SEC / OUTBOUND Home

Privacy Policy

Effective date: June 23, 2026 Last updated: July 8, 2026

Sleet Labs LLC (the "Company," "we," "us," or "our") operates the SEC/OUTBOUND service at secoutbound.com (the "Service"). This Privacy Policy explains how we handle information when you visit the website, fill out a form, or engage SEC/OUTBOUND as a client.

We collect only what we need to run the Service. We do not sell personal information.

1. Who we are

Legal entity Sleet Labs LLC, a Wyoming limited liability company
Mailing address 5830 E 2nd St, Ste 7000, Casper, WY 82609, USA
Contact email privacy@secoutbound.com
Data Protection Officer We have assessed that we are not required to appoint a Data Protection Officer. Privacy inquiries are handled via privacy@secoutbound.com.
Our role For personal data of the prospects we email, Sleet Labs LLC acts as an independent "business" under US state privacy laws (and an independent controller for any residual UK/EU data): we determine the purposes and means of the processing, operate the sending infrastructure on domains we own, and source the data. Our clients are separate, independent businesses/controllers for their own use of any data we deliver to them. We do not act as our clients' service provider or processor for that outbound prospecting. Scheduling/calendar exception (under review): where we operate a meeting scheduler on a client's behalf and hold authorization to write to that client's calendar, we may act as that client's processor/service provider for that specific booking-and-calendar processing. That role determination is being finalized; until it is, no real booking data is processed, and any processor relationship will be governed by a data processing addendum with the client.

2. What information we collect

From visitors to secoutbound.com

From prospects we email to promote our clients' offers

From clients

3. How we use information

Purpose Legal basis
Respond to inquiries from the contact form Legitimate interest
Send outbound emails promoting our clients' offers (as an independent controller) Legitimate interest (B2B prospecting)
Provide the Service to clients we have engaged Contract performance
Comply with legal obligations (tax, anti-fraud, CAN-SPAM, etc.) Legal obligation
Improve the Service (aggregate analytics) Legitimate interest

We do not use information for behavioral advertising or for profiling decisions with legal effect.

4. How we share information

We share information only with:

We do not sell personal information to third parties. We do not "share" personal information for cross-context behavioral advertising (CCPA term of art).

5. Geographic scope and international transfers

We operate from, and provide the Service to clients and prospects located in, the United States only. We do not currently offer the Service in, or send outbound email to recipients in, any other country. We will add other geographies (United Kingdom, Canada, European Union, Australia, etc.) only after we complete jurisdiction-specific legal review.

Residual non-US data: our website is reachable from outside the United States, so we may incidentally receive personal data from non-US visitors (for example, a UK visitor who submits the contact form). Where we hold such data, we process it in the United States; for any UK or EU personal data, we rely on an appropriate transfer mechanism — the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or the EU–US Data Privacy Framework (and its UK Extension) where a sub-processor is certified. We do not target or market to individuals outside the United States.

6. Sub-processors

We use the following third-party services. Each provider that processes live client or prospect data is bound by a data processing agreement or equivalent contractual protection. A provider listed ahead of a feature going live is marked as pending its data processing agreement and processes no real client or prospect data until that agreement is executed:

Sub-processor Purpose Data shared
Vercel, Inc. Website hosting, form endpoint, AI Gateway Server logs, form submissions, AI inputs/outputs
Cloudflare, Inc. DNS, registrar, network security IP addresses, request metadata
Railway Corp. Application hosting/compute, managed PostgreSQL database, and Redis cache for the self-hosted cal.diy booking scheduler. Data processing agreement executed (DocuSign, 2026-07-09) — synthetic test data only until the cal.diy scheduler goes live; no real booking data yet. Server and application logs; once live, booking records (booker name, work email, meeting time and time zone, event/meeting title, connected-calendar references, booking-form answers)
Plus Five Five, Inc. (d/b/a Resend) Transactional email delivery — contact-form notifications now; booking confirmations, reminders, reschedules, and cancellations once the self-hosted scheduler is live Form submission data (name, email, message); booking-lifecycle email and its metadata
Google LLC Workspace (mailbox, calendar) Email content, contact metadata
ZenLeads Inc. (d/b/a Apollo.io) Third-party B2B data source (independent provider) We retrieve public business contact data
GBD Software as a Service Ltd. (d/b/a MillionVerifier) Email address verification Email addresses (verification only)
521 Products Pty Ltd (d/b/a Smartlead) Outbound email sending and tracking Prospect contact data, email content, engagement events
Anthropic PBC (via Vercel AI Gateway) AI-assisted email personalization Prospect public profile snippets sent to the model; inputs are not used to train the model under our Vercel AI Gateway / Anthropic commercial terms
Supabase, Inc. Per-client dashboard + CRM (Postgres with row-level security) Prospect engagement data
Cal.com, Inc. (hosted scheduler only) Meeting scheduling Booking details, calendar metadata
Pluot Communications, Inc. (d/b/a Daily.co) Cal Video meeting rooms for cal.diy booking events (video/screen-share hosting). Data processing agreement in effect (Daily online DPA, incl. US state-law service-provider terms) — synthetic test data only until the cal.diy scheduler goes live; no real booking data yet. Participant display name, IP address, in-call audio/video/screen-share media (not recorded), room/session metadata
Stripe, Inc. Payment processing for clients Billing details (we never see full card data)

