Privacy Policy
Last updated: 22 April 2026
1. Who We Are
Outpilot Ltd (company number 16977693) is a company incorporated in England and Wales, with its registered office at 5 Beech Court, Hurst, Berkshire, England, RG10 0RQ.
Outpilot provides an AI-assisted outreach platform for B2B commercial teams.
In the course of providing our services, we may act as a data controller (or equivalent, including "business" under US state privacy laws and "controlador" under Brazil's LGPD) where we collect business contact data from publicly available sources, and as a data processor (or equivalent, including "service provider" or "processor" under US state privacy laws and "operador" under the LGPD) where we process data on behalf of our subscribers in accordance with their instructions. We operate globally and may process personal data relating to individuals located in the United Kingdom, the European Economic Area, the United States, Brazil, and other jurisdictions worldwide.
For privacy-related enquiries, contact us at privacy@outpilot.ai.
2. What Personal Data We Collect and Where From
Subscriber data
When organisations sign up to use Outpilot, we collect information provided during account setup and onboarding, including names, job titles, business email addresses, and company names.
Prospect data
We collect business contact information from publicly available professional sources and third-party data providers to support our subscribers' outreach activities. This includes names, job titles, company names, business email addresses, and communication history generated during campaign activity.
If you received an outreach email: Your business contact information was collected from publicly available professional sources to facilitate a business communication on behalf of our subscriber. You can opt out of future communications at any time. See Your Rights below.
Technical data
We collect technical data for security and operational purposes, including IP addresses, browser type, device information, and access logs.
3. Why We Process Personal Data (Lawful Basis)
We process personal data under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), Brazil's Lei Geral de Proteção de Dados (LGPD), and applicable US state privacy laws (including the CCPA/CPRA, VCDPA, CPA, and CTDPA), as well as any other data protection law applicable to the processing. Our lawful bases (or equivalent legal bases under non-GDPR regimes) are as follows:
- Legitimate interests (Article 6(1)(f) of the UK and EU GDPR; Article 7, IX (legítimo interesse) of the LGPD; and the "business purpose" exemption for publicly available B2B contact data under the CCPA/CPRA and comparable US state privacy laws): for collecting publicly available business contact data and facilitating B2B commercial communications to corporate subscribers (as defined in the Privacy and Electronic Communications Regulations 2003, to whom the consent requirements of Regulation 22 of those Regulations do not apply, and as treated as B2B communications under comparable laws in other jurisdictions). Our balancing assessment records that the processing is proportionate, limited to data published or voluntarily made available for business purposes, and subject to an absolute right to object exercisable at any time.
- Contract performance (Article 6(1)(b) of the UK and EU GDPR; Article 7, V of the LGPD; and performance-of-contract grounds under comparable US state privacy laws): for processing subscriber account data to provide our platform services.
- Legal obligation (Article 6(1)(c) of the UK and EU GDPR; Article 7, II of the LGPD; and legal compliance exemptions under US state privacy laws): where processing is required by law.
- Legitimate interests (Article 6(1)(f) of the UK and EU GDPR; Article 7, IX of the LGPD; and the "business purpose" of ensuring security, integrity, debugging, or short-term use under the CCPA/CPRA): for platform security and service improvement.
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals within the meaning of Article 22 of the UK and EU GDPR, Article 20 of the LGPD, or equivalent provisions under other applicable data protection law.
4. How We Use Personal Data
We use personal data to provide and operate our platform services, facilitate outreach communications on behalf of subscribers, manage campaign reporting, maintain opt-out and suppression lists, and ensure platform security.
We do not sell personal data. We do not use personal data for unrelated advertising or profiling.
5. Who We Share Personal Data With
We work with a limited number of trusted third-party service providers who assist us in delivering our services. These providers fall into the following categories: data storage and hosting, email verification, email delivery infrastructure, AI technology, and workflow automation.
All third-party providers are bound by appropriate contractual obligations requiring them to process personal data securely and in accordance with applicable data protection law.
