Gaidme -- Privacy Policy

Effective date: 2026-05-05
Last updated: 2026-05-05

This Privacy Policy describes how Gaidme ("Gaidme", "we", "us", "our"), a service operated by H2Op, collects, uses, and shares information when you visit gaidme.com, use the app.gaidme.com portal as a Gaidme Client, or are a prospect contacted via Gaidme-operated outreach.


1. Scope

This Policy applies to:

  • Visitors to gaidme.com
  • Clients (B2B companies engaging Gaidme's managed cold email outreach service)
  • Authorized users of app.gaidme.com (Client owners, reviewers, viewers)
  • Individuals (typically business contacts at target companies) whose information is processed as part of Gaidme's outreach operations on a Client's behalf

This Policy does NOT govern data processed by third-party services Gaidme integrates with. Those services have their own privacy policies, listed in Section 7.

2. Information we collect

2.1 Client account information

When a Client engages Gaidme:

  • Company name, website, billing address
  • Authorized-user names, work emails, phone numbers (optional)
  • Sales-contact designation (who receives engaged-lead reports)
  • Stripe billing token (we do not store card numbers)
  • Order Form details (pricing, term, ICP, target geography)

2.2 Client-provided campaign material

  • Approved offer descriptions, brand voice, ICP definitions
  • Approved cold-email copy and sequences
  • Approved prospect-list criteria

This information is used solely to operate Client's campaigns.

2.3 Prospect information (processed on Client's behalf)

To perform Gaidme's services, we process information about target prospects, sourced from:

  • Public business signal data via the Keendai PAM backend (Google Maps, YouTube, scraped websites, job boards, ads libraries, etc.)
  • Verified contact data from Apollo and Hunter (under partner contract or BYOK)
  • Phone line-type metadata from Telnyx Lookup

For each prospect, we may process:

  • Business name, domain, public phone, public address, industry
  • Decision-maker contact (name, work email, title, LinkedIn URL when public)
  • Public business signals (recent hiring activity, location changes, review patterns, ads activity)
  • Email send timestamps, open/click events, bounce status, reply content

2.4 Reply content

When a prospect replies to a Gaidme-operated email, the reply content is captured, classified, and stored. This includes:

  • Full reply body
  • Sender email address
  • Date/time
  • Gemini AI classification (engaged / not engaged) with reasoning
  • Final billable status after dispute window

2.5 Usage information (collected automatically)

  • IP address (security and rate limiting; not retained beyond 30 days in identifiable form)
  • Browser, device, OS info
  • Pages visited within app.gaidme.com, click events, time on page
  • Audit log of all admin actions

2.6 Cookies and tracking

We use:

  • Essential cookies for authentication and session management
  • Analytics cookies via Google Analytics 4 and Microsoft Clarity
  • Anti-fraud via reCAPTCHA Enterprise

3. How we use information

We process information to:

  • Provide the Service to Clients per the executed Order Form and Terms of Service
  • Provision dedicated sending infrastructure (domains, inboxes, Smartlead sub-account) per Client
  • Send cold emails on Client's behalf to target prospects
  • Receive, classify, and forward engaged replies to Client's designated personnel
  • Generate engaged-lead reports and invoices
  • Operate, secure, monitor, and improve the Service
  • Handle disputes
  • Process billing via Stripe
  • Comply with applicable law (CAN-SPAM, CCPA, etc.)
  • Respond to support requests

We do NOT sell personal information to third parties for monetary or other valuable consideration.

4. Lawful basis (United States operations)

Gaidme operates in the United States. We process information under:

  • Contract: to provide the Service to Clients per the executed Order Form
  • Legitimate interest: to operate, secure, and improve the Service; to conduct B2B commercial outreach within applicable legal limits
  • Consent: where required (marketing communications, certain Client cookies)
  • Legal obligation: where compliance with law requires processing

5. Cold email and CAN-SPAM compliance

Gaidme operates cold email outreach on behalf of Clients to United States B2B prospects in compliance with the CAN-SPAM Act:

  • Each email contains a valid physical mailing address (2160 Barranca Parkway #1210, Irvine, CA 92606), provided through a virtual mailbox arrangement with iPostal1
  • Each email contains a clear, working unsubscribe mechanism processed automatically by the underlying sending platform
  • From-line and subject-line are not deceptive
  • The Client (on whose behalf the message is sent) is identifiable in the message
  • Outreach is targeted only at B2B prospects in the United States

Gaidme does NOT operate outreach to:

  • Consumer (B2C) prospects
  • Prospects in the European Union, United Kingdom, or other jurisdictions with cold-email restrictions analogous to GDPR

6. How we share information

6.1 Subprocessors

We share information with the following subprocessors, each contractually bound to confidentiality and data-protection terms:

