Privacy Policy

§ 01

Introduction / Who We Are

RawReach ("RawReach," "we," "us," or "our") is a behavioral marketing software-as-a-service (SaaS) platform incorporated and headquartered in Silicon Valley, California. We operate the website located at rawreach.io and all associated subdomains, APIs, and applications (collectively, the "Service").

This Privacy Policy describes how RawReach collects, uses, stores, and protects personal information that you ("User," "Subscriber," or "you") provide when using our Service. It also explains the rights you have under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, CCPA/CPRA), California Senate Bill 446 (SB 446), California Assembly Bill 853 (AB 853), and related regulations governing Automated Decision-Making Technology (ADMT 2026).

Summary: RawReach is a California company. California law governs how we handle your data. We take privacy seriously and have architected our systems specifically to minimize data footprint — especially for the raw behavioral inputs you submit.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

§ 02

What Data We Collect

We collect only the minimum personal information necessary to operate the Service. The following table enumerates every category of data we collect, its purpose, and how it is stored:

Data Element	Category	Storage Method	Required?
Email address	Account identity	Plaintext (used for login & communication)	Required
Phone number	Account identity / 2FA	`AES-256-GCM` encrypted at rest	Optional
Billing address	Payment processing	`AES-256-GCM` encrypted at rest	Required for paid plans
Payment last 4 digits	Payment record	Plaintext last-4 only; full PAN never stored	Required for paid plans
Consent logs	Legal compliance	Immutable audit ledger (timestamped, signed)	Required
AI analysis output	Service delivery	Encrypted, linked to account; subject to retention schedule	Required (Service output)
Generated marketing content	Service delivery	Stored in your account vault; deletable on demand	Required (Service output)
Page views & usage data	Analytics / product improvement	Aggregated, non-identifiable after 90 days	Automatic
IP address	Security / fraud prevention	Hashed after 30 days; used only for security	Automatic
Session tokens	Authentication	HttpOnly secure cookies; expire on logout or 14 days	Automatic

Raw behavioral submissions (the inputs you provide for analysis — including but not limited to text, behavioral descriptors, communication samples, and audience profiling data) are subject to our Zero-Footprint Protocol (§ 06) and are permanently purged upon content delivery. They are not retained in our long-term data stores.

What we do NOT collect: Social Security numbers, government-issued ID numbers, genetic or biometric data, financial account numbers beyond last-4, precise geolocation, or any data from individuals under 18 years of age.

§ 03

How We Use Your Data

We use your personal information only for the following purposes:

Service delivery: Processing your submissions, running AI linguistic analysis, and delivering generated marketing content to your account dashboard.
Account management: Creating and maintaining your account, authenticating logins, enabling two-factor authentication, and communicating account-related notices.
Billing and payments: Processing subscription fees and one-time purchases through Stripe. We do not store full payment card data.
Customer support: Responding to inquiries, troubleshooting issues, and resolving disputes.
Security and fraud prevention: Detecting, investigating, and preventing unauthorized access, fraudulent transactions, or misuse of the Service. IP addresses are used solely for this purpose.
Legal compliance: Maintaining consent logs and responding to lawful legal process, regulatory inquiries, or consumer rights requests.
Product analytics (aggregated): Understanding how the Service is used in aggregate to improve features. Individual usage data is anonymized before analysis.
Communications: Sending transactional emails (receipts, password resets, security alerts) and, with your consent, marketing communications. You may opt out of marketing emails at any time.

We do not use your data to train AI models. See the No AI Training Clause (§ 12) for the full contractual commitment.

We process your personal information only when we have a valid legal basis: (a) performance of our contract with you; (b) compliance with a legal obligation; (c) your explicit consent; or (d) our legitimate business interests where those interests are not overridden by your rights.

§ 04

Data Retention

The following retention schedule governs all data categories. Retention periods are calculated from the trigger event (account closure, content delivery, or last activity, as specified). This schedule mirrors the commitments made in Section 19 of our Terms of Service. CCPA/CPRA SB 446

