Privacy Policy
Last Updated: February 15, 2026
Plain Language Summary
We value your privacy. Here's the short version:
- We do not sell your data.
- What we collect: Account info, website usage, Customer and End User data, embeddings (not raw text/audio).
- How we use it: To provide, secure, and improve our services.
- Who we share with: Only trusted subprocessors (listed at coldcheck.ai/subprocessors).
- AI training: Your data is never used to train AI models. Our AI providers (OpenAI, Anthropic) do not train on API data per their policies.
- How long we keep it: Until you request deletion or your account ends. Our AI providers may retain API data for up to 30 days per their policies.
- Age requirement: You must be 18+.
- Questions? Contact us at privacy@coldcheck.ai.
The rest of this Policy provides full legal details.
1. Introduction
This Privacy Policy ("Policy") applies to all the services offered by ColdCheck, Inc., a Delaware corporation, and its affiliates (collectively "ColdCheck"). This Policy also applies to information we collect when you apply for a job at ColdCheck. This Policy covers our usage of data provided by you to ColdCheck on our website or any other ColdCheck platform.
"Customer" refers to an entity that directly engages with ColdCheck to use our services. "Customer's End Users" are end-users who use Customer platforms and thus indirectly use ColdCheck services.
ColdCheck is committed to protecting the privacy of both Customers and Customer's End Users.
2. Information We Collect
Personal Data
"Personal Data" means information relating to an identified or identifiable person.
Website Data
We may collect:
- Name, company name, email address, phone number
- Other identifiers that allow contact online or offline
Customer Data
We may collect:
- Account information
- Customer usage activity within the Services
- Website navigational information: cookies, IP addresses, browser/device data, clickstream
We use this to:
- Deliver and bill for Services
- Improve and secure Services
- Troubleshoot, enforce agreements, comply with law
Customer's End User Data
ColdCheck may process certain data about Customer's End Users, depending on Customer's integration. This may include identifiers, metadata, and embeddings.
If Customer is using GenAI Services, Customer content (including End User data) may be transmitted — in anonymized form or as-is — to third-party AI providers (e.g., OpenAI) authorized by Customer. Once transmitted, such providers' terms apply. ColdCheck cannot control data after it leaves our environment.
End Users should review the applicable Customer's privacy policy to understand what information is collected and shared.
ColdCheck will not review, share, or distribute End User data except as required by law or under the terms of our agreement with Customer.
End Users seeking access, correction, or deletion of their data must contact the Customer directly. Upon verified Customer request, ColdCheck will respond within agreed SLA timelines.
AI Model Training: ColdCheck does not operate its own AI models. We use third-party AI providers (OpenAI, Anthropic) via their API services. Per their published policies, OpenAI and Anthropic do not use API customer data to train their models. ColdCheck does not use identifiable Customer or End User content to train any AI models.
Non-Personal Data
ColdCheck may collect non-identifiable data such as:
- Browser/device info, IP-based geolocation
- Referral/exit URLs
- Aggregated usage statistics
We use this for analytics, diagnostics, compliance, and improvement.
Cookies & Tracking
We use cookies, pixel tags, and web beacons to improve Service functionality and measure performance. You can control cookies through your browser settings.
3. What We Do Not Collect
We do not knowingly collect or solicit personal data from anyone under 18. If we discover such data, we will delete it.
4. Sharing of Data
No Sale of Data
We do not sell personal data.
Authorized Third-Party Service Providers
We share data only with subprocessors as necessary to provide Services. These include:
- Google Cloud (hosting, compute, storage, caching, background jobs, Pub/Sub)
- Google Analytics (basic traffic/usage data)
- Supabase (database hosting, realtime subscriptions, vector storage for development, local, and production environments)
- SendGrid (transactional email delivery)
- HubSpot (contact forms only)
- Google Auth (authentication)
- Microsoft Auth (authentication)
- OpenAI (text embeddings)
- Anthropic (AI processing)
- Gleap (customer feedback and support)
- Stripe (payment processing, subscription management, billing)
The updated list is available at: coldcheck.ai/subprocessors
Mergers / Acquisitions
If ColdCheck merges, is acquired, or files for bankruptcy, data may transfer to the successor entity subject to this Policy.
