Privacy Policy
This policy describes how Capstone Technology Solutions ("we," "us," "Capstone") handles personal information when you use Capstone Outreach (the "Service") at capstoneoutreach.com. We've tried to write it in plain English. If anything is unclear, email sg@capstonetech.co.
1. Who we are
Capstone Outreach is a contact-management and outreach tool operated by Capstone Technology Solutions, a company based in the United States. We are the data controller for personal information you provide directly, and a data processor for personal information you upload about your contacts.
2. Information we collect
Account information
When you create an account, we collect your name, email address, and a hashed password. If you sign up through a referral link, we record the referring user so they can receive credit.
Billing information
Paid subscriptions are processed by Stripe. We do not store your full card number on our servers; Stripe holds it on its PCI-compliant infrastructure. We receive a customer ID and basic subscription state (tier, status, renewal date) from Stripe so we can grant or restrict features.
Contact information you upload or scan
When you scan a business card, import a CSV, or add a contact manually, we store the contact's name, email, phone number, company, job title, LinkedIn URL, the original card image, and any notes or selfies you attach. You are responsible for having a legitimate reason to hold this information — for example, that the contact gave you their card or that you have a lawful basis for outreach.
Lead data sourced through the platform
If you use the Find Leads feature, we query third-party B2B contact databases (Apollo, LeadMagic) and store the records you choose to save to your account. Those records may include verified work email addresses, phone numbers, and employment data sourced from those providers' public and licensed datasets.
Communication content
When you draft, send, or log an email or text through the Service, we store the subject, body, recipients, and timestamps so you can see your outreach history per contact. AI drafts are generated by passing relevant context to OpenAI or Anthropic; see Section 4.
Mailbox tokens
When you connect Gmail or Microsoft 365, we receive an OAuth refresh token from Google or Microsoft. We store it encrypted at rest and use it only to perform the actions described in Section 5.
Usage data and device information
We log standard application data: your IP address, browser type, pages visited, actions taken, and timestamps. We also log billable interactions with third-party APIs (LLM calls, OCR calls, lead lookups) so we can monitor service health and bill you accurately.
3. How we use information
We use personal information to:
- Provide and operate the Service.
- Authenticate you and protect your account.
- Send transactional email (password resets, billing receipts, security alerts).
- Generate AI-drafted email and text messages on your behalf.
- Send messages from your connected mailbox at your direction.
- Match incoming replies in your mailbox to outreach you've sent.
- Measure how the product is used and improve it.
- Detect, prevent, and respond to abuse, fraud, or security incidents.
- Comply with legal obligations.
We do not sell personal information. We do not use the contents of your emails or contact records to train AI models.
4. Sharing and third-party services
We share personal information only with vendors who help us operate the Service, and only to the extent each needs to do its job. Each vendor below is bound by its own privacy commitments.
- Stripe — payment processing.
- Amazon Web Services (Lightsail, S3) — hosting and image storage.
- Google (Gmail API, Cloud Vision OCR, OAuth) — sending email from your mailbox, optical character recognition for scanned business cards, and account authentication.
- Microsoft (Microsoft Graph, OAuth) — sending email from your Microsoft 365 mailbox.
- OpenAI and Anthropic — large language models used to draft email and text messages, extract structured fields from card images, and personalize outreach. We send the minimum data needed to fulfill each request and do not retain provider responses beyond what's needed to display the result back to you.
- Apollo and LeadMagic — B2B contact database lookups when you use the Find Leads feature.
- Mixpanel — product analytics, session replay, and funnel analysis. See Section 6.
- Rewardful — affiliate tracking. Sets a referral cookie so affiliates can be credited for sign-ups.
- SMTP2GO — transactional email delivery (e.g. password resets) for users who haven't connected a personal mailbox.
We may also disclose information if required by law, to enforce our Terms, or to protect the rights, property, or safety of Capstone, our users, or the public.
5. Your connected mailbox (Gmail / Outlook)
When you connect Gmail, we request the gmail.send scope and the email-address portion of your profile. When you connect Microsoft 365, we request Mail.Send, Mail.Read, offline_access, and User.Read.
We use these permissions only to:
- Send messages that you compose or approve in the Service.
- Search your inbox for replies to outreach you sent through us, so we can show conversation context next to each contact.
- Display the connected email address in Settings.
What we do not do: We do not browse your general inbox, train AI on your mail, sell or share your messages, or read mail that isn't related to outreach you initiated through the Service. You can revoke our access at any time at myaccount.google.com/permissions (Google) or in your Microsoft account settings, or by clicking Disconnect on the Settings page.
Capstone's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. Cookies, analytics, and session replay
We and our vendors use cookies and similar technologies for:
- Authentication — keeping you signed in.
- Affiliate attribution (Rewardful) — remembering which affiliate referred you so they get credit on a paid sign-up.
- Product analytics (Mixpanel) — measuring feature usage, click flow, and conversion funnels.
- Session replay (Mixpanel) — recording approximately 75% of sessions as visual replays. We mask contact emails, phone numbers, the contents of message bodies, scanned card images, and any selfies before recording. We do this so we can diagnose UX issues that aren't visible in logs.
Do Not Track / Global Privacy Control: our analytics vendor honors these signals by default; we currently override that default for clearer product analytics. We may revisit this if our user base shifts to jurisdictions that require honoring privacy signals.
7. Security
We use industry-standard measures to protect your data, including:
- TLS in transit for all API calls and page loads.
- Encryption at rest for OAuth refresh tokens and other sensitive secrets.
- Hashed passwords (we never store plain-text passwords).
- Card images stored in a private S3 bucket with signed-URL access.
- Nightly database backups with limited retention.
- Access controls so each tenant's data is isolated by organization ID.
No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you in accordance with applicable law.
8. Data retention
We retain personal information for as long as your account is active and for a reasonable period afterward to satisfy legal, tax, or accounting requirements. When you delete a contact, the contact and its associated card images, interactions, and notes are removed from live systems within 30 days; backups age out within 30 days as well. When you close your account, we delete your account-level data within 90 days, except where we are required to retain it longer.
9. Your rights
Depending on where you live, you may have rights to access, correct, port, or delete personal information we hold about you, or to object to or restrict certain processing. To exercise these rights, email sg@capstonetech.co from the address on your account.
For California residents: you may request disclosure of categories of information we collect, opt out of any "sale" or "share" of personal information (we do not currently sell or share under CCPA definitions), and request deletion.
For EU / UK / EEA residents: we rely on your consent, contractual necessity, and legitimate interests as our lawful bases for processing. You may lodge a complaint with your local supervisory authority.
10. Children's privacy
The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please email us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you via email or an in-app notice and update the "Last updated" date above. Your continued use of the Service after a change indicates your acceptance.
12. Contact
Questions about this policy or your data? Email sg@capstonetech.co.