PRIVACY POLICY

Effective date: May 3, 2026

This Privacy Policy explains how ColdMsg ("we", "us", "ColdMsg") collects, uses, stores, and shares personal information when you use our website, product, and related services. It covers two distinct categories of personal data: information about you, our user (the founder operating an account), and information about investor contacts that ColdMsg compiles into its investor database. The investor-database section below is also published as a standalone notice for investors at /investors/privacy .

By using ColdMsg you agree to this Privacy Policy. Please also review our Terms of Service and, if you are an enterprise customer or a controller subject to GDPR / UK GDPR, our Data Processing Addendum , which is incorporated by reference into your agreement with us.

1. INFORMATION WE COLLECT

Account information. Email, name, password hash, OAuth identifiers (Google, LinkedIn), profile fields, timezone, and authentication metadata.

Project content. Pitch deck PDFs you upload, deck analysis output, project descriptions, campaign drafts, sent email copy, inbound replies, AI-generated reply scoring, and any notes you add.

Sending configuration. The sending domain or subdomain you connect (DNS records you publish, DKIM/SPF/DMARC verification status), Mailgun route identifiers, mailbox addresses tied to your campaigns, sender display names, and signature blocks (including the postal address required by anti-spam law).

Recipient interaction data. For each email sent on your behalf: timestamps, delivery status, bounces, opens (where enabled), reply content, parsed unsubscribe / opt-out signals, and any suppression entries this generates.

Investor database records. ColdMsg maintains a curated database of investor records (fund name, partner names, professional email addresses, stage / geography / industry / check-size signals). See Section 7 for the full controller-level disclosure.

Billing data. Subscription plan, billing events, Stripe customer and invoice identifiers, transaction records. Full card numbers are stored by Stripe; we do not store them.

Usage data. Server logs (IP address, user agent, request paths, timestamps), product actions, performance and diagnostic events, and — if you consent to cookies — anonymous product analytics.

Communication data. Support messages, inbound and outbound emails between you and us, and related metadata.

2. HOW WE USE YOUR INFORMATION

  • Provide and secure the service, including authentication and account management.
  • Analyse and score uploaded pitch decks using third-party AI model providers.
  • Match your project against records in the investor database.
  • Generate, schedule, and send outbound emails on your behalf.
  • Operate scheduled autonomous workflows (drip sequences, follow-ups, domain warmup, deliverability checks) without per-execution approval, on your configured settings.
  • Capture inbound replies, route them to your inbox, and use AI to score reply intent (positive / negative / neutral).
  • Maintain global suppression lists so that recipients who opt out are not contacted again from any account.
  • Train, evaluate, and improve ColdMsg's own machine-learning models, classifiers, scoring systems, and platform-wide analytics, including by combining your content with content provided by other ColdMsg users. This first-party training is described further in Section 4 below. We do not surface raw content authored by one user to any other user; cross-user benefit flows only through model outputs and aggregated or derived signals.
  • Process billing, subscriptions, plan limits, and usage metering via Stripe.
  • Monitor quality, prevent abuse, investigate incidents, and improve reliability.
  • Send service notices and product communications.
  • Comply with legal obligations.

3. WHY WE PROCESS DATA (LAWFUL BASES)

For data about you (our user), we process personal data on the following lawful bases under GDPR / UK GDPR:

  • Performance of a contract (Art. 6(1)(b)) — service delivery, billing, sending email on your behalf, support.
  • Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, abuse detection, product improvement, deliverability protection.
  • Legal obligation (Art. 6(1)(c)) — tax records, lawful requests.
  • Consent (Art. 6(1)(a)) — optional cookies and product analytics, marketing emails to you.

For investor-database records, our lawful basis is legitimate interests (Art. 6(1)(f)) — providing founders with a curated business directory of investors who publicly hold themselves out as actively investing in startups. Section 7 sets out our balancing test, the rights available to investors, and how to opt out.

We do not sell personal data. We do not permit our third-party AI providers to train their models on your content (Section 4). ColdMsg does use your content to train and improve its own first-party models and platform analytics, on the basis of legitimate interests and the licence granted in our Terms of Service. You may object to this processing at any time (Section 11).

4. AI PROCESSING

Third-party AI providers. We send pitch-deck text, project descriptions, prompt context, campaign copy, and inbound replies to large language model providers (currently OpenAI and Anthropic) to extract deck signals, draft outreach copy, score inbound replies, and run other model-driven features. Providers are bound by data-processing agreements that prohibit training their models on our customers' content. Generated content may be inaccurate; you remain responsible for reviewing every message before it is sent and for any outcome that follows from sending it.

First-party (ColdMsg) models. ColdMsg also uses the same content — your outbound emails, inbound replies received on your behalf, deck text, scoring outputs, and related metadata — to train, evaluate, and improve its own machine-learning models and platform analytics, including models that draft, score, classify, and route email. This may include combining your content with content provided by other ColdMsg users to produce shared models that benefit the platform as a whole.

No cross-user disclosure of raw content. Even where a model has been trained on the broader user base, ColdMsg does not surface the raw text of one user's outbound messages or inbound replies to any other user through the product. Other users see only model-generated outputs and aggregated or derived signals — never another user's raw email content.

Derived Data. Aggregate statistics, behavioural patterns, classifications, scores, embeddings, and other features computed from your content ("Derived Data", as defined in our Terms of Service) may be retained and used by ColdMsg for any purpose consistent with these policies, including after your account is deleted, to the extent the Derived Data no longer identifies you.

5. HOW WE SHARE INFORMATION

We share data with the following sub-processors under data-processing agreements. We do not sell personal data and do not share it for cross-context behavioural advertising.

