Privacy Policy
Last updated: April 18, 2026
This Privacy Policy describes how Metis Information Technologies Ltd ("OutMass", "we", "us") collects, uses, and protects your personal data when you use the OutMass Chrome extension and related services. We are committed to protecting your privacy and complying with the UK GDPR, the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.
1. Data Controller
Metis Information Technologies Ltd
Registered in England and Wales
Company number: 17114932
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: support@getoutmass.com
2. Data We Collect
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Name and email address (your account) | Account creation, communication | Contract performance |
| Microsoft OAuth tokens | Sending emails via Graph API | Contract performance |
| Campaign content you author (subject lines and body text) | Rendering and sending the campaign, merge-tag personalization, performance reports | Contract performance |
| Recipient list you upload (email addresses, names, custom CSV columns) | Sending the campaign to the people you chose, merge-tag personalization, unsubscribe handling | Contract performance |
| Campaign metadata (send times, recipient counts, status) | Campaign management, analytics | Contract performance |
| Email open and click events | Tracking and reporting | Legitimate interest |
| Usage statistics (features used, session duration) | Product improvement | Legitimate interest |
| Payment information | Subscription billing (processed by Stripe — card details never touch our servers) | Contract performance |
3. Data We Do NOT Collect
- We do not read your Outlook inbox or any messages you receive.
- We do not copy or store emails that other people have sent you.
- We do not store your Microsoft password — authentication is handled by Microsoft's own OAuth 2.0 flow.
- We do not store your payment card details — Stripe handles them directly.
- We do not sell your data, recipient lists, or campaign content to third parties.
- We do not use your campaign content to train AI models.
Note on campaign content: when you author an email campaign in OutMass, we do store the subject line, body, and recipient list so we can actually send the campaign on your behalf, apply merge-tag personalization, and report open/click performance back to you. This is distinct from "reading your inbox" — we only handle outbound content that you explicitly create inside the extension.
4. Microsoft OAuth Data
When you sign in with Microsoft, we request the following permissions:
- Mail.Send — to send emails on your behalf via Microsoft Graph API
- Mail.Read — to detect replies for follow-up automation
- Files.Read.All / Files.ReadWrite (optional) — only requested if you opt into the OneDrive attachment feature. We use these scopes solely to read the metadata of files you explicitly select in the OneDrive picker and to generate anonymous "view" sharing links for those files. We never download, browse, modify, or read the contents of your OneDrive files. The sharing links live in your own OneDrive — they are not stored on OutMass servers.
OAuth access tokens are stored securely and are never shared with third parties. You can revoke access at any time from your Microsoft account settings. The OneDrive scopes are optional — if you never use the OneDrive attachment feature, they are never requested.
5. How We Use Your Data
- To provide and operate the Service
- To send emails on your behalf through Microsoft Graph API
- To track campaign performance (opens, clicks)
- To manage your subscription and process payments
- To communicate with you about your account and the Service
- To improve and develop new features
6. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — Database hosting (PostgreSQL)
- Stripe — Payment processing
- Upstash — Redis queue for email scheduling
- Microsoft Graph API — Email sending
Each service operates under its own privacy policies and data protection agreements.
7. Data Retention
- Account data is retained while your account is active.
- Campaign metadata is retained for 12 months after creation.
- Tracking data (opens, clicks) is retained for 6 months.
- Upon account deletion, all personal data is removed within 30 days.
- Audit log. For fraud prevention, legal defence, and compliance with the Turkish Tax Procedure Law (VUK) and equivalent UK/EU obligations, we retain a limited record of account activity for 5 years. These records contain: a one-way SHA-256 hash of your email address, the type of action (login, campaign creation, send trigger, account deletion, etc.), a timestamp, and the IP address from which the action originated. IP addresses are anonymised to /24 (IPv4) or /48 (IPv6) after 12 months as an additional data-minimisation measure. These records do not contain email content, recipient addresses, or campaign bodies. This processing is based on our legitimate interest (GDPR Art. 6(1)(f)) and legal obligations (GDPR Art. 6(1)(c)) and overrides the right to erasure under GDPR Art. 17(3).
8. Your Rights (GDPR)
If you are located in the United Kingdom, the European Economic Area (EEA), or Turkey, you have the following rights:
- Access — Request a copy of your personal data
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data ("right to be forgotten"). You can delete your account yourself at any time from the OutMass sidebar → Account tab → Danger Zone. Deletion removes all personal data and content immediately; only the anonymised audit record described in Section 7 is retained, for fraud prevention and legal compliance.
- Portability — Request your data in a portable format
- Restriction — Request restriction of processing
- Objection — Object to processing based on legitimate interest
To exercise any of these rights, email us at support@getoutmass.com. We will respond within 30 days.
9. Cookies
The OutMass Chrome extension does not use cookies. Our website (landing page) may use minimal cookies for:
- Essential cookies — Required for basic site functionality
- Analytics cookies — To understand how visitors use our site (optional, with consent)
You can disable cookies in your browser settings at any time.
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted data transmission (HTTPS/TLS)
- Secure OAuth token storage
- Access controls and authentication
- Regular security reviews
11. International Data Transfers
Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place for any international transfers in compliance with GDPR.
12. Children's Privacy
OutMass is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.
14. Contact Us
For any privacy-related questions or requests:
Email: support@getoutmass.com
Company: Metis Information Technologies Ltd