Privacy Policy

Last updated: March 11, 2026

Contactwho (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform and services (the “Service”). By using the Service you agree to the practices described in this policy.

1. Data We Collect

Information you provide:

Account information — name, email address, and password.
Billing information — payment details processed by Stripe; we do not store card numbers.
Support requests — messages, subject, and priority you submit through our support form.
User content — saved contacts, search queries, pipeline data, and AI chat history.

Information collected automatically:

Usage data — pages visited, features used, search and enrichment activity, timestamps.
Device data — browser type, operating system, IP address, and general location.
Cookies and similar technologies — see the Cookies section below.

2. How We Use Your Data

To provide, maintain, and improve the Service.
To process subscriptions, allocate credits, and manage billing.
To personalise your experience, including AI-generated suggestions.
To communicate with you, including support responses, service updates, and (with your consent) marketing.
To detect, prevent, and address fraud, abuse, and security issues.
To comply with legal obligations.

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or UK, we process your data under the following bases:

Contract performance — processing necessary to provide the Service you signed up for.
Legitimate interests — improving the Service, preventing fraud, and understanding usage patterns, balanced against your rights.
Consent — where you have explicitly opted in, such as marketing emails. You may withdraw consent at any time.
Legal obligation — where required by applicable law.

4. Third-Party Services

We share data with the following third-party services to operate the Service:

Google — if you choose “Sign in with Google”, we receive your name, email address, and profile picture from your Google account via OAuth 2.0. We use this information solely for authentication and account creation. We do not access your Google contacts, calendar, or any other Google services. Google's Privacy Policy applies to data Google collects.
Stripe — payment processing for subscriptions and billing. When you subscribe, your payment information (card number, billing address) is sent directly to Stripe and is not stored on our servers. Stripe's Privacy Policy applies.
Supabase — authentication, database, and storage infrastructure. Your account data and user content are stored in Supabase.
Vercel — hosting, edge functions, and analytics. Request metadata (IP, user agent) may be processed by Vercel.
OpenAI — powers the Contactwho AI assistant. Conversation content is sent to OpenAI for processing. OpenAI's data usage policy applies.
Coresignal — provides professional contact and company data for search and enrichment. Search queries are sent to Coresignal to fulfil requests.
Resend — transactional email delivery for support confirmations, notifications, and account emails.

Each third-party service has its own privacy policy. We only share data necessary for the specific purpose and require appropriate safeguards.

5. Third-Party Contact Data

The professional contact and company data available through the Service (such as names, job titles, company details, and contact information) is sourced from Coresignal, a licensed third-party data provider. This data is not collected directly by Contactwho from the individuals or companies described.

Contactwho does not independently verify the accuracy, completeness, or currency of third-party contact data. This data is provided on an “as-is” basis and may contain inaccuracies or outdated information. Contactwho is not affiliated with, endorsed by, or associated with any company or individual whose information appears in the Service.

If you are a data subject whose information appears in the Service and you wish to request correction, deletion, or opt-out, please contact us at support@contactwho.com. We will process your request or direct it to the relevant upstream data provider in accordance with applicable data protection laws.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we remove your personal data within 30 days, except where retention is required by law (e.g. billing records). Anonymised, aggregated data may be retained indefinitely for analytics.

7. Your Rights

Depending on your location, you may have the following rights:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure — request deletion of your data (subject to legal exceptions).
Restriction — request that we limit processing in certain circumstances.
Portability — receive your data in a structured, machine-readable format. You can export your data from Account Settings.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent.

To exercise any of these rights, contact us at support@contactwho.com. We will respond within 30 days (or as required by applicable law). If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

8. Cookies

Contactwho uses essential cookies required for authentication and session management. We do not use third-party advertising or tracking cookies. Essential cookies cannot be disabled as they are necessary for the Service to function. Analytics cookies, if introduced in the future, will require your explicit consent.

9. Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS) and at rest, secure authentication flows, and regular security reviews. However, no system is completely secure and we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to support@contactwho.com.

10. International Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our infrastructure providers operate. Where we transfer data outside the EEA/UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Right to know — what personal information we collect, use, and disclose.
Right to delete — request deletion of your personal information.
Right to opt-out — of the sale of personal information. Contactwho does not sell your personal information.
Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To make a CCPA request, contact us at support@contactwho.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the Service. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Email: support@contactwho.com
Support form: contactwho.com/account/support