Back to WorkOnward Reach

Privacy policy

WorkOnward Reach Privacy Policy

Last updated: April 7, 2026

This Privacy Policy explains how WorkOnward Reach collects, uses, stores, discloses, and protects personal information when people visit our website, create an account, connect a mailbox, upload contacts, create campaigns, or otherwise use our services.

WorkOnward Reach is an email marketing and outreach platform. Because the product can process account information, contact data, campaign content, OAuth connection data, and email engagement events, we describe those practices in detail below. This policy is intended to be read together with our Terms of Service and, where applicable, a separate Data Processing Agreement.

1. Scope and roles

This policy applies to information processed through the WorkOnward Reach website, applications, APIs, and related services. It applies to information about our direct users, prospective users, website visitors, and the contacts that our users upload or send messages to through the platform.

For most customer workspace data, including contact lists and campaign content, WorkOnward Reach acts as a service provider, processor, or similar role on behalf of the customer that controls that data. For account registration, billing, security, product operations, and our own business administration, WorkOnward Reach acts as an independent controller or business.

  • If you are a customer using WorkOnward Reach for business outreach, you are responsible for deciding what data to upload and the legal basis for using that data.
  • If you are a contact or recipient whose information was uploaded by one of our customers, your rights request may need to be directed both to WorkOnward Reach and to the customer that controls the list or campaign.

2. Information we collect

Account and profile information

  • Name, email address, password hash or federated login details, organization or workspace details, and profile preferences.
  • Authentication events, session metadata, IP-derived security signals, device or browser information, and account recovery details.

Workspace and campaign information

  • Campaign names, sequences, templates, subject lines, body content, scheduling settings, suppression settings, mailbox assignments, and other outreach configuration.
  • Operational records such as launch history, send logs, bounce logs, unsubscribe records, complaint records, reply classifications, and analytics derived from campaign activity.

Contact and audience information

  • Contact names, email addresses, company information, roles, custom properties, list membership, tags, consent fields supplied by customers, and marketing status fields such as subscribed, unsubscribed, bounced, complained, or never subscribed.
  • Imported CSV or spreadsheet data, field mappings, import audit history, validation results, and list membership actions created during an import workflow.

Mailbox and integration information

  • OAuth connection metadata, connected mailbox email address, provider account identifiers, granted scopes, encrypted refresh and access tokens, mailbox watch state, and mailbox verification status.
  • Limited mailbox content or metadata needed to send messages, sync replies, classify replies, keep thread state accurate, or troubleshoot mailbox connection issues.

WorkOnward Reach does not need broad, unrelated use of mailbox data. Data accessed through connected mailbox integrations is used to provide the requested in-product mail features and related security, support, and compliance functions.

Usage, device, support, and billing information

  • Feature usage data, page views, log events, error reports, browser and device information, approximate location derived from IP address, and support communications.
  • Subscription, invoice, payment processor metadata, plan information, and service history if WorkOnward Reach offers paid services. WorkOnward Reach does not store raw payment card numbers.

3. How we collect information

  • Directly from you when you sign up, submit forms, connect integrations, configure campaigns, upload files, or contact support.
  • Automatically from your use of the service through logs, cookies, local storage, analytics tools, tracking events, and security systems.
  • From integrated providers such as Google or Microsoft when you authorize mailbox access.
  • From customer-uploaded files and list imports when a user imports contact data into a workspace.
  • From third-party service providers such as payment processors, cloud infrastructure providers, support tools, and analytics vendors.

4. Why we process information

  • To create and secure accounts, authenticate users, and keep workspaces isolated.
  • To store and render templates, sequences, campaigns, inbox views, analytics, and related operational data.
  • To send email through connected mailboxes or other supported delivery infrastructure and to process replies, opens, clicks, bounces, complaints, and unsubscribe events.
  • To provide consent management, suppression handling, unsubscribe enforcement, and abuse prevention features.
  • To operate CSV import, validation, deduplication, segmentation, and audience management workflows.
  • To power product features such as AI drafting, classification, template assistance, and workflow recommendations when enabled.
  • To detect security incidents, investigate abuse, enforce platform rules, comply with law, and protect WorkOnward Reach, customers, recipients, and third parties.
  • To provide customer support, communicate about the service, improve reliability, and perform internal analytics and product planning.

