Privacy Policy
Last updated: April 6, 2026
This Privacy Policy describes how SingleSend, Inc. ("SingleSend," "we," "us," or "our") collects, uses, stores, shares, and protects your information when you use our multi-channel messaging platform ("the Service"). By using the Service, you agree to the practices described in this policy.
1. Information We Collect
We collect information in the following categories:
- Account information: Name, email address, password (hashed and salted — we never store plaintext passwords), and timezone preference.
- Payment information: Payment details are collected and processed exclusively by Stripe. SingleSend never receives, stores, or has access to your full credit card number, CVV, or other payment card data. Stripe is PCI-DSS Level 1 certified. We store only the Stripe customer ID and subscription ID needed to manage your account.
- Contact data: Names, phone numbers, email addresses, tags, groups, notes, and other information you store about your contacts. You are the data controller for this data.
- Message content: The content of SMS, email, and voice messages you compose and send through the Service.
- Voice data: Voice recordings provided for voice cloning, classified as biometric data under BIPA (Illinois), CCPA (California), and similar regulations. Collected only with your explicit consent.
- Usage data: Feature usage, login timestamps, IP addresses, browser type, device information, and performance metrics collected automatically to operate and improve the Service.
2. How We Use Your Information
- To provide, operate, and maintain the messaging platform
- To send messages on your behalf via our channel providers (Twilio for SMS/voice, Resend for email)
- To power AI features (message drafts, reply suggestions, sequence building, contact enrichment) via Anthropic's Claude API — see Section 6 for details on what data is shared
- To create and manage voice profiles via ElevenLabs for the voice cloning feature
- To process payments, manage subscriptions, and prevent fraud via Stripe
- To send you account-related transactional communications (email verification, password reset, billing alerts, security notifications)
- To monitor and enforce compliance with our Terms of Service and Acceptable Use Policy
- To generate aggregate, de-identified analytics to improve the Service (no individual data is used for this purpose)
We process your information on the legal bases of: contractual necessity (providing the Service you signed up for), legitimate interest (security, fraud prevention, service improvement), consent (voice cloning, marketing communications), and legal obligation (tax records, law enforcement requests).
3. Data Encryption & Security
All PII fields (contact names, phone numbers, email addresses, message content, notes) are encrypted at rest using AES-256-GCM encryption before storage in our database. Decryption occurs only server-side in our secure backend when you request your data. Non-sensitive metadata (IDs, timestamps, counts, statuses) is stored unencrypted for performance and querying.
All data in transit is encrypted via TLS 1.2 or higher. Our infrastructure is hosted on Google Cloud Platform (Firebase) which maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications. Access to production systems is restricted to authorized personnel and logged in our audit system.
4. Biometric Data (Voice Cloning)
Voice recordings are classified as biometric data under BIPA (Illinois), CCPA (California), and similar regulations. We collect voice data only with your explicit, informed consent, which you provide when you initiate the voice cloning process. Voice data is:
- Transmitted securely to ElevenLabs solely to generate your voice profile
- Never used for model training without your separate, explicit opt-in
- Never shared with any other third party
- Deletable at any time from Settings (purged from all systems within 24 hours)
- Automatically deleted upon account deletion
You may withdraw your consent for voice data processing at any time by deleting your voice profile from Settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
5. Data Processor & Controller Relationship
For the purposes of GDPR and similar data protection regulations:
- You (the User) are the Data Controller for your contacts' personal data. You determine the purposes and means of processing your contacts' data.
- SingleSend is the Data Processor acting on your instructions to store, encrypt, transmit, and manage your contacts' data through the Service.
- SingleSend is the Data Controller for your account information, usage data, and billing data, which we collect and process for our own purposes.
As a Data Processor, SingleSend processes contact data only on your documented instructions (i.e., sending messages, storing contacts, running sequences you configure). We do not independently determine how your contacts' data is used.
Enterprise customers requiring a formal Data Processing Agreement (DPA) may request one by contacting privacy@singlesend.com.
6. Sub-Processors & Data Sharing
We share your data with the following sub-processors, solely to provide the Service. Each sub-processor has been evaluated for adequate data protection practices. We maintain Data Processing Agreements with each sub-processor as required.
