ThroughTheGrapevine.ai
Start free

Privacy Policy

Last Updated: September 17, 2025

Kendall Labs LLC (“Kendall Labs,” “ThroughTheGrapevine,” “we,” “us,” or “our”) is the controller for personal information processed in connection with ThroughTheGrapevine.ai and related websites, apps, and services (collectively, the “Service”).

Your privacy is important to us. This Policy explains what we collect, how we use and share it, and the choices and rights available to you.

If you do not agree with this Policy, please do not access or use the Service.

1) Scope & Third-Party Links

This Policy applies to personal information processed by ThroughTheGrapevine via https://throughthegrapevine.ai and any site we own and operate that links to it. Our Service may link to third-party websites, tools, or platforms (e.g., social networks, maps, ad platforms). Their privacy practices are governed by their own policies.

2) What We Collect

We collect information in three ways: (a) you provide it to us, (b) we collect it automatically, and (c) we obtain it from third parties (including public and licensed sources).

A. Information You Provide (Voluntarily Provided)

  • Account & Contact Data: name, email, password (hashed), company, role, preferences.
  • Billing & Subscription Data: plan selection, invoices, billing address, last-4 digits/brand/expiration month & year via our payment processor (we do not store full card numbers).
  • Lead & Workflow Inputs (“Customer Data”): search terms/filters, lists, tags, notes, imported contacts, campaign settings, message templates, consent flags.
  • Support & Comms: emails, chat messages, survey responses, feedback.
  • Consent Records: marketing consent, TCPA consent for SMS (when used), and opt-out preferences.

B. Information We Collect Automatically

  • Log & Usage Data: IP address, device/OS/browser type, pages viewed, referring/exit pages, date/time stamps, feature usage, error and performance data.
  • Cookie/Pixel/SDK Data: cookie identifiers, session data, UTM parameters, ad identifiers, approximate location (derived from IP), and in-product event analytics.
  • Device Data: device type, operating system, language settings, time zone, crash diagnostics.

C. Information From Third Parties

  • Data Partners & Integrations: where enabled, we may receive business profile attributes, public contact signals, or metadata from data partners or platforms you connect (subject to their terms and your permissions).
  • Public & Open Sources: business directories, public websites, and publicly available social/profile pages to help surface local lead signals.
  • Marketing/Ad Partners & Analytics: interaction data with our ads and pages, campaign performance, and conversions.

We aim to collect only what is reasonably necessary for the purposes described below.

3) How We Use Information

We use personal information to:

  1. Provide & Improve the Service – account creation, authentication, user settings, lead discovery and alerts, search functionality, saved lists, integrations, and debugging.
  2. Customer Support & Communications – respond to requests; send service, security, and transactional notices.
  3. Billing & Administration – process payments; detect fraud; manage subscriptions and renewals.
  4. Personalization & Product Research – tailor content, features, and recommendations; measure usage and improve performance and reliability.
  5. Marketing (Opt-Out Anytime) – send product updates, offers, and educational content (email/SMS subject to applicable law and your preferences).
  6. Safety, Security & Compliance – monitor misuse, prevent spam/abuse, and comply with legal obligations and platform policies.
  7. Aggregated/De-identified Insights – create statistics and benchmarks that do not identify you.

AI/Model-Assisted Features. Some features may use AI/heuristics to rank, enrich, or summarize signals. Outputs can be probabilistic and may contain errors. We use Customer Data to operate and improve these features, and we may create aggregated/de-identified datasets for model tuning and quality—never to re-identify an individual or to sell PI as a standalone data product. Where required by applicable law, you may opt out of certain improvement uses (see Section 11).

4) Legal Bases (EEA/UK)

Where GDPR/UK GDPR applies, we process personal data under these legal bases:

  • Contractual necessity (to provide the Service);
  • Legitimate interests (product improvement, security, fraud prevention, basic marketing);
  • Consent (cookies/analytics/ads where required; SMS marketing; certain data sharing);
  • Legal obligation (tax, accounting, regulatory).

You may withdraw consent at any time without affecting prior lawful processing.

5) Cookies, Pixels & Similar Tech

We use first- and third-party cookies and similar technologies for:

  • Essential operations (authentication, security);
  • Analytics (usage metrics, product improvement);
  • Advertising/retargeting (to measure and improve campaigns);
  • Functional (remember preferences).

You can manage cookies in your browser and via our Cookie Preferences link (if implemented). Blocking some cookies may limit functionality. See our separate Cookie Policy for details.

Global Privacy Control (GPC). Where required by law, we treat a valid GPC signal as a request to opt out of sale/share for the device/browser sending the signal.

6) How We Share Information

We do not sell personal information as commonly understood. Under certain state privacy laws, some analytics/advertising disclosures can be considered a “sale” or “share.” You can opt out (see Section 11).

We share personal information with:

  • Service Providers / Processors – hosting, infrastructure, analytics, email/SMS, payment processing, customer support, logging/monitoring, security, QA. These parties are contractually bound to use PI only to provide services to us.
  • Integration & Platform Partners – where you connect accounts or direct us to act on your behalf (subject to your permissions).
  • Professional Advisors – auditors, lawyers, and accountants under confidentiality.
  • Business Transfers – in M&A, financing, or asset sale scenarios (successors bound by this Policy or a policy with materially similar protections).
  • Legal & Safety – to comply with law, enforce terms, or protect rights, safety, and security.

