Privacy Policy

Last updated: March 10, 2026

1. Introduction

CinnaReach is a software-as-a-service (SaaS) platform for automated webinar outreach, operated by Cinnamon Consulting ("we", "us", "our"). CinnaReach helps businesses send personalized webinar invitations via Google Calendar, track RSVPs, auto-register attendees in Zoom, and automate follow-up email sequences through MailerLite.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use the CinnaReach platform, visit our website, or interact with our services. We are committed to protecting your privacy and handling your data in a transparent, lawful manner in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using CinnaReach, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please do not use our services.

2. What Data We Collect

We collect and process the following categories of personal data:

• Account Information: When you register for CinnaReach, we collect your name, email address, and a securely hashed version of your password. We never store passwords in plain text.
• Contact Data Uploaded by Users: As part of using the platform, you may upload contact lists containing names, email addresses, company names, and job titles of individuals you wish to invite to webinars. You are the data controller for this data, and we process it on your behalf as a data processor.
• Integration Tokens: When you connect third-party services (Google Workspace, Zoom, MailerLite), we store encrypted authentication tokens using Fernet symmetric encryption. We do not store your third-party passwords.
• Usage Data: We collect information about how you use the platform, including login timestamps, features accessed, campaign activity, and general interaction patterns. This data helps us improve the service and troubleshoot issues.
• Campaign Data: We store records of invitations sent, delivery statuses, RSVP responses (yes, maybe, no, awaiting), Zoom registration statuses, and MailerLite synchronization logs.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

• To Provide the Service: Processing your data is necessary to operate CinnaReach, including sending webinar invitations on your behalf, tracking RSVP responses, registering attendees in Zoom, and synchronizing contact data with MailerLite.
• To Send Webinar Invitations: When you create a campaign, we use the contact data you provide to send personalized Google Calendar invitations from your designated sender accounts.
• To Track RSVPs: We monitor Google Calendar responses to update RSVP statuses in real time, enabling you to see who has accepted, declined, or not yet responded.
• To Automate Follow-Ups: Based on RSVP responses and webinar attendance data, we trigger automated workflows including Zoom registration and MailerLite email sequences.
• To Improve the Platform: We analyze aggregated, anonymized usage data to understand how the platform is used, identify areas for improvement, and develop new features.
• To Communicate with You: We may send you service-related notifications, such as account verification emails, security alerts, or updates about changes to our terms or policies.

4. Data Storage and Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect it:

• Infrastructure: CinnaReach is hosted on Heroku, which runs on Amazon Web Services (AWS) infrastructure. Data may be stored in data centers located in the United States and/or the European Union.
• Database: All structured data is stored in PostgreSQL databases with access restricted to authorized services only.
• Encryption: All integration credentials and authentication tokens are encrypted at rest using Fernet symmetric encryption. All data in transit is protected via HTTPS/TLS encryption.
• Access Controls: Access to production systems is restricted to authorized personnel. The platform enforces multi-tenant isolation, ensuring that each customer can only access their own data.
• Password Security: User passwords are hashed using industry-standard algorithms before storage. We never store or have access to plain-text passwords.

5. Third-Party Processors

To provide CinnaReach, we share data with the following third-party service providers, each of which processes data in accordance with their own privacy policies:

• Google (Calendar API, Gmail API): Used to send calendar invitations and track RSVP responses. Google processes event and attendee data per the Google Privacy Policy.
• Zoom (Webinar API): Used to auto-register accepted attendees into Zoom webinars. Zoom processes registrant data per the Zoom Privacy Policy.
• MailerLite (Email Marketing API): Used to synchronize contact segments and trigger email sequences. MailerLite processes subscriber data per the MailerLite Privacy Policy.
• Heroku / Salesforce: Provides our hosting infrastructure. Heroku processes data per the Salesforce Privacy Policy.
• Redis (via Heroku): Used as a task queue and caching layer for background job processing. Redis instances are hosted within our Heroku infrastructure and are not externally accessible.

6. Data Retention

We retain your data only as long as necessary to provide our services and fulfill the purposes described in this policy:

• Account Data: Your account information is retained for as long as your account remains active. If you request account deletion, we will remove your account data within 30 days.
• Contact Data: Contact data uploaded by you is retained according to your tenant-level configuration and campaign requirements. You may delete contact records at any time through the platform.
• Campaign Data: Campaign logs and RSVP records are retained for the duration of your account to enable historical reporting and compliance auditing.
• Post-Termination: Upon account termination, all associated data (account information, contact data, campaign records, and integration tokens) will be permanently deleted within 30 days. You may request a data export prior to termination.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or if your data is processed under the GDPR, you have the following rights:

• Right of Access: You have the right to request a copy of the personal data we hold about you.
• Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
• Right to Erasure: You have the right to request that we delete your personal data, subject to any legal obligations requiring us to retain it.
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to Restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances.
• Right to Object: You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us at hello@cinnamonconsulting.tech. We will respond to your request within 30 days. If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

8. Cookies

CinnaReach uses minimal cookies strictly necessary to operate the platform:

• Session Token (JWT): A secure, HTTP-only cookie containing your JSON Web Token for authentication. This cookie is essential for keeping you logged in and is deleted when you log out or when it expires.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track your behavior across other websites. We do not participate in any cross-site tracking or advertising networks.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

If we make significant changes that affect your rights or how we process your data, we will make reasonable efforts to notify you through the platform or via email.

10. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

CinnaReach, operated by Cinnamon Consulting
Email: hello@cinnamonconsulting.tech
Website: cinnamonconsulting.tech