Your data, handled like an operator’s would want it.

What we collect, and what we don’t.

Account info, the data you feed our agents, and the events your team generates while using Berry. We don’t buy contact lists, scrape personal social profiles, or harvest anything you didn’t ask us to.

When you sign up, we collect account data — name, email, company, role — and the workspace data you input: target accounts, ICPs, playbooks, integrations, and the prompts you submit to our agents.

While you use the platform we record product events against your workspace ID: which agents you ran, which leads you accepted, which sequences you launched. These are tied to your team, never sold, and used to keep Berry working for you.

Information we don’t collect

• We don’t buy or rent personal-data lists from data brokers.
• We don’t scrape consumer social profiles (Instagram, TikTok, personal Facebook).
• We don’t fingerprint visitors on your behalf or build cross-site advertising profiles.
• We don’t require analytics cookies — the banner is real, not a dark pattern.

We use it to do the work — nothing else.

Run your agents, deliver outreach you authorized, support your team, and improve the product for your team. Period.

We use your information to provide and improve the Service: train your private agents on your specific use cases, deliver outreach on your behalf to the contacts you targeted, and communicate with you about Berry.

We do not sell your personal information to advertisers, and we do not use your customer data to train foundation models we don’t control. Any model fine-tuning happens inside your workspace boundary.

The short list of who else sees it.

Subprocessors that make Berry work — email infrastructure, CRMs you connected, our hosting providers. Nobody else.

We integrate with services to provide our functionality. We share only what each service needs to do its job:

• Email delivery — SendGrid & Postmark (the contents of outreach you authorized us to send).
• CRMs — Salesforce, HubSpot, Pipedrive (only the workspaces you OAuth’d, and only the scopes you granted).
• Enrichment — Apollo & Clay (the company domains you asked us to research; we never send personal email addresses to enrichment vendors).
• Infrastructure — AWS & GCP (encrypted at-rest hosting in eu-central-1 and me-south-1).

The full, current list of subprocessors lives at /en/security#subprocessors and is versioned. We notify customers 30 days before adding a new one.

Encrypted, regional, audit-logged.

Your data is encrypted in transit (TLS 1.3) and at rest (AES-256). We host on AWS and GCP infrastructure in eu-central-1 (Frankfurt) and me-south-1 (Bahrain). Workspace data does not leave the region you signed up in.

Access is role-scoped and audit-logged. No engineer can read your raw outreach without a break-glass approval recorded in our SOC log — and break-glass events are surfaced in your workspace within 24 hours.

Google API Services User Data Policy.

Berry’s use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use Disclosure

1. Berry uses Google APIs and Google API Services Data only to provide a sending and reading interface for your team’s outbound and inbound email — the work you came to Berry to do.
2. Berry only reads Gmail message bodies, attachments, metadata, headers, and settings to allow agents to compose, send, and process messages on your behalf.
3. Berry will not transfer this Gmail data to others except to provide the features above, comply with applicable law, or as part of a merger, acquisition, or sale of assets — with proper notice in each case.
4. Berry does not use Gmail data for serving advertisements. We do not allow humans to read this data unless you give specific affirmative consent for specific messages, doing so is necessary for security purposes (such as investigating abuse) or for compliance with applicable law, or the data has been aggregated and anonymized.
5. Berry does not use Gmail data to develop, improve, or train generalized AI and machine-learning models.

One banner. Real choices.

We use essential cookies to keep you signed in and the app working, and — with your consent — analytics cookies to understand how the platform is used. The choice is real: the analytics bucket is off by default until you accept it, and you can revoke at any time from your account settings.

The full cookie inventory, including third-party cookies set by integrations, lives at /en/cookies.

We keep it only as long as it’s useful.

• Active workspace data — for the life of your account.
• Backups — 30 days rolling, then destroyed.
• Audit logs — 12 months (compliance requirement).
• After deletion — all production data is purged within 30 days; backups age out within 60.

Access, correct, delete, or just leave.

You can access, correct, or delete your personal data at any time. EU and UK residents have additional rights under GDPR and UK GDPR; KSA residents have rights under the Personal Data Protection Law (PDPL).

You can also object to specific kinds of automated decision-making by our agents and request a human review — for example, if Berry’s ICP qualifier excluded a lead you wanted included.

How to exercise these rights

• From the app — Settings → Privacy → Export / Delete my data (no support ticket needed).
• By email — privacy@getberry.ai. We respond within 5 business days.
• By form — the data-subject request form in our help center.

We tell you before we change it.

Material changes are announced in-product and by email at least 30 days before they take effect. The version number at the top of this page increments on every material change, and the previous version is archived at /legal/archive.

Questions? Ask a human.

Privacy questions go to privacy@getberry.ai. For security disclosures, see our coordinated disclosure policy. For everything else, get in touch.

Our Data Protection Officer is reachable at dpo@getberry.ai. Postal address: Berry AI FZ-LLC, Dubai Internet City, Dubai, UAE.