Privacy Policy
Last updated: March 2026
Overview
HighReach ("we", "our", or "us") is committed to protecting your privacy. This policy explains how we collect, use, and protect your information when you use our LinkedIn outreach automation service.
Information We Collect
About you (our customer):
- Name and email address via Google OAuth
- LinkedIn session cookies used to perform outreach on your behalf (encrypted at rest)
- Campaign configuration: search filters, message templates, and outreach preferences
- Billing information processed via Stripe
About LinkedIn leads you discover:
When you run campaigns, we collect publicly available LinkedIn profile data on your behalf, including names, job titles, companies, locations, and profile URLs. This data is sourced from LinkedIn's public search results and post activity. It is stored in your account and used solely to execute your outreach campaigns.
Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contract performance (Article 6(1)(b)): Processing your account data to provide the service.
- Legitimate interests (Article 6(1)(f)): Processing lead data to enable B2B outreach on your behalf. Our customers identify and reach out to professional contacts for legitimate business development purposes. We conduct a Legitimate Interest Assessment (LIA) to ensure this processing does not override the rights of individuals.
- Legal obligation (Article 6(1)(c)): Retaining billing records as required by law.
Data Retention
- Lead data (undiscovered): Profiles that have not been contacted are deleted 90 days after discovery.
- Lead data (outreach sent): Leads that progress through the outreach pipeline (connection sent, connected, DM sent, replied) are retained for 12 months to maintain outreach history, then automatically deleted.
- Account data: Retained for the duration of your subscription plus 30 days after cancellation.
- Queue items: Completed and skipped outreach queue items are deleted after 7 days.
- LinkedIn session cookies: Deleted immediately when you disconnect your LinkedIn account.
Your Rights (GDPR)
If you are in the EU/EEA or UK, you have the following rights:
- Right of access: Request a copy of your personal data. You can download a structured export of all data we hold about you directly from Settings → Account → Download my data.
- Right to erasure: Request deletion of your personal data. You can delete your account and all associated data from Settings → Account → Delete my account.
- Right to rectification: Request correction of inaccurate data.
- Right to data portability: Request your data in a structured, machine-readable format (available via the download feature above).
- Right to object: Object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@highreach.io. We will respond within 30 days.
For lead data erasure requests: If you are a LinkedIn member who has been contacted via HighReach and wish to have your data removed from our systems, email privacy@highreach.io with your LinkedIn profile URL. We will delete your record within 30 days.
Data Storage
All data is stored in Google Firestore (EU region). LinkedIn session cookies are encrypted at rest using AES-256-GCM.
Third-Party Service Providers
We share data with the following processors, each bound by a Data Processing Agreement (DPA):
- Google Firebase — Database and authentication. All user and lead data.
- Groq — AI message personalisation and lead scoring. Lead profile data, message drafts.
- Apify — LinkedIn profile enrichment and content scraping. Public LinkedIn profile data.
- Brightdata — Residential proxy network for LinkedIn automation. No personal data stored.
- Stripe — Payment processing. Billing information only.
- Mailjet — Transactional email delivery. Name and email address.
- Sentry — Error monitoring. Anonymised error logs.
Data Security
- LinkedIn session cookies are encrypted with AES-256-GCM
- All data is transmitted over TLS
- Access is restricted to authenticated users via Google OAuth
- We do not store passwords
International Transfers
Data is processed in the United States (Groq, Apify, Stripe) and the EU (Firebase, Mailjet). Transfers outside the EU are governed by Standard Contractual Clauses (SCCs).
Changes to This Policy
We will notify you of material changes by email or in-app notice. Continued use of the service after changes constitutes acceptance.
Contact
For privacy-related questions or data subject requests:
Email: privacy@highreach.io
We aim to respond to all requests within 30 days.