Early access · Founding operators lock in launch pricing for life.Become a founding operator →
Privacy Policy

How we handle your data.

This policy explains what information Setell collects, why we collect it, how we use it, who we share it with, and your rights regarding your data.

Effective Date
June 10, 2026
Data Controller
Setell ("we", "us", "our") is operated by Timber Ridge Capital LLC, a Washington limited liability company. We operate the website setell.ai, the application at go.setell.ai, and the Setell Chrome extension.
Contact
privacy@setell.ai

1. Information We Collect

What data we gather and how

Information You Provide
  • Account information: name and email address provided via Google OAuth sign-in
  • Business data: customer records, quotes, invoices, job details, and email content you create or import through the service
  • Communications: messages you send to us (support requests, feedback)
  • Integration credentials: OAuth tokens for Gmail, Microsoft 365 / Outlook, QuickBooks, Xero, and Slack connections you authorize
Information Collected Automatically
  • Usage data: pages visited, features used, actions taken within the application
  • Device information: browser type, operating system, screen resolution
  • Log data: IP address, access times, referring URLs, error logs
  • Cookies: session authentication cookies (essential) and optional analytics cookies (see Section 8)
Information from Third Parties
  • Google: profile information (name, email, profile picture) when you sign in with Google OAuth
  • Gmail: email messages when you connect your Gmail account to process quote requests
  • Microsoft: email messages from your connected Outlook / Microsoft 365 mailbox when you connect it to process quote requests (read-only)
  • QuickBooks: customer records, invoices, and estimates when you connect your QuickBooks account
  • Xero: contact and customer records, and the invoices Setell creates in your Xero organisation when you connect your Xero account
  • Stripe: subscription status and billing events (we never receive or store your credit card number)
Information from the Setell Chrome Extension
  • Email content: when you click the "Send to Setell" button on an open Gmail thread, the extension reads the sender, subject, and body of that single thread and sends it to your Setell account at go.setell.ai — no background scanning, no other tabs, no Gmail data is read without an explicit click
  • Purpose: the email content is delivered to your Setell account where Setell uses it to draft a quote for you (the user-facing feature you signed up for) — the extension does not use Gmail content for any other purpose
  • Local storage (chrome.storage.local): your Setell API key (used to authenticate to your own account) and a rolling 7-day count of how many emails you've sent — both stored on your device only, never transmitted except to authenticate to Setell
  • Uninstall behavior: when you remove the extension from Chrome, all locally-stored extension data (API key, send count) is removed automatically by Chrome — to delete the corresponding data inside Setell, see Section 5 (Retention) below
  • No third-party analytics, ad networks, or trackers are loaded inside the extension
  • Data the extension sends is processed by Setell under the same terms as the rest of this policy and inherits the Google API Limited Use restrictions in Section 9

2. How We Use Your Information

Why we process your data

To Provide the Service
  • Parse inbound emails to identify quote requests
  • Generate, revise, and send quotes using AI
  • Create invoices and sync them with QuickBooks
  • Create invoices in your connected Xero account
  • Manage your job pipeline and customer records
  • Send emails on your behalf through your connected Gmail
To Improve and Protect
  • Monitor for errors and fix bugs (via Sentry error tracking)
  • Analyze usage patterns to improve the product (aggregated, not individual)
  • Detect and prevent fraud, abuse, and security threats
  • Enforce our terms of service
To Communicate
  • Send transactional emails (account confirmation, billing receipts)
  • Respond to support requests
  • Send product updates and announcements (you can opt out at any time)

3. Legal Basis (GDPR)

Lawful basis for processing

For users in the European Union and European Economic Area, we process personal data under the following legal bases:

Contract Performance
Processing necessary to provide the Setell service you signed up for — including account management, quote generation, email processing, and QuickBooks sync.
Legitimate Interest
Processing necessary for security monitoring, fraud prevention, error tracking, product improvement, and enforcing our terms. We balance these interests against your privacy rights.
Consent
Where required by law, such as for optional analytics cookies and marketing communications. You can withdraw consent at any time without affecting the lawfulness of prior processing.

3a. Privacy by Design

Privacy by design & by default

Setell follows the principles of data protection by design and by default as set out in GDPR Article 25. These are not aspirations — they are structural choices in how the product is built.