We maintain a list of core sub-processors and will provide it on request (or via a posted list).

7) Data Retention

We retain personal information for as long as necessary to: provide the Service; comply with legal obligations; resolve disputes; enforce agreements; and maintain business records. We may retain backups for limited periods. When no longer needed, data is deleted or de-identified per our schedules.

8) Security

We implement reasonable technical and organizational measures appropriate to the nature of the data and our role as a SaaS provider (e.g., encryption in transit, access controls, logging). No system is 100% secure. You’re responsible for keeping credentials confidential and using strong passwords.

9) Children’s Privacy

The Service is not directed to children under 13 (or under 16 where applicable). We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us so we can delete it.

10) Messaging Compliance (Email/SMS/Calls)

If you use any messaging features:

  • Email: comply with CAN-SPAM (truthful headers/subjects, physical address, and opt-out).
  • SMS/Calls: comply with TCPA/FCC (obtain prior express consent where required, honor STOP/revocation). You’re responsible for ensuring you have appropriate consent to contact individuals and for honoring opt-out requests. We may throttle or filter to protect recipients and comply with law and carrier policies.

11) Your Privacy Choices & State/Regional Rights

A. Your Choices (All Users)

  • Marketing Opt-Out: unsubscribe links in emails; reply STOP to SMS; or email us.
  • Cookie Preferences: manage in browser and via our cookie controls.
  • Do Not Sell/Share (Ad/Analytics): use our “Do Not Sell or Share My Personal Information” link (site footer) or contact us. We will also honor valid GPC signals.
  • AI/Improvement Opt-Out (where required): contact us to limit certain de-identified/aggregated improvement uses tied to your workspace/account.

B. California (CCPA/CPRA)

California residents have the right to:

  • Know/Access categories and specific pieces of personal information we have collected about you;
  • Delete personal information (subject to exceptions);
  • Correct inaccurate personal information;
  • Opt-out of sale/share of personal information for cross-context behavioral advertising;
  • Limit use/disclosure of sensitive personal information (we do not collect SPI for the purpose of inferring characteristics);
  • Non-discrimination for exercising rights.

We disclose the following categories of PI (as defined by CPRA) for business purposes: identifiers (e.g., email, IP), commercial information (subscriptions), internet/network activity, geolocation (coarse), and inferences (basic preference segments). We do not sell PI in the traditional sense; we may share identifiers and internet activity with analytics/advertising partners (opt-out available).

Submit requests via support@throughthegrapevine.ai. We will verify and respond within statutory timeframes.

C. Virginia / Colorado / Connecticut (and similar state laws)

Residents may have rights to access, correct, delete, and opt out of targeted advertising, sale, and profiling with legal or similarly significant effects. Exercise rights via support@throughthegrapevine.ai. You may appeal our decision by replying “Appeal” to our response.

D. Nevada

Nevada residents may opt out of the sale of covered information by emailing support@throughthegrapevine.ai with “Nevada Opt-Out” in the subject.

E. EEA/UK (GDPR/UK GDPR)

You have rights to access, rectify, erase, restrict, object (including to direct marketing), and data portability. You may also lodge a complaint with a supervisory authority. Where we rely on consent, you may withdraw it at any time.

12) International Data Transfers

We are U.S.-based. If we transfer personal data from the EEA/UK/Switzerland to countries without an adequacy decision, we rely on Standard Contractual Clauses (and the UK Addendum, as applicable), plus supplementary measures where appropriate.

13) Data Processing Addendum (DPA)

For customers subject to GDPR/UK GDPR or similar laws, we offer a DPA governing our processor obligations when we process Customer Data on your behalf. Contact support@throughthegrapevine.ai to request our DPA and current sub-processor list.

14) Do Not Track

Some browsers offer “Do Not Track” (DNT). We currently do not respond to DNT signals. We do honor Global Privacy Control (GPC) as described above.

15) Changes to This Policy

We may update this Policy to reflect changes in our practices, technologies, or legal requirements. We will post updates with a new “Last Updated” date and, where required by law, provide notice and/or seek consent.

16) Contact Us

Kendall Labs LLC Attn: Privacy Team Email: support@throughthegrapevine.ai Address: 125 Church Street Unit 90-127 Pembroke, MA, 02359 EU/UK DPO/Representative (if applicable): \[Insert or “Not applicable”\]

17) California Notice of Collection (Summary)

Over the past 12 months, we collected (see Sections 2 & 3) and disclosed for business purposes the following categories: identifiers; commercial information; internet/network activity; approximate geolocation; and inferences. Sources include you, your devices, public sources, data partners, and ad/analytics partners. Purposes include Service delivery, security, analytics, personalization, and marketing. We may share identifiers and internet activity with ad/analytics partners in ways that can be considered “share” or “sale” under CPRA; you can opt out via our site footer link or GPC.

18) Additional Disclosures (“Shine the Light”)

California residents may request information about our disclosures of certain personal information to third parties for their direct marketing purposes (once per year). Send requests to support@throughthegrapevine.ai with “Shine the Light” in the subject, and include your name and postal address.

19) Your Responsibilities

If you upload or sync third-party contacts or trigger messaging through the Service, you are responsible for ensuring you have lawful basis/consent and for honoring opt-out requests, applicable spam/TCPA rules, and any platform terms for services you connect.