ICPilot

Legal

Privacy Policy

Last updated: 30 March 2026

1. Who we are (data controller)

ICPilot is an AI-powered B2B sales intelligence platform operated by ICPilot (“we”, “us”, “our”), accessible at icpilot.siddha.pro.

For all questions related to data protection, please contact us at privacy@icpilot.siddha.pro.


2. What data we collect

We collect only the data necessary to provide the service. The categories are:

2.1 Account data

  • Email address (used for authentication and communications)
  • Full name (optional, used for personalisation)
  • Company name (used for ICP analysis context)
  • Product description (used as AI interview context)

2.2 Prospecting data you create

  • ICP cluster profiles (cluster names, industries, pain points, buying triggers) — generated from your AI interview
  • Enriched company profiles (firmographics, tech stack, maturity scores, news signals)
  • Stakeholder profiles (names, titles, LinkedIn URLs, communication style assessments, conversation starters)
  • Outreach sequences and message touchpoints
  • One-Pager slide decks and storylines

2.3 Usage and technical data

  • Usage metrics (number of ICP scans, enrichments, messages generated, decks created per month) — for billing and abuse prevention
  • Authentication session tokens (HTTP-only cookies managed by Supabase Auth)
  • Server-side access logs (IP address, user agent, timestamp) — retained for 30 days for security monitoring

3. Sources of prospecting data

When you ask ICPilot to enrich a company or stakeholder, we retrieve publicly available business information from third-party sources:

  • LinkedIn public profiles — job titles, career history, and recent posts visible without login, via the Proxycurl API
  • Apollo.io — business contact database (firmographics, professional email addresses listed for business purposes)
  • Company websites — publicly available information from company “About” pages, press sections, and job postings
  • News articles — press mentions and news items about companies via NewsAPI
  • Technology detection — publicly detectable technology stack data via BuiltWith

All enrichment data concerns companies and individuals in their professional capacity. We do not collect or process sensitive personal data (GDPR Article 9) and do not scrape or process any private communications.


4. Legal basis for processing

4.1 Contractual performance (GDPR Art. 6(1)(b))

Processing your account data (email, name, product description) is necessary to provide the ICPilot service you have signed up for.

4.2 Legitimate interest (GDPR Art. 6(1)(f))

Enrichment of B2B company and professional data is based on the legitimate interest of both ICPilot (providing the service) and our customers (conducting lawful B2B prospecting). This interest is not overridden by the data subjects' rights because:

  • All processed data is professional/business data in a B2B context
  • Data subjects have a reasonable expectation that their publicly shared professional information may be used for business outreach
  • The processing is proportionate and does not concern sensitive personal data
  • Individuals can always exercise their rights to object (see Section 7)

4.3 Legal obligation (GDPR Art. 6(1)(c))

We retain billing records and access logs to comply with applicable tax and accounting laws (German HGB/AO where applicable).


5. Data storage and international transfers

All user data is stored in the European Union (EU):

  • Database and storage: Supabase hosted on AWS Frankfurt (eu-central-1), Germany
  • Application server: Hetzner data centre, Nuremberg, Germany

We use the Anthropic Claude API to process AI tasks. Prompts sent to Anthropic may include your product description and anonymised company/stakeholder context. Anthropic processes this data in the United States under Standard Contractual Clauses (SCCs). We do not send personally identifiable information in AI prompts unless explicitly required.

Payment processing is handled by Stripe, Inc. Stripe stores payment card data on our behalf and is PCI-DSS Level 1 certified. Stripe operates under SCCs for EU data transfers.


6. Data retention

Account and prospecting data: Retained until you delete your account. You can delete all data at any time from Settings → Privacy & Data.

Billing records: Retained for 10 years to comply with German commercial law (HGB § 257).

Access logs: Retained for 30 days, then automatically purged.


7. Your rights under GDPR

As a data subject in the EU, you have the following rights:

Right of access (Art. 15)

Request a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Correct inaccurate personal data via Settings or by contacting us.

Right to erasure (Art. 17)

Delete all your data from Settings → Privacy & Data → "Delete all my data".

Right to data portability (Art. 20)

Download all your data as JSON from Settings → Privacy & Data → "Download my data".

Right to object (Art. 21)

Object to processing based on legitimate interest, including profiling for direct marketing.

Right to restriction (Art. 18)

Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at privacy@icpilot.siddha.pro. We will respond within 30 days. You also have the right to lodge a complaint with the competent supervisory authority — in Germany this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).


8. Cookies and tracking

ICPilot uses only strictly necessary cookies:

  • Authentication cookies — HTTP-only, secure session tokens set by Supabase Auth. Required for you to stay logged in. These expire after 7 days of inactivity.

We do not use advertising cookies, third-party tracking pixels, or Google Analytics.


9. Third-party processors

| Processor | Purpose | Location |
|-----------|---------|----------|
| Supabase | Database, auth, storage | EU (Frankfurt) |
| Hetzner | Application hosting | EU (Nuremberg) |
| Anthropic | AI processing (Claude API) | US (SCCs) |
| Stripe | Payment processing | US/EU (SCCs, PCI-DSS) |
| Apollo.io | B2B contact enrichment | US (SCCs) |
| Proxycurl | LinkedIn profile data | US (SCCs) |
| NewsAPI | Company news signals | US (SCCs) |
| BuiltWith | Tech stack detection | AU (SCCs) |

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before the changes take effect. The “Last updated” date at the top reflects the most recent revision.


11. Contact

For all data protection enquiries:

ICPilot
c/o icpilot.siddha.pro
privacy@icpilot.siddha.pro