Privacy Policy

1. Who we are

CMass ("CMass", "we", "our", or "us") provides a Gmail mail merge and email outreach tool delivered as a Chrome browser extension and associated web services. Our registered address is 28 Geary St., Suite 650, San Francisco, CA 94108, United States. Questions about this policy can be sent to privacy@cmass.io.

2. What data we collect

• Google account data:When you connect your Google account, we receive your email address, name, and profile photo via Google OAuth. We do not receive or store your Google password.
• Gmail data:We access your Gmail account via the official Gmail API to send emails on your behalf, read email thread history for AI personalization, and detect replies to your campaigns. We do not read, index, or store email content beyond what is needed to provide the service.
• Google Sheets data:If you import contacts from a Google Sheet, we read the sheet data you specify. We do not retain sheet data beyond your active import session.
• Campaign data:We store the campaigns, recipient lists, and email templates you create in CMass, along with tracking data (opens, clicks, bounces, unsubscribes) associated with your campaigns.
• Usage data:We collect standard web server logs including IP addresses, browser type, and pages visited on cmass.io for security and analytics purposes.
• Payment data:Payments are processed by our payment provider. We do not store credit card numbers or payment details on our servers.

3. How we use your data

• To provide the service:Send emails on your behalf, track campaign performance, manage unsubscribes and bounces, and generate AI-personalized content.
• AI personalization:When you enable AI personalization, recipient data from your imported list (name, company, role, and any custom columns) is sent to Anthropic's Claude API to generate personalized email content. This data is processed per Anthropic's privacy policy and is not used to train their models.
• Product improvement:Aggregate, anonymized usage data helps us improve CMass features and performance. We do not sell individual user data.
• Communications:We may send you transactional emails (receipts, alerts) and, with your consent, product updates. You can unsubscribe from marketing emails at any time.

4. Google API data — limited use disclosure

CMass's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: (a) we only request Gmail and Sheets access scopes necessary to provide the features you use; (b) we do not use Google user data to serve advertising; (c) we do not allow humans to read your Gmail data except for security purposes, to comply with applicable law, or with your explicit permission; (d) we do not sell Google user data.

5. Data retention

We retain your campaign data and account information for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where retention is required by law. You can request deletion at any time by emailing privacy@cmass.io.

6. Data sharing

• Anthropic:Recipient data used for AI personalization is processed by Anthropic's Claude API. Anthropic does not use this data to train models.
• Google:We interact with Google APIs (Gmail, Sheets) on your behalf. Google's privacy policy governs their handling of that data.
• Infrastructure providers:We use cloud hosting and database providers to store and process your data. These providers are contractually bound to protect your data.
• Legal requirements:We may disclose data if required by law, court order, or to protect the rights and safety of CMass or its users.
• We do not sell your data:We do not sell, rent, or trade your personal data to third parties for marketing purposes.

7. Your rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your personal data:

• Access:Request a copy of the personal data we hold about you.
• Correction:Request correction of inaccurate data.
• Deletion:Request deletion of your personal data ('right to be forgotten').
• Portability:Request your data in a portable format.
• Objection:Object to certain types of processing, including direct marketing.
• Opt-out of sale:California residents: we do not sell personal data, so there is nothing to opt out of.

8. Unsubscribes and CAN-SPAM compliance

Every email sent through CMass includes a one-click unsubscribe link compliant with CAN-SPAM and RFC 8058. When a recipient unsubscribes, their address is permanently added to a suppression list and will not receive further emails from that CMass account. Our physical mailing address is: 28 Geary St., Suite 650, San Francisco, CA 94108, United States.

9. Security

We encrypt OAuth tokens at rest using AES-256 encryption. All data in transit is protected by TLS. We use rate limiting, input validation, and HTTP security headers on all API endpoints. Despite these measures, no system is completely secure — if you discover a security issue, please report it to privacy@cmass.io.

10. Children's privacy

CMass is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@cmass.io and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on cmass.io. Continued use of CMass after changes take effect constitutes acceptance of the updated policy.

12. Contact

For privacy questions, data requests, or to exercise your rights, contact us at privacy@cmass.io or write to us at 28 Geary St., Suite 650, San Francisco, CA 94108, United States.