Privacy Policy

Last Updated: April 10, 2026

Your privacy is important to us. This Privacy Policy explains how FollowUp ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our mobile application and services.

1. Information We Collect

1.1 Information You Provide

Account Information: Name, email, company name, password
Payment Information: Processed securely through Stripe
Contact Data: Customer phone numbers and names you upload
Message Content: SMS templates and conversation history
API Credentials: Encrypted Twilio/Telnyx credentials

1.2 Information Collected Automatically

Usage Data: Features used, workflows created, messages sent
Device Information: Device model, operating system, unique identifiers, browser type, IP address
Cookies/Local Storage: Session management, authentication, and preferences
Analytics: Page views, click patterns, performance metrics (first-party only)
Crash Data: Error logs, stack traces, and diagnostic information to improve app stability
Performance Data: App load times, API response times, memory usage

2. How We Use Your Information

Purpose	Legal Basis (GDPR)
Provide the Service	Contract Performance
Process Payments	Contract Performance
Send Service Emails	Legitimate Interest
Marketing (with consent)	Consent
Security & Fraud Prevention	Legal Obligation
Analytics & Service Improvements	Legitimate Interest
Aggregated Benchmarks & Industry Insights	Legitimate Interest
AI & Machine Learning Model Development	Legitimate Interest
De-Identified Data Products & Research	Legitimate Interest
Partner Network Referrals (with consent)	Consent

3. Data Security

We implement industry-standard security measures:

Encryption at rest and in transit (AES-256, TLS 1.3)
API credentials encrypted using Fernet symmetric encryption
Regular security audits and penetration testing
Access controls with role-based permissions
Secure data centers (AWS/Google Cloud)
Regular automated backups
Incident response procedures

4. Data Sharing and Third-Party Services

We do not sell your personally identifiable information (such as your name, email, phone number, or payment details) to third parties.

4.1 Aggregated and De-Identified Data

We may share, license, or sell aggregated, anonymized, and de-identified data that does not identify you, your business, or any individual contact. This includes:

Industry benchmarks: Aggregated performance metrics such as response rates, conversion patterns, and optimal messaging timing across industries
Market insights: Anonymized trend data and analytics reports provided to business partners, research firms, and enterprise customers
AI training data: De-identified conversation patterns and messaging outcomes used to train and improve artificial intelligence models

This data cannot be used to identify any individual user, business, or contact.

Our commitment: FollowUp publicly commits to maintaining all de-identified and aggregated data in de-identified form and will not attempt to re-identify such data, except solely for the purpose of verifying the effectiveness of our de-identification processes. We contractually require all recipients of de-identified data to maintain the data in de-identified form and to not attempt re-identification.

4.2 Partner Network

We may offer features that connect leads with relevant service providers in complementary industries. Identifiable lead information is only shared when the lead provides affirmative consent (e.g., responding to a prompt or opting in to receive offers from partners). You can disable Partner Network features at any time in your account settings.

4.3 Third-Party Service Providers

We use the following third-party services that may process information on our behalf:

OpenAI: Powers AI features for message generation and workflow automation
Stripe: Processes payments securely (we do not store full credit card details)
Twilio/Telnyx: SMS gateway providers that deliver text messages on your behalf
Sentry: Error tracking and crash reporting to improve app stability and performance
Cloudflare R2: AWS S3-compatible storage for data and file storage
SendGrid/Postmark: Transactional email delivery

Analytics: We collect analytics data directly (first-party) to understand app usage and improve features. We do not use third-party analytics services.

Each third-party service has its own privacy policy governing their use of your information. All service providers are bound by confidentiality agreements and process data solely on our behalf.

4.4 Legal Requirements

We may disclose information if required by law, court order, or government request.

4.5 Compliance Scrubbing

We check phone numbers in your account against third-party data sources, including federal and state Do Not Call registries and known TCPA litigator databases, to help you avoid contacting individuals who have opted out or who have a documented history of telecommunications litigation. These checks are performed automatically when you import or receive new leads, and may re-run periodically to reflect updated lists. Results are stored on your lead records as flags such as is_litigator, dnc_status, and is_dma_listed.

Data shared with the scrubbing provider. To perform this check we share only the phone number being looked up. We do not share the contact's name, address, email, your account identity, or any other contact field. Our current scrubbing provider is Tracerfy, which is contractually prohibited from using the numbers we query for any purpose other than returning litigation and DNC status to us. We do not retain copies of the third-party data outside of the per-phone results attached to your leads. We may change providers in the future and will update this notice accordingly.

Overrides. If a lead is flagged, FollowUp will block automated outbound messaging to that contact and record the block in the compliance audit log. The contact is not removed from your account. You may override the block on a per-contact basis from the lead detail screen. Overrides are recorded in the compliance audit log. Re-enabling messaging to a known litigator is done at your sole risk and does not transfer any compliance obligation to FollowUp.

5. Your Rights

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. When you delete your account:

Personal data is permanently deleted within 30 days
Backup copies are removed within 90 days
Some data may be retained longer if required by law

Data Type	Retention Period
Account Data	Active account duration + 30 days after deletion
Backup Copies	Removed within 90 days of account deletion
Message History	Duration of account + 30 days after deletion
Payment Records	7 years (legal/tax requirement)
Analytics Data	24 months (anonymized)
Aggregated & De-Identified Data	Indefinite (cannot be linked to individuals)
Security Logs	12 months

7. Local Data Storage and Tracking

We use local storage, cookies, and similar technologies to:

Essential: Maintain your session and authentication
Preferences: Remember your settings and preferences
Performance: Analyze app performance and usage patterns
Cache: Store data for offline functionality (mobile app)

You can control tracking through your browser settings or device settings. On iOS devices, you can manage tracking permissions through: Settings > Privacy & Security > Tracking

8. Children's Privacy (COPPA Compliance)

FollowUp is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it immediately. If you believe we have collected information from a child under 13, please contact us at [email protected].

9. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure appropriate safeguards through:

Standard Contractual Clauses (SCCs)
Data Processing Agreements
Adequacy decisions where applicable

10. California Privacy Rights (CCPA)

California residents have additional rights:

Right to know what personal information is collected
Right to know if information is sold or disclosed
Right to opt-out of sale of personal information
Right to non-discrimination

We do not sell personally identifiable information. We may share aggregated, de-identified data that does not constitute "personal information" under the CCPA. To exercise your rights or submit a request, email [email protected].

11. App Tracking Transparency (iOS)

We respect your privacy choices. We do not use Apple's IDFA for advertising tracking. If we ever implement cross-app tracking, we will request your permission through Apple's App Tracking Transparency framework as required by iOS.

You can manage tracking permissions on your iOS device at any time through: Settings > Privacy & Security > Tracking

12. Data Breach Notification

In the event of a data breach that may affect your personal information, we will notify you within 72 hours via email and provide:

Description of the breach
Types of data involved
Steps we're taking
Recommended actions for you

13. Changes to Privacy Policy

We may update this policy periodically. Material changes will be notified via email or prominent notice in the Service. Continued use after changes constitutes acceptance.

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy:

Email: [email protected]
Subject line: "Privacy Policy Inquiry"

We take privacy seriously and will respond to all requests within 30 days.

Supervisory Authority: EU users may lodge complaints with their local data protection authority.