Legal

Privacy Policy

How we handle your account data and the prospect data you upload — and the choices you have.

Last updated · July 8, 2026

This policy explains what data Warmvane (“we”, “the service”) collects, why, and how we protect it. It is a plain-language template and should be reviewed by legal counsel before production use.

Who we are

The service is operated by Tomasz Matusiak, an individual based in Poland (“we”, “the operator”). We act as the data controller for your account data and as a processor for the prospect data you upload. You can reach us at tomasz.matusiak@post.pl. A registered business entity and postal address will be added here once the operator formalizes the business; until then, the operator acts as a natural person.

What we collect

How we use it

We do not sell your data or your prospects’ data, and we do not use it to train third-party models beyond what is required to generate your drafts. The service never sends messages on your behalf — every message is sent by you, from your own inbox.

Legal basis for processing

We process your account data to provide the service you signed up for (Article 6(1)(b) GDPR — performance of a contract) and to keep it secure (Article 6(1)(f) — our legitimate interest in running a safe service). We process the prospect data you upload on your behalf and under your instructions, as your processor; you are responsible for the legal basis that covers that data. Where the law requires it, we also process data to meet our legal obligations (Article 6(1)(c)).

Where your data is processed

Your account and prospect data are stored on Supabase in the United Kingdom (London, eu-west-2 region). The United Kingdom is covered by a European Commission adequacy decision, so transfers there from the EEA are permitted. To research prospects and generate drafts, relevant content is also processed by our AI sub-processor in the United States (see international transfers below). Our current sub-processors are:

International transfers

When the AI researches a company or drafts a message, the relevant content is sent to Anthropic in the United States. Where personal data is transferred outside the EEA or the UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and our AI provider’s data-processing terms, and we limit the data shared to what is needed to produce your research and drafts.

Payments

The app does not process payments today. When paid plans go live, checkout and billing will be handled by a third-party Merchant-of-Record payment provider (for example, Lemon Squeezy or Paddle), which acts as the seller of record and handles applicable taxes. That provider processes your payment details directly under its own privacy policy — we do not receive or store your full card details. We receive only what we need to activate your plan, such as your email and subscription status.

Your responsibilities for prospect data

You decide which prospects to upload and remain responsible for having a lawful basis to process their personal data under applicable law (for example, the GDPR). In data-protection terms, you act as the controller of that data and we act as a processor acting on your instructions.

Retention

We keep your account and prospect data for as long as your account is active. You can request deletion of your data at any time; we will remove it within a reasonable period, except where we are required to retain certain records by law.

Your rights

Depending on your location, you may have the right to access, correct, delete, export, or object to the processing of your personal data. To exercise any of these, contact us at the address on our contact page.

Cookies

The app uses only essential cookies: to keep you signed in, and to remember your language preference (English or Polish) so we do not ask again on your next visit. We do not use advertising or third-party tracking cookies.

Data breaches

We keep reasonable technical and organizational measures in place to protect your data. If a personal-data breach occurs that is likely to result in a risk to people’s rights, we will notify the relevant supervisory authority and any affected users without undue delay, in line with Articles 33 and 34 GDPR.

Changes

We may update this policy as the product evolves — for example, when billing is introduced. Material changes will be reflected by the “last updated” date above.

Contact

Questions about privacy? Reach us via our contact page.