5. Legal bases and business purposes

Where data protection law requires a legal basis, WorkOnward Reach generally relies on one or more of the following: performance of a contract, legitimate interests, legal obligations, consent, and protection against fraud, abuse, and security threats.

For customer-uploaded outreach data, the customer is generally responsible for determining and documenting the lawful basis for collecting and using recipient information. Depending on the jurisdiction, that may include consent, legitimate interests, or another permitted basis. WorkOnward Reach may provide features that help customers manage consent and suppression status, but those features do not replace the customer's own legal obligations.

6. Email, outreach, and compliance processing

WorkOnward Reach processes campaign and outreach data to draft, schedule, send, and measure customer communications. This includes recipient addresses, content, metadata, delivery status, reply status, bounce status, complaint status, unsubscribe status, and analytics records.

Campaign messages sent through WorkOnward Reach may include sender identification, unsubscribe links, physical address content provided by the customer, tracking pixels, and compliance headers such as one-click unsubscribe headers where supported. Customers are responsible for ensuring that the content, audience, and legal basis for each send are lawful.

  • WorkOnward Reach may automatically suppress unsubscribed, complained, or bounced contacts based on account and campaign settings.
  • WorkOnward Reach may automatically pause or restrict sending when complaint rates, bounce rates, or abuse indicators exceed platform thresholds.
  • WorkOnward Reach does not sell uploaded contact lists and does not use imported audience data for unrelated third-party marketing purposes.

7. How we share information

We share personal information only as reasonably necessary to operate the service, comply with law, protect rights and safety, or complete a transaction requested by the customer.

  • Infrastructure and hosting providers, database providers, storage providers, monitoring tools, and support vendors.
  • Email delivery, mailbox, and messaging providers used to send campaigns, process replies, or register mailbox activity.
  • Identity, authentication, payment, analytics, customer support, and communication vendors.
  • Professional advisers, auditors, insurers, regulators, courts, law enforcement, or other parties where required by law or reasonably necessary to protect legal rights, enforce our agreements, or investigate misuse.
  • A buyer, investor, successor, or affiliate in connection with a merger, financing, sale of assets, restructuring, or similar corporate transaction, subject to appropriate confidentiality and data-use limits.

If WorkOnward Reach ever engages in selling or sharing personal information in a way that triggers additional opt-out rights under applicable law, we will provide the notices and controls required by that law.

8. OAuth, mailbox access, and restricted data

When a user connects a mailbox, WorkOnward Reach requests only the scopes and permissions needed for supported sending, reply, and mailbox-sync features. OAuth tokens are stored in encrypted form and may be refreshed as needed to maintain the connection until the user disconnects the integration or the provider invalidates it.

WorkOnward Reach may use mailbox and API data to provide sending, reply detection, threading, inbox, security, support, and compliance functions. WorkOnward Reach does not use restricted mailbox data for advertising and does not use Google restricted-scope data to develop, improve, or train generalized artificial intelligence or machine learning models.

  • Users can disconnect mailbox integrations from within the product, subject to provider limitations.
  • Mailbox access may be disabled or reauthorization may be required if tokens expire, scopes are revoked, or provider policies change.

9. Cookies, local storage, and analytics

WorkOnward Reach and its service providers may use cookies, local storage, pixels, and similar technologies to keep users signed in, remember settings, maintain security, measure product usage, and improve performance.

Some tracking technologies are essential to product functionality, while others help us understand service performance and user experience. Depending on location and applicable law, users may have the ability to manage certain non-essential technologies through browser controls or consent mechanisms made available by WorkOnward Reach.

10. Data retention

We retain personal information for as long as reasonably necessary to provide the service, meet contractual commitments, comply with legal obligations, resolve disputes, enforce our agreements, and maintain appropriate business and security records.