Data minimization
We collect only the data needed to perform the specific feature you have requested. When you connect Gmail, we read messages matching customer-quote patterns; we do not index your inbox. When you sync QuickBooks, we read customer and invoice records; we do not pull every QuickBooks Online entity.
Purpose limitation
Each category of data we collect is used only for the purpose disclosed in this policy. Gmail content powers quote drafting for you; we do not use it for cross-customer analytics, to train generalized AI models, or for any feature outside the quote-to-cash workflow you connected it for.
Default privacy
New accounts default to the most private settings. Any data sharing for product improvement requires explicit opt-in with granular controls, default OFF.
Tenant isolation by design
Your data is bound to your account at the database schema level. Every database query our application makes includes a tenant filter; this is enforced by schema constraints, automated code checks that block deployments missing tenant filters, and static analysis rules. We do not aggregate, share, or expose data across customer accounts.
Minimal retention
Data is retained only as long as necessary for the feature it supports. Retention windows are documented in Section 5 of this policy, and at deletion we purge from production within 30 days and from backups within 90 days.
Pseudonymization in logs
Authentication tokens, share tokens, and similar secrets are fingerprinted (one-way hashed) before being written to any log. Customer-identifying data is scrubbed from error reports before transmission to our monitoring vendor.
No training on customer data
Setell does not train, fine-tune, develop, or improve generalized AI or machine-learning models using customer data. The sole exception is data that customers explicitly opt in to share for a specifically-named purpose, with granular controls, default-OFF, audit-logged consent, and revocation rights. Our AI sub-processors (Anthropic, OpenAI) operate under commercial API terms that prohibit the use of API inputs to train their models.

4. Sharing

Who we share your data with

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We share data only with the following categories of recipients:

Service Providers (Sub-Processors)
Third parties that help us operate the service, bound by data processing agreements:
  • AWS (hosting and compute)
  • Neon (database hosting)
  • Stripe (payment processing)
  • Anthropic (AI quote generation — does not use your data for model training)
  • Sentry (error monitoring)
  • Google (authentication and Gmail API)
  • Microsoft (Outlook / Microsoft 365 mailbox and Entra sign-in)
  • Intuit (QuickBooks API)
  • Xero (Xero API)
  • Twilio (SMS delivery)
At Your Direction
When you explicitly connect integrations or share content:
  • Emails sent to your customers through your connected Gmail
  • Invoices created in your connected QuickBooks account
  • Invoices created in your connected Xero account
  • Quotes shared via portal link with your customers
  • Notifications sent to your connected Slack workspace
Legal Requirements
We may disclose information when required by law, legal process, or government request, or to protect the rights, safety, or property of Setell, our users, or the public.

4a. SMS / Text Messaging

How text messaging and consent work

If you are a customer of a business that uses Setell, you may receive text messages (SMS) about your quote, estimate, invoice, or job, and you may reply to communicate with that business. SMS is always optional and is never sent without your explicit, prior consent. Consent to receive text messages is never required to receive a quote, sign, make a payment, or complete any transaction — you can use every part of the service by email or in your online portal without opting in. This section explains how that consent works and how we handle your mobile information.

How You Opt In
You opt in to text messages in one of two ways:
  • On the web — by entering your mobile number and checking the consent box in your online quote portal (express written consent)
  • By text — after a business sends a one-time confirmation message, you reply YES to begin receiving texts (double opt-in)
  • Opting in is optional — consent is not a condition of purchase and is never required to receive a quote, sign, make a payment, or complete any transaction. You can use every feature by email or in your online portal without it.
What We Send & How Often
  • Transactional updates about your quote, estimate, signature request, invoice, or payment, sent by the business you are working with
  • Replies within a two-way conversation when you text back
  • Message frequency varies based on your job activity. Message and data rates may apply.
Opting Out & Getting Help
  • Reply STOP (or STOPALL, UNSUBSCRIBE, QUIT, CANCEL, END) at any time to stop all texts from that number
  • Reply HELP for help, or contact the business directly
  • You can also turn texts off from your online quote portal
How We Handle Your Mobile Information
We use Twilio as our SMS service provider solely to deliver the messages you have consented to receive. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent will not be shared with any third parties.

4b. Agent Connections (MCP)

AI agents you connect to your account

Setell offers an MCP (Model Context Protocol) connector so AI agents you choose — such as Claude, ChatGPT, or Claude Code — can work with your Setell account on your behalf. Connections are created only by you, through an explicit consent screen, and every connection is yours to revoke.