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Twilio | SMS and voice delivery | Phone numbers, message content (decrypted at send time) | United States |
| Resend | Email delivery and tracking | Email addresses, message content, delivery/open/click events | United States |
| Anthropic (Claude) | AI features (compose, suggestions, enrichment) | Message content or contact context provided in your prompt. Data is sent via API and is not used to train Anthropic's models per their API terms. No contact PII is sent unless you include it in your prompt. | United States |
| ElevenLabs | Voice cloning | Voice recordings (biometric data), with your explicit consent | United States / EU |
| Stripe | Payment processing | Payment method details, billing address. SingleSend never accesses or stores full card numbers. | United States |
| Google (Firebase) | Infrastructure, authentication, database, hosting, push notifications | All application data (encrypted at rest), authentication tokens, FCM device tokens | United States (us-central1) |
We will notify you before adding or changing sub-processors that handle personal data. If you object to a new sub-processor, you may terminate your account. We do not sell, rent, or trade your personal information or your contacts' personal information to any third party for marketing or advertising purposes.
7. Cookies & Tracking
Marketing website (singlesend.com): We may use essential cookies for site functionality. We do not currently use third-party analytics, advertising cookies, or tracking pixels on our marketing site. If this changes, we will update this policy and implement a cookie consent banner.
Application (app.singlesend.com): The application uses authentication tokens stored in browser storage to keep you logged in. These are essential for the Service to function and are not tracking cookies.
Email tracking: Emails sent through the Service may include open tracking (via a transparent pixel) and click tracking (via link rewriting), provided by Resend. These features can be monitored by the sender (you) to measure engagement. Recipients can disable tracking by blocking remote images in their email client.
8. Your Rights
GDPR (EU/UK Residents)
Under the General Data Protection Regulation, you have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request that we limit processing of your data
- Portability: Receive your data in a structured, machine-readable format (JSON export available in Settings)
- Objection: Object to processing based on legitimate interest
- Automated decision-making: Request human review of any decisions made solely by automated means
To exercise these rights, use the self-service tools in Settings (data export, account deletion) or contact privacy@singlesend.com. We will respond to all data subject requests within 30 days. If we need additional time, we will notify you and explain the reason for the delay.
You have the right to lodge a complaint with your local data protection authority if you believe your rights have not been respected.
International data transfers: Your data is processed in the United States. For transfers from the EU/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by our technical security measures (AES-256-GCM encryption at rest, TLS in transit).
CCPA / CPRA (California Residents)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:
- Know: Request disclosure of what personal information we collect, use, share, and sell
- Delete: Request deletion of your personal information
- Correct: Request correction of inaccurate personal information
- Opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising
- Non-discrimination: We will not discriminate against you for exercising your rights
Data shared with our sub-processors (Twilio, Resend, etc.) is shared solely to provide the Service and constitutes a "service provider" relationship under CCPA, not a "sale" of personal information.
CASL (Canadian Residents)
We obtain consent before sending commercial electronic messages. We honor unsubscribe requests within 10 business days. All messages sent through the Service include sender identification information as required by CASL. Users sending messages to Canadian contacts are responsible for ensuring their messages comply with CASL requirements, including providing a valid physical mailing address and functional unsubscribe mechanism.
9. Do-Not-Call Compliance
SingleSend does not automatically check contacts against the National Do-Not-Call (DNC) Registry or other do-not-call lists. You are responsible for ensuring that your contacts have provided consent to receive SMS and voice messages from you and that you are not contacting individuals on applicable do-not-call lists without a valid exemption (such as an existing business relationship). SingleSend provides opt-out tools that allow your contacts to unsubscribe from your messages.
10. Data Retention
- Active accounts: Data is retained while your account is active and for 90 days after account suspension
- Deleted accounts: All data (contacts, messages, sequences, voice clones, inbox threads) is purged within 30 days of a deletion request
- Billing records: Retained for 7 years as required by tax and financial regulations
- Audit logs: Retained for the lifetime of the workspace (purged on account deletion). Audit logs include event type, actor, timestamp, and resource ID — no PII is stored in audit log entries
- Anonymized analytics: Aggregate usage statistics (not linked to individual users) may be retained indefinitely to improve the Service
11. Data Export
You may export all your data (contacts, messages, sequences, analytics) as JSON from Settings at any time. This data export includes all fields in decrypted form to support your data portability rights under GDPR and CCPA.
12. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, contact us at privacy@singlesend.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree, you must stop using the Service and may request account deletion.
14. Contact & Data Protection Officer
For privacy inquiries, data subject requests, or to request a Data Processing Agreement:
- Email: privacy@singlesend.com
- Data Protection Officer: dpo@singlesend.com
We aim to respond to all inquiries within 5 business days and to data subject requests within 30 days.