Privacy Policy

Last updated: 2026-06-09

1. Introduction

SmartySales (operated by the Smarty Sales team) provides a multi-tenant SaaS platform that helps businesses automate the classification of incoming corporate email, discover potential clients, and send personalized outreach. This Privacy Policy explains what data we collect and how we handle it.

2. Information We Collect

  • Account information — full name, business email, company name, company description (if you fill it in), and locale preference. The description is used as the {{my_company_description}} variable in LLM email templates.
  • Mailbox metadata — for each inbound message we store the sender, recipient, subject, snippet (first 500 characters of the body), and timestamp. The full message body is not stored. Outlook category labels assigned by your processing rules are also stored.
  • Outbound emails generated by the platform or sent manually from the client card are stored in full (subject, body, recipient, sender, template, file attachments) for audit, quota enforcement, and linking to incoming replies.
  • Discovered client records — publicly available information about prospective companies (name, INN, OGRN, region, industry, OKVED, address, revenue, website, public contacts). Sourced from public-data providers and/or LLM web search over public sources.
  • Decision-maker data — names, positions, INNs, birth dates, contact emails and phones of decision makers; collected via large-language-model web search over public sources.
  • Template attachment files (PDF, DOCX, images, etc.) uploaded by users are stored as binary BLOBs in the database and automatically attached to outbound emails.
  • System logs and audit logs (HTTP requests, calls to LLM and data providers, business milestones for mail processing and client enrichment) are written to local files with daily rotation and retained for 30 days.

3. How We Use Your Information

  • Authenticate users and enforce role-based access; the "remember me" feature uses signed cookies valid for 30 days.
  • Run automatic LLM-based classification of incoming email by your configured categories and apply matching labels in Outlook/EWS.
  • Enrich client records using public-data providers and large language models based on publicly available sources.
  • Generate and send personalized outreach emails using your templates — both automatically (driven by search results) and manually from a client's card.
  • Cross-tenant cache: enriched company data (contacts, decision makers) keyed by INN is reused across tenants so identical public lookups are not requested from the LLM twice. Per-tenant data (notes, templates, message history) remains isolated.
  • Track quota consumption (only successfully enriched clients are billed) and process subscription billing.

4. Data Security

  • User passwords are hashed using BCrypt with per-record salts.
  • Sensitive credentials (Exchange/IMAP passwords, Gmail App Passwords, LLM provider API keys, and public-data provider keys) are encrypted at rest with AES-256 (CBC/PKCS5).
  • All traffic between your browser and our servers is encrypted via HTTPS; CSRF protection is enforced on all mutating requests.
  • Tenant data is isolated by company identifier; queries always include this constraint. The SUPER_ADMIN role can view all tenants' data for support and audit purposes, but cannot read tenant notes.
  • All platform activity (user HTTP requests, outbound calls to LLMs and Rusprofile, background worker actions) is recorded in an audit log; sensitive parameters (passwords, tokens, CSRF) are masked.

5. Third-Party Services

  • Large language model providers (OpenAI, Anthropic Claude, DeepSeek) for classification and content generation.
  • Mail providers (Gmail via App Passwords / Microsoft Exchange via EWS).
  • Public company data providers (e.g. Rusprofile) for client discovery.
  • Payment gateway for processing subscription billing.

6. Data Retention

  • Activity and audit logs: up to 30 daily archives (.gz), older files are auto-deleted.
  • Mailbox metadata and inbound/outbound history: kept while the mailbox is connected and the account is active.
  • Account data: kept while the subscription is active. Deleting an account erases your tenant data within 30 days; depersonalized company data (without notes or conversation history) may remain in the cross-tenant cache.

7. Your Rights

  • Access — request a copy of your stored data at any time.
  • Deletion — request erasure of your account and tenant data.
  • Export — download client data and outbound emails in standard formats.

8. Contact

For privacy-related questions, write to support@smartysales.ru or use our contact page.

Contact us