Privacy Policy

1. Introduction

Welcome to Vruum ("Vruum," "we," "us," or "our"). Vruum is a service-as-software firm that operates the outbound revenue motion for B2B companies on their behalf — research, sourcing, multichannel outreach, paid demand-gen, and meeting booking — as a delivered outcome rather than a self-serve tool. Each Vruum client is paired with one operator at our firm who runs an internal agent stack on the client's behalf and approves every strategic action before it is executed.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our service or are contacted by our service. Please read this policy carefully. By using Vruum, you agree to the collection and use of information in accordance with this policy.

2. Whose Information We Process

Because Vruum is a managed service, we process information about three distinct categories of people:

• Vruum staff and contractors who operate the platform on behalf of clients.
• Vruum clients and their authorized users who hire us to operate their outbound motion.
• Prospects — the contacts our clients direct us to engage with (researched, sourced, messaged, or shown a paid ad). Prospects do not have an account with Vruum and have not consented directly to us; we process their information on the client's legitimate-interest basis under applicable law, and we honor data-subject requests as described in Section 8.

3. Information We Collect

3.1 Account Information

When a client's authorized user creates an account, we collect:

• Name and email address
• Company name and business information
• Password (stored securely using industry-standard hashing)

3.2 Prospect Data

To provide our services, we process prospect data that the client imports, directs us to source, or that we discover through approved third-party data sources, including:

• Contact names, email addresses, and phone numbers
• LinkedIn profile URLs and other public professional identifiers
• Company information (name, industry, size, location, description)
• Enrichment data obtained through approved third-party services
• Conversation history and communication records sent or received through Vruum
• Reply sentiment, intent classification, and lead-quality scoring derived from those messages
• For paid demand-gen (ad-warming): cohort assignment (treatment / control), audience-membership state, and meeting-source attribution data

3.3 Integration and OAuth Data

When a client connects a third-party service, we store:

• OAuth access and refresh tokens for connected services (email, calendar, LinkedIn, ad platforms), encrypted at rest
• API credentials and account identifiers for the connected service
• Synchronization preferences, scopes granted, and per-service settings

3.4 Paid Demand-Gen Data (Ad-Warming)

For clients who use our paid demand-gen product, we additionally process:

• Hashed contact identifiers (SHA-256, computed inside our infrastructure before any data leaves it) for the purpose of building Matched Audiences on advertising platforms. Raw email addresses and LinkedIn URLs are never uploaded to advertising platforms.
• Campaign metadata, daily impressions, clicks, spend, and reach pulled from the client's connected ad accounts.
• Cohort attribution records linking prospect engagement (replies, meetings, deals) to treatment-vs-control assignment, used to compute the lift the client is paying for.
• Optional "awareness check" responses captured at meeting-booking time (e.g., whether the prospect mentioned seeing an ad), entered by the operator.

3.5 Usage and Analytics Data

We automatically collect:

• Log data (IP address, browser type, pages visited)
• Feature usage and interaction data
• Performance metrics and error reports

4. How We Use Information

We use the information we collect to:

• Operate the outbound and paid demand-gen motion the client has hired us to run
• Generate, review, and send personalized outreach with operator approval
• Build Matched Audiences on the client's connected ad platforms (using hashed identifiers only)
• Analyze replies, meetings, and deals to score leads and compute cohort-level attribution
• Synchronize data with the client's connected integrations
• Send service-related communications to client users
• Detect, prevent, and address technical issues, abuse, or policy violations
• Comply with legal obligations and respond to data-subject requests

5. Third-Party Services

Vruum integrates with and may share data with the following categories of third-party services. We share only the minimum data needed for each service to perform its function.

5.1 Email Providers

Google (Gmail) and Microsoft (Outlook) for sending and receiving emails on the client's behalf.

5.2 LinkedIn

LinkedIn integrations are used to operate connected LinkedIn accounts on behalf of the client for direct outreach, connection management, and inbound reply handling, as well as for paid advertising on the client's connected ad account (see Section 5.4).

5.3 Calendar Services

Calendly, Cal.com, Google Calendar, and Outlook Calendar for scheduling integrations and meeting capture.

5.4 Advertising Platforms

LinkedIn Marketing API and Google Ads API are used solely against the client's own connected ad account and only after explicit operator approval. We never operate a master ad account; the client owns the ad account and the payment method on file with the platform. Identifiers shared for Matched Audience creation are SHA-256 hashed before transmission.

5.5 Data Enrichment

Hunter.io for email discovery and LinkedIn Sales Navigator (operated by the client under their own seat) for prospect sourcing.

5.6 AI Providers

OpenAI and Anthropic for AI-assisted message drafting, intent and sentiment classification, and lead analysis. Information sent to these providers is used to deliver our core functionality and is not used by the providers to train their public models under our enterprise agreements.

5.7 Billing

Stripe for managed-service subscription billing. Ad spend itself is paid by the client directly to the relevant advertising platform — Vruum does not process or hold ad-spend funds.

5.8 Operations and Monitoring

Sentry for error monitoring (no message bodies, OAuth tokens, or hashed identifiers are sent to Sentry).

5.9 Infrastructure

Supabase for database, authentication, file storage, and row-level access control; Railway for application hosting and background workers.

6. Data Security

We implement appropriate technical and organizational measures to protect data we process:

• Encryption in transit (TLS/SSL) and at rest
• Secure OAuth token storage with refresh-token rotation
• Per-tenant row-level access controls so one client's data is never visible to another
• SHA-256 hashing of contact identifiers before transmission to advertising platforms for Matched Audience creation
• Operator approval gate on every outreach send and every paid-campaign mutation, with a per-action audit log
• Regular security assessments and a documented incident-response process
• Employee access limited to those who need it

While we strive to protect information we process, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain information for as long as the client's account is active or as needed to provide services. After client-account deletion:

• Account data is deleted within 30 days
• Prospect data is deleted within 30 days
• Hashed Matched-Audience identifiers held by advertising platforms are removed via the platform's own deletion mechanisms upon disconnection
• Backups may be retained for up to 90 days
• Aggregate, non-personal analytics may be retained indefinitely

8. Your Rights

Depending on your location, you may have the following rights with respect to personal data we process about you, including as a prospect contacted on behalf of one of our clients:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data
• Export: Request a portable copy of your data
• Restriction: Request restriction of processing
• Objection: Object to certain processing activities, including direct marketing and ad targeting

To exercise these rights, contact us at jon@vruum.ai. We will respond within 30 days. For prospect requests, we will additionally remove the prospect from any active Matched Audience and suppress further outreach across all clients on whose behalf we hold the prospect's record.

9. Cookies and Tracking

On the Vruum web application, we use cookies and similar technologies to:

• Maintain your session and authentication state
• Remember your preferences
• Analyze usage patterns
• Improve our services

On client-facing landing pages we host as part of the paid demand-gen product, we may load the client's own LinkedIn Insight Tag or equivalent platform-side tracking pixel under the client's own configuration; we do not aggregate that pixel data across clients.

You can control cookies through your browser settings, though some features may not function properly if cookies are disabled.

10. International Data Transfers

Information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

11. Children's Privacy

Vruum is a B2B service and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of Vruum after changes constitutes acceptance of the updated policy.