Privacy Policy
Effective May 29, 2026
Outreach-MCP ("Outreach-MCP", "we", "us") is operated by 42nights. This policy explains what data we handle when you use the Outreach-MCP service and connectors, how we use it, and the choices you have. Questions: jerry@42nights.dev.
1. Data we collect
- Account data. Your license key, billing email, and Stripe customer identifier (we do not store card numbers; payments are processed by Stripe).
- Campaign data. The outreach scenarios, ideal-customer criteria, and email-sequence templates you create.
- Lead data. Prospect records you scrape or import — names, job titles, employers, public LinkedIn URLs, and email addresses — together with classification scores and verification status.
- Connected-account credentials. If you connect Gmail, we store the OAuth refresh token Google issues for your account. If you supply third-party provider API keys, we store those. All such secrets are encrypted at rest (NaCl sealed box); the decryption key lives only in our backend environment.
2. Google user data & Limited Use
When you connect Gmail, Outreach-MCP requests the https://www.googleapis.com/auth/gmail.send scope to send mail on your behalf, plus the openid and email scopes solely to identify which Gmail address is connected (shown back to you as the sender). We use Gmail access only to send the outreach emails you direct us to send, from your own Gmail account. We do not read, search, or download your mailbox, and we cannot — the Gmail scope grants send-only access.
Outreach-MCP's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer or sell Google user data, do not use it for advertising, and do not allow humans to read it except as required for security, to comply with law, or with your explicit consent.
3. How we use data
We use the data above only to operate the service for you: to scrape and score leads, find and verify email addresses, render and send your sequences, and report on the pipeline. We do not sell your data or use it to train models for other customers.
4. Service providers
We share data with subprocessors strictly as needed to run the pipeline: Convex (data storage + compute), Vercel (web hosting), Stripe (billing), Google (Gmail send), and the lead-data, email-finding, email-verification, and AI-classification providers configured for your account. Each receives only the data needed for its function.
5. Retention & deletion
We retain your data for as long as your account is active. You can revoke Gmail access at any time from your Google Account permissions; doing so invalidates the stored token. To delete your account and associated lead, campaign, and credential data, email jerry@42nights.dev and we will erase it within 30 days.
6. Security
Connected-account tokens and provider keys are encrypted at rest. Data in transit is protected by TLS. No method of transmission or storage is perfectly secure, but we take reasonable measures to protect your data.
7. Changes
We may update this policy; material changes will be reflected by a new effective date above. Continued use after a change constitutes acceptance.
8. Contact
Questions or requests: jerry@42nights.dev.