Privacy Policy

Last updated: January 19, 2026

1. Introduction

Outermind Inc. ("Outermind," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use Outermind and our related services.

2. Information We Collect

We collect information in the following ways:

  • Account Information: Email address, name, and organization details when you sign up.
  • Microsoft 365 Data: With your permission, we access emails, calendar events, contacts, and organizational directory data through the Microsoft Graph API to provide our services.
  • Usage Data: How you interact with Outermind, including agent configurations, tool usage, and activity logs.
  • Technical Data: Browser type, IP address, and device information for security and analytics.
  • Third-Party Integration Data: When you connect external services (GitHub, LinkedIn, databases, APIs), we process data necessary to execute those integrations.

3. How We Use Your Information

We use your information to:

  • Provide and improve Outermind services
  • Process AI agent requests and generate responses
  • Send important service notifications
  • Ensure security and prevent fraud
  • Comply with legal obligations

Legal Bases for Processing

We process your personal data only where we have a lawful basis to do so:

  • Contract Performance: Processing necessary to provide the Outermind services you have subscribed to, including account management, agent execution, and customer support.
  • Consent: For optional features requiring your explicit permission, such as email indexing of personal mailboxes, and third-party integrations (LinkedIn, GitHub, databases, external APIs).
  • Legitimate Interests: For security monitoring, fraud prevention, service improvement, debugging, and analytics, where our interests do not override your fundamental rights.
  • Legal Obligation: For tax records, regulatory compliance, responding to lawful government requests, and enforcing our terms of service.

We Do Not Sell Your Data

Outermind does not sell, rent, or lease your personal data to third parties. We do not share your data with advertisers, data brokers, or marketing platforms. Your data is used solely to provide and improve our services as described in this policy.

4. BYOK and Your AI Data

Outermind uses a Bring Your Own Key (BYOK) model. When you provide your own LLM API key (OpenAI, Claude, Gemini, etc.), your data is processed directly by your chosen AI provider under their terms. We do not store or have access to the content of AI-generated responses beyond what is necessary to display them to you and log agent activities for audit purposes.

5. Email Indexing and Knowledge Base

Outermind offers optional email indexing to build a searchable knowledge base from your organization's emails. This feature requires consent as follows:

  • Shared Mailboxes: Tenant administrator consent is sufficient to index shared mailbox contents.
  • Personal Mailboxes: Individual mailbox owner consent is required before their emails are indexed.

Indexed emails are stored in Azure AI Search with encryption at rest. We apply AI-powered value assessment to identify emails worth indexing and may redact personally identifiable information (PII) from indexed content. Original emails remain in Microsoft 365 and are not modified.

6. Safety Gateway and PII Scanning

Outermind includes a Safety Gateway feature that scans outbound AI-generated communications before they are sent. This scanning includes:

  • Detection of personally identifiable information (credit cards, social security numbers, bank accounts, etc.)
  • AI-powered content analysis for sensitive business information
  • Classification of recipients as internal or external to your organization

The Safety Gateway logs all scanning decisions for audit purposes. When PII is detected, it may be automatically masked before sending. Suspicious messages may be held for human review before delivery.

7. Third-Party Integrations

When you connect Outermind to third-party services, data is shared as follows:

  • GitHub: Repository data, issues, pull requests, and workflow information as configured.
  • SQL Databases: Query results from databases you connect.
  • HTTP APIs: Data sent to and received from external APIs you configure.

Each third-party service has its own privacy policy. We encourage you to review the privacy policies of any services you connect to Outermind.

LinkedIn Integration

When you connect your LinkedIn account or Company Page to Outermind, we access profile information, posts, comments, reactions, and engagement metrics to enable AI-assisted community management. We are committed to strict compliance with LinkedIn's API Terms of Use, Marketing API Terms, and Community Management API requirements. This section details our comprehensive compliance measures.

Authorized Access Only

LinkedIn connections require explicit authorization from individuals who are authorized to manage the connected account or Company Page. When connecting a LinkedIn Company Page, you must be an authorized administrator of that page. By connecting, you confirm you are authorized to manage the account on behalf of your organization.

Data Display & No Export

  • Display Only: LinkedIn data is displayed only within the Outermind application and is never exported, downloaded, or transferred to third parties.
  • No Social Feeds: We do not display LinkedIn content on external websites, intranets, or any destination outside the Outermind application.
  • Limited Audience Access: LinkedIn Page data is accessible only to administrators associated with that specific Page within your organization.

Data Isolation & No Combination

LinkedIn data is kept strictly isolated from other data sources within our platform:

  • No Data Combination: We do not combine LinkedIn data with data from other integrations (email, GitHub, databases, external APIs), your own data, or third-party data for any purpose including profiling, lead generation, or audience building.
  • AI Agent Isolation: When AI agents process LinkedIn data, that data is not combined with or cross-referenced against information from other connected services within the same execution context.
  • Multi-Tenant Separation: Each organization's LinkedIn data is strictly isolated by tenant. Organizations cannot access LinkedIn data from other unaffiliated organizations, and we do not create databases that aggregate data across multiple unaffiliated accounts.

