CORSTRATE · EMAIL TOOL

Privacy Policy

Applies to the Corstrate Email Tool · Last updated: 2026-06-22

1. Who we are and our role

This Privacy Policy explains how Corstrate SASU, a French société par actions simplifiée unipersonnelle (SIREN 847766136), registered office 20 chemin des Yvelines, 06530 Peymeinade, France (“Corstrate”, “we”, “us”), processes personal data in connection with the Corstrate Email Tool — a targeted B2B outreach service that sends personalised emails from a connected business mailbox and tracks the responses.

Data controller. For the personal data processed through the Corstrate Email Tool, Corstrate acts as the data controller within the meaning of the EU General Data Protection Regulation (GDPR): we determine the purposes and means of the processing and we are responsible for compliance with applicable data-protection law. This allocation of responsibility is set out in our contracts with clients.

Contact for any privacy matter: ijelassi@corstrate.com. Data Protection Officer: Imen Jelassi (ijelassi@corstrate.com).

2. Scope

This policy covers the data processed when an operator connects a business mailbox to the Corstrate Email Tool via OAuth — either Microsoft 365 (Microsoft Graph) or Google Workspace (Gmail API) — and when the tool conducts outreach. It does not cover third-party websites or services linked from our pages.

3. What data we process

3.1 Mailbox data (via the connected mailbox)

DataPurpose
Outbound email content (subject, body, recipient)Sending the personalised outreach and follow-ups
Inbound reply metadata (sender, subject, internet message ID, headers)Matching a reply to the originating outreach
Inbound reply content — first ~1,000 characters, stripped of HTMLShowing the operator a reply summary
Bounce notification details (recipient address, error code)Marking a recipient undeliverable and stopping further sends
Out-of-office notificationsPausing outreach to that recipient until a later date
Signed-in user profile (display name, email address)Identifying the operator’s mailbox during authentication

The Corstrate platform stores derived data (sender address, message ID, classification, reply excerpt) — not a full copy of the mailbox. Full email content remains in the provider’s storage at all times.

3.2 Prospect / lead data

To run B2B outreach we process business-context personal data of the prospects contacted: name, professional email address, job title, employer/company, and publicly available professional information (e.g. LinkedIn profile, company website). We do not process special categories of personal data.

3.3 What we never access

4. OAuth permissions we request

Access is per-user and delegated; it is limited to the mailbox of the operator who signs in and consents. There is no tenant-wide, cross-mailbox or administrative access.

Microsoft 365 (Microsoft Graph)

ScopePurpose
Mail.SendSend outreach from the operator’s mailbox
Mail.ReadWriteRead inbound replies to classify them; move bounce/out-of-office messages into sub-folders. No email is deleted or forwarded outside the mailbox.
User.ReadRead the signed-in user’s basic profile during sign-in
offline_accessRefresh the access token so the operator need not re-authenticate every hour

Google Workspace (Gmail API)

ScopePurpose
gmail.sendSend outreach from the operator’s mailbox
gmail.modifyRead inbound replies to classify them and organise bounce/out-of-office messages into labels. Includes read access; no email is deleted.

5. Purposes and lawful basis

Every outreach email identifies the sender and offers a clear way to opt out. We do not use the data for advertising profiling or automated decision-making producing legal effects.

6. Where data is stored — sub-processors & EU residency

All persistent processing by Corstrate takes place within the European Union. We use the following sub-processors:

Sub-processorRoleRegion
OVH SASPrimary hosting (database & backend)Roubaix, France 🇫🇷
ScalewayEncrypted backup storageParis, France 🇫🇷
Teable (Community Edition, self-hosted by Corstrate)Operational database (PostgreSQL)Roubaix, France 🇫🇷
Cloudflare, Inc.CDN / edge routing / web hosting — TLS termination only, no email content stored at the edgeGlobal edge, EU routing preference
Microsoft CorporationMicrosoft Graph API (mailbox access)The client tenant’s own data residency
Google LLCGmail API (mailbox access)The client’s Google Workspace data residency

Mailbox content itself remains in the client’s Microsoft 365 / Google Workspace storage. Corstrate stores only the derived data described in §3.

7. International transfers

Persistent storage is in the EU (France). Where a sub-processor is US-headquartered (Cloudflare, Microsoft, Google), processing occurs under that provider’s GDPR commitments and EU data-residency / Standard Contractual Clauses frameworks. The Cloudflare edge performs TLS termination only and does not persistently store mailbox content.

8. Retention

DataRetention
Outreach campaign data (sent metadata, reply summaries, tracker history)For the duration of the engagement; deleted on request
Encrypted daily backups (Scaleway)1 year, then automatic deletion
Operational logs30 days, then automatic rotation
OAuth refresh tokens (operator’s device Keychain)Until access is revoked

9. Security

10. Use of Google user data — Limited Use

Corstrate’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data obtained through Google Workspace (Gmail) APIs is used only to provide and improve the user-facing outreach features described in this policy. It is never sold, never used for advertising, and never used to train generalised AI/ML models. Human access to this data occurs only where strictly necessary for security, to comply with law, or with the user’s consent.

11. Your rights

As the data controller, Corstrate handles requests directly. Subject to applicable law, you may request access to, rectification or erasure of your personal data, restriction of or objection to processing, and data portability. To exercise these rights, or to opt out of outreach, contact ijelassi@corstrate.com. You also have the right to lodge a complaint with your supervisory authority (in France, the CNIL).

12. Revoking mailbox access

A connected mailbox can be disconnected at any time: Microsoft 365 users via myapps.microsoft.com → remove “Corstrate Email Tool”, or by a tenant admin in Entra ID → Enterprise Applications; Google users via Google Account → Security → Third-party access, or by a Workspace admin. Access ends on the next token refresh.

13. Changes to this policy

We may update this policy; the “Last updated” date above reflects the latest version. Material changes will be communicated to clients.