Data Category	Retention Period	Trigger Event	Deletion Method
Raw behavioral submissions	Immediate	Upon content delivery to User	Secure overwrite (NIST 800-88)
Generated marketing content	Until account deletion or 36 months of inactivity	Last account activity / account closure	Cryptographic erasure + overwrite
AI analysis outputs	Until account deletion or 36 months of inactivity	Last account activity / account closure	Cryptographic erasure + overwrite
Account identity (email, phone)	30 days post-account closure	Account deletion request confirmed	Hard delete from all datastores
Billing address	7 years	Last transaction date	Hard delete (legal hold lifted)
Payment last 4 / transaction records	7 years	Last transaction date	Hard delete (legal hold lifted)
Consent logs	7 years	Consent recorded	Archived (cannot be deleted; legal obligation)
IP addresses	30 days (raw) / 90 days (hashed)	Date of collection	Auto-hashed at 30d; purged at 90d
Session tokens	14 days or logout (whichever first)	Session creation	Auto-expiry; immediate on logout
Usage / analytics data	90 days (identifiable) / 24 months (aggregated)	Date of collection	Anonymization at 90d; purge at 24m
Support communications	3 years post-resolution	Ticket closure	Hard delete
Backup snapshots	30 days rolling	Snapshot creation	Auto-expiry from backup store

Mandatory Legal Holds: Financial records (billing, transactions) and consent logs are subject to a mandatory 7-year retention period under California and federal law. We cannot honor deletion requests for these specific records during the applicable hold period, but they are fully encrypted and access-restricted. All other data categories are fully deletable upon verified consumer request.

§ 05

Split-Storage Protocol SB 446

In compliance with California Senate Bill 446 and best practices for sensitive behavioral data, RawReach employs a Split-Storage Protocol that architecturally separates identifying information from behavioral data.

Under this protocol:

Identity Store: Your name, email, billing information, and account credentials are stored in an isolated identity datastore. This store is access-controlled and encrypted with unique per-tenant keys.
Behavioral Data Store: Behavioral inputs and analysis results are stored in a separate datastore, referenced only by a randomly generated, non-guessable UUID that carries no inherent link to your identity.
Key-Join Layer: The mapping between your identity and your behavioral UUID is held in a third, strictly access-logged key-join layer. Access to this layer requires multi-party authorization and generates an immutable audit entry.
Breach Containment: If any single datastore is compromised, the attacker cannot correlate behavioral data to a real-world identity without also compromising the key-join layer under separate authorization.

SB 446 Compliance Statement: RawReach's Split-Storage Protocol is designed to satisfy and exceed the data segregation requirements of California SB 446 as applied to behavioral analysis platforms. We do not store behavioral profiles and personal identifiers in a jointly queryable system.

The Split-Storage Protocol is reviewed semi-annually by our security team. Any architectural changes that would reduce the separation of stores require written sign-off by the Data Protection Officer and notification to affected Users if required by applicable law.

§ 06

Zero-Footprint Protocol for Raw Submissions

RawReach operates a Zero-Footprint Protocol for all raw behavioral submissions — defined as any text, behavioral descriptors, communication patterns, audience profile data, or other input material you submit for AI analysis.

Core Commitment: Raw submissions are processed in ephemeral, in-memory compute environments and are permanently purged upon delivery of generated content to your dashboard. They are never written to persistent disk storage, never included in database backups, and never transmitted to third-party services beyond the AI inference pipeline necessary for service delivery.

The Zero-Footprint Protocol operates as follows:

Submission Ingestion: Your raw input is received over TLS 1.3 and held exclusively in encrypted RAM for the duration of processing.
Processing Pipeline: The input is tokenized and passed to the AI inference layer. No intermediate states are logged to disk.
Output Generation: Generated content is produced, encrypted with your account's tenant key, and written to your account vault.
Purge Confirmation: The in-memory buffer holding your raw input is securely overwritten immediately after output generation completes. A purge confirmation event is recorded in the audit log (without retaining the content itself).
No Backup Retention: Because raw submissions never touch persistent storage, they are never present in backup snapshots, replication logs, or disaster recovery images.

SB 446 This protocol is the technical implementation of our California Zero-Retention compliance commitment. The footer of every RawReach page carries notice of this practice: "All raw data is permanently purged upon content delivery to ensure California Zero-Retention compliance."

§ 07

Right to Know (Access)

Under the CCPA/CPRA CCPA/CPRA, you have the right to request that RawReach disclose the personal information we have collected about you in the preceding 12 months. This includes:

The categories of personal information collected
The specific pieces of personal information collected about you
The categories of sources from which information was collected
The business or commercial purposes for collecting the information
The categories of third parties with whom we share the information

Self-Service JSON Export

Log in to your dashboard, navigate to Account → Privacy → Export My Data. A complete JSON export of all retained personal information is generated within 48 hours and available for download for 7 days.