  • Mailgun (Sinch) — outbound email delivery, inbound reply capture, suppression handling.
  • Stripe — payment processing, subscriptions, invoicing, tax handling.
  • OpenAI, Anthropic — AI model providers used for deck analysis, copy drafting, and reply scoring.
  • Google, LinkedIn — OAuth identity providers (only if you sign in via OAuth).
  • Sentry — error monitoring (optional, scrubbed of secrets).
  • Hetzner — EU-region cloud hosting and storage.
  • Mavlin Analytics — privacy-friendly product analytics, loaded only after you accept cookies.

We may also disclose data when required by law, to enforce our Terms, or to protect rights and safety.

6. COOKIES AND TRACKING

Strictly necessary: a session cookie keeps you signed in; a signed "remember me" cookie (valid 14 days) lets you return without re-entering your password. Both are essential and exempt from consent.

Analytics (optional): if you click "Accept" on the cookie banner we load Mavlin Analytics, which records anonymous page visits. You can revoke consent at any time by clearing coldmsg:cookies in your browser's local storage.

7. THE INVESTOR DATABASE

ColdMsg maintains a curated database of investor records used to power matching and outreach. This is the activity for which ColdMsg acts as an independent data controller (and not as a processor for any user). The full disclosure required by Article 14 of the GDPR is published as a standalone Investor Privacy Notice at /investors/privacy and summarised here.

Categories of data. Fund name, partner names, professional email addresses, public profile links, stated investment stage, geography, industry focus, typical check size, and other signals derived from publicly available professional sources.

Sources. Fund websites, public filings, press releases, regulatory disclosures, public LinkedIn data, and licensed third-party business directories. We do not knowingly include data sourced from breached datasets or scraped consumer profiles.

Lawful basis. Legitimate interests (Art. 6(1)(f)) — providing founders with a curated business directory of investors who publicly hold themselves out as actively making investments. We have documented a balancing test that weighs founders' interest in efficient discovery against the limited intrusion of receiving a contextually relevant cold email at a professional address.

Investor rights. Investors have the right to access, rectify, restrict, object to, and erase their record, and to lodge a complaint with their supervisory authority. We honour valid objection requests by suppressing the record across the entire platform.

Opt out. An investor (or anyone acting on their behalf) can email investors@coldmsg.com from any address associated with the record, and we will suppress the record across the entire platform within 30 days. Replying "unsubscribe", "remove", or substantively similar language to any email sent through ColdMsg also triggers global suppression.

8. EMAIL SENDING AND ANTI-SPAM HYGIENE

Every email sent through ColdMsg includes (a) accurate sender identification, (b) a working opt-out mechanism — the recipient may reply with words such as "unsubscribe", "remove", or "stop" and ColdMsg will parse the reply and globally suppress the address, and (c) a postal mailing address for the sender. ColdMsg also injects an RFC 8058 List-Unsubscribe header on every outbound message so that recipient mail clients can present a one-click opt-out.

You confirm that you have a lawful basis to contact each recipient you select, and that your outreach complies with CAN-SPAM, GDPR, the UK PECR, CASL, and any other law that applies to you. You are responsible for the content of every message sent on your behalf.

9. DATA RETENTION

  • Account and project content: retained while your account is active. On deletion we soft-delete immediately and purge personal content within 30 days.
  • Suppression list entries: retained indefinitely (deleting them would defeat the purpose of an opt-out).
  • Billing records: retained up to 7 years to meet accounting and tax obligations.
  • Server logs: retained up to 90 days, then rotated.
  • Investor-database records: retained while the investor remains professionally active and the record is plausibly accurate; deleted on opt-out request or when the underlying public source no longer supports inclusion.
  • De-identified, aggregated, and Derived Data (as defined in the Terms of Service), and any first-party machine-learning models trained on your content while your account was active, may be retained indefinitely.

10. SECURITY

We use technical and organisational safeguards including TLS in transit, encryption at rest for sensitive credentials (AES-256-GCM for OAuth tokens and integration secrets), least-privilege database access, audit logging of administrative actions, and regular dependency patching. Payments are handled entirely by Stripe; we do not store full card numbers. No method of storage or transmission is perfectly secure, so absolute security cannot be guaranteed.

11. YOUR CHOICES AND RIGHTS

Under GDPR, UK GDPR, and comparable regimes, you have the rights to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with your supervisory authority. To exercise any right, email privacy@coldmsg.com from the address associated with your account. We respond within 30 days.

12. US STATE PRIVACY RIGHTS

If you are a resident of a US state with applicable privacy legislation (such as California, Colorado, Connecticut, Virginia, Texas, or similar), you may have additional rights including the right to access, correct, delete, or port your personal information, and the right to opt out of certain data sharing. We do not sell personal information and do not use it for cross-context behavioural advertising. To exercise your rights, contact privacy@coldmsg.com.

13. INTERNATIONAL DATA TRANSFERS

Some sub-processors (notably AI model providers and Stripe) are based in the United States. Transfers from the EEA / UK rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and where applicable the EU-U.S. Data Privacy Framework.

14. CHILDREN

ColdMsg is not directed at individuals under 18 and we do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@coldmsg.com and we will delete it.

15. CHANGES TO THIS POLICY

We may update this Privacy Policy. The effective date above indicates the current version. Material changes will be announced by email. Continued use after the effective date constitutes acceptance.

16. CONTACT

Privacy inquiries: privacy@coldmsg.com
Investor-database inquiries: investors@coldmsg.com
General support: support@coldmsg.com