
Privacy Policy

Version 1.2 · Effective 2026-04-27

This Privacy Policy describes how JournoReach and its related entities, including affiliates, parent companies, subsidiaries, and successors (together “JournoReach,” “we,” “us,” or “our”) collect, use, disclose, store, and protect personal information when you use our website, applications, and services (collectively, the “Service”). It applies to all users of the Service worldwide.

By using the Service you agree to the practices described in this Privacy Policy and our Terms of Service. If you do not agree, do not use the Service.

Plain-language summary: we collect what we need to run automated journalist outreach on your behalf. That includes your account info, the SMTP credentials and biographical content you upload for each Persona, and the pitches our system generates and sends. We share necessary data with hosting, payment, automation, and AI providers. We do not sell your data. We retain pitch history indefinitely for analytics. SMTP passwords are encrypted at rest using AES-256-GCM with a key stored separately from the database — see Section 6 for the full details.

1. Who We Are

JournoReach and its related entities operate under the laws of New Zealand and the jurisdictions of their respective parent and affiliated entities. For the purposes of EU and UK data protection law, we are the data controller of the personal information described in this Privacy Policy unless we explicitly state otherwise.

For privacy-related inquiries, contact us at privacy@journoreach.com.

2. Information We Collect

2.1 Information you provide to us

  • Account information: email address, password (hashed), full name, company name (optional).
  • Persona content: biographical information about each Persona you create, including name, job title, company, professional background, areas of expertise, website and LinkedIn URLs, and any photographs or signatures you upload.
  • SMTP credentials: the host, port, username, and password for the outbound email account associated with each Persona.
  • Communication content: support requests, feedback, and any correspondence you send us.
  • Payment information: when you subscribe, our payment processor (Stripe, Inc.) collects and processes your payment card details directly. We do not store your full card number; we only store a customer identifier, the last four digits, and metadata (subscription status, plan, billing amount) returned by Stripe.

2.2 Information we generate or collect automatically

  • Pitches: the AI-generated pitch content sent from your Personas, the recipient email address, the subject line, the message body, the timestamp, the result status, and any signature attached.
  • Usage data: log files, IP addresses, browser type, device information, referring URL, pages accessed, and timestamps. We use this for security, debugging, and analytics.
  • Cookies and similar technologies: session and authentication cookies required to keep you signed in. We do not currently use third-party advertising or tracking cookies.
  • Audit log: we record administrative actions (account changes, persona changes, bans, trial grants, etc.) in an internal audit log including the actor, the timestamp, the IP address, and a description of the action.

2.3 Information from third parties

  • Stripe: subscription status, payment card metadata (brand, last four digits, fingerprint), customer identifier, and webhook events relating to your subscription.
  • Journalist query feeds: we ingest publicly available journalist query feeds (HARO, Source of Sources, Qwoted, and similar) and store them in our database. These feeds may include the journalist's name, email address, publication, query text, and deadline. If you are a journalist who wishes for your queries to be excluded from our database, contact us at privacy@journoreach.com.

3. How We Use Your Information

We use the information described above to:

  • Provide, operate, and maintain the Service;
  • Authenticate the email account associated with each Persona via SMTP and send pitches from that account on your behalf;
  • Generate AI-written pitch content by sending Persona biographical information and journalist query text to third-party large language model providers;
  • Match Personas against journalist queries and rank candidate matches;
  • Process payments, manage subscriptions, and send billing-related communications;
  • Communicate with you about your account, the Service, and product updates;
  • Respond to support requests and provide customer service;
  • Detect, prevent, and address technical issues, abuse, fraud, security incidents, and violations of our Terms of Service;
  • Comply with legal obligations, respond to lawful requests from public authorities, and enforce our agreements;
  • Generate aggregate, de-identified analytics about Service usage for product improvement and benchmarking.

4. Legal Bases for Processing (EU/UK Users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and UK GDPR to process your personal information:

  • Contract: processing necessary to perform our contract with you (this covers most uses of your account and Persona data).
  • Legitimate interests: processing for our legitimate business interests such as fraud prevention, security, analytics, and product improvement, where those interests are not overridden by your rights and freedoms.
  • Legal obligation: processing necessary to comply with applicable law.
  • Consent: where required, we will ask for your consent (for example, for non-essential cookies or marketing communications).

5. How We Share Your Information

We do not sell your personal information. We share it only as described below:

5.1 Service providers (sub-processors)

We share personal information with third-party vendors who process it on our behalf and under contractual obligations to protect it. These currently include:

  • Supabase, Inc.: database, authentication, and file storage hosting. All account data, Persona data, SMTP credentials, and pitch history are stored on Supabase infrastructure.
  • Vercel Inc.: application hosting, serverless function execution, and edge content delivery.
  • Stripe, Inc.: payment processing, subscription management, and card-fingerprint-based fraud prevention. Stripe's privacy policy applies to the payment data they collect directly from you.
  • n8n GmbH (or our self-hosted n8n instance): automation workflow engine that fetches active Personas, generates pitches, and sends them via SMTP. n8n has read access to Persona data including SMTP credentials and writes pitch results back to our database.
  • Anthropic, PBC and/or OpenAI, OpCo, LLC: large language model providers that generate pitch content. We send Persona biographical information and journalist query text to these providers via their APIs. These providers may temporarily process the request data on their infrastructure but, per their commercial terms, do not use our customer data to train their models.
  • Email service providers: Nodemailer routes outbound email through the SMTP server you specify in the Persona's credentials. We do not relay through any centralized email service of our own.
  • Google reCAPTCHA: we use Google reCAPTCHA on the signup form to prevent automated abuse. Google's use of data collected via reCAPTCHA is governed by the Google Privacy Policy.

