
Privacy Policy

Effective date: 1 January 2026 | Last updated: 6 May 2026 | Version: 1.0

This Privacy Policy explains how GreenDoorAI Ltd ("GreenDoorAI", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit www.greendoorai.com (the "Website") or use the GreenDoorAI platform and related services (the "Service").

We act as a data controller for personal data we collect about visitors to our Website, people who contact us, and account holders of our Service. When our customers use the Service to process personal data about their own prospects, leads, or contacts (for example, by connecting an email account so we can analyse messages), our customer is the controller and we act as a data processor on their behalf, governed by a Data Processing Agreement (DPA).

The short version. We collect the minimum data we need to run the Service, we never sell your personal data, and we do not use customer data, emails, or meeting content to train any AI model — ours or any third party's. You have rights over your data and you can exercise them by emailing privacy@greendoorai.com.

Contents

  1. Who we are and how to contact us
  2. The personal data we collect
  3. How and why we use personal data
  4. Our legal bases (UK / EU GDPR)
  5. AI processing and model training
  6. Data about prospects and other third parties
  7. Who we share data with
  8. International data transfers
  9. How long we keep data
  10. Security
  11. Your rights
  12. Notice to California residents (CCPA/CPRA)
  13. Cookies and similar technologies
  14. Children
  15. Changes to this policy
  16. Contact and complaints

1. Who we are and how to contact us

GreenDoorAI Ltd is a company incorporated in England and Wales (company number 17077033), with its registered office at 28 Nursery Place, Sevenoaks, England, TN13 2RH.

For any privacy-related question, request, or complaint, please contact:

  • Email: privacy@greendoorai.com
  • Post: Privacy Team, GreenDoorAI Ltd, 28 Nursery Place, Sevenoaks, England, TN13 2RH

We do not currently maintain an establishment in the European Economic Area or actively offer the Service to people located there. If and when we begin actively offering the Service in the EEA, we will appoint a representative under Article 27 EU GDPR and update this Policy with their details. In the meantime, EEA-based individuals may contact us using the details above.

2. The personal data we collect

We collect personal data in three main ways:

2.1 Data you give us directly

  • Account data: name, work email address, company name, role, password (hashed).
  • Billing data: billing name, billing address, VAT number, plan, invoices. Payment card details are entered directly with our payment processor (Stripe) and are not stored on our servers.
  • Communications: messages you send us by email, support requests, demo bookings, survey responses, and content you post in product feedback channels.
  • Configuration data: Ideal Customer Profile (ICP) definitions, personas, segments, messaging preferences, sender identities you configure in the Service.

2.2 Data we collect automatically when you use the Website or Service

  • Device and connection data: IP address, approximate location (country/city derived from IP), browser type and version, operating system, device identifiers, language settings.
  • Usage data: pages viewed, features used, timestamps, click events, referring URL, session duration, errors encountered.
  • Cookies and similar technologies: see our Cookie Policy for details and how to manage your preferences.

2.3 Data we receive from third parties or generate from connected accounts

  • Connected mailbox / calendar / CRM data (only when you explicitly connect them): email subjects and bodies, attachments, recipient and sender addresses, calendar events, meeting transcripts you provide, CRM records you sync. This may include personal data about your own colleagues, customers, and prospects.
  • Enrichment data from third-party providers (for example, Apollo) and from publicly available sources: business contact details (work email, phone), job title, employer, public professional profile information, company firmographics.
  • Authentication providers: if you sign in via Google or Microsoft, we receive the basic profile information those providers send (name, email, profile image).
  • Payment provider: Stripe shares the result of payment authorisations and limited card metadata (last 4 digits, brand, expiry) for receipts and fraud prevention.

We do not knowingly collect special category data (racial or ethnic origin, health, political opinions, etc.) and we ask that you do not submit such data into the Service.

3. How and why we use personal data

| Purpose | Categories of data |
|---|---|
| Provide, operate, and personalise the Service | Account, configuration, connected mailbox/CRM content, usage data |
| Authenticate users and secure accounts | Account, device, connection data, cookies |
| Process payments and manage subscriptions | Billing data, account data |
| Provide customer support | Account, communications, usage data |
| Improve the Service (debugging, performance, feature analytics) | Usage data, device data, error logs |
| Send service messages (security alerts, billing, product changes) | Account data |
| Send marketing communications (only with consent or to existing customers under soft opt-in) | Account, communications |
| Detect and prevent fraud, abuse, and security incidents | Account, device, usage, billing |
| Comply with legal obligations and respond to lawful requests | As required |

4. Our legal bases (UK / EU GDPR)

If you are in the UK or EEA, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you have signed up for, take pre-contractual steps, and process payments.
  • Legitimate interests — to secure the Service, prevent fraud, run analytics on usage, improve our products, and conduct limited B2B marketing to existing customers. We balance these interests against your rights and you can object at any time.
  • Consent — for non-essential cookies and for some marketing communications. You can withdraw consent at any time without affecting prior processing.
  • Legal obligation — to keep accounting records, respond to lawful requests, and comply with applicable law.

5. AI processing and model training

The Service uses large language models (LLMs) and other AI systems to draft outreach, summarise conversations, extract MEDDPICC/BANT signals, and generate next-best-action suggestions. We currently use models hosted by OpenAI, Anthropic, and Google. To deliver these features, prompts and relevant context (which may include connected email content, meeting outputs, and CRM data) are sent to those providers via their enterprise APIs.

We do not use customer data, emails, meeting content, or prospect data to train any AI model — ours or a third party's. We use each provider's paid API endpoint under terms that prohibit training on inputs and outputs (OpenAI API, Anthropic API, and the paid tier of the Google Gemini API). Provider retention is configured to the shortest period each provider supports for abuse-monitoring purposes.

