Privacy Policy — CinnaReach

✅

GDPR & applicable law compliance CinnaReach operates as a data processor on behalf of its customers (data controllers). This policy explains both how we process data related to our own operations, and how we handle contact data that customers upload. It is written in compliance with the EU General Data Protection Regulation (GDPR), Andorra's Llei qualificada de protecció de dades personals i de garantia dels drets digitals (LQPD), CASL, and CAN-SPAM.

1. Who We Are and What We Do

CinnaReach is a software-as-a-service (SaaS) platform for automated B2B webinar outreach, operated by Cinnamon Consulting, registered in the Principality of Andorra. CinnaReach enables businesses ("customers") to send personalised webinar invitations to their professional contacts via Google Calendar, track RSVPs, auto-register attendees in Zoom, and automate post-webinar follow-up sequences through MailerLite.

Our role under data protection law: CinnaReach acts as a data processor when handling personal data that customers upload into the platform (contact lists, prospect data). Each customer is the data controller for their contact data. For data related to our own operations (account data, usage data), CinnaReach acts as a data controller.

This distinction is important and is reflected throughout this policy.

2. Lawful Basis for Processing (Article 6 GDPR)

We document a specific lawful basis for each category of processing we carry out. The table below summarises our own (controller-side) processing activities. For processing customer contact data, see Section 4.

Processing Activity	Lawful Basis	Explanation
Account registration and management	Contract (Art. 6(1)(b))	Necessary to provide the service you have contracted for
Authentication and session management	Contract (Art. 6(1)(b))	Necessary to operate secure access to your account
Storing OAuth integration tokens (Google, Zoom, MailerLite)	Contract (Art. 6(1)(b))	Required to connect and operate third-party integrations on your behalf
Campaign metrics and activity logging	Contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f))	Necessary for service delivery; legitimate interest in troubleshooting and audit trail
Platform improvement and analytics (aggregated, anonymised)	Legitimate interests (Art. 6(1)(f))	Our interest in improving product quality; we use anonymised data only
Sending transactional service emails	Legitimate interests (Art. 6(1)(f)) / Legal obligation (Art. 6(1)(c))	Necessary to keep you informed of material changes and fulfil legal obligations
Billing records (reference only)	Legal obligation (Art. 6(1)(c))	Required for accounting, tax, and contractual obligations
Fraud prevention and abuse detection	Legitimate interests (Art. 6(1)(f))	Our legitimate interest in protecting the platform and other customers from misuse

Legitimate Interests Balancing Test Where we rely on legitimate interests, we have conducted an internal Legitimate Interests Assessment (LIA) confirming that our interest is genuine, processing is necessary and proportionate, and the impact on your privacy rights is minimal given the professional B2B context and the safeguards we apply. You may request a copy of any LIA by contacting us at the address in Section 16.

3. What Data We Collect (About Our Customers)

When you use CinnaReach as a customer, we collect and process:

Account information: Name, work email address, company name, and a securely hashed password (bcrypt). We never store passwords in plain text.
Integration credentials: OAuth access tokens and refresh tokens for Google Workspace, Zoom, and MailerLite, encrypted at rest using Fernet symmetric encryption. We never store your third-party account passwords.
Campaign and usage data: Campaign configurations, invite send logs, RSVP response records, Zoom registration statuses, MailerLite sync logs, login timestamps, and feature usage patterns.
Billing reference data: Plan type, billing cycle, and subscription status. Actual payment processing is handled externally and we do not store full payment card data.
Support communications: Any correspondence you send us by email or within the platform.

4. Contact Data You Upload (Customer Contact Lists)

As part of using the platform, customers upload prospect contact lists. This data typically includes: first name, last name, email address (professional/business), company name, job title, and optionally LinkedIn profile URL.

You are the data controller for this data. CinnaReach processes it solely as a data processor, on your instructions, for the purpose of operating your campaigns. We do not use this data for our own marketing, share it with third parties for their own purposes, or sell it.

As the data controller, you are responsible for:

Having a valid lawful basis under Art. 6 GDPR (and any applicable national law) for processing and contacting each person in your list. For B2B outreach to professional contacts, legitimate interests (Art. 6(1)(f)) is the standard industry basis — but it requires a Legitimate Interests Assessment and limits outreach to contacts who would reasonably expect professional communications relevant to their role.
Ensuring that the source of your contact data was obtained lawfully (e.g., your own CRM, reputable B2B data providers with documented compliance, publicly available professional directories — not scraped or purchased lists without a documented data source).
Honouring opt-out and erasure requests from contacts promptly. CinnaReach's suppression list and unsubscribe mechanisms are tools that help you fulfil these obligations.
Complying with the email and electronic communications laws of every jurisdiction where your contacts are located (including GDPR, PECR, CASL, CAN-SPAM, and any other applicable regulation).