Written Request

Submit a verified consumer request to privacy@rawreach.io. We will respond within 45 days (extendable by 45 days with notice, per CPRA). We may require identity verification.

You may make a verifiable consumer request for access no more than twice within a 12-month period. We do not charge a fee for the first request per year.

Note: Because raw behavioral submissions are purged upon delivery under the Zero-Footprint Protocol, they are not available for export — they no longer exist in our systems.

§ 08

Right to Delete

You have the right to request deletion of personal information RawReach has collected from you, subject to certain legal exceptions (e.g., financial records under mandatory hold). CCPA/CPRA

RawReach offers two deletion pathways:

Nuke Account

Dashboard: Account → Privacy → Delete Account. Immediately schedules deletion of all non-legally-held data within 30 days. Account becomes inaccessible immediately. A confirmation email is sent.

Download & Destroy

Dashboard: Account → Privacy → Download & Destroy. Exports your data as JSON, then initiates the full deletion sequence. You receive your data before anything is deleted.

Upon confirmed deletion, we will:

Delete your account identity (email, phone, name) from all active systems within 30 days.
Cryptographically erase all AI analysis outputs and generated content.
Sever the key-join mapping (Split-Storage Protocol), rendering any residual behavioral UUIDs permanently de-identified and unlinkable.
Instruct our service providers (Stripe) to delete associated personal information to the extent permitted by their own legal obligations.
Retain only: billing records and consent logs for the mandated 7-year period, stored encrypted and access-restricted.

We will confirm completion of deletion in writing within 45 days of the verified request. AB 853

§ 09

Right to Opt-Out of AI Processing (ADMT)

Under California's Automated Decision-Making Technology regulations (ADMT 2026), you have the right to opt out of automated processing that produces legal or similarly significant effects on you.

Important Context: RawReach's AI analysis is a tool you actively invoke to generate marketing content for your own use. It does not make decisions that affect your access to credit, employment, housing, insurance, education, or other legally significant outcomes. However, we respect your ADMT opt-out rights regardless.

If you opt out of AI processing:

Your submissions will no longer be processed by our AI linguistic analysis engine.
You will not receive AI-generated content outputs from those submissions.
Your account remains active and you retain access to any previously generated content.
You may opt back in at any time from your dashboard settings.

Opt Out via Dashboard

Navigate to Account → Privacy → AI Processing and toggle to Opt Out. Effective immediately for all new submissions.

Opt Out via Email

Send a request to privacy@rawreach.io with subject line: "ADMT Opt-Out Request." We will process within 15 business days and confirm in writing.

We will not discriminate against you for exercising your ADMT opt-out right. We will not deny you service, charge a different price, or provide a reduced quality of service solely because you exercised this right — though opting out of AI processing will functionally limit certain AI-dependent features of the Service.

§ 10

Right to Opt-Out of Sale — We Do Not Sell Your Data

RawReach does not sell personal information. We have never sold personal information, and we do not share personal information with third parties for their direct marketing or advertising purposes. We do not sell, rent, lease, license, or otherwise transfer personal information to data brokers or third-party advertisers for monetary or other valuable consideration.

Because we do not sell personal information, there is no opt-out mechanism required. However, in the event our practices change, we will: CCPA/CPRA

Provide at least 30 days' notice before any sale of personal information begins;
Add a prominent "Do Not Sell or Share My Personal Information" link to our homepage and footer;
Honor all previously submitted opt-out requests without requiring re-submission.

We do share limited information with Stripe solely for payment processing. This sharing is a service provider relationship, not a "sale" under CCPA/CPRA. Stripe is contractually prohibited from using your data for any purpose other than processing your payments for RawReach. See § 15 (Third Parties) for details.

§ 11

Global Privacy Control (GPC)

RawReach honors Global Privacy Control (GPC) signals as required by the California Attorney General's CCPA enforcement guidance. CCPA/CPRA

Automatic Opt-Out: When our systems detect a valid GPC signal from your browser or device, we automatically apply an opt-out of any data sharing that constitutes a "sale" or "sharing" under CCPA/CPRA. This applies to all California residents and any User choosing to exercise this control regardless of jurisdiction.