5.2 Recipients of pitches

When you create a Persona and the system sends a pitch on your behalf, the contents of that pitch (including the Persona's name, photograph, signature, and biographical information) are transmitted to the journalist or recipient you target. The recipient may store, share, forward, or publish the contents of the pitch, and we have no control over what they do with it.

5.3 Legal requests and protection of rights

We may disclose your information if we believe in good faith that disclosure is necessary to (a) comply with a subpoena, court order, search warrant, or other legal process; (b) protect our rights, property, or safety, or the rights, property, or safety of our users or others; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.

5.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your information may be transferred as part of that transaction. You will be notified by email or via a prominent notice on the Service of any change in ownership.

5.5 Aggregated or de-identified information

We may share aggregated or de-identified information that cannot reasonably be used to identify you with third parties for any purpose, including marketing, research, and analytics.

6. SMTP Credentials — Storage and Access

When you create a Persona, you provide the SMTP host, port, username, and password for the email account that will be used to send pitches on the Persona's behalf. The following describes how those credentials are stored, who can access them, and the inherent limits of what we can protect.

  • Encryption at rest: SMTP passwords are encrypted using AES-256-GCM (a standard authenticated symmetric cipher) before they are written to our database. The encryption key is a 256-bit secret stored only in our application's server environment variables — it is not stored in the database, in our source code repository, or in any database backup. A leaked database backup, by itself, contains only ciphertext that cannot be decrypted without the key.
  • Encryption in transit: all communication with the Service occurs over HTTPS / TLS. Your password is transmitted from your browser to our server in plaintext over this encrypted channel, encrypted server-side, and the resulting ciphertext is what gets persisted.
  • Access controls: credentials are additionally protected by Postgres row-level security (RLS) policies that restrict access to (a) the account that owns the Persona, (b) authorized JournoReach administrative personnel, and (c) the service-role key used by our backend and our automation workflows. The public anon key that ships with our frontend application has no access to the credentials at all.
  • Who can decrypt them in practice: our automated pitch-sending system (which must decrypt the password to authenticate with your SMTP server), our authorized staff for support and debugging purposes, and any legal authority that compels disclosure. Anyone who simultaneously compromises our application's environment variables and our database can decrypt the credentials; anyone with only one of those cannot.
  • You cannot view your own SMTP password after saving it. The application UI lets you set a new password, but never displays the existing one. This is intentional — the plaintext password is never sent back to your browser after the initial save.
  • Recommended practice: we still recommend creating a dedicated email account or app-specific password (such as a Gmail App Password) for use with the Service, rather than using credentials that protect other sensitive systems. This limits the blast radius if anything ever goes wrong.

By providing SMTP credentials to the Service, you acknowledge and accept the storage, encryption, and access conditions described above.

7. International Data Transfers

The Service is operated from New Zealand. Our service providers are located in various countries including the United States, the European Union, and the Asia-Pacific region. By using the Service, you consent to the transfer of your personal information to these countries, which may have data protection laws different from those of your country of residence. Where required by law, we put in place appropriate safeguards (such as the European Commission's Standard Contractual Clauses) to protect personal information transferred internationally.

8. Data Retention

We retain personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account and Persona data: retained for as long as your account is active. Upon account deletion, we delete the row in app_profiles and all associated rows in app_personas, including SMTP credentials.
  • Pitch history: rows in app_completed_answers are linked to a Persona by email address rather than by user ID. As a result, pitch history is retained indefinitely in our database even after the associated user account has been deleted, for analytics, audit, and operational purposes. You may request earlier deletion under Section 9.
  • Audit log: retained indefinitely for security and compliance purposes.
  • Backups: our database backups may retain deleted information for up to 90 days after deletion before being permanently overwritten.

9. Your Rights

Depending on where you live, you may have some or all of the following rights with respect to your personal information:

  • Access: request a copy of the personal information we hold about you;
  • Correction: request that we correct inaccurate or incomplete information;
  • Deletion: request that we delete your personal information, subject to certain exceptions (e.g., we may retain information necessary to comply with legal obligations or to defend legal claims);
  • Portability: request a copy of your personal information in a structured, commonly used, machine-readable format;
  • Restriction: request that we restrict the processing of your personal information in certain circumstances;
  • Objection: object to our processing of your personal information based on legitimate interests;
  • Withdrawal of consent: withdraw any consent you have previously given.

To exercise any of these rights, contact us at privacy@journoreach.com. We will respond within 30 days. We may need to verify your identity before processing your request. If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

10. Security

We implement reasonable technical and organizational measures designed to protect your personal information against unauthorized access, accidental loss, alteration, and disclosure. These measures include:

  • HTTPS encryption in transit;
  • Database-level access controls and Row-Level Security policies enforced by Postgres;
  • Restricted administrative access on a need-to-know basis;
  • Secret rotation and credential management practices for our service providers;
  • Audit logging of administrative actions;
  • Disposable email blocking and reCAPTCHA at signup to limit automated abuse.

However, no method of transmission over the internet, and no storage system, is 100% secure. We cannot guarantee absolute security. As described in Section 6, SMTP passwords are encrypted at rest with AES-256-GCM, but our automated systems and authorized staff can still decrypt them when necessary to operate the Service. You provide your information to us at your own risk and should consider the sensitivity of the credentials you provide.

If we become aware of a personal data breach affecting your information, we will notify you and any applicable regulator as required by law.

11. Children's Privacy

The Service is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18. If you are aware that a child has provided us with personal information, please contact us and we will take steps to delete it.

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policy of every website you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service before the changes take effect. The revised Privacy Policy will be effective on the date posted (or such later date as specified). Your continued use of the Service after the effective date constitutes your acceptance of the revised Privacy Policy.

14. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact us at privacy@journoreach.com.