Prohibited Uses

LinkedIn data obtained through our integration is never used for:

  • Advertising, ad targeting, or audience building
  • Sales prospecting or identifying sales leads
  • Recruiting or identifying prospective talent
  • CRM or marketing automation platform enhancement
  • Account-based marketing (ABM)
  • Mass messaging campaigns
  • Creating, supplementing, or verifying user profiles or reference tables
  • Employment, credit, insurance, or housing eligibility decisions

LinkedIn Data Storage Limits

We enforce LinkedIn's mandatory data storage requirements through automated time-to-live (TTL) policies. These limits supersede our general retention policies and are strictly enforced:

  • Member Social Activity Data (posts, comments, reactions by individuals): Automatically purged after 48 hours
  • Non-Authenticated Member Profile Data (profiles of users who did not authorize the connection): Automatically purged after 24 hours
  • Organization Social Activity Data: Retained for up to 6 weeks, or 6 months if your organization authenticated the connection
  • Organization Admin & Reporting Data (follower counts, engagement summaries): Retained for up to 1 year

LinkedIn Audit Logs

We maintain audit logs for LinkedIn API interactions for compliance and debugging purposes. These logs:

  • Automatically redact member profile data and personally identifiable information
  • Contain only metadata necessary for compliance (timestamps, action types, success/failure status)
  • Do not store raw member social activity data beyond the permitted retention periods
  • Are subject to the same TTL enforcement as cached LinkedIn data

LinkedIn Data Deletion

LinkedIn integration data is subject to accelerated deletion requirements:

  • Disconnection: When you disconnect your LinkedIn integration, all cached LinkedIn data is deleted within 10 days
  • Account Termination: When you terminate your Outermind account, LinkedIn data is deleted within 10 days (faster than our general 30-day policy)
  • Upon Request: You may request immediate deletion of your LinkedIn integration data at any time

LinkedIn Compliance Monitoring

We maintain compliance with LinkedIn's requirements through:

  • Regular audits of our data handling practices
  • Cooperation with LinkedIn's monitoring and compliance review processes
  • Prompt notification to LinkedIn of any material changes to our integration
  • Security incident reporting to LinkedIn within 24 hours per their API terms

8. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods include:

  • Audit Logs: 7 days (Basic), 30 days (Professional), 1 year (Pro Plus)
  • Indexed Knowledge: Configurable per source, default 2 years
  • After Termination: All customer data permanently deleted within 30 days

You may request immediate deletion or export of your data at any time by contacting us.

9. Data Security

We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, and regular security audits. We are currently pursuing SOC 2 Type II certification. We regularly monitor our systems for possible vulnerabilities and attacks.

Security Incident Response

In the event of a security incident or data breach affecting your personal data, we will:

  • Investigate and contain the incident promptly
  • Notify affected users and relevant supervisory authorities within 72 hours as required by GDPR, or sooner where required by applicable law
  • For incidents involving LinkedIn integration data, report to LinkedIn at security@linkedin.com within 24 hours per their API terms
  • Provide details about the nature of the incident, categories of data affected, approximate number of individuals impacted, and remediation steps taken
  • Document the incident and our response for compliance records

To report a security concern, contact us at security@outermind.ai.

10. International Data Transfers

Outermind is hosted on Microsoft Azure infrastructure. Depending on your organization's requirements, we offer data residency options:

  • United States: Primary data center region (default)
  • European Union: Available upon request for EU-based customers

When data is transferred internationally, we use appropriate safeguards including Standard Contractual Clauses approved by the European Commission. Contact us to discuss data residency requirements for your organization.

11. Service Providers

We use the following categories of service providers to deliver Outermind:

  • Cloud Infrastructure: Hosting, storage, and computing services
  • AI/ML Providers: Large language model processing (as configured through BYOK)
  • Search Services: Knowledge base indexing and retrieval
  • Authentication: Identity verification and access management
  • Payment Processing: Subscription billing and payments
  • Analytics: Usage analytics and service improvement

All service providers are bound by data processing agreements that require them to protect your data and use it only as instructed by Outermind Inc.

12. Automated Decision-Making

Outermind uses AI to make certain automated decisions, including:

  • Routing emails to appropriate AI agents
  • Assessing the value of emails for knowledge base indexing
  • Evaluating risk levels of outbound communications

These automated processes are designed with human oversight. You may request human review of significant automated decisions by contacting us. The Safety Gateway and approval queue features provide built-in human review for high-risk automated decisions.

13. Your Rights

Depending on your location, you may have rights to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data
  • Export your data in a portable format
  • Opt out of certain processing, including AI training
  • Object to automated decision-making
  • Withdraw consent for email indexing

14. Legal Demands for Data

If we receive legal demands for your personal data (such as subpoenas, court orders, or government requests), we will:

  • Carefully review each request for legal validity and proper scope
  • Attempt to notify you before disclosing your data, unless prohibited by law or court order, so you may seek protective relief if desired
  • Challenge requests we believe are overbroad, unlawful, or otherwise improper
  • Provide only the minimum data legally required to comply
  • Document all requests and our responses for transparency reporting

We may be prohibited from notifying you in certain circumstances, such as national security letters or court orders that include a non-disclosure requirement.

15. Contact Us

For privacy-related questions, data subject requests, or to exercise your rights, contact our Privacy Team:

Mailing Address:
Outermind Inc.
Attn: Privacy Team
[Address]

For EU/UK residents, if you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority (Data Protection Authority).

16. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through the Outermind dashboard at least 30 days before they take effect.