Privacy Policy

Last updated: July 11, 2026

Bu sayfanın Türkçe sürümü (KVKK aydınlatma metni dahil) için Gizlilik Politikası'na bakın.

This policy explains how ExportReach ("the Platform") collects, uses, stores, and shares personal data. The Platform is a cold-email service that helps small and medium-sized exporters reach international B2B buyers: it retrieves prospect (lead) data from verified B2B data sources, drafts personalized emails with AI, and sends the emails the user has approved from the user's own Gmail or Outlook account connected via OAuth.

1. Data controller and contact

ExportReach is the data controller for the personal data described in this policy. For any question or request, contact us at dinazorxo@gmail.com.

2. Personal data we process

  • Account and profile data: email address, name, company name, product/sector details (HS codes), and target country preferences.
  • Mailbox connection data: when you connect your Gmail or Outlook account, the OAuth access and refresh tokens we receive and the connected email address. Your password is never shared with us; tokens are stored encrypted with AES-256-GCM.
  • Campaign content: the email templates and sequences you create, and the content and status records of sent emails (sent, opened, replied, bounced).
  • Recipient (lead) data: name, job title, business email address, company, and country details retrieved from third-party B2B data sources (Apollo, Hunter) for your campaigns.
  • Payment and subscription data: plan, subscription status, and billing period. Payments are processed by iyzico; your card details are never stored on ExportReach servers.
  • Usage and log data: session information, usage counters, and error logs.
  • Cookies: only strictly necessary session cookies are used; no third-party advertising or tracking cookies.

3. Google and Microsoft account data (Limited Use)

When you connect your Gmail account, the Platform requests authorization from Google for only the following scopes: gmail.send (to send the emails you have approved, on your behalf) and gmail.readonly (solely to detect whether recipients have replied to the campaigns you sent). For Outlook connections, the equivalent Microsoft Graph scopes are used.

Here is how ExportReach accesses, uses, stores, and shares Google user data:

  • Access and use: your Gmail data is processed only to provide user-facing features you initiate — sending the campaign emails you approved and detecting replies and bounces to stop sequences automatically. We do not scan, profile, or analyze the contents of your mailbox, and we never use your data for advertising.
  • Storage: OAuth tokens are encrypted at rest with AES-256-GCM. We do not store the bodies of messages read for reply detection; only message metadata needed to update campaign status is kept.
  • Sharing: we do not sell or transfer your Google user data to any third party, and we do not use it to develop or train artificial intelligence or machine learning models, including generalized AI/ML models.
  • Human access: no human reads your Google user data, except with your explicit permission, when necessary for security purposes, or to comply with applicable law.
  • Revoking access: you can disconnect your account at any time from the Platform's mailbox settings or from your Google/Microsoft account security settings; the tokens become invalid once disconnected.

ExportReach's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Purposes and legal bases

We process personal data on the following legal bases (under the Turkish Personal Data Protection Law No. 6698, "KVKK", and equivalent principles):

  • Performance of a contract: account creation, campaign management, email sending, reply tracking, subscription and payment processing.
  • Legitimate interest: service security, debugging, abuse prevention, and enforcement of sending limits.
  • Legal obligation: retention duties arising from financial and commercial regulations.
  • Consent: use of the service providers below that involve international data transfer, tied to your use of the related features.

5. Data sharing and international transfer

We share data with the following service providers only to the extent necessary to provide the service:

  • Supabase (EU region): database and authentication infrastructure — your data is hosted in the European Union.
  • Google LLC / Microsoft Corporation (USA): email sending and reply detection through your connected mailbox.
  • OpenAI (USA): email draft generation — only your company/product profile and the recipient's business context are sent to the model.
  • Apollo, Hunter (USA): B2B lead data sourcing and email verification.
  • iyzico (Türkiye): payment processing.

Your data is never sold or transferred to any other third party for marketing purposes.

6. Data retention

Your data is retained for as long as your account is active. When you delete your account, your account, profile, campaign, and mailbox connection data are deleted or anonymized within a reasonable technical period; records we are legally required to keep (e.g., invoices and payment records) are retained for the applicable statutory period.

7. Data security

Your data is stored on access-controlled infrastructure; OAuth tokens are encrypted at rest with AES-256-GCM, all data is transmitted over TLS, and each user's data is accessible only within their own account.

8. Email recipients (leads)

The business contact details of people who receive emails through the Platform are processed on behalf of our users for B2B commercial communication. Every email includes an unsubscribe link; recipients who unsubscribe, reply, or whose emails bounce are automatically removed from further sending and added to a suppression list. If you received an email and want your data deleted, contact dinazorxo@gmail.com.

9. Your rights

You may contact us to learn whether your personal data is processed, request information about it, learn the purpose of processing, know the third parties it is transferred to, request correction of incomplete or inaccurate data, request deletion, and object to results arising from purely automated processing. Requests sent to dinazorxo@gmail.com are answered within 30 days at the latest. The full list of rights under KVKK Article 11 is available in the Turkish version of this policy.

10. Changes

This policy may be updated when needed. Material changes are announced on the Platform; the current version is always published on this page.