We do use aggregated and de-identified operational data — which cannot be associated with you, your team, or any individual — to operate, secure, analyse, and improve the Service. See section 14 of our Subscription Terms for the contractual position.

Outputs generated by AI may contain inaccuracies. The Service is designed to keep a human in the loop for outbound communication. You are responsible for reviewing AI-generated content before it is sent to a recipient.

We do not use solely automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 UK/EU GDPR.

6. Data about prospects and other third parties

The Service helps customers identify and engage with prospective business contacts. As a result, we process personal data about people who are not our users — for example, business contact details sourced from public professional profiles, the customer's own CRM, or third-party data providers such as Apollo.

For this prospect data:

  • We process it as a processor on behalf of our customer for personalisation, segmentation, and engagement features. The customer is the controller of how the data is used in outreach.
  • For enrichment data we obtain directly from third-party providers and surface to multiple customers (for example, generally available firmographic and contact data), we may act as a controller or joint controller with the provider.
  • We rely on legitimate interests (Article 6(1)(f) UK/EU GDPR) for B2B contact data, balanced against the rights of data subjects, and we apply data minimisation.
  • We do not knowingly process the contact data of consumers in their personal capacity for outbound prospecting.

If you are a prospect and wish to access, correct, or delete your data, or object to our processing, please email privacy@greendoorai.com. We will action valid requests and, where applicable, instruct our customer and our enrichment providers to do the same.

7. Who we share data with

We share personal data only with trusted service providers ("sub-processors") that help us operate the Service, and only as necessary. A current list, with locations and purposes, is published at /subprocessors.html and includes (at the date of publication):

  • Stripe — payment processing
  • Apollo — B2B contact enrichment
  • OpenAI — LLM inference (no training)
  • Anthropic — LLM inference (no training)
  • Google — Gemini LLM inference (no training)
  • Amazon Web Services (AWS) — hosting and infrastructure

We may also disclose personal data:

  • to professional advisers (lawyers, accountants, auditors) under confidentiality;
  • to a buyer or successor in the event of a merger, acquisition, or sale of assets, subject to this Policy;
  • to comply with law, a court order, or a lawful request from a public authority; and
  • to enforce our terms or protect the rights, property, or safety of GreenDoorAI, our users, or others.

We do not sell personal data.

8. International data transfers

We are based in the United Kingdom. Some of our sub-processors are located in the United States or in other countries outside the UK and EEA. When we transfer personal data outside the UK or EEA, we rely on one or more of the following safeguards:

  • An adequacy decision made by the UK Government or the European Commission for the destination country.
  • The EU Standard Contractual Clauses (2021), supplemented for UK transfers by the UK International Data Transfer Addendum issued by the ICO.
  • Where applicable, certification of the recipient under the EU–US Data Privacy Framework and the UK Extension to the DPF.

You can request a copy of the safeguards we apply by emailing privacy@greendoorai.com.

9. How long we keep data

We keep personal data only as long as we need it for the purposes set out in this Policy:

| Category | Default retention |
|---|---|
| Account data | Duration of the account, plus up to 90 days after closure for backups and recovery |
| Connected mailbox / meeting / CRM content | For as long as the integration is connected; deleted within 30 days of disconnection or account closure |
| Billing and tax records | 7 years from the relevant tax year, as required by UK law |
| Support communications | Up to 3 years from last contact |
| Server and security logs | Up to 12 months |
| Cookies and analytics | See our Cookie Policy |

We may retain anonymised or aggregated data — which can no longer be associated with you — for longer periods.

10. Security

We use technical and organisational measures designed to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest for production databases and backups.
  • Role-based access control with least-privilege principles and periodic access reviews.
  • Multi-factor authentication for staff access to production systems.
  • Audit logging of administrative actions.
  • Vendor risk reviews for sub-processors.
  • Regular dependency, vulnerability, and configuration scanning.

No method of transmission or storage is 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (and you, where required) without undue delay.

11. Your rights

If you are in the UK or EEA, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") in certain circumstances.
  • Restrict our processing of your data.
  • Object to processing based on legitimate interests, including profiling and direct marketing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent at any time, where we rely on consent.
  • Lodge a complaint with a supervisory authority — see Section 16.

To exercise any right, email privacy@greendoorai.com. We will respond within one month. We may need to verify your identity before acting on a request.

12. Notice to California residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Request deletion of your personal information.
  • Request correction of inaccurate personal information.
  • Opt out of the "sale" or "sharing" of personal information.
  • Limit the use of "sensitive personal information".
  • Be free from discrimination for exercising your rights.

We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We do not use or disclose sensitive personal information beyond the purposes permitted without offering a right to limit. To make a verifiable consumer request, email privacy@greendoorai.com. You may use an authorised agent.

13. Cookies and similar technologies

We use cookies and similar technologies to operate the Website and Service, remember your preferences, understand how the Website is used, and (with your consent) for analytics and marketing. Full details, including a list of cookies we use and their retention, are in our Cookie Policy. You can change your cookie choices at any time via the "Cookie preferences" link in the footer.

14. Children

The Service is intended for business use and is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@greendoorai.com and we will delete it.

15. Changes to this policy

We may update this Policy from time to time. When we make material changes, we will notify registered users by email and/or through the Service before the change takes effect. The "Last updated" date at the top reflects the most recent change. Earlier versions are available on request.

16. Contact and complaints

For any question or to exercise your rights, contact us at privacy@greendoorai.com.

If you are in the UK and you are unhappy with our response, you can complain to the Information Commissioner's Office (ICO). If you are in the EEA, you can contact your local data protection authority. We would, however, appreciate the chance to address your concerns first.

© GreenDoorAI Ltd. All rights reserved.