Privacy Policy

Last updated: May 16, 2026

This Privacy Policy explains how SendMate collects, uses, and shares information when you use the SendMate software application, website, and related services (collectively, the “Software”).

Local-first design: SendMate’s assisted texting runs on your device. Your message content, contacts, phone numbers, Follow Up Boss session, notes, tasks, and send queue stay on your computer. SendMate servers handle account access, billing and licensing, app updates, security and abuse monitoring, support, and privacy-preserving verification metadata.

Information We Collect

Depending on your usage, we may collect:

  • Account information: Name, email address, phone number, and subscription status.
  • Support communications: Messages you submit through the in-app Support feature.
  • License and activation data: Activation status, device and application identifiers (which may be hashed), timestamps, and IP addresses associated with login sessions.
  • Settings: Schedule configuration, feature preferences, and notification toggles you choose to save.

Diagnostics

To diagnose crashes and reliability problems, SendMate collects error reports both through our error-monitoring provider (Sentry) and into an internal error_reports table in our database. These reports may include the application version, error type and message, stack trace, the page or feature in use, and basic device/environment details (such as operating system and user-agent string). Before transmission, our error pipeline scrubs email addresses, phone numbers, JWT tokens, and known provider secrets from event payloads.

Diagnostics are designed to exclude: plaintext message bodies, contact names, contact phone numbers, Follow Up Boss cookies or API keys, raw Follow Up Boss notes or tasks, and your local send queue. Error reports are retained only as needed for security, debugging, and service reliability (see Retention and Security below).

What We Do Not Want

Do not submit Third-Party Service passwords through support channels. We do not need passwords to provide support and will not request them.

What Stays On Your Device (Local-Only Data)

SendMate is designed to process sensitive texting data locally on your computer. The following data is stored locally on your device and is not transmitted to our servers:

  • Third-Party Service credentials:Passwords and API keys are stored locally and encrypted at rest on your device using AES-256-GCM authenticated encryption, with the encryption key derived from your device's hardware identifier so that a copy of the encrypted blob cannot be decrypted on a different machine.
  • Session cookies/tokens: Authentication cookies/tokens for Third-Party Services are stored locally and transmitted only as needed to authenticate requests to the applicable Third-Party Service.
  • Task/message processing data: Message content, contact names, phone numbers, and task lists that are used during assisted texting are processed locally on your device.
  • Local history used for safety features: Local records used for duplicate detection and operational safeguards.

What We Store on Our Servers (Limited Metadata)

We store limited account and operational metadata on our servers to operate the Software, including:

  • Account information (such as name, email, phone, and subscription status)
  • Support requests you submit through in-app Support
  • License and activation metadata (activation status, app version, device and session identifiers (which may be hashed), and timestamps)
  • Anomaly and security events (for example, app-integrity checks, repeated authentication failures, install identifier mismatches, and other signals used to detect tampering and abuse)
  • Send-outcome metadata (per outbound text we record only the outcome — sent, failed, or skipped— with a timestamp and counters; we do not store the message body)
  • Do-not-contact (DNC) records when Follow Up Boss reports a recipient has opted out, so that we can honor the opt-out on future sends. Where Follow Up Boss returns the opt-out message body verbatim, that text is captured to document compliance.
  • Phone-number lookup cache for the optional Real Phone Validation (RPV) DNC-screening feature you may enable. Numbers you submit for screening are cached so duplicate lookups do not re-charge you.
  • Diagnostics (crash/error logs and app/version info — see Diagnostics above)
  • High-level usage and operational logs (for example, feature usage counters and internal identifiers needed to operate and troubleshoot the Software)

We may also collect and store IP address information and session metadata (such as login timestamps and device identifiers) in the ordinary course of providing the Software. This information is used for security purposes, including detecting unauthorized access, enforcing single-device session limits, fraud prevention, and to document acceptance of our Terms.