How our GPC implementation works:

Detection: Our web application reads the Sec-GPC: 1 HTTP header and the navigator.globalPrivacyControl JavaScript property on every page load.
Automatic Application: Upon detection, we set a session-level and account-level opt-out flag that disables any cross-context behavioral advertising data flows.
No Action Required: You do not need to manually submit an opt-out request if GPC is enabled in your browser. The signal is honored automatically.
Persistence: If you are logged in when GPC is detected, the opt-out preference is persisted to your account and honored in future sessions even on devices without GPC enabled.
Conflict Resolution: If you have previously opted in to a sharing practice and your browser subsequently sends a GPC signal, the GPC signal takes precedence.

To enable GPC in your browser, install a compatible browser extension or use a browser with native GPC support (e.g., Firefox with privacy settings enabled, Brave with GPC enabled). Visit globalprivacycontrol.org for a list of compatible tools.

§ 12

No AI Training Clause

Your data is never used to train AI models — full stop.

RawReach makes the following binding commitments regarding AI model training:

No Training on User Data: We will never use your personal information, raw behavioral submissions, generated content, account activity, or any other data associated with your account to train, fine-tune, evaluate, or improve any AI or machine learning model — whether operated by RawReach or any third party.
No Sharing for Training: We will never share your data with any third party for the purpose of AI model training, dataset creation, benchmarking, or related research activities.
Third-Party AI Services: Where we use third-party AI inference services to process your submissions, we select providers contractually bound by equivalent no-training clauses. We will disclose the identity of those providers upon written request to privacy@rawreach.io.
Audit Rights: Enterprise Subscribers (Tier 3 and above) may request a written attestation from RawReach confirming compliance with this No AI Training Clause for their account data during the prior 12 months.
Survivability: This clause survives termination of your account and any change in ownership of RawReach. Any acquirer of RawReach's business must assume this obligation as a condition of any asset transfer involving User data.

This clause is also incorporated by reference into our Terms of Service and constitutes a material term of our agreement with you.

§ 13

ADMT Disclosure

In compliance with California's Automated Decision-Making Technology regulations effective 2026 (ADMT 2026), RawReach provides the following disclosure regarding our use of automated processing:

Nature of Automated Processing: RawReach uses large language model (LLM) AI systems to perform linguistic pattern analysis on text and behavioral inputs submitted by Users, and to generate marketing copy, messaging frameworks, and related content outputs. This processing is solely for the purpose of delivering the content you requested.

Scope of Automated Processing:

What is automated: Linguistic pattern recognition, semantic analysis, tone profiling, audience segmentation modeling, and generative content drafting.
What is not automated: Account approval, pricing decisions, access control, and any determination affecting your legal rights or access to services. These are handled by human review or rule-based (non-AI) systems.
Consequential Decisions: RawReach does not use AI to make or substantially contribute to decisions that produce legal or similarly significant effects on consumers, as defined under ADMT 2026.
Human Oversight: All AI-generated content is delivered to your account as a draft output under your editorial control. You review, approve, and deploy any content. RawReach's AI does not autonomously publish, transmit, or act on your behalf without your affirmative instruction.

Model Information:

We use state-of-the-art LLMs from providers who have agreed to our data processing terms. The specific models in use may change as the AI landscape evolves. Current model providers are disclosed to Enterprise Subscribers upon request.
Our AI systems do not perform profiling for purposes of predicting your behavior, preferences, or characteristics beyond what is necessary to complete your requested content generation task.

You may opt out of all AI processing at any time. See § 09 (Right to Opt-Out of AI Processing) and use the anchor #opt-out on this page.

§ 14

How We Protect Your Data

RawReach implements layered technical and organizational security measures designed to protect your personal information against unauthorized access, disclosure, alteration, and destruction.

Control	Implementation
Encryption at Rest	All personal data encrypted with AES-256-GCM. Encryption keys managed via per-tenant key hierarchy with hardware-backed key storage.
Encryption in Transit	TLS 1.3 enforced on all connections. HSTS with a minimum 1-year max-age. Certificate pinning on mobile clients.
Authentication	Bcrypt password hashing (cost factor 12+). Optional TOTP-based 2FA. Brute-force rate limiting. Anomalous login detection.
Session Security	HttpOnly, Secure, SameSite=Strict cookie flags. Session tokens rotated on privilege escalation. Absolute session timeout at 14 days.
No Raw Storage	Zero-Footprint Protocol (§ 06) ensures raw behavioral submissions never touch persistent storage.
Access Controls	Role-based access control (RBAC) for all internal systems. Principle of least privilege enforced. Multi-party authorization required for key-join layer access (Split-Storage Protocol).
Audit Logging	Immutable audit log for all data access events. Logs retained 7 years. Tamper-evident signatures.
Vulnerability Management	Automated dependency scanning. Quarterly penetration testing by independent third party. Responsible disclosure program at security@rawreach.io.
Incident Response	Documented incident response plan. Breach notification to affected Users within 72 hours of confirmed breach (exceeding CCPA 45-day requirement). Notification to California AG for breaches affecting 500+ residents.

