Legal
Privacy policy
This policy explains what personal data RemarketOS handles, why, for how long, and the rights you have over it — whether you're an operator with an account, a client of an operator, or someone who received an email sent through the platform.
Last updated: July 16, 2026
1. Who we are
RemarketOS is operated by APETEC LTD, a company registered in England and Wales (company number 17065917) with its registered office at 128 City Road, London, EC1V 2NX (“RemarketOS”, “we”, “us”). For data protection law in the UK and EU, we are based in the United Kingdom.
You can reach us about anything in this policy through the contact form or by writing to hello@apetec.co.uk.
2. Whose data we handle — and our role for each
RemarketOS touches personal data belonging to three groups of people:
- Operators — people who create a RemarketOS account. For your account, billing, and usage data, we are the data controller: we decide what is collected and why.
- Clients of operators — the local businesses an operator works with. For a client’s business details and Google connection, we are the controller of the connection records and a processor acting on the operator’s and client’s instructions when sending email and writing calendar events.
- Contacts on uploaded customer lists — the past customers a client asks their operator to win back, and the recipients of Business Finder pitches. For uploaded lists, the operator (and their client) is the controller; we are a processor. We store, clean, and send to those lists only as instructed by the operator through the product, and we never use them for anything else.
3. Data we collect
Account data (operators)
- Email address, name, and a password (stored as a hash by our auth provider, Supabase — we never see plaintext passwords).
- Plan and billing status. Payment is handled by Stripe; we store your Stripe customer reference and subscription state, never your card number.
Google connections
- When an operator or a client connects a Google account, we store the Google email address and OAuth tokens, encrypted at rest. We request exactly two permissions — send email and create calendar events. See Google account data below.
Client business details
- Business name, contact name and email, industry, website, phone, timezone, and postal address (required in campaign emails by US anti-spam law).
Uploaded customer lists
- Names, email addresses, and phone numbers of a client’s past customers, uploaded by the operator as a CSV or pasted list.
Booking data
- When someone books an appointment: their name, email, optional phone number, timezone, and the chosen time slot.
Business Finder results
- Publicly listed business information (name, address, rating, category, website, phone, published contact email) retrieved via our data provider, Apify.
Usage and technical data
- First-party product analytics (for example: signed up, ran the Finder, launched a campaign), delivery events for emails we send (sent, bounced, unsubscribed), IP-based rate-limiting records, and error reports via Sentry. We do not use third-party advertising trackers.
4. How we use it — purposes and legal bases
- Providing the service (accounts, sending campaigns and pitches as instructed, booking appointments, portals, support) — performance of a contract.
- Billing — performance of a contract and legal obligation (tax and accounting records).
- Compliance with email law — maintaining suppression lists of people who unsubscribed, bounced, or booked, so they are never emailed again — legal obligation and legitimate interest.
- Security and abuse prevention (rate limiting, bot checks via Cloudflare Turnstile, error monitoring) — legitimate interest in keeping the service safe.
- Product improvement — first-party, minimal analytics about feature usage — legitimate interest. We do not sell this data or share it with advertisers.
- Service emails (booking confirmations and reminders, booking notifications, account notices) — performance of a contract.
5. What we never do
- We never sell personal data, and we never “share” it for cross-context behavioral advertising as defined by the CCPA.
- We never read anyone’s inbox — the app does not hold the Google permission that would make it possible.
- We never use uploaded customer lists for anything other than the uploading operator’s own campaigns. Lists are never shared between accounts, pooled, or used to train AI models.
- We never supply consumer email lists. Campaigns can only be sent to a list an operator uploads on a client’s behalf.
6. Google account data
Connecting a Google account grants RemarketOS exactly two scopes: gmail.send (send email on the account’s behalf) and calendar.events (create and manage calendar events the app creates). We never request scopes that read, search, or modify inbox contents.
- OAuth refresh and access tokens are stored encrypted (AES-256-GCM) and used solely to send the emails and create the calendar events you or your client initiate through the product.
- Disconnecting or revoking a connection erases the stored refresh token immediately; deleting the related client or account removes it too. Any of these stops all sending for that connection at once.
- Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
7. If you received an email sent through RemarketOS
Emails sent through RemarketOS come from a real business — either a local business you’ve bought from before (email remarketing campaigns go only to a business’s own past customers) or an individual introducing their service to your business. In line with the US CAN-SPAM Act, every campaign email includes:
- a working one-click unsubscribe link, honored immediately and permanently;
- the sending business’s physical postal address;
- truthful sender information — mail is sent from the business’s own address, not a lookalike.
