Privacy Policy

Last updated: April 17, 2026

1. Introduction

Outer Reach ("we", "our", or "us") operates the outerreach.app platform — a booking pipeline management tool for live music professionals. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

2. Information We Collect

Account Information

When you sign up, we collect your email address and name via Google OAuth or magic link authentication. We do not store your Google password.

Google API Data

With your explicit consent, we access limited Gmail data (sending emails on your behalf and reading email threads) solely to power the outreach features within the platform. We request the following Google API scopes:

  • gmail.send — to send outreach emails you compose and approve
  • gmail.readonly — to track replies and display conversation threads

Spotify OAuth Data (optional)

If you choose to connect Spotify, we store your Spotify user ID and a refresh token so we can look up artist profiles and catalog data on your behalf. This integration is optional and can be disconnected at any time from your settings.

Workspace Content

Content you create within your workspace — venues, contacts, opportunities, email drafts, templates, comparator artists, agent conversations, and similar records — is stored in our database to provide the service. This content is scoped to your workspace and is not visible to other workspaces.

Usage & Telemetry

We record server-side usage events and activity logs (feature usage, timestamps, event types such as agent_message or email_send) to monitor service reliability, manage costs, and diagnose problems. This is first-party data — we do not use third-party analytics or advertising trackers.

Error Reports

When the platform encounters an error, we may capture the stack trace, request metadata, and a redacted snapshot of the environment via Sentry to help us diagnose and fix issues. Error reporting is only active when it has been configured for the deployment.

3. How We Use Your Information

  • To authenticate you and maintain your session
  • To send outreach emails on your behalf (only when you explicitly approve)
  • To display email conversation threads within the platform
  • To provide venue management, pipeline tracking, and related features
  • To schedule background jobs such as nightly Event Radar scans and daily briefs
  • To monitor service reliability through aggregated usage metrics and error reports
  • To improve the service and fix issues

4. Sub-Processors & Data Sharing

We do not sell, rent, or share your personal information or Google API data with third parties for advertising, marketing, or cross-context behavioral advertising. Your data is processed by the following service providers that are necessary to operate the platform:

  • Supabase — database and authentication (US)
  • Vercel — application hosting and edge network
  • Google — OAuth authentication and Gmail API access
  • Spotify — OAuth and Web API access (only if you connect Spotify)
  • Sentry — error monitoring (only when configured for the deployment)
  • Resend — transactional email delivery for outreach sends and digests
  • OpenAI — embeddings (text-embedding-3-small) for semantic similarity over your workspace content. Your content is not used to train OpenAI models.
  • Inngest — background job orchestration (cron metadata, job payloads)
  • Bandsintown and Songkick — public tour data lookups; queries consist of artist names, not personal user data
  • Venue Directory Service (VDS) — our first-party enrichment service hosted on Railway, which receives workspace venue stubs for deduplication and enrichment

We may also disclose information if required to do so by law or in response to a valid legal request.

5. Google API Services — Limited Use Disclosure

Outer Reach's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only use Gmail data to provide the outreach features you see in the app
  • We do not use Gmail data for advertising or market research
  • We do not allow humans to read your email content unless required for security purposes, to comply with law, or with your explicit consent
  • We do not transfer Gmail data to third parties except as necessary to provide the service

6. International Data Transfers

Our primary processing location is the United States. The sub-processors listed above are predominantly US-based. If you access the service from outside the United States, including from the European Economic Area (EEA), the United Kingdom, or Switzerland, your information will be transferred to, stored, and processed in the United States.

Where required, these transfers rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) entered into with our sub-processors.

7. Legal Basis for Processing (EEA / UK Users)

If you are located in the EEA, the UK, or Switzerland, we rely on the following legal bases under the GDPR (or equivalent law) when we process your personal data:

  • Contract performance — to provide the service you have signed up for, including authentication, workspace storage, and outreach features
  • Legitimate interests — to secure the service, prevent abuse, monitor reliability, and improve functionality, provided these interests are not overridden by your rights
  • Consent — where you have given explicit consent, such as connecting Gmail or Spotify via OAuth, or opting into optional features
  • Legal obligation — where processing is required to comply with applicable law

You may withdraw consent at any time (for example, by disconnecting an OAuth integration from your settings or revoking access at Google Account permissions). Withdrawing consent does not affect the lawfulness of prior processing.

8. Data Security

We use industry-standard security measures including encrypted connections (TLS), secure authentication tokens, and access controls. OAuth refresh tokens are stored server-side in our database, protected by Row Level Security policies and accessible only with a service-role key — they are never exposed to the browser.

9. Data Retention & Deletion

Your workspace data is retained as long as your account is active. Activity logs and usage events are retained while your account is active for diagnostic and billing purposes. Error reports in Sentry are retained according to Sentry's default retention (currently 90 days for most plans).

You can request deletion of your account and all associated data by contacting us. Upon deletion, we will revoke all OAuth tokens (Google, Spotify) and remove your workspace data and account records from our systems within 30 days, except where we are required to retain specific information to comply with legal obligations.

10. Your Rights

Regardless of where you live, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Revoke Google or Spotify API access at any time via your provider account settings

If you are in the EEA, the UK, or Switzerland, you also have the right to:

  • Data portability — receive your data in a commonly used, machine-readable format
  • Restriction of processing under certain conditions
  • Object to processing based on legitimate interests
  • Withdraw consent at any time for processing based on consent
  • Lodge a complaint with your local data protection supervisory authority

To exercise any of these rights, contact us at privacy@outerreach.app. We will respond within the timeframes required by applicable law.

11. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you additional rights regarding your personal information.

Categories of personal information we collect. In the last 12 months we have collected the following CCPA categories:

  • Identifiers — name, email address, account ID
  • Commercial information — the workspace records you create (venues, contacts, opportunities, outreach)
  • Internet or other electronic network activity information — usage events, activity logs, error reports
  • Professional or employment-related information — if you include this in your workspace content

Sources and purposes are described in Sections 2 and 3 above. The sub-processors in Section 4 act as service providers under the CCPA.

We do not sell or share personal information for cross-context behavioral advertising, and we have not done so in the past 12 months. We do not knowingly collect or sell the personal information of minors under 16.

Your California rights include the right to:

  • Know what personal information we have collected about you
  • Delete personal information we have collected from you
  • Correct inaccurate personal information
  • Limit the use and disclosure of sensitive personal information
  • Not be discriminated against for exercising these rights

To exercise these rights, email privacy@outerreach.app. We may need to verify your identity before responding to your request. You may also designate an authorized agent to act on your behalf.

12. Children's Privacy

Outer Reach is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date.

14. Contact

If you have questions about this Privacy Policy or your data, contact us at privacy@outerreach.app.