B2Booster: Email Marketing Redefined
Log inTry for free
Legal center

Legal

Privacy Policy

How we collect, protect, and use the data that powers B2Booster.

Public · Read-onlyTrust & compliance readyBack to sign up
Updated December 9, 2025Living document
Last updated:

B2Booster AB (org. no. 559469-1973), Norra Hamngatan 6, 411 14 Gothenburg, Sweden.
Contact: info@b2booster.com | +46 729 723 650

Personal data we collect

  • Account and profile: email address, full name, password hash, verification and reset tokens, organization and role, signature, avatar file path/name/time, preferences (notifications, MFA flag, language, timezone), and login timestamps. Authentication uses a secure httpOnly "B2Booster-Auth" cookie carrying a JWT.
  • Organization and billing: organization name, privacy policy URL, country code, branding assets, B2Booster API key, subscription package, trial/balance/credit counters, Stripe customer/subscription IDs, checkout IDs, payment amounts, and selected credit packages. Card details stay with Stripe.
  • Mailbox connections: mailbox names and addresses, SMTP/IMAP hosts and ports, mailbox passwords, DNS check results, warm-up settings, Gmail OAuth scopes, access/refresh tokens and expiry, Gmail historyId, provider account email, and OAuth timestamps.
  • Campaign and communication data: campaign titles, email bodies (HTML/text), sender/recipient names and emails, product/company context, prompts/tones, tracking and opt-out flags, message IDs, schedules, sent/opened/replied timestamps, reply text/HTML and classification, warm-up mail content, unsubscribe status, and open events logged via a 1x1 pixel.
  • Leads and prospects: first/last names, email addresses, phone numbers, positions, seniority, departments, LinkedIn and X profiles, email verification data/confidence, company domain/name/description/industry/size/location/address, lead list membership, campaign status, unsubscribed timestamps, and imported/purchased metadata.
  • Product and AI inputs: product descriptions, purposes, colors, websites, user prompts/tones, lead search requests (website, name, description, location, industry), text selections for edits, and reply text sent for classification.
  • Uploads and safety: profile and organization images stored in S3 (keys include user identifiers) and reCAPTCHA token results to prevent abuse.

Google User Data & Limited Use Policy

B2Booster's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

1. Minimum Scopes Required

We request only the specific scopes necessary to operate the core features of our email outreach service:

  • https://www.googleapis.com/auth/gmail.readonly: Required to read incoming emails solely for the purpose of detecting replies to campaigns and stopping follow-up sequences.
  • https://www.googleapis.com/auth/gmail.send: Required to send your outreach campaigns and follow-ups.
  • https://www.googleapis.com/auth/gmail.settings.basic: Required to verify your primary email address and configured aliases to ensure accurate sender identity.

2. Data Protection Mechanisms for Sensitive Data

We treat Google OAuth tokens and email content as highly sensitive data. We implement the following specific protection mechanisms:

  • Encryption at Rest: Google OAuth Access and Refresh tokens are encrypted using AES-256 before being stored in our database.
  • Encryption in Transit: All data transmitted between your browser, our servers, and Google APIs occurs over secure TLS 1.2+ (HTTPS) connections.
  • Strict Access Control: Raw email content and tokens are never exposed to the frontend client. They are processed strictly by backend servers within a private VPC, accessible only by authorized services.
  • No Advertising: We do not use your Google Workspace data for advertisements, and we do not sell your data to third parties.
  • AI Privacy: While we use AI to classify replies (e.g., "Interested" vs "Not Interested"), your email data is not used to train our foundational AI models for other customers.

How we use your data

  • Authenticate users, manage organizations and roles, and send verification or password reset emails.
  • Connect mailboxes, send campaign emails via Gmail or your SMTP, detect replies via Gmail or IMAP, and track opens and unsubscribes.
  • Generate and revise outreach content and classify replies using AI models.
  • Analyze domains and lead-search requests you submit to help configure products and campaigns.
  • Provide billing, subscriptions, and credit purchases through Stripe.
  • Secure the service (JWT auth, role checks, reCAPTCHA) and support customers.

Data protection and security

  • Transport security: All OAuth flows and app traffic use TLS (HTTPS). Authentication cookies are httpOnly, secure, and scoped to the app.
  • Encryption at rest: Databases and object storage use encryption (AES-256). OAuth tokens and secrets are stored server-side only in encrypted form (KMS/Secrets Manager).
  • Access control: Tokens and mail content are accessible only to backend services. Production access is limited to authorized personnel under least-privilege roles.
  • Use and retention limits: Tokens are used solely to deliver product features and are removed when you disconnect a mailbox or offboard. Backups are encrypted.
  • Monitoring: We monitor for abuse, enforce reCAPTCHA, patch dependencies, and review security alerts.

Who we share data with (subprocessors)

  • AWS: Infrastructure, storage (S3), and queue processing (SQS eu-central-1).
  • Google: Gmail API, Google Sign-In, and reCAPTCHA.
  • Stripe: Payment processing and billing portal.
  • OpenAI: LLM processing for content generation and classification.

Retention and control

  • You can update your profile, remove mailboxes, manage lists, or offboard an organization via product controls.
  • Open-tracking records timestamps only. Unsubscribe links are included when enabled.
  • Gmail and SMTP tokens are deleted upon mailbox disconnection or organization closure. You may revoke Gmail access via Google Security settings.

Your rights

You can request access, correction, deletion, restriction, objection, or portability of your personal data, or lodge a complaint with your supervisory authority. Contact info@b2booster.com for requests.