1. Who we are
SEMAOS is a product of DevilDog Lab LLC, a US-registered limited liability company. We're the data controller for account-holder data, and a data processor for the contact records our customers upload or sync through their CRMs.
2. Data we collect
From you (the account holder)
- Name, email address, and password hash (used for login).
- Business name + physical mailing address (required by CAN-SPAM for outgoing email footers — see our Terms of Service).
- Billing information processed by Stripe — we never see or store your card number directly.
- Optional: WebAuthn passkeys, custom sending domain, time zone.
About your contacts (the recipients of your campaigns)
- Email addresses, names, and company affiliations you upload or sync.
- Engagement events — opens, clicks, bounces, unsubscribes.
- Suppression status — unsubscribes and hard bounces are retained indefinitely to prevent accidental re-sending.
3. How we use the data
- To send the emails you ask us to send, and to give you the metrics about those sends.
- To enforce plan limits (send caps, contact caps) and CAN-SPAM compliance.
- To improve the product — aggregated, non-identifying patterns only. We do not train models on your contact data.
- To meet legal requirements (subpoenas, retention orders, etc.) — only when required by law.
4. Sharing & subprocessors
We share data only with the subprocessors required to operate the product:
- AWS — hosts our Lambda functions, Postgres database, SES email infrastructure, and S3 file storage.
- Stripe — payment processing.
- Vercel — hosts the marketing and application web layer.
We do not sell personal data, and we do not share it with third parties for their own marketing.
5. OAuth and connected accounts
SEMAOS can connect to your Gmail or Outlook account (via Google and Microsoft OAuth) so that sales emails send from your own address and replies reach your own inbox. Connecting is optional and per-user — you choose to connect on your settings page, and you can disconnect at any time.
If you connect an account, we request only these permissions:
- Send email (Google
gmail.send/ MicrosoftMail.Send) — used solely to send the sequence and one-off emails you compose in SEMAOS, on your behalf, from your connected address. - Read message headers (Google
gmail.metadata/ MicrosoftMail.Read) — used solely to detect when a prospect replies to an email SEMAOS sent (via theIn-Reply-Toheader) so your sequence can pause automatically. We do not read, store, or analyze the content of your inbox. - Calendar availability and events (Google
calendar.readonly+calendar.events/ MicrosoftCalendars.ReadWrite) — used solely to show your open time slots on booking pages and create the event when a prospect books a meeting.
OAuth tokens are stored encrypted at rest, scoped to your individual user within your tenant, and never shared with any third party. Disconnecting your account in SEMAOS deletes the stored tokens immediately; you can also revoke SEMAOS's access from your Google or Microsoft account security settings, which invalidates the tokens on the provider side. Data obtained through these permissions is retained only as long as needed to provide the features above and is deleted with your account.
SEMAOS's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. Cookies
Our marketing site uses a small number of first-party cookies for session continuity and theme preference. We do not use third-party advertising or behavioural-tracking cookies. The cookie notice you see on first visit reflects this; click Got it to dismiss.
7. Your rights
Depending on where you live, you may have rights to access, correct, delete, or export the personal data we hold about you. To exercise any of these, write to privacy@semaos.io. We respond within 30 days and never charge a fee for routine requests.
8. Data retention
Account data: kept while your account is active and for 30 days after deletion, then purged. Suppression records (bounces + unsubscribes): retained indefinitely as required for anti-spam compliance.
9. Security
Data in transit is encrypted with TLS 1.2+; data at rest is encrypted via AWS-managed keys. Tenant data is isolated via row-level security at the database layer — see our public architecture docs for the technical detail.
10. Changes to this policy
Material changes are announced via in-product banner + email to account holders at least 14 days before they take effect. Non-material updates (typos, clarifications) are dated at the top of this page.
11. Contact
Questions, requests, or disputes about how we handle data: privacy@semaos.io. Postal mail to the DevilDog Lab LLC mailing address listed on our About page.