Law Enforcement & Extraordinary Circumstances
We may disclose data if required by law or if necessary to protect rights, property, or safety, or to prevent imminent harm.
5. Data Retention
- We retain data until Customer requests deletion or account termination.
- Embeddings are retained; raw text/audio is not.
- Our AI providers retain API data per their own policies: OpenAI retains data for up to 30 days; Anthropic retains data for up to 30 days. These retention periods are set by the providers, not ColdCheck.
6. Data Controller, Data Processor & DPO
- Customers are Controllers of their End User Data.
- ColdCheck acts as Processor.
Our Data Protection Officer (DPO) can be contacted at: privacy@coldcheck.ai
7. Security
We implement industry-standard safeguards including:
- Encryption at rest and in transit
- Access controls
- Logging and monitoring
- Incident management procedures
- Employee confidentiality training
Details: coldcheck.ai/security
8. State Privacy Rights
Residents of CA, VA, CO, CT, UT, TX, OR, and DE have specific rights:
- Right to know/access
- Right to correction
- Right to deletion
- Right to portability
- Right to opt-out (targeted ads, sale, profiling)
- Right to non-discrimination
Requests can be sent to: privacy@coldcheck.ai
We respond within statutory timelines (generally 45 days).
Resources:
- California (CCPA/CPRA): https://oag.ca.gov/privacy/ccpa
- Virginia (VCDPA): https://www.oag.state.va.us/consumer-protection
- Colorado (CPA): https://coag.gov/resources/data-privacy/
- Connecticut (CTDPA): https://portal.ct.gov/AG/Sections/Privacy/Privacy
- Utah (UCPA): https://dcp.utah.gov/
- Texas (TDPSA): https://www.texasattorneygeneral.gov/divisions/consumer-protection/data-privacy
- Oregon (OCPA): https://www.doj.state.or.us/consumer-protection/
- Delaware (DPDPA): https://attorneygeneral.delaware.gov/fraud/consumer-protection/
9. Third-Party Websites
This Policy applies only to ColdCheck Services. Third-party sites have their own policies.
10. Email Choice / Opt-Out
If you opt in, we may send emails about new products or offers. You can unsubscribe anytime.
11. Browser Extension
The ColdCheck Chrome Extension provides access to ColdCheck draft generation directly within Gmail, Outlook, and LinkedIn. This section describes additional data practices specific to the extension.
Data the Extension Accesses
- Compose window content on Gmail and Outlook (to detect active compose windows and insert generated drafts)
- Recipient email addresses visible in the Gmail or Outlook compose context (to personalize generated drafts)
- Email thread content when you choose to include conversation context
- On LinkedIn, the extension detects only whether you are on a messaging or feed page to auto-select the correct channel. No page content, profile information, or compose text is read.
Data the Extension Does Not Access
- The extension does not read your inbox, sent mail, contacts, or browsing history
- The extension does not access any page content outside of compose windows on Gmail and Outlook
- On LinkedIn, the extension does not read any page content; it only detects which section you are in
How Data Is Processed
- Compose context and recipient information are sent to ColdCheck servers for draft generation only when you explicitly request a draft
- ColdCheck analyzes your writing style patterns (sentence structure, vocabulary, tone) and stores these patterns as numerical embeddings — not the original text
- Generated drafts are stored in your ColdCheck account and can be deleted at any time
Authentication and Token Storage
- The extension authenticates via your existing ColdCheck account using a secure OAuth-style flow
- Short-lived access tokens are stored in chrome.storage.session (cleared when the browser closes)
- Refresh tokens are stored in chrome.storage.local (encrypted at rest by Chrome) and are hashed (SHA-256) before being stored server-side
- You can revoke all extension tokens from within the extension or by signing out
Permissions
The extension requests only the permissions necessary to function: detecting compose windows, displaying the side panel, and authenticating your account. Host access is limited to mail.google.com, outlook.live.com, outlook.office.com, outlook.office365.com, and linkedin.com.
12. Complaints
For privacy concerns: privacy@coldcheck.ai
For legal matters: legal@coldcheck.ai
For support: support@coldcheck.ai