Privacy Policy

Last updated: February 2026

1. Introduction and scope

ReachHQ ("we," "us," "our") operates the ReachHQ platform, our websites, and related services (collectively, the "Services"). We are the data controller for the personal data we collect through the Services. This Privacy Policy explains how we collect, use, disclose, retain, and protect your information and your rights in relation to that information.

This policy is intended to comply with: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); the UK General Data Protection Regulation and UK Data Protection Act 2018 ("UK GDPR"); the ePrivacy Directive (2002/58/EC as amended) and national laws implementing it ("ePrivacy") regarding cookies and electronic communications; the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy laws (including Québec's Law 25 where applicable); and other applicable data protection and privacy laws (including emerging US state privacy laws). Where we use services provided by Google (e.g. Google Analytics, Google Ads), we do so in accordance with Google's policies and applicable law, including obtaining consent where required.

2. Legal basis for processing (EEA and UK)

Under the GDPR and UK GDPR we process personal data only where we have a valid legal basis:

  • Contract — Performance of our contract with you: providing the Services, account management, billing, and support.
  • Legitimate interests — Where necessary for our legitimate interests (e.g. security, fraud prevention, network and system integrity, analytics necessary to operate and improve the Services), provided your interests and fundamental rights do not override those interests.
  • Consent — Where we ask for your explicit consent (e.g. non-essential cookies, third-party advertising and analytics tracking, and certain marketing communications). You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Legal obligation — Where processing is necessary to comply with a legal obligation (e.g. tax, anti–money laundering, responding to lawful requests from authorities).

We do not use fully automated decision-making that produces legal effects concerning you or similarly significantly affects you. Where we use analytics or profiling to improve our Services or for security, we do so under the legal bases above and do not make solely automated decisions that significantly affect you in the sense of GDPR Article 22.

3. Information we collect

We may collect the following categories of personal data:

  • Account and profile data: Name, email address, company or organization name, role, password (stored in hashed form), and account preferences.
  • Payment and billing data: Billing name, billing address, and payment method information. Payment card details are processed by our payment service provider; we do not store full card numbers.
  • Usage and product data: How you use our platform (e.g. features used, campaigns, sequences, email metrics, settings). We may collect device and application usage data.
  • Technical and log data: IP address (which we may hash before storage for privacy), browser type and version, operating system, referring URLs, pages visited, timestamps, and similar technical identifiers. In some jurisdictions this may be considered personal data.
  • Email and integration data: When you connect email or other services (e.g. Gmail, Outlook), we access only what is necessary to provide the Services (e.g. sending and tracking emails). We do not store your provider credentials in plain text.
  • Communications: Records of your communications with us (e.g. support requests, sales inquiries, feedback).
  • Cookies and similar technologies: Data collected via cookies, pixels, local storage, and similar technologies as described in Section 7.

We may also receive information about you from third parties (e.g. identity or fraud prevention providers, or when you sign in via a third-party provider) where permitted by law and in accordance with this policy.

4. Purposes of processing

We use the information we collect to: provide, operate, maintain, and improve the Services; process payments and manage billing; create and manage your account; send service-related and security communications; provide customer and technical support; personalize your experience and improve our products; analyze usage and develop new features; run analytics and advertising (where you have consented or where permitted by law — see Section 7); send marketing communications (where you have opted in or where permitted, with the ability to opt out); detect, prevent, and address fraud, abuse, and security incidents; comply with legal obligations and enforce our terms; and protect our rights and the rights of others.

5. Data sharing and subprocessors

We share personal data only as described in this policy and only where necessary. We do not sell your personal information for money. We may allow certain advertising and analytics partners to collect information via cookies and similar technologies as described in Section 7, which may be considered "sharing" for cross-context behavioral advertising under some laws (including the CCPA/CPRA). Where required, we provide ways to opt out of such "sale" or "sharing" as described in Sections 7 and 9.

Service providers (processors/subprocessors): We use third-party service providers that process personal data on our behalf under contract. They are required to protect your data and use it only for the purposes we specify. Categories include: hosting and infrastructure; email delivery; payment processing; customer support and communication tools; and analytics and advertising partners (e.g. Google Analytics, Google Ads, Meta Ads (Facebook/Instagram), and other providers) when you have consented or where permitted by law. Our use of Google services for analytics and advertising is carried out in compliance with Google's applicable policies (including the Google EU User Consent Policy where consent is required) and with applicable data protection law.