No security system is impenetrable. In the event of a data breach, we will notify you promptly and cooperate with law enforcement and regulatory authorities as required by law.

§ 15

Third Parties

RawReach intentionally limits the number of third parties that receive your personal information. The following table reflects all third-party data sharing as of the date of this policy:

Third Party	Purpose	Data Shared	Sale?
Stripe, Inc.	Payment processing	Billing address, payment card data (processed directly by Stripe; we receive only last-4 and token)	No
Cloud Infrastructure Provider	Hosting and compute	Encrypted data at rest; provider cannot access plaintext	No
AI Inference Provider(s)	LLM processing for content generation	Anonymized submission tokens only; no account identity transmitted; no-training clause in effect	No
Transactional Email Provider	Sending receipts, security alerts, password resets	Email address and message content only	No

We do not share data with: data brokers, advertising networks, marketing platforms, social media companies, analytics resellers, credit bureaus, insurance companies, employers, or any other third party not listed above.

All service providers listed above are bound by Data Processing Agreements (DPAs) that: (a) prohibit use of your data for any purpose beyond performing services for RawReach; (b) require equivalent security standards; (c) require prompt breach notification to RawReach; and (d) require deletion of your data upon termination of the service relationship.

We may disclose personal information to government authorities or law enforcement if required by valid legal process (subpoena, court order, or equivalent). We will notify you of such disclosure unless prohibited by law or court order, and we will challenge overbroad legal process to the extent permitted.

In the event of a merger, acquisition, or sale of all or substantially all of RawReach's assets, User data may be transferred to the acquiring entity, subject to this Privacy Policy. We will notify you via email and prominently on our website at least 30 days before any such transfer, and you will have the right to request deletion of your data before the transfer completes.

§ 16

Children's Privacy

RawReach is a business-to-business marketing SaaS platform intended exclusively for use by individuals who are 18 years of age or older. We do not knowingly collect, process, or store personal information from anyone under the age of 18.

If you are under 18, you are not permitted to use the Service and must not submit any personal information to us. If you are a parent or guardian and believe that your minor child has provided us with personal information, please contact us immediately at privacy@rawreach.io and we will promptly delete that information.

We do not knowingly process children's data within the meaning of the Children's Online Privacy Protection Act (COPPA), the CPRA, or any equivalent state or international law governing minors' data.

§ 17

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or our Service. When we make material changes, we will:

Update the "Last Updated" date at the top of this page;
Send an email notification to all active Users at least 30 days before the changes take effect;
Display a prominent banner on the dashboard for 30 days following publication;
For changes that materially reduce your privacy protections, provide an opt-out mechanism or the ability to close your account before the change takes effect.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes, to the extent permitted by applicable law. If you do not agree with the revised policy, you may request deletion of your account before the effective date.

We maintain an archive of prior versions of this Privacy Policy. You may request a copy of any prior version by contacting us at privacy@rawreach.io.

§ 18

Contact

For all privacy-related inquiries, consumer rights requests, ADMT opt-out requests, or concerns about this Privacy Policy, please contact us:

Channel	Contact	Response SLA
Privacy Requests (CCPA/CPRA)	`privacy@rawreach.io`	45 days (extendable to 90 per CPRA)
Security Vulnerabilities	`security@rawreach.io`	48 hours acknowledgment
General Inquiries	`hello@rawreach.io`	5 business days
Takedown Requests (SB 1142)	Takedown Request Form	10 business days
Mailing Address	RawReach, Inc. · Silicon Valley, California · USA	—

When submitting a consumer rights request by email, please include: (a) your full name as registered on the account; (b) the email address associated with your account; (c) the specific right(s) you are exercising; and (d) any additional information we may need to verify your identity. We may ask for additional verification for sensitive requests to protect against fraudulent access.

California Residents: If you are not satisfied with our response to your privacy request, you have the right to appeal our decision within 30 days of receiving our response by emailing privacy@rawreach.io with "CPRA Appeal" in the subject line. You also have the right to lodge a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.

Table of Contents