LEGAL

Privacy Policy

Version 1.0 — Last updated May 2025

1. Who we are

GambitAI (“we”, “us”, “our”) operates the website gambitai.in and provides an AI-powered cold outreach message generator. We act as the data controller for the personal data described in this policy.

Contact us at privacy@gambitai.in with any privacy questions.

2. What data we process (Art. 13 & 14 GDPR)

When you use GambitAI we process the following data transiently — only for the duration of your request. Nothing is stored on our servers after the response is sent.

LinkedIn profile URL

You paste this. We send the URL identifier (e.g. /in/john-smith) to Serper API (operated by Serper.dev) to look up publicly available profile information via Google search. We do not scrape LinkedIn directly.

Prospect's public profile data

Name, job title, and professional summary returned by Serper from public search results. This is sent to Google Gemini API (operated by Google LLC) to generate personalised outreach messages.

Your sales goal

The text you type describing your outreach objective. This is sent to Google Gemini to contextualise the generated messages.

Company website URL (optional)

If you paste a company website URL instead of a LinkedIn URL, we fetch the page content server-side and send the extracted text to Google Gemini. The URL itself is not stored.

We do not collect: names, email addresses, account credentials, payment information, cookies (beyond the browser's own localStorage for theme preference), or any analytics data.

3. Legal basis for processing (Art. 6 GDPR)

We rely on legitimate interests (Art. 6(1)(f)) as our legal basis. Our legitimate interest is to provide the core message-generation service you actively request by submitting a URL. No processing occurs unless you initiate it.

The prospect data we process is limited to what is already publicly available via Google search, and is used only to generate the output you request. It is not retained, profiled, or used for any other purpose.

4. Third-party processors (Art. 28 GDPR)

We use the following sub-processors:

Google Gemini API

Operated by Google LLC (USA). Used to generate outreach messages. Data is processed under Google's API Terms of Service and Data Processing Addendum. International transfer basis: Standard Contractual Clauses.

Google DPA →

Serper API

Operated by Serper.dev. Used to look up publicly available LinkedIn profile information via Google search. Data is processed under Serper's Terms of Service. International transfer basis: Standard Contractual Clauses where applicable.

Serper Terms →

Vercel

Our hosting provider. Vercel may process request metadata (IP address, user agent) for infrastructure purposes. Vercel is GDPR-compliant with SCCs in place.

Vercel Privacy Policy →

5. Data retention

We retain no personal data after your request completes. All prospect data, URLs, and goal text are processed in-memory and discarded when the API response is returned. We do not maintain any user accounts or databases of prospect information.

Server access logs (IP address, request path, timestamp) may be retained by Vercel for up to 30 days for infrastructure security purposes.

6. Your rights (Art. 15–22 GDPR)

Under GDPR, you have the right to:

  • Access (Art. 15): Request a copy of personal data we hold about you.
  • Erasure (Art. 17): Request deletion of your personal data.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Restriction (Art. 18): Ask us to limit how we process your data.
  • Objection (Art. 21): Object to processing based on legitimate interests.
  • Rectification (Art. 16): Correct inaccurate personal data we hold.

Because we do not store personal data beyond the duration of your request, most rights can only be exercised in real time (during an active session). To exercise any right or lodge a complaint, contact us at privacy@gambitai.in.

You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or the relevant EU Data Protection Authority).

7. Cookies & local storage

We do not use cookies. We use the browser's localStorage solely to remember your dark/light theme preference. This does not contain personal data and does not leave your device.

No analytics trackers, advertising pixels, or session recording tools are used.

8. Security (Art. 32 GDPR)

We implement appropriate technical and organisational measures including HTTPS-only access, HTTP security headers (HSTS, CSP, X-Frame-Options), API rate limiting, payload size limits, and SSRF protection on all server-side URL fetching.

9. Changes to this policy

We may update this policy from time to time. The version number and last updated date at the top of this page reflect the current version. Continued use of the service after an update constitutes acceptance of the revised policy.

10. Contact

For any privacy questions, data subject requests, or complaints, email us at privacy@gambitai.in.