Legal and regulatory: We may disclose personal data when required by law, court order, or governmental authority, or when necessary to protect our rights, your safety, or the safety of others, to enforce our terms, or to investigate fraud or security issues.

Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the same privacy commitments.

6. International data transfers

Your data may be processed in the United States or other countries where we or our service providers operate. Countries outside the European Economic Area (EEA) and the United Kingdom may not provide the same level of data protection as your country.

When we transfer personal data from the EEA or the UK to countries that are not recognized as providing adequate protection, we implement appropriate safeguards as required by the GDPR and UK GDPR. These may include: Standard Contractual Clauses (SCCs) adopted by the European Commission or approved by the UK authorities; the UK International Data Transfer Agreement or Addendum; or other transfer mechanisms recognized by applicable law. Our analytics and advertising partners (including Google) may transfer data globally in accordance with their own data processing terms and transfer mechanisms (e.g. Google's Standard Contractual Clauses or certification under frameworks recognized by regulators).

7. Cookies, tracking technologies, and third-party advertising and analytics

We and our partners use cookies, pixels, local storage, SDKs, and similar technologies ("cookies and similar technologies") on our websites and in our Services. In the EEA and the UK, we comply with the ePrivacy Directive and national cookie laws: we obtain your consent before placing non-essential cookies or using non-essential tracking for advertising or analytics, except where a limited exception applies under applicable law.

Categories we use:

  • Strictly necessary: Required for the operation of our Services (e.g. authentication, session management, security, load balancing). These cannot be disabled if you wish to use the Services. Legal basis: contract / legitimate interests.
  • Functional: Enable enhanced functionality and personalization (e.g. preferences, language). Legal basis: consent (where required) or legitimate interests.
  • Analytics: We use third-party analytics to understand how visitors and users interact with our websites and product (e.g. pages viewed, usage patterns, traffic sources). We use Google Analytics (and may use other analytics providers). Google Analytics may collect identifiers, device and browser information, and usage data. Where required by law (e.g. in the EEA and UK), we enable non-essential analytics only after you have given consent. We configure Google Analytics in line with our privacy obligations, which may include IP anonymization and use of Google's consent mode or similar mechanisms to respect your choices and comply with GDPR and Google's policies. You can review Google's privacy policy at policies.google.com/privacy.
  • Advertising and remarketing: We may use third-party advertising and remarketing (including Google Ads, Meta Ads (Facebook/Instagram), and other ad networks and social media advertising platforms) to show relevant ads on other websites and to measure the effectiveness of our campaigns (e.g. conversion tracking, remarketing lists). These partners may set their own cookies and collect data about your visits to our site and other sites. In the EEA and the UK we use advertising cookies and similar technologies only with your consent. Our use of Google Ads is in compliance with Google's EU User Consent Policy and related requirements when we collect consent from users in applicable regions. You can manage Google ad personalization at adssettings.google.com.

Your choices: You can manage your preferences by: using our cookie preference or consent tool (where we provide one) to accept or refuse non-essential cookies; adjusting your browser settings to block or delete cookies (note: blocking essential cookies may affect the functionality of the Services); using Google's tools to opt out of personalized ads or Google Analytics (e.g. Google Analytics opt-out browser add-on where available); using Meta's ad preferences controls (for Facebook/Instagram ads) at facebook.com/adpreferences; or using industry opt-out tools (e.g. Your Online Choices in the EU: youronlinechoices.eu, and the Digital Advertising Alliance (DAA) tools where available). Withdrawing consent for advertising or analytics does not affect the lawfulness of processing based on consent before its withdrawal.

Global Privacy Control (GPC) / opt-out preference signals: Where required by applicable law (including the CCPA/CPRA), we treat browser-based opt-out preference signals such as Global Privacy Control (GPC) as a request to opt out of "sale" and/or "sharing" of personal information for cross-context behavioral advertising for that browser and device, where technically feasible.

8. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes set out in this policy, unless a longer retention period is required or permitted by law. In general: account and profile data are retained for the duration of your account plus a reasonable period after closure for legal, support, and dispute resolution purposes; billing and payment data as required for accounting and tax; technical and log data for a limited period necessary for security and operations; marketing and analytics data in accordance with our retention schedules and your choices (e.g. consent withdrawal); and support communications for as long as needed to resolve issues and for a limited period thereafter. You may request deletion of your account and associated personal data at any time by contacting us; we will process your request in accordance with applicable law.

9. Your rights

If you are in the EEA or the UK (GDPR / UK GDPR), you have the right to: Access — obtain confirmation as to whether we process your personal data and a copy of that data; Rectification — have inaccurate personal data corrected; Erasure — request deletion of your personal data in certain circumstances; Restriction — request restriction of processing in certain circumstances; Data portability — receive your data in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller; Object — object to processing based on legitimate interests or for direct marketing; Withdraw consent — where processing is based on consent, withdraw it at any time; Lodge a complaint — with a supervisory authority in your country of residence or place of work, or in the place of an alleged infringement. In the UK you may contact the Information Commissioner's Office (ICO). In the EEA you may contact your national data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

If you are a California resident (CCPA/CPRA), you have the right to: Know — what personal information we collect, use, disclose, and retain; Delete — request deletion of your personal information, subject to certain exceptions; Correct — request correction of inaccurate personal information; Limit use of sensitive personal information — to the extent we use sensitive personal information for purposes beyond those permitted; Opt out of sale or sharing — opt out of "sale" and/or "sharing" of personal information (including for cross-context behavioral advertising) where applicable; Non-discrimination — we will not discriminate against you for exercising your privacy rights. You may opt out via the mechanisms described in Section 7, including opt-out preference signals such as GPC where required by law.

If you are in Canada (PIPEDA and applicable provincial laws, including Québec Law 25 where applicable), you may have the right to access and correct personal information we hold about you, and to withdraw consent to certain processing (subject to legal or contractual restrictions and reasonable notice). You may also ask questions about our privacy practices, including our use of service providers and cross-border processing, by contacting us as described below.

Other jurisdictions: Depending on where you live, you may have additional rights under local data protection laws (e.g. Virginia, Colorado, Connecticut, Utah, or other US state laws, or laws in other countries). We will honour such rights to the extent required by applicable law.

How to exercise your rights: Contact us at privacy@reachhq.io. We will respond within the timeframes required by applicable law (e.g. generally one month under the GDPR/UK GDPR, 45 days under the CCPA/CPRA, subject to any permitted extension). We may need to verify your identity before processing your request. If you have authorised an agent to act on your behalf, we may require proof of that authorisation.

10. Security and data breach notification

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including: encryption of data in transit (e.g. TLS) and at rest where appropriate (e.g. AES-256); access controls and authentication; regular review of our security practices; and, where applicable, compliance with standards such as SOC 2 Type II. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required by law, affected individuals without undue delay.

11. Children

Our Services are not directed at individuals under the age of 16 (or under 13 in jurisdictions that set a lower age). We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us at privacy@reachhq.io and we will take steps to delete such information.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or legal requirements. We will post the updated policy on this page and update the "Last updated" date. For material changes (including material changes to our use of cookies or third-party tracking, or to how we use your data), we will provide additional notice where required by law, which may include email or a prominent notice within the Services. Your continued use of the Services after the effective date of the updated policy constitutes your acceptance of the updated policy. If you do not agree, you should discontinue use and may contact us to request deletion of your account and data where applicable.

13. Contact, data protection officer, and EU representative

For any privacy-related requests, questions, or complaints, please contact us at: privacy@reachhq.io. We will work to resolve your concern. If you are in the EEA or the UK and believe that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with a supervisory authority as described in Section 9.

For the purposes of Canadian privacy laws (including Québec Law 25 where applicable), you may contact us at privacy@reachhq.io to reach the person responsible for privacy.

If we appoint a data protection officer (DPO) or an EU/UK representative for the purposes of the GDPR or UK GDPR, we will publish their contact details on this page or otherwise make them available to you.