delivery logs, and expiring download links.

Service providers

Where customer data can go

A provider receives data only when the corresponding product path is configured or requested. The list below covers the core enrichment, research, generation, export, and billing integrations.

AI Outreach core subprocessors and data use
ProviderWhy it is usedData involvedWhen
Bright Data(opens provider information in a new tab)Professional-profile enrichmentRetrieve public professional-profile data for a customer-requested workflow.LinkedIn profile URL or identifier, request metadata, and the resulting public profile response.Only when Bright Data is the configured enrichment provider for the requested profile.
RapidAPI(opens provider information in a new tab)API marketplace and professional-profile enrichmentRoute a profile lookup to the configured LinkedIn-data API publisher.LinkedIn profile URL or identifier, API request metadata, and the provider response.Only when a RapidAPI-hosted enrichment provider handles the requested profile.
Perplexity(opens provider information in a new tab)Web-grounded researchResearch a prospect or company and return grounded context for qualification and drafting.Prompt instructions, relevant professional-profile data, company or domain context, and generated response.When a workflow uses Perplexity research or a user invokes Perplexity-assisted autofill.
Z.AI(opens provider information in a new tab)Primary outreach message generationGenerate customer-requested outreach drafts from selected campaign and prospect context.Prompt instructions, relevant professional-profile fields, company and campaign context, and generated response.When user-visible message writing or prose synthesis uses the configured Z.AI primary provider.
Google(opens provider information in a new tab)Gemini generation and Google Sheets exportGenerate research or message drafts and export customer-selected workflow results to a sheet.Prompt and workflow context for Gemini; selected result fields and connection identifiers for Google Sheets.When Gemini generation is configured or a customer requests a Google Sheets integration.
Stripe(opens provider information in a new tab)Payments and subscription managementProcess checkout, subscriptions, credit purchases, invoices, fraud prevention, and customer billing support.Customer and account identifiers, email, order and plan metadata, and payment details entered directly into Stripe.When a customer starts or manages a paid transaction. Prospect lists are not part of the billing flow.

Deployment-specific hosting, email, monitoring, and abuse-prevention vendors are confirmed in an executed DPA or customer security review because they vary by environment.

Retention

Bounded by purpose and customer control

A shorter period applies when data is deleted and no legal retention obligation remains. A litigation hold or legal obligation can require a limited record to be kept longer.

Account and workspace data

While the account is active; certain account records may be retained for up to 1 year after closure.

An earlier deletion request is honored unless a narrower record must be kept for legal, fraud-prevention, or dispute purposes.

Prospect and workflow data

Up to 2 years, or earlier when the customer deletes the data or completes an account-deletion request.

The deletion workflow covers source prospects, enrichment, research, generated messages, and associated images.

Anonymous live demo

Demo inputs, generated research, and results are deleted within 7 days.

A daily retention task purges the demo submission, its dedicated workflow graph, and any copied showcase content.

Payment and tax records

Up to 7 years where accounting, tax, chargeback, or other legal obligations require it.

Stripe handles card data. The application retains transaction references and business records needed for billing obligations.

Usage, security, and diagnostic logs

Usage and security records may be retained up to 12 months. Raw API request/response diagnostics are configured for 30–60 days (45 days by default).

The raw API-log retention job aggregates cost totals before deleting diagnostic rows; aggregates do not preserve prompt or response bodies.

The Privacy Policy remains the public policy of record for individual privacy rights and retention commitments.

LinkedIn stance

Independent, credential-free, and customer-directed

AI Outreach is not affiliated with, endorsed by, or sponsored by LinkedIn. Its core workflow does not request LinkedIn account credentials or directly operate a customer's LinkedIn account.

Customers provide profile URLs and must have a lawful basis to use prospect information. LinkedIn's current terms restrict unauthorized scraping and automation. A subscription to AI Outreach does not grant permission to violate LinkedIn's rules, privacy law, anti-spam law, or a third party's rights.

Customers should review LinkedIn's User Agreement (opens in a new tab) and use supported methods or obtain permission where required. Generated messages are drafts for customer review; customers remain responsible for how and where they send them.

Start a data-processing review

Download the editable DPA draft, complete the party and transfer details, and send it for review. The template is not an executed agreement or legal advice.

Privacy requests: privacy@aioutreach.io

Download draft