Privacy Policy

1. Introduction

Pulley ("we," "our," or "us") is a CRM and engagement platform built for small nonprofits. This Privacy Policy explains how we collect, use, and protect your information when you use our platform at app.getpulley.app (the "Service").

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and organization details. This information is used to provide and personalize the Service.

Organization Data

You may store contact information, donation records, volunteer data, and other nonprofit operational data within the Service. This data belongs to your organization and is used solely to provide the Service to you.

Gmail Integration

If you choose to connect your Gmail account, we request permission to send emails on your behalf using the Gmail API (gmail.send scope). We do not read your inbox, access your email history, or store the content of your emails beyond what is necessary to send messages you explicitly initiate through the Service. OAuth tokens are stored securely and encrypted at rest. You can disconnect your Gmail account at any time from your Settings page, which immediately revokes our access.

Payment Information

Payments are processed by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe's privacy policy governs the handling of payment data.

Usage Data

We collect anonymized usage data and error reports through Sentry to improve the Service. This may include browser type, pages visited, and error logs. This data does not include your organization's contact or donation records.

3. How We Use Your Information

• To provide, maintain, and improve the Service
• To send emails you initiate through the platform (via Gmail API or our email service provider, Resend)
• To process subscription payments through Stripe
• To send you account-related communications (e.g., password resets, billing notices)
• To generate AI-drafted email suggestions using third-party AI providers (Anthropic). Contact names and relevant context are sent to generate drafts; we do not send your full database.
• To monitor and fix errors through Sentry

4. Google API Disclosure

Pulley's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only request the gmail.send scope, which allows sending emails on your behalf. We do not request read access to your inbox.
• We do not use Google user data for advertising purposes.
• We do not transfer Google user data to third parties, except as necessary to send emails you explicitly initiate or as required by law.
• We do not use Google user data to train AI models.
• You can revoke access at any time from your Pulley Settings page or from your Google account security settings.

5. Data Storage and Security

Your data is stored in Supabase (PostgreSQL) with row-level security policies ensuring organizations can only access their own data. OAuth tokens are encrypted at rest. All connections use HTTPS/TLS encryption in transit. The Service is hosted on Vercel.

6. Data Sharing

We do not sell your data. We share data only with:

• Supabase — database hosting and authentication
• Stripe — payment processing
• Resend — transactional email delivery (donation receipts, team invites)
• Google — Gmail API for sending emails you initiate
• Anthropic — AI email draft generation (minimal contact context sent per draft request)
• Sentry — error monitoring (anonymized usage data only)
• Vercel — application hosting

7. Data Retention

Your organization's data is retained for as long as your account is active. If you cancel your subscription, your data is retained for 30 days to allow for reactivation, after which it may be deleted. You may request data export or deletion at any time by contacting us.

8. Your Rights

You have the right to:

• Access your data stored in the Service
• Export your data (contacts, donations, volunteer records) via CSV export
• Request deletion of your account and associated data
• Disconnect third-party integrations (Gmail) at any time
• Opt out of non-essential communications

9. Children's Privacy

The Service is not directed to individuals under 13. We do not knowingly collect personal information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date.

11. Contact Us

If you have questions about this Privacy Policy or your data, contact us at: heath@getpulley.app