Privacy Policy

Last updated July 01, 2025

Kampso ("Kampso," "we," "us," or "our") operates the Kampso platform and website at kampso.com (the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Services, visit our Website, or interact with us.

We are committed to protecting your privacy and handling your data transparently. Please read this Privacy Policy carefully. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy.

If you have questions about this Privacy Policy or your data, contact us at [EMAIL].

Table of Contents

  1. Scope and Applicability
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Bases for Processing
  5. How We Share Your Information
  6. Email Tracking and Analytics
  7. AI and Machine Learning
  8. Cookies and Tracking Technologies
  9. Data Retention
  10. Data Security
  11. International Data Transfers
  12. Your Privacy Rights
  13. Do Not Sell or Share My Personal Information
  14. Children's Privacy
  15. Third-Party Links and Services
  16. Changes to This Privacy Policy
  17. Contact Us
  18. State-Specific Privacy Addenda
  19. EEA/UK/Swiss Addendum (GDPR)

1. Scope and Applicability

This Privacy Policy applies to:

  • Account holders and users who register for and use the Kampso platform;
  • Website visitors who browse kampso.com;
  • Contacts whose information is uploaded to or managed within the Services by our customers;
  • End Users who access the Services through a customer's white-label implementation.

Kampso acts in two capacities:

  • Data Controller: For information we collect directly from users and website visitors (e.g., account registration, website analytics, billing).
  • Data Processor: For Contact Data that our customers upload to and manage through the Services. Our customers are the data controllers for this information and are responsible for ensuring their collection and use of Contact Data complies with applicable law. Our processing of such data is governed by our Terms of Service and, where applicable, a Data Processing Agreement.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, password, company name, job title, phone number, and billing address.
  • Billing Information: Payment card details, billing address, and transaction history. Payment processing is handled by our third-party payment processor (Stripe). We do not store full credit card numbers on our servers.
  • Contact Data: Names, email addresses, phone numbers, company names, job titles, and other business contact information that you upload or input into the Services.
  • Campaign Content: Email templates, sequences, subject lines, and other content you create using the Services.
  • Communications: Information you provide when you contact our support team, submit feedback, or participate in surveys.
  • White-Label Configuration: Branding assets (logos, colors, domain information) that you provide for white-label customization.

2.2 Information Collected Automatically

  • Usage Data: Features used, pages viewed, actions taken, time spent, click paths, and session information within the Services.
  • Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language settings.
  • Log Data: Server logs recording access times, referring URLs, error logs, and system activity.
  • Campaign Analytics: Email delivery rates, open rates, click-through rates, bounce rates, reply rates, and unsubscribe rates.

2.3 Information from Third Parties

  • Single Sign-On Providers: If you authenticate via Google, Microsoft, or another SSO provider, we receive your name, email address, and profile information as authorized by your SSO provider settings.
  • Integration Data: If you connect Third-Party Services (CRMs, email providers, enrichment tools), we may receive data from those services as necessary to provide the integration.
  • Analytics Providers: We use third-party analytics services (such as Google Analytics) that collect information about your use of our Website.

3. How We Use Your Information

We use the information we collect for the following purposes:

Purpose Types of Data Used
Provide and operate the Services Account, Contact Data, Campaign Content, Usage Data
Process payments and manage billing Billing Information, Account Information
Send transactional communications (receipts, alerts, updates) Account Information
Provide customer support Account Information, Communications, Usage Data
Deliver email campaigns and sequences on your behalf Contact Data, Campaign Content
Generate campaign analytics and reporting Campaign Analytics, Usage Data
Power AI features (email generation, lead scoring, analytics) Usage Data, Campaign Analytics, de-identified aggregate data
Improve and develop the Services Usage Data, Device/Browser Information, aggregate analytics
Ensure platform security and prevent fraud Log Data, Device/Browser Information, Account Information
Comply with legal obligations All categories as required
Enforce our Terms of Service All categories as relevant
Send marketing communications (with your consent or as permitted by law) Account Information
Enable white-label functionality White-Label Configuration, Account Information

4. Legal Bases for Processing

Where applicable (including under GDPR), we rely on the following legal bases:

  • Performance of Contract: Processing necessary to provide the Services you have subscribed to, manage your account, and fulfill our contractual obligations.
  • Legitimate Interests: Processing necessary for our legitimate business interests, including improving our Services, ensuring security, preventing fraud, and conducting analytics — provided these interests are not overridden by your rights and freedoms.
  • Consent: Where you have given explicit consent for specific processing, such as receiving marketing emails or opting into certain AI features. You may withdraw consent at any time.
  • Legal Obligation: Processing necessary to comply with applicable legal, regulatory, or tax obligations.

5. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers who process data on our behalf to help us operate and improve the Services, including:

  • Cloud Hosting: Render (application hosting and infrastructure)
  • Payment Processing: Stripe
  • Email Delivery Infrastructure: Third-party email sending services
  • Analytics: Google Analytics and similar tools
  • Customer Support: Helpdesk and ticketing providers
  • AI/ML Services: Third-party AI model providers (for AI-powered features)

These providers are contractually obligated to use your information only as necessary to perform services for us and in accordance with this Privacy Policy.

5.2 At Your Direction

When you use integrations or connect Third-Party Services (e.g., CRMs, enrichment tools), data may be shared with those services as necessary to enable the integration. Such sharing is initiated and controlled by you.

5.3 Business Transfers

If Kampso is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.

5.4 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation;
  • Protect and defend our rights or property;
  • Prevent fraud or address security issues;
  • Protect the personal safety of users or the public.

5.5 Aggregated and De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you for any purpose, including research, analytics, benchmarking, and marketing.

6. Email Tracking and Analytics

6.1 Tracking Technologies in Emails

When you use the Services to send email campaigns, the Services may embed tracking technologies in outgoing emails, including:

  • Tracking Pixels (Web Beacons): A small, transparent image embedded in emails that records when and whether an email is opened, the recipient's IP address, and the device and email client used.
  • Click Tracking Links: Redirect links that track when a recipient clicks a link in an email and which link was clicked.

6.2 Purpose

These technologies enable campaign analytics, including open rates, click-through rates, and engagement metrics, which are displayed in your campaign dashboards.

6.3 Your Responsibility

You are responsible for disclosing the use of email tracking technologies to your email recipients in accordance with applicable law. We recommend including a reference to tracking in your own privacy policy.

6.4 Opt-Out

You may disable open tracking and/or click tracking for individual campaigns or at the account level through your account settings, where available.

7. AI and Machine Learning

7.1 How We Use AI

The Services include AI-powered features that may:

  • Generate suggested email copy, subject lines, and personalization elements;
  • Score and prioritize leads based on engagement signals and data patterns;
  • Provide campaign performance insights and recommendations;
  • Detect and flag deliverability issues.

7.2 Data Used for AI

Our AI features use:

  • Your Campaign Data: To generate personalized outputs for you (processed during your session; not used to train models for other customers without consent);
  • Aggregated, De-identified Data: Usage patterns, campaign performance metrics, and other anonymized data may be used to train and improve our general AI models;
  • Third-Party AI Services: Some AI features may be powered by third-party providers (e.g., large language model APIs). When we send data to these providers, we use contractual and technical safeguards to protect your information.

7.3 No Automated Decision-Making with Legal Effects

We do not use AI to make decisions that produce legal or similarly significant effects on individuals without human oversight. Lead scoring and other AI-powered suggestions are informational tools intended to assist your decision-making.

7.4 Limitations

AI-generated content may be inaccurate, incomplete, or unsuitable. You are solely responsible for reviewing and approving all AI-generated content before use.

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

Cookie Type Purpose Duration
Strictly Necessary Essential for the Website and Services to function (authentication, security, load balancing) Session / Persistent
Functional Remember your preferences and settings (language, display options) Persistent
Analytics Understand how visitors use our Website (page views, traffic sources, user flow) Persistent
Marketing Deliver relevant advertising and measure ad campaign effectiveness Persistent

8.2 Third-Party Cookies

We may allow third-party analytics and advertising partners to place cookies on your device. These third parties may collect information about your online activities across websites over time.

8.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking certain cookies may impair your use of the Services.

Additionally:

  • Google Analytics Opt-Out: You can install the Google Analytics opt-out browser add-on.
  • Do Not Track: Our Website currently does not respond to "Do Not Track" browser signals. However, we honor Global Privacy Control (GPC) signals where required by applicable state law.

8.4 Local Storage and Similar Technologies

We may also use local storage (e.g., HTML5 localStorage) and similar technologies for functionality and analytics purposes.

9. Data Retention

9.1 General Retention Periods

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

Data Category Retention Period
Account Information Duration of account + 30 days after deletion request, unless legal hold applies
Billing and Transaction Records 7 years (for tax and legal compliance)
Customer Data (Contact Data, Campaigns) Duration of subscription + 30 days post-termination for export
Usage and Log Data Up to 24 months
Campaign Analytics Duration of subscription + 90 days
Support Communications Up to 3 years
Cookie Data Varies by cookie (see Section 8)

9.2 Deletion

Upon termination of your account, we will delete or de-identify your Customer Data within thirty (30) days following the export period, except where we are required to retain it for legal, tax, audit, or security purposes.

9.3 Backup Systems

Residual copies of data may exist in backup systems for a limited period. We will not actively use or process backup data except for disaster recovery purposes.

