Privacy Policy

Last updated: March 9, 2026

1. Introduction

B2ARocket ("we," "us," or "our") operates the B2ARocket platform, an AI-powered B2B sales automation service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. By accessing or using B2ARocket, you agree to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign up through a single-sign-on (SSO) provider, we receive profile information from that provider.

2.2 Organization & Team Data

We collect organization names, team member information, roles, and invitation details to provide multi-tenant collaboration features.

2.3 Business Documents

You may upload service documents, pitch decks, case studies, pricing sheets, brand guides, and ideal customer profiles. These documents are processed by our AI agents to extract business context for targeting and outreach.

2.4 Lead & Contact Data

Our platform discovers and stores lead information including business names, contact names, email addresses, phone numbers, company details, social media links, and enrichment data. This data may come from public sources (Google Places, web scraping, directories), CSV imports, or manual entry.

2.5 Email & Campaign Data

We store email drafts, sent messages, delivery statuses, reply content, and campaign performance metrics. This includes email addresses of recipients you engage with through our platform.

2.6 Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or bank account details. Stripe may collect payment information directly under its own privacy policy.

2.7 Usage & Technical Data

We collect usage analytics, request logs, IP addresses, browser type, and device information for service operation, security, and improvement. We use correlation IDs and OpenTelemetry metrics for performance monitoring.

3. How We Use Your Information

  • AI Document Analysis: Uploaded documents are processed by Anthropic's Claude API to extract business context, generate targeting strategies, and personalize outreach.
  • Lead Discovery: We use third-party data sources and AI to find and enrich leads matching your targeting criteria.
  • Email Outreach: We send emails on your behalf via Resend and manage campaign delivery, tracking, and reply handling.
  • Reply Classification: Incoming replies are analyzed by AI to classify intent (e.g., interested, objection, meeting request) and draft appropriate responses.
  • Service Operation: Account management, authentication, billing, customer support, and platform security.
  • Analytics & Improvement: Aggregated metrics to improve platform performance, AI accuracy, and user experience.

4. Third-Party Services

We share data with the following third-party services as necessary to operate the platform:

  • Supabase: Authentication, database hosting, and row-level security.
  • Anthropic (Claude): AI processing of documents, lead scoring, email personalization, and reply classification. Your data is sent to Anthropic's API for processing and is subject to Anthropic's data usage policies.
  • Stripe: Payment processing for subscriptions and billing.
  • Resend: Email delivery for outreach campaigns, transactional emails, and notifications.
  • Apify: Web scraping for lead discovery and enrichment from public sources.
  • Upstash: Redis hosting for job queues, caching, and rate limiting.
  • Google Places API: Business information lookup for lead discovery (when enabled).
  • Cal.com: Meeting scheduling for booked meetings from outreach campaigns.
  • HubSpot: Optional CRM sync for contacts, deals, and engagement data (when connected by the user).

5. Data Security

5.1 Encryption

Personally identifiable information (PII) — including lead email addresses, phone numbers, and contact details — is encrypted at the field level using AES-256-GCM encryption. Data in transit is protected by TLS. HubSpot OAuth tokens are encrypted with AES-256-GCM before storage.

5.2 Access Controls

We enforce multi-tenant isolation through row-level security (RLS) at the database level and org membership verification on every API request. Role-based access control (Owner, Admin, Manager, Viewer) restricts operations within each organization. Multi-factor authentication (TOTP) is available for additional account security.

5.3 Audit Logging

Significant actions are recorded in tamper-evident audit logs secured with HMAC-SHA256 chain signatures, enabling detection of unauthorized modifications.

6. Data Retention & Deletion

We retain your data for as long as your account is active or as needed to provide the service. You may request deletion of your account and associated data at any time by contacting us at hello@b2arocket.com .

Individual lead records can be erased through the platform's GDPR erasure feature (Article 17 — Right to Erasure). Erased records are anonymized: PII fields are redacted, but the record skeleton is preserved for analytics integrity.

7. Cookies & Tracking

B2ARocket uses minimal cookies. We use Supabase authentication cookies to maintain your login session. We do not use third-party advertising cookies or tracking pixels. We do not sell your data to advertisers.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data (Right to be Forgotten).
  • Restriction: Request restriction of processing of your data.
  • Portability: Request transfer of your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.

We process data under the legal bases of contractual necessity (to provide the service you requested), legitimate interest (service improvement and security), and consent (where applicable). To exercise any of these rights, contact us at hello@b2arocket.com .

9. Your Rights Under CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a request, email hello@b2arocket.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days.

10. Data Residency

Our primary infrastructure is hosted in the United States. Data may be transferred to and processed in the US regardless of your location. By using the platform, you consent to this transfer. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

11. Children's Privacy

B2ARocket is a business-to-business service and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of B2ARocket after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

B2ARocket
Email: hello@b2arocket.com

Back to B2ARocket