6. International Transfers
We operate globally, and some of our service providers may process personal data in jurisdictions other than the one in which you are located, including (without limitation) in the United Kingdom, the European Economic Area, the United States, and other countries. Where personal data is transferred across borders in circumstances that require a transfer mechanism under the applicable data protection law, we ensure that appropriate safeguards are in place, including: adequacy decisions or adequacy recognitions (including the EU-US Data Privacy Framework and any adequacy recognition issued by the ANPD); the UK International Data Transfer Addendum (IDTA); the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914); the Swiss FADP addendum; the ANPD-approved Standard Contractual Clauses under Resolution CD/ANPD No. 19/2024 (or any successor instrument) for transfers out of Brazil; binding corporate rules, approved certifications, or approved codes of conduct where applicable; and any other lawful transfer mechanism available under applicable law (including, where permitted, the derogations set out in Article 49 of the UK/EU GDPR or Articles 33 and 34 of the LGPD).
7. How Long We Keep Personal Data
- Subscriber account data: retained for the duration of the subscription and for up to 60 days thereafter for secure deletion or return.
- Prospect and campaign data: retained for the duration of the subscription and for up to 60 days thereafter.
- Suppression list data (opt-out records): retained for as long as necessary to prevent re-contacting individuals who have opted out. This data is limited to the minimum information needed to identify opted-out individuals and is not used for any other purpose.
- Technical and security logs: retained for up to 12 months for security and operational purposes.
Data is deleted securely when it is no longer needed for the purposes described in this policy.
8. Your Rights
You have an absolute right to object to the processing of your personal data for direct marketing purposes at any time.
Depending on your location and the applicable data protection law, you may have the following rights in relation to your personal data. Where you are located in the United Kingdom or the European Economic Area, the UK GDPR or EU GDPR grants you the following rights:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
Where you are located in Brazil, the LGPD grants you the following rights (Article 18 LGPD):
- Confirmation of the existence of processing
- Access to your personal data
- Correction of incomplete, inaccurate, or outdated data
- Anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD
- Data portability to another service or product provider
- Deletion of personal data processed on the basis of your consent
- Information about public and private entities with which we have shared your data
- Information about the possibility of refusing consent and the consequences of doing so
- Revocation of consent, where processing is based on consent
Where you are a California resident (or, as applicable, a resident of another US state with comprehensive privacy legislation such as Virginia, Colorado, or Connecticut), you have the following rights under the CCPA/CPRA and equivalent state laws:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioural advertising)
- Right to limit the use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your rights
If you are located in a jurisdiction not specifically mentioned above, you may still have rights in relation to your personal data under the data protection laws of that jurisdiction. Please contact us at privacy@outpilot.ai and we will respond in accordance with the applicable law.
How to exercise your rights
If Outpilot collected your data as a Controller (for example, we sourced your business contact information from publicly available sources): contact us directly at privacy@outpilot.ai.
If Outpilot processed your data as a Processor on behalf of a subscriber (for example, you received an outreach email from an organisation using our platform): please contact the organisation whose outreach email you received. They are the data controller for that campaign activity.
We will respond to rights requests within one calendar month.
You have the right to lodge a complaint with the data protection supervisory authority in your jurisdiction. Depending on where you are located, this may include:
- The Information Commissioner's Office (ICO) in the United Kingdom (ico.org.uk)
- The data protection authority of any EU or EEA Member State (a list is maintained by the European Data Protection Board at edpb.europa.eu)
- The Autoridade Nacional de Proteção de Dados (ANPD) in Brazil (gov.br/anpd)
- The California Privacy Protection Agency (CPPA) or the California Attorney General in California, or the Attorney General or equivalent regulator in other US states
- The Office of the Privacy Commissioner of Canada (priv.gc.ca)
- The Office of the Australian Information Commissioner (oaic.gov.au)
- The Personal Data Protection Commission (PDPC) in Singapore (pdpc.gov.sg)
- The Personal Information Protection Commission (PPC) in Japan (ppc.go.jp)
- Any other competent supervisory authority in your jurisdiction
9. AI and Automated Processing
We use AI technology to assist with generating outreach content on behalf of our subscribers. We do not use personal data to train AI models. All outreach content is reviewed and approved by our subscribers before it is sent.
10. Data Security
We implement appropriate technical and organisational security measures to protect personal data, including encryption, access controls, and regular review of our security practices. While we take reasonable steps to protect personal data, no system is completely secure.
11. Changes to This Privacy Policy
We may update this privacy policy from time to time. Changes will be published on this page with a revised "last updated" date. Where changes are material, we will communicate them to active subscribers.
12. Contact Us
If you have any questions about this privacy policy or how we handle personal data, please contact us:
- Email: privacy@outpilot.ai
- Address: Outpilot Ltd, 5 Beech Court, Hurst, Berkshire, England, RG10 0RQ