10. Data Security

We implement and maintain reasonable administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, use, alteration, and destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest;
  • Access controls and authentication requirements;
  • Regular security assessments and monitoring;
  • Employee security awareness training;
  • Incident response procedures.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

If we become aware of a security breach that affects your personal information, we will notify you in accordance with applicable law.

11. International Data Transfers

Kampso is based in the United States. If you access the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to the United States:

  • We rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as applicable;
  • Where the Data Privacy Framework does not apply, we use Standard Contractual Clauses (SCCs) approved by the European Commission;
  • We implement supplementary measures where necessary to ensure an adequate level of data protection.

By using the Services, you acknowledge and consent to the transfer of your information as described in this section.

12. Your Privacy Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:

12.1 General Rights

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to certain exceptions.
  • Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
  • Opt-Out of Sale/Sharing: Direct us not to sell or share your personal information (see Section 13).
  • Opt-Out of Targeted Advertising: Opt out of the use of your personal information for targeted advertising.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

12.2 How to Exercise Your Rights

You may exercise your rights by:

  • Emailing us at [EMAIL];
  • Using the self-service privacy tools within your Account settings;
  • Submitting a request through our Website at kampso.com/privacy.

We will verify your identity before processing your request. We will respond within the timeframe required by applicable law (generally 30-45 days, with extensions as permitted).

12.3 Authorized Agents

In certain jurisdictions, you may designate an authorized agent to submit a request on your behalf. We may require proof of the agent's authorization.

12.4 Appeals

If we deny your privacy request, you may have the right to appeal. To appeal, contact us at [EMAIL] with the subject line "Privacy Request Appeal." If your appeal is denied and you are in a jurisdiction that permits it, you may contact your state Attorney General or relevant supervisory authority.

13. Do Not Sell or Share My Personal Information

Kampso does not sell personal information for monetary consideration. Depending on the applicable state law definition, certain data sharing activities (such as sharing data with advertising partners for targeted advertising) may constitute a "sale" or "sharing" of personal information.

To opt out of any such sale or sharing:

  • Visit kampso.com/privacy and select "Do Not Sell or Share My Personal Information";
  • Enable Global Privacy Control (GPC) in your browser — we honor GPC signals where required by law;
  • Contact us at [EMAIL].

14. Children's Privacy

The Services are not directed to, and we do not knowingly collect personal information from, children under the age of 16 (or 13 in jurisdictions where COPPA applies). If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at [EMAIL].

15. Third-Party Links and Services

The Services may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you interact with.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page;
  • Notify you by email or through the Services at least thirty (30) days before the changes take effect.

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, contact us at:

Kampso
[ADDRESS]
Email: [EMAIL]
Website: kampso.com

For EEA/UK residents: If you have concerns about our data practices, you have the right to lodge a complaint with your local data protection supervisory authority.

18. State-Specific Privacy Addenda

The following addenda apply to residents of specific U.S. states, to the extent required by applicable law. Where the terms of an addendum conflict with the main Privacy Policy, the addendum controls for residents of that state.

Addendum A: California (CCPA/CPRA)

This addendum applies to California residents and supplements this Privacy Policy as required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA").

Categories of Personal Information Collected (preceding 12 months):

Category (per CCPA § 1798.140) Examples Collected Source
A. Identifiers Name, email, IP address, account ID Yes Directly from you; automatically
B. California Customer Records (Civ. Code § 1798.80) Name, address, phone, payment info Yes Directly from you
D. Commercial Information Subscription records, transaction history Yes Directly from you
F. Internet/Electronic Network Activity Browsing history, usage data, interactions with Services Yes Automatically
G. Geolocation Data Approximate location from IP address Yes Automatically
K. Inferences Preferences, characteristics, engagement scores Yes Derived from usage

Business Purposes for Collection: See Section 3 above.

Categories of Third Parties with Whom We Share Personal Information:

  • Service providers (hosting, payment, email delivery, analytics, AI)
  • Advertising partners (if applicable)
  • Business transaction parties (mergers/acquisitions)

Sale and Sharing: Kampso does not sell personal information for monetary consideration. To the extent certain data sharing for analytics or advertising purposes constitutes "sharing" under the CCPA, you may opt out as described in Section 13.

Your CCPA Rights:

  • Right to Know: Request the categories and specific pieces of personal information we have collected.
  • Right to Delete: Request deletion of personal information we have collected.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: Direct us to stop selling or sharing your personal information.
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Submitting a Request: See Section 12.2. We will verify your identity by matching information you provide with information in our records. For "Right to Know" requests for specific pieces of information, we may require additional verification.

Financial Incentives: We do not currently offer financial incentives related to the collection, sale, or deletion of personal information.

Retention: See Section 9.

Addendum B: Virginia (VCDPA)

This addendum applies to Virginia residents under the Virginia Consumer Data Protection Act.