LinkedIn data note If you include LinkedIn profile URLs in your contact data, you are responsible for ensuring that use of that data complies with LinkedIn's terms of service and GDPR. CinnaReach stores this field as provided but does not access LinkedIn on your behalf.

Our obligations as your data processor are set out in the Data Processing Agreement (DPA) incorporated into our Terms of Service (Schedule 1).

5. Automated Processing and Priority Scoring

CinnaReach's scheduling engine performs automated processing of contact and campaign data to calculate priority scores, allocate daily sending capacity, determine contact eligibility, and sequence invitations. This processing involves evaluating attributes such as days remaining to the webinar, contact status, and cooldown period.

This processing is used solely for operational scheduling purposes — it determines when and in what order invitations are sent on behalf of the customer. It does not produce legal or similarly significant effects for the individuals concerned (it does not determine credit, employment, or access to services).

This processing is carried out under our contract with the customer (Art. 6(1)(b)) and is not profiling in the sense of Art. 22 GDPR. No individual decisions with legal consequences are made solely on the basis of this automated processing.

6. Data Storage, Security, and Infrastructure

We implement appropriate technical and organisational security measures in accordance with Art. 32 GDPR:

Infrastructure: CinnaReach is hosted on Heroku (a Salesforce company), which runs on Amazon Web Services (AWS). Data may be stored on servers located in the United States and/or the European Union.
Database: Structured data is stored in PostgreSQL databases with access restricted to authorised services only. Multi-tenant isolation is enforced at all query levels.
Encryption at rest: Integration credentials and authentication tokens are encrypted using Fernet symmetric encryption. All databases are encrypted at rest.
Encryption in transit: All data in transit is protected by HTTPS/TLS 1.2 or higher. Unencrypted connections are not permitted.
Access controls: Production system access is restricted to authorised personnel on a need-to-know basis. We maintain access logs.
Password security: User passwords are hashed using bcrypt before storage. We never store, log, or transmit plain-text passwords.
Background task security: Job queues (Redis/Celery) are not externally accessible and operate within our secured infrastructure.

7. International Data Transfers

Heroku and AWS may store and process data in the United States and other jurisdictions outside the European Economic Area (EEA). Where personal data of EEA residents is transferred outside the EEA, we ensure that such transfers are protected by an appropriate legal mechanism in accordance with Chapter V of the GDPR:

Heroku/Salesforce: Covered by Salesforce's EU Standard Contractual Clauses (SCCs) under the EU Commission Decision of June 2021.
Google (Workspace/Calendar API): Google has executed SCCs and participates in the EU-US Data Privacy Framework.
Zoom: Zoom has executed SCCs and participates in the EU-US Data Privacy Framework.
MailerLite: MailerLite is headquartered in Lithuania (EU) and is subject to GDPR in its own right as a data processor.

Andorra has been granted adequate protection status equivalent to the EU, meaning transfers of personal data from EU member states to Andorra do not require additional transfer mechanisms.

You may request copies of the relevant transfer safeguards (including SCCs) by contacting us at [email protected].

8. Sub-Processors

As a data processor, we engage the following sub-processors to help us deliver the service. We require all sub-processors to implement appropriate data protection safeguards and we remain responsible for their processing under Art. 28(4) GDPR.

Sub-Processor	Purpose	Location	Transfer Mechanism
Heroku / Salesforce	Hosting infrastructure, compute, storage	US / EU	SCCs
Google LLC	Calendar API (invite sending & RSVP tracking), Gmail API	US / EU	SCCs / DPF
Zoom Video Communications	Webinar registration and attendance tracking	US	SCCs / DPF
MailerLite	Post-webinar email follow-up sequences	EU (Lithuania)	GDPR (EU entity)
Redis (via Heroku)	Background job queue and caching	US / EU	Covered by Heroku SCCs

We will notify customers of any intended changes to our sub-processor list with at least 30 days' advance notice, providing an opportunity to object. Notice will be given by email and by updating this page.

9. Unsubscribes, Suppression Lists, and Opt-Outs

CinnaReach is designed to make honouring contact preferences simple and immediate:

Google Calendar RSVP declines: Contacts who decline a webinar invitation are immediately marked as declined and excluded from further invitations for that campaign.
MailerLite unsubscribes: When a contact unsubscribes via MailerLite, a webhook triggers immediate suppression — the contact is marked and suppressed across all future sending within the tenant within seconds.
Zoom opt-outs: Cancellations and opt-out signals from Zoom are tracked and applied to the tenant's suppression list.
Cooldown period: By default, a contact who has been invited cannot be contacted again for 60 days (configurable). This prevents over-messaging.
Tenant-level suppression: Customer administrators can manually suppress any contact at any time through the platform interface.

