
Privacy Policy

Last updated · 2026-06-15

This privacy policy describes how DEFROST LLC (“Defrost,” “we,” “us”) collects, uses, and protects information when you use our cold-outreach automation platform. For questions, email privacy@defrostmail.com.

What we collect

We collect three categories of information:

  • Account data — your work email address, name (if provided), workspace name, and password hash. Used to identify you and route notifications.
  • Workspace data — your ICP definitions, campaign settings, sending mailbox credentials (encrypted at rest), and outbound message templates. Used to run your campaigns.
  • Outbound contact data — the cold-email recipients you target. We collect their work email addresses, employer, role, and publicly-available context to enable personalization and verification. You are responsible for the lawful collection of this data; we process it on your behalf as your data processor.

How we use it

We use your data only to run the platform on your behalf:

  • Researching prospects and drafting personalized emails (via our LLM sub-processor).
  • Verifying email addresses before sending (via our verification sub-processors).
  • Sending outbound mail and processing replies (via our email sub-processor).
  • Aggregate, anonymized analytics for product improvement.

We do not sell, rent, or trade your data. We do not use your contact list for any other customer's campaigns, and we do not train our models on your private campaign copy without explicit consent.

Sub-processors

We use third-party sub-processors to operate the platform — Anthropic for LLM inference, Resend for transactional email, Supabase for database and authentication, Vercel for hosting, and email-verification providers (MillionVerifier, ZeroBounce, NeverBounce). The full list is at Sub-processors. We notify customers 30 days in advance of material changes.

Managed sending domains (done-for-you)

If you use a Defrost managed sending domain, we register a dedicated sending domain on your behalf through our domain registrar (Dynadot) and operate the sending inboxes on that domain through our managed email relay (Mailreef). The registrant details you provide for the domain (name, organization, postal address, email) are submitted to the registrar as required for ICANN domain registration and WHOIS. We use this dedicated domain solely to send your outreach and process replies; it is isolated from your primary brand domain. Both the registrar and the relay are listed as sub-processors above.

Data retention

While your account is active, we retain your data for as long as you keep using Defrost. After cancellation, we retain your data for 30 days in case you reactivate. After 30 days, we permanently delete your workspace data, contact lists, campaign history, and reply data — except where law requires longer retention (e.g. financial records for billing compliance).

Cookies and tracking

We use first-party cookies for session authentication and a long-lived consent cookie (defrost_cookie_consent) that records your response to our cookie banner. We do not use third-party advertising cookies, fingerprinting, or cross-site trackers on our marketing pages or app. To withdraw consent, clear your browser site data for this domain — the banner will reappear on your next visit.

Your rights

Regardless of jurisdiction, you can:

  • Access the data we hold about you — export from your account settings or by emailing us.
  • Correct inaccurate data — edit in-app or by emailing us.
  • Delete your account and all associated data — one click in billing settings.
  • Object to specific processing — contact us with the request.
  • Port your data to another provider — we provide CSV / JSON exports.

EU/UK customers have rights under GDPR. California customers have rights under CCPA/CPRA, including the right to opt out of the sale or sharing of personal information. Defrost does not sell or share personal information with third parties for cross-context behavioral advertising. We honor all such rights regardless of where you live; email privacy@defrostmail.com with the request and we'll respond within 30 days.

Security

We use AES-256-GCM encryption at rest for sensitive secrets (API keys, mailbox credentials), TLS in transit, row-level security in our database, and least-privilege access for our team.

Data residency

Our default infrastructure runs in the United States (US-East). EU/UK data residency is available on the Agency tier and Enterprise plans on request.

International transfers

Where we transfer personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework.

Children

Defrost is a B2B platform and not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, email us and we'll delete it.

Changes

If we change this policy materially, we'll email all account-holders at least 30 days before the change takes effect.

Contact

Questions, requests, or complaints? Email privacy@defrostmail.com. For data subject requests, we respond within 30 days.

© 2026 DEFROST LLC · All rights reserved · Made in the cold