Your Rights:

  • Access, correct, delete, and obtain a portable copy of your personal data;
  • Opt out of the processing of personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Exercising Rights: See Section 12.2. We will respond within 45 days (extendable by 45 days with notice). You may appeal a denial by contacting us at [EMAIL]; you may also contact the Virginia Attorney General.

Addendum C: Colorado (CPA)

This addendum applies to Colorado residents under the Colorado Privacy Act.

Your Rights:

  • Access, correct, delete, and obtain a portable copy of your personal data;
  • Opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects.

Universal Opt-Out: We honor universal opt-out mechanisms (such as GPC) as required by the CPA.

Exercising Rights: See Section 12.2. We will respond within 45 days (extendable by 45 days). You may appeal a denial; if denied, you may contact the Colorado Attorney General.

Addendum D: Connecticut (CTDPA)

This addendum applies to Connecticut residents under the Connecticut Data Privacy Act.

Your Rights:

  • Access, correct, delete, and obtain a portable copy of your personal data;
  • Opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects.

Universal Opt-Out: We honor universal opt-out mechanisms (such as GPC) as required by the CTDPA.

Exercising Rights: See Section 12.2. We will respond within 45 days (extendable by 45 days). You may appeal a denial; if denied, you may contact the Connecticut Attorney General.

Addendum E: Utah (UCPA)

This addendum applies to Utah residents under the Utah Consumer Privacy Act.

Your Rights:

  • Access and delete your personal data;
  • Obtain a portable copy of your personal data;
  • Opt out of targeted advertising or sale of personal data.

Exercising Rights: See Section 12.2. We will respond within 45 days. You may contact the Utah Attorney General Division of Consumer Protection if you believe your rights have been violated.

Addendum F: Texas (TDPSA)

This addendum applies to Texas residents under the Texas Data Privacy and Security Act (effective July 1, 2024).

Your Rights:

  • Access, correct, delete, and obtain a portable copy of your personal data;
  • Opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects.

Exercising Rights: See Section 12.2. We will respond within 45 days (extendable by 45 days). You may appeal a denial; if denied, you may contact the Texas Attorney General.

Addendum G: Oregon (OCPA)

This addendum applies to Oregon residents under the Oregon Consumer Privacy Act (effective July 1, 2024).

Your Rights:

  • Access, correct, delete, and obtain a portable copy of your personal data;
  • Opt out of targeted advertising, sale, or profiling;
  • Obtain a list of specific third parties to whom your data has been disclosed.

Exercising Rights: See Section 12.2. We will respond within 45 days (extendable by 45 days). You may appeal a denial; if denied, you may contact the Oregon Attorney General.

Addendum H: Other States

Residents of Montana, Iowa, Delaware, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, and other states with comprehensive privacy laws in effect as of the date of this Privacy Policy may exercise rights substantially similar to those described above. Contact us at [EMAIL] to exercise your state-specific privacy rights. We will comply with the requirements of your applicable state law.

19. EEA/UK/Swiss Addendum (GDPR)

This addendum applies to individuals in the European Economic Area (EEA), United Kingdom (UK), and Switzerland, and supplements this Privacy Policy as required by the General Data Protection Regulation (GDPR) and UK GDPR.

19.1 Data Controller

For personal information we collect directly (account data, website analytics), the data controller is:

Kampso
[ADDRESS]
Email: [EMAIL]

19.2 Legal Bases

See Section 4. Under GDPR, we process personal data based on:

  • Contract: To perform our obligations under our agreement with you.
  • Legitimate Interests: For fraud prevention, security, service improvement, and analytics — balanced against your rights.
  • Consent: For marketing communications and certain cookie use. You may withdraw consent at any time.
  • Legal Obligation: To comply with EU/UK legal requirements.

19.3 Your GDPR Rights

In addition to the rights in Section 12, you have the right to:

  • Restrict Processing: Request restriction of processing in certain circumstances.
  • Object: Object to processing based on legitimate interests (we will cease processing unless we demonstrate compelling grounds).
  • Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not engage in such processing (see Section 7.3).
  • Lodge a Complaint: File a complaint with your local data protection supervisory authority.

19.4 International Transfers

See Section 11. For transfers outside the EEA/UK, we use:

  • EU-U.S. Data Privacy Framework and UK Extension;
  • Standard Contractual Clauses (SCCs);
  • Supplementary technical and organizational measures.

19.5 Data Protection Officer

We have not appointed a Data Protection Officer at this time. For data protection inquiries, contact us at [EMAIL].

19.6 Data Processing Agreement

Where Kampso acts as a data processor on behalf of a customer (controller) within the EEA/UK/Switzerland, we will enter into a Data Processing Agreement incorporating SCCs and appropriate technical and organizational measures upon request.

This Privacy Policy is effective as of the Last Updated date above and applies to all information collected from that date forward.