This Privacy Policy explains how envokit ("we", "us", or "our") collects, uses, and protects your personal data when you use our platform at envokit.com. We take privacy seriously and will never sell your data.
1. Who we are
envokit is operated by Shahar Matorin, based in Tel Aviv, Israel. For privacy-related matters, contact us at hello@envokit.com.
2. What data we collect
Account data: When you sign up, we collect your name, email address, and password (stored as a secure hash). We never store your password in plain text.
Your workspace data: Contact records, CSV files you upload, email templates, campaign names, send history, and notes. This data belongs to you. We store it solely to provide the service and never use it for any other purpose.
Gmail connection data: When you connect Gmail via OAuth, we store a refresh token that allows the platform to send emails on your behalf. We do not store the body content of emails in your Gmail inbox. We only access subject lines and sender addresses for reply detection, and only when you have explicitly enabled that feature.
Usage data: We collect basic analytics about how you use the platform, including pages visited, features used, and error logs. This helps us improve the product. We do not sell this data or share it with advertising networks.
Billing data: Payment details are collected and stored exclusively by Paddle, our authorised payment processor. We only receive a transaction confirmation and subscription status. We never see or store your card details.
3. How we use your data
- To provide, operate, and improve the platform
- To send emails on your behalf when you use the send features
- To detect replies to your campaigns by scanning your Gmail inbox metadata
- To process payments and manage your subscription
- To send you transactional emails (account confirmation, billing receipts, important product updates)
- To respond to your support requests
We do not use your contact data, email templates, or campaign information for any purpose other than providing the platform to you directly.
4. Your responsibility for contact data
You are solely responsible for the contact data you upload to envokit. By uploading contact data, you confirm that you have the legal right to contact those individuals, that you have obtained any required consents, and that your use of that data complies with all applicable laws in your jurisdiction, including GDPR, CAN-SPAM, CASL, and any other relevant regulations.
envokit is a tool that processes data at your direction. We act as a data processor on your behalf. You are the data controller for any personal data relating to your contacts. You are responsible for your own privacy notices, consent records, and compliance obligations toward your contacts.
5. Google OAuth and Gmail data
Our use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request the Gmail scopes necessary to send emails and detect replies
- We do not read, store, or share the body content of your emails
- We do not use your Gmail data to serve advertisements or train AI models
- We do not allow humans to read your Gmail data except with your explicit permission for support purposes
You can revoke our Gmail access at any time at myaccount.google.com/permissions or from your Settings page in the app.
6. Data sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes. We share data only with the following service providers, strictly to operate the platform:
- Supabase — database and authentication (EU data centres)
- Paddle — payment processing
- Railway / Vercel — infrastructure hosting
- Google — Gmail OAuth integration
All providers operate under data processing agreements and are required to handle your data in accordance with applicable data protection law.
7. Data retention
We retain your account and workspace data for as long as your account is active. If you delete your account, your data is permanently deleted within 30 days. You may request an export of your data at any time by emailing hello@envokit.com.
8. Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Ask us to delete your account and associated data
- Portability: Receive your data in a machine-readable format
- Objection: Object to certain types of processing
To exercise any of these rights, email hello@envokit.com. We will respond within 30 days.
9. Cookies
We use only essential cookies required for authentication and session management. We do not use advertising, analytics, or tracking cookies of any kind.
10. Security
We implement industry-standard security measures including encrypted data transmission (HTTPS), hashed passwords, OAuth tokens stored securely, and strict access controls. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security, but we take all reasonable steps to protect your data.
11. Children's privacy
The platform is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you by email before any material changes take effect. The updated policy will be posted at this URL with a revised effective date. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
13. Contact
For any privacy questions or data requests, contact us at hello@envokit.com.