PRIVACY

Privacy Policy

Last updated: May 10, 2026

Short version: Wallyy is an outbound execution tool. We collect the data needed to run that tool — your account, the prospects you upload, and (when you connect your mailbox) the messages we send and receive on your behalf. We do not sell your data, we do not train AI models on your mailbox content, and we follow Google's Limited Use requirements for Gmail data.

1. Who we are

This Privacy Policy describes how Wallyy ("we", "us", or "our"), operating the service at wallyy.com (the "Service"), collects, uses, and shares information about you when you create an account, connect a mailbox, upload prospects, or otherwise use the Service.

For privacy questions, email legal@wallyy.com.

2. Information we collect

Account information

When you sign up, we collect your name, email address, authentication identifiers (provided by our auth provider Clerk), and the workspace settings you configure. If you pay for a plan, our payment processor Stripe receives your billing details and we store a non-sensitive billing record (plan, status, last 4 digits/brand of card, subscription dates).

Prospect data you upload

You can import prospects (names, email addresses, company information, custom fields, notes). This data is stored in our database and is visible only to your account. You are responsible for ensuring you have a lawful basis to contact these prospects (CAN-SPAM, GDPR, CASL, and any other applicable rules).

Connected mailbox data (Gmail / Outlook)

When you connect Gmail or Outlook via OAuth, the relevant provider (Google or Microsoft) issues us access and refresh tokens. We store these tokens encrypted at rest. We use them to:

  • Send outbound emails you authored or that Wallyy drafted for your review;
  • Read incoming replies to those emails so we can classify them, surface them in your inbox view, and mark prospect tasks as done;
  • Look up basic profile info (your name, email, mailbox identifier) so we can show you which account is connected.

3. Google API Services — Limited Use disclosure

Wallyy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Gmail data to provide the user-facing features of Wallyy (sending outbound mail you authorize, ingesting replies to those sends, and drafting AI-assisted follow-ups you review).
  • We do not transfer Gmail data to other parties except as needed to provide or improve the user-facing features, or as required by law.
  • We do not use Gmail data for serving advertising, and we do not sell Gmail data.
  • We do not allow humans to read Gmail data unless (a) we have your specific consent, (b) it is necessary for security investigations or to comply with applicable law, or (c) the data has been aggregated and anonymized for internal operations.
  • We do not use Gmail data to train generalized or third-party AI or machine-learning models. AI features that operate on email content (such as reply classification or draft generation) use ephemeral inference calls scoped to your account and are not retained by the model provider for training.

4. Microsoft Graph data use

When you connect an Outlook / Microsoft 365 mailbox, we use the Microsoft Graph delegated scopes you grant (Mail.ReadWrite, Mail.Send, User.Read, offline_access) solely to deliver the same user-facing features as Gmail (send, reply ingestion, profile lookup). The same restrictions in section 3 apply to Microsoft data: no sale, no advertising, no AI model training.

5. Telemetry and product analytics

We collect basic product telemetry to operate and improve the Service: request logs, error reports, performance metrics, and anonymized usage events (e.g. "a prospect was added", "an email was sent"). This data does not include the content of your prospects' messages or your mailbox content, and is kept separate from identifiable user records where feasible.

6. How we use information

  • Provide, maintain, and improve the Service;
  • Authenticate you and secure your account;
  • Send transactional emails (receipts, security alerts, product updates);
  • Generate AI-assisted drafts and classifications from prompts you submit;
  • Process payments via Stripe;
  • Detect and prevent fraud, abuse, and violations of our Terms;
  • Comply with legal obligations.

7. Third-party processors

We use the following service providers to run Wallyy. Each receives only the data needed for their role:

  • Vercel — hosting and request logs.
  • Neon / Postgres — encrypted application database.
  • Clerk — authentication, sign-in, and session management.
  • Stripe — payment processing and subscription billing. We never see or store your full card number.
  • Google LLC — Gmail API access when you connect Gmail.
  • Microsoft Corporation — Microsoft Graph access when you connect Outlook / Microsoft 365.
  • AI model providers (e.g. OpenAI, Anthropic) — short-lived inference calls for draft generation, classification, and other AI features. These providers do not train models on the data we send.

8. Data retention

We retain your account data, prospect data, and message history for as long as your account is active. When you delete your account or disconnect a mailbox, we delete the associated OAuth tokens immediately and purge or anonymize related records on a rolling basis (typically within 30 days, faster on request). Backups are rotated and overwritten within 60 days.

9. Your rights

Depending on where you live (California, EU/EEA, UK, and other jurisdictions), you may have the right to access, correct, delete, port, or restrict our processing of your personal data, and to object to certain uses. To exercise any of these rights, email legal@wallyy.com from the email associated with your account. We respond within 30 days.

California residents (CCPA / CPRA): We do not sell or share personal information for cross-context behavioral advertising, so the "Do Not Sell or Share" right is satisfied by default. You also have the right to know, delete, and correct your information, and not be discriminated against for exercising these rights.

10. Security

We use industry-standard safeguards: TLS in transit, AES-256 encryption at rest for OAuth tokens, scoped IAM roles, audit logging, and regular dependency updates. No system is perfectly secure; if we ever discover a breach affecting your data, we will notify you without undue delay as required by law.

11. Children

Wallyy is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, email us and we will delete it.

12. International transfers

Wallyy is operated from the United States. By using the Service you consent to your data being processed in the United States, which may not have the same data-protection laws as your country.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, notify you by email or in-product banner before the change takes effect.

14. Contact

Questions about this Privacy Policy or our data practices? Email legal@wallyy.com.

See also: Terms of Service.