  • Campaign send logs, unsubscribe records, complaint records, and related compliance evidence may be retained for multiple years to support legal and operational obligations.
  • OAuth grant and revocation events may be retained for security audit purposes.
  • Account activity, support records, and security logs may be retained for the duration of the account relationship and for a reasonable period afterward.
  • When customers delete contacts, lists, or campaigns, we may retain limited backup or log records for disaster recovery, legal defense, fraud prevention, and system integrity for a limited period.

11. Security and incident response

WorkOnward Reach uses administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Those measures may include encryption in transit, encryption at rest for sensitive credentials and tokens, access controls, logging, environment segregation, and monitoring.

No service can guarantee absolute security. Customers remain responsible for maintaining strong credentials, using available account security controls, limiting workspace access to authorized users, and promptly reporting suspected incidents.

  • We may investigate suspicious behavior, misuse, scraping, phishing, spam activity, and other conduct that threatens users, recipients, or the platform.
  • If WorkOnward Reach experiences a confirmed security incident affecting personal information, we will take steps required by applicable law, contract, and incident response procedures, including notification where required.

12. International data transfers

WorkOnward Reach may process and store personal information in the United States and in other countries where WorkOnward Reach or its service providers operate. Data protection laws in those countries may differ from those in the country where the data originated.

Where required for cross-border transfers, WorkOnward Reach may rely on legally recognized transfer mechanisms such as contractual commitments, standard contractual clauses, or other valid safeguards.

13. Privacy rights and requests

Depending on applicable law, individuals may have rights to request access, correction, deletion, portability, restriction, objection, or information about the processing of their personal information.

Because WorkOnward Reach often processes recipient and campaign data on behalf of customers, we may direct some requests to the relevant customer so that the request can be handled by the party that controls the data.

  • Access to the categories and specific pieces of information we process about you, where required by law.
  • Correction of inaccurate information.
  • Deletion of information, subject to legal and operational exceptions.
  • Portability of information in a usable format, where required.
  • Objection to or restriction of certain processing, where available.
  • Withdrawal of consent where processing depends on consent.

Privacy requests may be submitted through the support or privacy contact channel made available by WorkOnward Reach. We may need to verify identity before completing a request.

14. US state privacy disclosures

Residents of California and other states with comprehensive privacy laws may have specific rights to know, access, correct, delete, or opt out of certain processing or profiling activities, subject to the scope and exceptions in the applicable law.

WorkOnward Reach's public privacy disclosures are intended to support obligations under laws such as the CCPA, CPRA, and other state privacy statutes. We aim to apply a generally high baseline of transparency, data minimization, and user-rights handling across jurisdictions.

  • We do not discriminate against individuals for exercising applicable privacy rights.
  • Where legally required, we will provide notice of the categories of information collected, sources, business purposes, and categories of recipients or service providers.
  • If WorkOnward Reach ever engages in selling or sharing information in a way that triggers a specific opt-out right, we will provide the required notice and method to exercise that right.

15. EEA, UK, and Switzerland disclosures

Individuals in the European Economic Area, United Kingdom, and Switzerland may have additional rights under applicable data protection law, including the right to complain to a supervisory authority in their place of residence, work, or where an alleged violation occurred.

Where WorkOnward Reach acts as a processor for customer data, our customer remains responsible for responding to data subject requests regarding the underlying outreach or contact data unless applicable law requires otherwise. WorkOnward Reach may support those requests through product functionality, exports, deletion workflows, and contract terms.

16. Children's privacy

WorkOnward Reach is intended for business use and is not directed to children. We do not knowingly collect personal information from children in violation of applicable law. If you believe a child has provided personal information through the service without appropriate authorization, please contact us so that we can investigate and take appropriate action.

17. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the service, law, or our data practices. When we make material changes, we may update the posted effective date and provide additional notice where required, such as by email, in-product notice, or other reasonable means.

18. Contact information

Questions, requests, or complaints about this Privacy Policy or WorkOnward Reach's privacy practices may be sent through the support or privacy contact channel identified on the website or in your WorkOnward Reach account.

If a Data Processing Agreement, regional addendum, or other contract applies to your organization, that agreement may include additional notice and contact procedures for privacy and security matters.