Once you unsubscribe, book, or your address bounces, you are added to a suppression list that is checked before every single send. If you want your data removed entirely, use the contact form and include the address the email was sent to — we will suppress it and pass deletion requests to the responsible business where they, not we, control the data.
8. Retention and deletion
We describe what the product actually does, not an aspirational schedule. The behaviour below is enforced in the software.
- Customer lists: purged immediately (database cascade) when the client they belong to is deleted, and when the operator’s account is deleted. Operators can delete a client at any time.
- Suppression records: retained even after the client or account they came from is deleted, because we have a continuing duty to make sure an unsubscribed, bounced, or booked address is never emailed again. Each record holds only the email address and the reason for suppression — nothing else.
- Google OAuth tokens: the stored refresh token is erased the moment a connection is disconnected or revoked, and when the related client or account is deleted. A revoked connection keeps no usable credential.
- Account data: deleted promptly when you delete your account — your profile, clients, uploaded lists, campaigns, bookings, Google connections, and the log of emails we sent for you are all removed. We hold no card data and keep no separate billing archive; payment records live with Stripe under their own retention.
- Email delivery logs: hold third-party recipient addresses, so they are purged after 90 days as a matter of data minimization, and are cleared immediately when the operator’s account is deleted.
- Portal links: expire after 90 days of inactivity — each time a client opens their portal the window extends, so an active link never lapses — and can be revoked at any time. An expired or revoked link exposes nothing.
- Product analytics: first-party usage events are retained to improve the product; when an account is deleted, its events are disassociated from the operator (the identifier is nulled) rather than kept against a named person.
9. Subprocessors
We use a small set of service providers to run RemarketOS. Each processes data only on our instructions under a data processing agreement:
| Provider | Purpose | Data involved |
|---|---|---|
| Vercel | Application hosting | All traffic to the app |
| Supabase | Database and authentication | All stored data; operator credentials |
| Stripe | Subscription billing | Operator name, email, payment details (held by Stripe) |
| Email sending and calendar (via connected accounts) | Outgoing emails, calendar events, OAuth tokens | |
| Apify | Business Finder data retrieval | Search terms; publicly listed business data |
| Postmark | Transactional email (confirmations, reminders, notices) | Recipient email and message content |
| Anthropic | AI editing and result descriptors | Draft email text and factual business fields sent for processing; not used to train models |
| Cloudflare | Bot protection (Turnstile) | IP address and browser signals on public forms |
| Sentry | Error monitoring | Technical error context; we minimize personal data in reports |
10. International transfers
We are UK-based; most of our subprocessors store data in the United States (our database region is in the US, close to most operators and their customers). Where personal data moves from the UK or EU to the US, we rely on the UK International Data Transfer Addendum and EU Standard Contractual Clauses with each provider, and on the EU–US Data Privacy Framework where the provider is certified.
11. Your rights (GDPR & CCPA)
Under UK/EU GDPR, you have the right to access, correct, delete, and receive a copy of your personal data, to restrict or object to our processing, and to withdraw consent where processing is based on consent. You also have the right to complain to the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority.
Under the CCPA/CPRA (California), you have the right to know what personal information we collect, to delete it, to correct it, and to not be discriminated against for exercising those rights. We do not sell or share personal information, so there is nothing to opt out of.
To exercise any right, use the contact form or email hello@apetec.co.uk. We verify requests and respond within one month (GDPR) or 45 days (CCPA). If your data is on a customer list controlled by an operator or their client, we will forward your request to them and suppress your address on our side in the meantime.
13. Security
- All traffic is encrypted in transit (TLS); data is encrypted at rest by our database provider.
- Google OAuth tokens are additionally encrypted at the application level with AES-256-GCM.
- Every database table is protected by row-level security, so one operator’s data — including uploaded lists — is never visible to another operator or client.
- Magic links and connect links are stored as hashes and expire; passwords are hashed by Supabase Auth.
No system is perfectly secure. If a breach affects your personal data, we will notify you and the relevant authority as the law requires.
14. Children
RemarketOS is a business tool for adults. You must be at least 18 to create an account, and we do not knowingly collect data from children. If you believe a child has provided us personal data, contact us and we will delete it.
15. Changes and contact
When we change this policy in a way that matters, we’ll update the date at the top and notify operators by email before the change takes effect. Minor clarifications may be posted without notice.
Questions, requests, or complaints: contact form, or write to APETEC LTD, 128 City Road, London, EC1V 2NX.