Privacy-preserving verification metadata

For license enforcement, send verification, abuse prevention, and service reliability, SendMate may process privacy-preserving hashes and identifiers — for example, hashed Follow Up Boss person IDs, hashed local task or record IDs, hashed normalized message digests, and short-lived signed send-intent tokens. These are non-reversible identifiers used for verification only. They are not plaintext message content, contact names, phone numbers, Follow Up Boss cookies, raw Follow Up Boss notes or tasks, or your local send queue. Where this metadata is enabled, retention follows the limits in the Retention table below.

We do not store Follow Up Boss passwords, API keys, or session cookies on our servers.

We do not route plaintext message bodies, contact names, phone numbers (other than the optional RPV cache described above), Follow Up Boss cookies, raw Follow Up Boss notes or tasks, or your local send queue through SendMate servers. Texts are sent directly from the SendMate desktop app to Follow Up Boss using your local Follow Up Boss session.

Support Ticket Data

If you submit a support request through the in-app Support feature, it may contain information you choose to include (such as screenshots, descriptions, or contact details). We retain support ticket data as needed to resolve your request and for quality assurance. Do not submit Third-Party Service passwords in support tickets.

SMS and Text Message Communications

SendMate sends transactional SMS notifications to account holders who have verified their phone number and opted in during signup. These messages may include lead activity alerts, account notifications, daily summaries, verification codes, and (for the [IVR] Follow Up Boss integration) missed call and voicemail notifications.

Phone number data we collect for SMS: your mobile phone number, opt-in timestamp, opt-in method, and message delivery status. We use this data solely to send the notifications you requested and to comply with carrier and regulatory requirements.

No sharing for marketing. We do not sell, rent, or share your mobile phone number with any third parties for marketing or promotional purposes. Your phone number is shared only with our messaging provider (Twilio) solely to deliver the messages you requested. Mobile information is not shared with affiliates or partners for any purpose other than message delivery and customer service.

Opt-in. You opt in to SMS notifications by checking a consent box during account signup at https://mysendmate.com and verifying your phone number via a one-time SMS code.

Opt-out. You can opt out at any time by replying STOP to any SMS message. After replying STOP, you will receive one final confirmation message and no further SMS messages will be sent. To re-subscribe, reply START. For help, reply HELP or contact [email protected].

Message frequency. Message frequency varies based on your account activity and notification settings. Message and data rates may apply.

How We Use Information

We use information to:

  • Operate the Software, including access control and activation.
  • Provide customer support.
  • Prevent fraud, abuse, and unauthorized access.
  • Improve reliability and fix bugs.
  • Manage billing and account administration.

Sharing

We share limited information with our service providers (subprocessors), listed below by role. Each provider receives only the data needed for its specific role and is bound by contract or its own published terms to use that data solely to provide the service to SendMate. We also disclose information to legal/compliance authorities when required by law, legal process, or to protect our rights. We do not sell personal data to advertisers.

Service Providers (Subprocessors)

SendMate uses the following service providers to operate the Software and website:

  • Supabase— authentication, account database, edge functions, and Realtime updates. United States.
  • Paddle— payments, subscriptions, and merchant-of-record tax handling. United States / Europe.
  • Twilio— SMS notification delivery and phone-number verification codes. United States.
  • Resend— transactional and notification email delivery. United States.
  • Sentry— error and diagnostic monitoring for the application and website. United States.
  • HelpScout— in-app and website support chat and knowledge base. United States.
  • Cloudflare— bot/abuse prevention (Turnstile), DNS, content delivery, and traffic analytics for the website. United States.
  • Vercel— website hosting, deployment, and Vercel Analytics (privacy-focused, aggregated page-view counts; no tracking cookies). United States.
  • Google Fonts— font delivery for the website. Google receives standard HTTP request data (such as IP address and User-Agent) during font load. United States.

For a customer-specific Data Processing Addendum (DPA) or an up-to-date subprocessor list, see our DPA & Subprocessors page or email [email protected].

Third-Party Services

Third-party services that you connect to SendMate (for example, Follow Up Boss) may collect data independently when you use them. Their privacy practices are governed by their own policies; SendMate does not control them.