ZenLeads Inc. (Apollo.io) and GBD Software as a Service Ltd. (MillionVerifier) are independent third-party data sources from which we obtain or verify business contact data as an independent controller; the other entities are sub-processors that process data on our behalf. Self-hosted cal.diy is not approved for real booking personal data until each newly added processor's data processing agreement is executed, the connected-calendar authorization (Google Calendar OAuth) model is reviewed, and clients receive any required change notice. The application hosting/compute layer, the managed PostgreSQL database, and the Redis cache have been selected and are listed above — Railway Corp. — and the booking email-delivery layer (Resend) and the video/meeting-link provider (Cal Video, provided by Pluot Communications, Inc. (d/b/a Daily.co)) have also been selected and are listed above; Railway's and Daily's data processing agreements are now executed and in effect; real booking data will flow only after the self-hosted scheduler completes its go-live readiness review, and the scheduler otherwise uses synthetic test data only for now.

A current list of our sub-processors is published at https://secoutbound.com/subprocessors, where clients may subscribe to receive change notices. We will give clients at least 30 days' notice of material sub-processor changes by email before the new sub-processor begins processing their data.

7. Data retention

Data type Retention period
Contact form submissions 24 months from submission, then deleted
Server logs 30 days
Prospect engagement data 12 months from last activity, then anonymized
Booking & scheduling records (scheduler + connected calendar) 12 months from last booking activity, then anonymized or deleted; calendar references removed on deletion; deletion/objection requests honored within 30 days
Client data For the duration of the engagement + 7 years (tax/legal)
Marketing list (people who explicitly subscribed) Until unsubscribe
Unsubscribe / opt-out lists Indefinitely (legally required to honor opt-outs)

8. Your rights

Depending on where you live, you have the right to:

If you are a California resident, see Section 8A for additional rights under the CCPA/CPRA.

To exercise any right, email privacy@secoutbound.com. We will respond within 30 days. To unsubscribe from outbound emails, use the unsubscribe link in any email or write to unsubscribe@secoutbound.com.

8A. California residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA):

The categories of personal information we collect are described in §2 — principally identifiers and professional/employment information; we do not collect sensitive personal information; and we retain it as described in §7. To exercise these rights, email privacy@secoutbound.com or write to the address in §13. You may use an authorized agent, in which case we may verify your identity and the agent's authority. We will respond within 45 days (extendable by an additional 45 days with notice).

9. Cold email and unsubscribe (CAN-SPAM)

For outbound email, we follow these rules:

10. Security

We use standard technical and organizational measures to protect information:

No system is perfectly secure. If we discover a personal-data breach, we will notify affected individuals without undue delay where the breach is likely to result in a high risk to them, and we will notify regulators where and within the time required by applicable law (for any residual UK/EU data, the relevant supervisory authority within 72 hours of becoming aware where the breach is reportable; and as otherwise required by applicable US state law).

11. Children's privacy

The Service is intended for business use only. We do not knowingly collect information from anyone under 16. If we learn we have collected information from a minor, we will delete it.

12. Changes to this policy

We may update this policy from time to time. We will email clients about material changes and post the revised policy at this URL with a new "Last updated" date. Continued use of the Service after a change means you accept it.

13. Contact

Questions about this Privacy Policy or your data:

Sleet Labs LLC 5830 E 2nd St, Ste 7000 Casper, WY 82609, USA Email: privacy@secoutbound.com