Subprocessor | Purpose | Location
Google Cloud Platform | Hosting, Firestore, Cloud Run, Identity Platform, Vertex AI, Cloud Storage, Logging | USA
Smartlead | Cold email sending, warmup, reply tracking | USA
MailForge | Inbox provisioning | USA
Cloudflare | DNS, edge security, domain management | USA
GLOCKAPPS | Inbox-placement audits | USA
Stripe | Payment processing | USA
Apollo (under partner contract or BYOK) | Verified contact enrichment | USA
Hunter (under partner contract or BYOK) | Email verification | USA
Telnyx Lookup | Phone line-type metadata | USA
iPostal1 (or comparable) | CAN-SPAM mailing address | USA
Google Analytics 4 | Site analytics | USA
Microsoft Clarity | Session analytics | USA
Sentry / Cloud Logging | Error reporting | USA

Material additions to subprocessors will be communicated to Clients with at least thirty (30) days' notice.

6.2 With Clients

Each Client has access to data within their own workspace, including engaged-lead reports, reply content from prospects who replied to that Client's campaigns, and campaign analytics. Cross-Client data access is forbidden by Gaidme's internal security policy.

6.3 Legal disclosures

We may disclose information when required by law, court order, or to protect rights and safety.

6.4 Business transfers

In connection with a merger, acquisition, or asset sale, information may be transferred to the successor entity.

7. Third-party services

When Clients connect their CRM (HubSpot, Salesforce, Pipedrive, Close, etc.) to receive engaged-lead exports, the data flow is governed by both this Policy and the third-party provider's privacy policy.

8. Data retention

Category | Retention
Active Client account data | While the engagement is active
Client account data after termination | Per Section 4.4 of the Terms of Service (typically 30 days read-only, then deleted)
Prospect information | While Client engagement is active and prospect remains within Client's ICP. Per-prospect deletion on request per Section 9.3.
Reply content | While Client engagement is active. Permanently deleted thirty (30) days after final invoice settlement following Client termination.
Server logs | 30 days
Billing and invoice records | 7 years (per tax/accounting requirements)
Audit logs | 7 years
Backup snapshots | 30-90 days
Marketing-list email | Until unsubscribe

You may request earlier deletion under Section 9.

9. Your rights

9.1 California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Request deletion
  • Request correction
  • Opt out of "sale" or "sharing" (we do not sell personal information)
  • Limit the use of sensitive personal information
  • Non-discrimination for exercising these rights

To exercise these rights, contact privacy@gaidme.com.

9.2 Client account holders

You may, via the workspace settings or by contacting us:

  • Access your account data
  • Export reports and reply data as CSV
  • Request correction of inaccurate data
  • Request deletion of your account
  • Withdraw consent for marketing communications

We aim to respond within 30 days.

9.3 Prospect-data subjects

If you are a person whose business contact information has been processed as part of Gaidme's outreach operations (i.e., you received a cold email sent by Gaidme on a Client's behalf, or your business contact information has been processed for outreach):

  • You may unsubscribe from Client-specific outreach via the unsubscribe link in any cold email; that prevents the specific Client from contacting you further via Gaidme.
  • You may request deletion of your business contact information from Gaidme's processing systems by contacting privacy@gaidme.com.
  • You may request a list of all Gaidme-operated campaigns under which you have been contacted.

We will process such requests within thirty (30) days.

Note: opting out of Client-A's outreach does not prevent Client-B from independently mining and contacting you, as we currently do not maintain a global do-not-contact list across Clients. We may add this feature in future versions.

10. International data transfers

The Service is operated in the United States. Data is stored and processed in the United States. The Service is NOT designed for use by, or for outreach to, individuals in the European Union, United Kingdom, or other regions with cold-email restrictions analogous to GDPR.

11. Security

We implement administrative, technical, and physical safeguards including:

  • TLS 1.2+ encryption in transit
  • Encryption at rest via Google Cloud's managed encryption (with optional Customer-Managed Encryption Keys for Enterprise tier)
  • Multi-factor authentication available on all accounts; required on Owner role
  • API-key storage in Google Cloud Secret Manager, never logged
  • Workforce Identity Federation for staff GCP access; no service-account keys downloaded
  • Audit logs for admin actions
  • Per-Client physical isolation of sending infrastructure (dedicated domains, dedicated inboxes, dedicated Smartlead sub-account) to prevent cross-Client data exposure
  • Regular vulnerability scanning of containers and dependencies
  • Cloud Armor WAF protection on customer-facing endpoints

If we discover a security incident affecting your data, we will notify affected Clients (and prospects, where applicable and required by law) per applicable law.

12. Children's privacy

The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-product notice, email to Clients, or both, at least thirty (30) days before the change takes effect. The "Last updated" date at the top reflects the most recent revision.

14. Contact

For privacy questions or requests:

  • Email: privacy@gaidme.com
  • Mail: 2160 Barranca Parkway #1210, Irvine, CA 92606, United States