Retention and Security

We retain information as needed for operations and legal/accounting requirements. Specific retention periods for operational data:

  • Diagnostic and error logs: 90–365 days
  • Email notification logs: 365 days
  • Login event records: 180 days
  • Billing event records: 180 days
  • Daily and monthly statistics: 730 days (2 years)
  • Send-outcome metadata (per-send result + timestamp; no message body): 180 days
  • Anomaly and security events: retained as needed for security review and abuse investigation (typically up to 90 days for routine signals; longer where required for an open investigation)
  • Do-not-contact (DNC) / opt-out records: retained for the life of the account so that we can honor opt-outs on future sends
  • RPV phone-number lookup cache: retained as long as needed to serve the optional DNC-screening feature you enabled
  • Terms and consent acceptance records (timestamp, app/Terms version, device or session identifier, IP address): retained for the life of the account and a reasonable period afterward for dispute resolution
  • Account information and support tickets: retained while your account is active, or as required by law

Some specific retention periods above are best estimates of our current operational defaults and may change as the Software evolves. For the current authoritative period for a specific data category, email [email protected].

When You Delete Your Account

Deleting your account through the app deactivates it; it does not immediately erase every record.When you click “Delete Account,” SendMate:

  • Immediately marks your account as deleted — you cannot sign in, send texts, or be billed further.
  • Cancels your active subscription, with account credit for unused time applied to your billing account. Cash refunds are reviewed manually by support.
  • Retainsthe following for the legal-records, fraud-prevention, and dispute-handling periods listed above: your profile (name, email, phone), subscription history, billing events, send-log entries, daily & per-month statistics, and DNC / opt-out flags. These remain so that you can dispute a chargeback, request reactivation, or respond to a regulatory inquiry without losing your history.
  • Removes your account from active billing, team memberships, and active session lists.

If you want a complete erasure beyond the retention periods above — for example, a GDPR Article 17 “right to be forgotten” request — email [email protected] from the email address on the account. We complete verified erasure requests within 30 days.

We use reasonable safeguards to protect your data; however, no system is 100% secure. You are responsible for securing your device and access credentials.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion (Right to Erasure): Request deletion of your personal data. Upon a verified request, we will delete your account data and personal information, except where retention is required by law or for legitimate business purposes (such as fraud prevention or legal compliance).
  • Data Portability: Request a machine-readable copy of your personal data for transfer to another service.
  • Opt-Out of Sale: We do not sell your personal data. If this changes, we will provide a clear opt-out mechanism.

To exercise any of these rights, submit a request through the in-app Support feature or email us at [email protected]. We will respond within 30 days (or sooner if required by applicable law).

For California Residents

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the right to:

  • Know what personal information we collect, use, and disclose.
  • Request deletion of personal information.
  • Opt out of the sale or sharing of personal information (we do not sell or share your data).
  • Not be discriminated against for exercising your privacy rights.

Categories of personal information we collect include: identifiers (name, email, phone), commercial information (subscription status, billing records), and internet activity (usage logs, device identifiers). We do not collect sensitive personal information as defined under CCPA/CPRA.

For EEA and UK Residents

If you are located in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

  • Contract performance: To provide the Software and fulfill our obligations under your subscription.
  • Legitimate interests: To improve the Software, prevent fraud, and ensure security.
  • Legal obligation: To comply with applicable laws.

In addition to the rights listed above, you have the right to lodge a complaint with your local data protection authority.

International data transfers.SendMate is operated from the United States and our service providers (subprocessors) listed above are predominantly U.S.-based. Where personal data is transferred out of the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards including, as applicable, the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, the EU–US Data Privacy Framework where our processors are certified, or equivalent safeguards published by each processor. If you need a copy of our subprocessor list or a customer-specific Data Processing Addendum (DPA), see our DPA & Subprocessors page or email [email protected].

Contact

Privacy requests and questions can be submitted through the in-app Support feature or by emailing [email protected].

Operator (minimal disclosure): SendMate is operated by Mint Strategies LLC (d/b/a “SendMate”).