Privacy Policy

How we handle your data.

This policy explains what information Setell collects, why we collect it, how we use it, who we share it with, and your rights regarding your data.

Effective Date
March 27, 2026
Data Controller
Setell ("we", "us", "our") operates the website setell.ai and the application at app.setell.ai.
Contact
privacy@setell.ai

1. Information We Collect

What data we gather and how

Information You Provide
  • Account information: name and email address provided via Google OAuth sign-in
  • Business data: customer records, quotes, invoices, job details, and email content you create or import through the service
  • Communications: messages you send to us (support requests, feedback)
  • Integration credentials: OAuth tokens for Gmail, QuickBooks, and Slack connections you authorize
Information Collected Automatically
  • Usage data: pages visited, features used, actions taken within the application
  • Device information: browser type, operating system, screen resolution
  • Log data: IP address, access times, referring URLs, error logs
  • Cookies: session authentication cookies (essential) and optional analytics cookies (see Section 8)
Information from Third Parties
  • Google: profile information (name, email, profile picture) when you sign in with Google OAuth
  • Gmail: email messages when you connect your Gmail account to process quote requests
  • QuickBooks: customer records, invoices, and estimates when you connect your QuickBooks account
  • Stripe: subscription status and billing events (we never receive or store your credit card number)

2. How We Use Your Information

Why we process your data

To Provide the Service
  • Parse inbound emails to identify quote requests
  • Generate, revise, and send quotes using AI
  • Create invoices and sync them with QuickBooks
  • Manage your job pipeline and customer records
  • Send emails on your behalf through your connected Gmail
To Improve and Protect
  • Monitor for errors and fix bugs (via Sentry error tracking)
  • Analyze usage patterns to improve the product (aggregated, not individual)
  • Detect and prevent fraud, abuse, and security threats
  • Enforce our terms of service
To Communicate
  • Send transactional emails (account confirmation, billing receipts)
  • Respond to support requests
  • Send product updates and announcements (you can opt out at any time)

3. Legal Basis (GDPR)

Lawful basis for processing

For users in the European Union and European Economic Area, we process personal data under the following legal bases:

Contract Performance
Processing necessary to provide the Setell service you signed up for — including account management, quote generation, email processing, and QuickBooks sync.
Legitimate Interest
Processing necessary for security monitoring, fraud prevention, error tracking, product improvement, and enforcing our terms. We balance these interests against your privacy rights.
Consent
Where required by law, such as for optional analytics cookies and marketing communications. You can withdraw consent at any time without affecting the lawfulness of prior processing.

4. Sharing

Who we share your data with

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We share data only with the following categories of recipients:

Service Providers (Sub-Processors)
Third parties that help us operate the service, bound by data processing agreements:
  • AWS (hosting and compute)
  • Neon (database hosting)
  • Stripe (payment processing)
  • Anthropic (AI quote generation — does not use your data for model training)
  • Sentry (error monitoring)
  • Axiom (event logging)
  • Google (authentication and Gmail API)
  • Intuit (QuickBooks API)
At Your Direction
When you explicitly connect integrations or share content:
  • Emails sent to your customers through your connected Gmail
  • Invoices created in your connected QuickBooks account
  • Quotes shared via portal link with your customers
  • Notifications sent to your connected Slack workspace
Legal Requirements
We may disclose information when required by law, legal process, or government request, or to protect the rights, safety, or property of Setell, our users, or the public.

5. Retention

How long we keep your data

Active Accounts
  • Account and business data is retained for the duration of your subscription
  • Integration credentials are retained while the integration is connected
  • Usage logs are retained for 90 days
  • Error logs are retained for 30 days
After Deletion
  • Personal data is purged within 30 days of account deletion request
  • Integration tokens are deleted immediately upon disconnection
  • Backup copies are purged within 90 days
  • Anonymized, aggregated analytics may be retained indefinitely

6. Your Rights

Privacy rights under GDPR & CCPA

GDPR Rights (EU/EEA)
  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your personal data
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting prior processing
  • Lodge a complaint with your local supervisory authority
CCPA/CPRA Rights (California)
  • Know — what personal information we collect, use, and disclose
  • Delete — request deletion of your personal information
  • Opt-out — of the sale or sharing of personal information (we do not sell your data)
  • Non-discrimination — equal service regardless of exercising your rights
  • Correct — request correction of inaccurate personal information
  • Limit use of sensitive personal information
How to Exercise Your Rights
Email privacy@setell.ai with your request. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). You may also delete your account and data directly from your account settings.

7. International Transfers

Where your data is processed

Transfer Safeguards
Setell is based in the United States. If you are accessing the service from outside the US, your data will be transferred to and processed in the United States. We protect international transfers with the following safeguards:
  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA
  • Data Processing Agreements (DPAs) with all sub-processors
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • All sub-processors maintain SOC 2 Type II or equivalent certifications

8. Cookies

Cookies & tracking technologies

Essential Cookies
Strictly necessary for the application to function. Cannot be disabled.
  • Session authentication cookie (HttpOnly, Secure, SameSite=Lax)
  • CSRF protection token
Analytics Cookies
Used for anonymous, aggregated usage analytics. Can be declined without affecting functionality.
  • Google Analytics via Google Tag Manager
  • Page views, session duration, and feature usage only
  • IP anonymization enabled
  • No personal data included in analytics events

9. Google API Data

Google API Services User Data Policy

Setell's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Limited Use Compliance
  • We only access Gmail data necessary to provide quoting and invoicing functionality (parsing inbound emails, sending quote drafts)
  • We do not use Gmail data for advertising, market research, or to serve ads
  • We do not allow humans to read your email content except with your explicit consent, for security purposes (investigating abuse), or as required by law
  • We do not transfer Gmail data to third parties except as necessary to provide the service (AI processing via Anthropic, which does not use API inputs for training), with your consent, or as required by law
  • You can disconnect Gmail and revoke access at any time from Settings or your Google account — credentials are deleted immediately upon disconnection

10. Security

How we protect your data

We implement industry-standard technical and organizational measures to protect your data. For full details, see our Security Policy. Key measures include:

Security Measures
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • OAuth 2.0 authentication — we never store your Google password
  • Webhook signature verification (HMAC-SHA256) with timing-safe comparison
  • Input validation on all API endpoints (Zod schema validation)
  • Parameterized database queries (SQL injection prevention)
  • Rate limiting on all public-facing endpoints
  • Real-time error and security event monitoring
  • Formal incident response plan with 72-hour breach notification

11. Children

Children's privacy

Age Restriction
Setell is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact privacy@setell.ai.

12. Changes

Updates to this policy

Notification of Changes
We may update this privacy policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) or by placing a prominent notice on our website prior to the change becoming effective. Your continued use of the service after the effective date constitutes acceptance of the updated policy. We encourage you to review this page periodically.

Questions?

Contact us

If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how we handle your information, reach out to us.

Privacy & data rightsprivacy@setell.ai
Security concernssecurity@setell.ai
General inquirieshello@setell.ai

This privacy policy is reviewed and updated at least annually.
Last updated: March 27, 2026.