Once suppressed, a contact will not receive further invitations from that tenant regardless of future campaign additions, unless the suppression is deliberately lifted by the customer administrator with an appropriate legal basis.

10. Data Retention

Data Category	Retention Period	Basis
Customer account data	Duration of account + 30 days post-termination	Contract; then erasure
Integration tokens (OAuth)	Deleted on disconnection or account termination	Contract necessity
Contact data uploaded by customers	As configured by customer; deleted on request or termination (within 30 days)	Customer instruction (processor)
Campaign logs and RSVP records	Duration of account; deleted on termination (within 30 days)	Contract / legitimate interests
Billing reference data	7 years (legal accounting obligation)	Legal obligation
Security and access logs	90 days (rolling)	Legitimate interests (security)
Zoom webhook event logs	90 days (rolling)	Legitimate interests (audit, debugging)
Support correspondence	3 years from last interaction	Legitimate interests

Upon account termination or a written deletion request, all contact data and campaign records will be permanently and irreversibly deleted within 30 days. You may request a data export prior to termination. Billing records required for legal compliance are retained separately with restricted access.

11. Your Rights Under GDPR (and Equivalent Laws)

If you are located in the EEA, UK, or a jurisdiction with equivalent data protection laws, you have the following rights:

Right	What it means for you	How to exercise it
Right of access (Art. 15)	Obtain a copy of the personal data we hold about you	Email [email protected]
Right to rectification (Art. 16)	Correct inaccurate or incomplete data	Via platform settings or by email
Right to erasure (Art. 17)	Request deletion of your data where there is no overriding legal obligation to retain it	Email [email protected]
Right to portability (Art. 20)	Receive your data in a machine-readable format	Request data export via platform or email
Right to restriction (Art. 18)	Restrict processing while a dispute is resolved	Email [email protected]
Right to object (Art. 21)	Object to processing based on legitimate interests	Email [email protected]
Right to withdraw consent	Where processing is based on consent, withdraw it at any time without affecting prior processing	Via platform settings or by email

We will respond to all rights requests within 30 days (extendable by a further two months for complex requests, with notice). There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

Rights of contacts in customer lists

If you are an individual whose data has been uploaded by one of our customers (e.g., you received a CinnaReach-powered webinar invitation), you should direct your request to the customer who sent you the communication, as they are the data controller for your data. If you cannot identify or contact the controller, email us at [email protected] and we will assist. A confirmed unsubscribe or opt-out will prevent future invitations across all of that tenant's campaigns immediately.

Right to lodge a complaint

CinnaReach's lead supervisory authority is:

Autoritat de Protecció de Dades Personals (APDA) — Andorra
Website: www.apda.ad

If you are located in an EU member state, you may also contact your local national data protection authority — for example, the CNIL (France), the ICO (UK), or the BfDI (Germany).

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will:

Notify the APDA within 72 hours of becoming aware of the breach (Art. 33 GDPR).
Notify affected customers without undue delay, including: nature of the breach, data categories and approximate number of individuals affected, likely consequences, and measures taken or proposed.
Assist customers (as data controllers) in notifying affected data subjects where required under Art. 34 GDPR.

We maintain an internal breach register and a documented incident response procedure. We conduct regular security assessments to identify and remediate vulnerabilities proactively.

13. Cookies

CinnaReach uses only the following cookies:

Session token (JWT): A secure, HTTP-only, SameSite cookie containing your JSON Web Token for authentication. This cookie is essential for keeping you logged in and is deleted when you log out or when it expires.

We do not use third-party tracking cookies, advertising cookies, analytics cookies, or any cross-site tracking. We do not participate in advertising networks. We do not serve ads in the CinnaReach platform.

14. Records of Processing Activities (Art. 30 GDPR)

CinnaReach maintains internal records of all processing activities carried out under its own controllership and as a data processor, as required by Art. 30 GDPR. These records include categories of data processed, purposes, sub-processors engaged, and retention periods. Records are available to supervisory authorities on request.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our processing activities, technology, sub-processor list, or applicable law. When we make material changes, we will notify customers by email with at least 14 days' advance notice before changes take effect and update the "Last updated" date. Continued use of CinnaReach after the effective date constitutes acceptance of the updated policy.

16. Contact and DPO

Data Protection Contact

CinnaReach, operated by Cinnamon Consulting
Principality of Andorra
Email: [email protected]
Website: cinnamonconsulting.tech

CinnaReach does not currently meet the thresholds requiring mandatory appointment of a Data Protection Officer (DPO) under Art. 37 GDPR. Privacy and data protection inquiries are handled directly by our operations team at the address above with a 30-day response commitment.