What a Connected Agent Can Access
A connection grants the agent the same working scope as the Setell app, limited to your account only:
  • Read your jobs, customers, quotes, and pricing signals
  • Draft, send, and schedule quotes (subject to your autonomy settings)
  • Save customer notes and pricing memory
  • No access to other Setell accounts, billing credentials, or connected-integration tokens
How Consent and Credentials Work
  • You approve each connection on a Setell consent screen that names the requesting app
  • Setell issues the agent expiring, revocable access credentials — your password is never shared
  • Credentials are stored as cryptographic digests; the raw values are never persisted
  • Each connection is bound to exactly one Setell account
Your Controls
  • Settings → Connected agents lists every active connection with last-used time
  • Disconnect revokes an agent’s access immediately
  • Data the agent reads is governed by the agent provider’s own privacy policy (e.g. Anthropic for Claude, OpenAI for ChatGPT) once it leaves Setell at your direction

5. Retention

How long we keep your data

Active Accounts
  • Account and business data is retained for the duration of your subscription
  • Integration credentials are retained while the integration is connected
  • Usage logs are retained for 90 days
  • Error logs are retained for 30 days
After Deletion
  • Personal data is purged within 30 days of account deletion request
  • Integration tokens are deleted immediately upon disconnection
  • Setell Chrome extension API keys are revoked immediately when you rotate or delete them in Settings → Extension, and locally-stored extension data is removed automatically by Chrome when the extension is uninstalled
  • Backup copies are purged within 90 days
  • Anonymized, aggregated analytics may be retained indefinitely

6. Your Rights

Privacy rights under GDPR & CCPA

GDPR Rights (EU/EEA)
  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your personal data
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting prior processing
  • Lodge a complaint with your local supervisory authority
CCPA/CPRA Rights (California)
  • Know — what personal information we collect, use, and disclose
  • Delete — request deletion of your personal information
  • Opt-out — of the sale or sharing of personal information (we do not sell your data)
  • Non-discrimination — equal service regardless of exercising your rights
  • Correct — request correction of inaccurate personal information
  • Limit use of sensitive personal information
How to Exercise Your Rights
Email privacy@setell.ai with your request. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). You may also delete your account and data directly from your account settings.

7. International Transfers

Where your data is processed

Transfer Safeguards
Setell is based in the United States. If you are accessing the service from outside the US, your data will be transferred to and processed in the United States. We protect international transfers with the following safeguards:
  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA
  • Data Processing Agreements (DPAs) with all sub-processors
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • All sub-processors maintain SOC 2 Type II or equivalent certifications

8. Cookies

Cookies & tracking technologies

Essential Cookies
Strictly necessary for the application to function. Cannot be disabled.
  • Session authentication cookie (HttpOnly, Secure, SameSite=Lax)
  • CSRF protection token
Analytics Cookies
Used for anonymous, aggregated usage analytics. Can be declined without affecting functionality.
  • Google Analytics 4 (GA4) — opt-out via the cookie banner
  • Page views, session duration, and feature usage only
  • IP anonymization enabled; no advertising cookies set
  • No personal data included in analytics events

9. Google API Data

Google API Services User Data Policy

Setell's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Limited Use Compliance
  • We only access Gmail data necessary to provide quoting and invoicing functionality (parsing inbound emails, sending quote drafts)
  • We do not use Gmail data for advertising, market research, or to serve ads
  • We do not allow humans to read your email content except with your explicit consent, for security purposes (investigating abuse), or as required by law
  • We do not transfer Gmail data to third parties except as necessary to provide the service (AI processing via Anthropic, which does not use API inputs for training), with your consent, or as required by law
  • You can disconnect Gmail and revoke access at any time from Settings or your Google account — credentials are deleted immediately upon disconnection
  • The Setell Chrome extension is subject to the same Limited Use restrictions: it reads only the Gmail thread you have open at the moment you click "Send to Setell" — no background scanning, no other tabs, no usage for advertising or model training

10. Security

How we protect your data

We implement industry-standard technical and organizational measures to protect your data. For full details, see our Security Policy. Key measures include:

Security Measures
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • OAuth 2.0 authentication — we never store your Google password
  • Webhook signature verification (HMAC-SHA256) with timing-safe comparison
  • Input validation on all API endpoints (Zod schema validation)
  • Parameterized database queries (SQL injection prevention)
  • Rate limiting on all public-facing endpoints
  • Real-time error and security event monitoring
  • Formal incident response plan with 72-hour breach notification

11. Children

Children's privacy

Age Restriction
Setell is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact privacy@setell.ai.

12. Changes

Updates to this policy

Notification of Changes
We may update this privacy policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) or by placing a prominent notice on our website prior to the change becoming effective. Your continued use of the service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.

Questions?

Contact us

If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how we handle your information, reach out to us.

Privacy & data rightsprivacy@setell.ai
Security concernssecurity@setell.ai
General inquirieshello@setell.ai

This privacy policy is reviewed and updated at least annually.
Last updated: June 10, 2026.