LEGAL
Privacy Policy
Version 1.2 · Last updated May 2026
1. Who we are
GambitAI (“we”, “us”, “our”) operates the website gambitai.in and provides an AI-powered cold outreach message generator. We act as the data controller for the personal data described in this policy.
Contact us at privacy@gambitai.in with any privacy questions.
2. What data we process (Art. 13 & 14 GDPR)
With the exception of the account data described first below, which is stored by our authentication provider for as long as your account exists, we process the following data transiently, only for the duration of your request. Nothing else is stored on our servers after the response is sent.
Account data (Clerk)
When you sign up or sign in, we collect your email address and, where you use OAuth (Google, GitHub, or Apple), your name and profile picture as provided by that provider. This data is stored by Clerk (see Section 4) and is retained for as long as your account exists. We use it solely to authenticate you and associate your sessions with your account.
LinkedIn profile URL
You paste this. We send the URL identifier (e.g. /in/john-smith) to Serper API (operated by Serper.dev) to look up publicly available profile information via Google search. We do not scrape LinkedIn directly.
Prospect's public profile data
Name, job title, and professional summary returned by Serper from public search results. This is sent to Google Gemini API (operated by Google LLC) to generate personalised outreach messages.
Your sales goal
The text you type describing your outreach objective. This is sent to Google Gemini to contextualise the generated messages.
Company website URL (optional)
If you paste a company website URL instead of a LinkedIn URL, we fetch the page content server-side and send the extracted text to Google Gemini. The URL itself is not stored.
We do not collect payment information or any data beyond what is described above. Outreach generation data (URLs, prospect profiles, goal text) is processed transiently and never stored on our servers after the response is returned.
3. Legal basis for processing (Art. 6 GDPR)
We rely on legitimate interests (Art. 6(1)(f)) as our legal basis. Our legitimate interest is to provide the core message-generation service you actively request by submitting a URL. No processing occurs unless you initiate it.
The prospect's data processed is limited to what is already publicly available via Google search, and is used only to generate the output you request. It is not retained, profiled, or used for any other purpose.
4. Third-party processors (Art. 28 GDPR)
We use the following sub-processors:
Google Gemini API
Operated by Google LLC (USA). Used to generate outreach messages. Data is processed under Google's API Terms of Service and Data Processing Addendum. International transfer basis: Standard Contractual Clauses.
Serper API
Operated by Serper.dev. Used to look up publicly available LinkedIn profile information via Google search. Data is processed under Serper's Terms of Service. International transfer basis: Standard Contractual Clauses where applicable.
Clerk
Operated by Clerk, Inc. (USA). Used to manage user authentication, account storage, and session management. Clerk stores your email address, name (if provided via OAuth), session tokens, and device/browser metadata for security purposes. Clerk is SOC 2 Type II certified and GDPR-compliant. International transfer basis: Standard Contractual Clauses.
Vercel
Our hosting provider. Vercel may process request metadata (IP address, user agent) for infrastructure purposes. Vercel is GDPR-compliant with SCCs in place.
5. Data retention
Account data (email, name, sessions) is stored by Clerk for as long as your account exists. You can delete your account at any time from your profile settings, which permanently removes your data from Clerk's systems.
Generation data (LinkedIn URLs, prospect profiles, goal text) is processed in-memory only and discarded immediately after the API response is returned. It is never written to any database.
Server access logs (IP address, request path, timestamp) may be retained by Vercel for up to 30 days for infrastructure security purposes.
6. Your rights (Art. 15–22 GDPR)
Under GDPR, you have the right to:
- Access (Art. 15): request a copy of personal data we hold about you.
- Rectification (Art. 16): correct inaccurate personal data we hold.
- Erasure (Art. 17): request deletion of your personal data.
- Restriction (Art. 18): ask us to limit how we process your data.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interests.
For account data stored by Clerk, you can exercise most rights directly: delete your account in profile settings (erasure), or contact us to request a data export or correction. For generation data, no stored data exists to act upon. It is discarded after each request. To exercise any right or lodge a complaint, contact us at privacy@gambitai.in.
You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or the relevant EU Data Protection Authority).
7. Analytics & session recording
We use Microsoft Clarity to understand how visitors use GambitAI. Clarity records anonymised session replays, heatmaps, and interaction events (clicks, scrolls, rage clicks). This helps us identify usability issues and improve the product.
Clarity does not collect personally identifiable information by default. It automatically masks text inputs so your typed content (LinkedIn URLs, sales goals) is never recorded. Data is processed by Microsoft Corporation under their Privacy Statement.
Legal basis: legitimate interests (Art. 6(1)(f)) to improve our service. You can opt out of Clarity tracking by enabling the Do Not Track signal in your browser, which Clarity respects.
8. Cookies & local storage
Clerk session cookies: when you sign in, Clerk sets encrypted, HttpOnly cookies to maintain your authenticated session. These are strictly necessary for authentication and cannot be opted out of while using the service.
localStorage: we use the browser's localStorage to remember your dark/light theme preference. This contains no personal data and never leaves your device.
Microsoft Clarity sets its own cookies for session identification. These are third-party cookies governed by Microsoft's privacy policy. No advertising pixels or cross-site tracking are used.
9. Security (Art. 32 GDPR)
We implement appropriate technical and organisational measures including HTTPS-only access, HTTP security headers (HSTS, CSP, X-Frame-Options), API rate limiting, payload size limits, and SSRF protection on all server-side URL fetching.
10. Changes to this policy
We may update this policy from time to time. The version number and last updated date at the top of this page reflect the current version. Continued use of the service after an update constitutes acceptance of the revised policy.
11. Contact
For any privacy questions, data subject requests, or complaints, email us at privacy@gambitai.in.