Reach

Privacy Policy

Last updated: May 24, 2026

Billslash, Inc. ("Billslash", "we", "us") operates the Billslash Reach platform ("the Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable privacy laws.

Data Controller: Billslash, Inc., 2261 Market Street #4854, San Francisco, CA 94114, USA. Contact: privacy@billslash.app.

1. Data We Collect

  • Account data — name, email, password hash, profile picture, role.
  • Workspace data — company name, mailing address, billing details, team members.
  • CRM content you upload — leads, contacts, companies, notes, email templates, campaign content.
  • Email-sending metadata — sender domain, recipient address, subject, send timestamp, open/click/bounce events.
  • Technical data — IP address, browser, device, log timestamps, crash reports.

2. How We Use Your Data

  • To operate the Service (Article 6(1)(b) GDPR — performance of contract).
  • To improve deliverability, detect abuse, and prevent fraud (Article 6(1)(f) — legitimate interest).
  • To send service announcements and billing notices (Article 6(1)(b)).
  • To comply with legal obligations including CAN-SPAM, CASL, and tax law (Article 6(1)(c)).

We do not sell your data, share it for advertising, or use your CRM content to train public AI models.

3. Sub-processors

We engage trusted vendors to operate the Service: cloud hosting (Cloudflare, Supabase), email delivery (Resend), payments (Stripe), error monitoring, and customer support. A current list is available on request at privacy@billslash.app. All sub-processors are bound by data-protection agreements and EU Standard Contractual Clauses where applicable.

4. International Transfers

Personal data may be transferred to the United States. We rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (Module 2) as the lawful transfer mechanism.

5. Retention

Account and workspace data: kept while your account is active and for 90 days after deletion. Email send-logs: 12 months. Audit logs: 24 months (legal retention). Suppression list: retained indefinitely to honor unsubscribes.

6. Your Rights

Under GDPR and CCPA you have the right to access, correct, delete, restrict processing, port, and object to processing of your personal data. You may also withdraw consent at any time. Submit a request to privacy@billslash.app; we respond within 30 days.

7. Recipients of Email You Send

When you use Reach to send email, you are the data controller for the recipients you contact. We act as your data processor in that activity. See our Data Processing Addendum.

8. Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is restricted via row-level security, role-based access control, and audit logging. We test backups quarterly and conduct annual penetration tests.

9. Children

The Service is not directed to children under 16 and we do not knowingly collect their data.

10. Changes

We post material changes to this policy in-app at least 30 days before they take effect.

11. Contact & Supervisory Authority

Questions: privacy@billslash.app. EU residents may also lodge a complaint with their local Data Protection Authority.