Privacy Policy
Last updated: 24 March 2026
This Privacy Policy explains how Horizon Creatives Studio Ltd ("Company", "we", "us", "our") collects, uses, stores, and protects your personal data when you use the Sellkora platform ("Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.
1. Data Controller
The data controller for personal data collected through the Service is:
- Company: Horizon Creatives Studio Ltd
- Location: London, United Kingdom
- Email: privacy@sellkora.com
2. Data We Collect
We collect personal data in the following categories:
2.1 Account Data (provided by you)
| Data | Purpose |
|---|---|
| Full name | Account identification, personalisation |
| Email address | Account login, communications, notifications |
| Phone number | Account security, 2FA, optional contact |
| Password (hashed) | Account authentication |
| Company name | Business profile, outreach personalisation |
| Company website | Business verification, AI content generation |
2.2 Authentication Data
| Data | Purpose |
|---|---|
| Google OAuth tokens | Social login authentication |
| Two-factor authentication data | Account security verification |
When you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
2.3 Business Configuration Data (provided by you)
| Data | Purpose |
|---|---|
| Services offered, pricing, target audience | AI personalisation of outreach |
| Sales materials, custom instructions | AI agent configuration |
| Agent identity (name, role, style) | AI personality for communications |
| SMTP credentials (email host, username, password) | Sending emails on your behalf |
| LinkedIn session cookies | LinkedIn automation on your behalf |
SMTP credentials and LinkedIn session data are stored encrypted at rest and are used solely for the purpose of operating the Service on your behalf.
2.4 Lead Data (collected by the Service)
| Data | Purpose |
|---|---|
| Business names, addresses, phone numbers | Lead identification and outreach |
| Business email addresses | Outreach communication |
| Website URLs, social media links | Lead research and verification |
| LinkedIn profile data (name, headline, experience) | LinkedIn outreach and personalisation |
Lead data is sourced from publicly available information: Google Places (business directories), publicly accessible company websites, and public LinkedIn profiles. We do not purchase personal data from third-party data brokers.
2.5 Communication Data
| Data | Purpose |
|---|---|
| Outbound emails (content, recipients, timestamps) | Service delivery, tracking, follow-up |
| Inbound emails (sender, subject, body) | Inbox management, reply tracking |
| LinkedIn messages (sent and received) | LinkedIn outreach management |
| Voice call recordings and transcripts | AI call analysis, quality assurance |
2.6 Usage and Technical Data (collected automatically)
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, analytics |
| User agent (browser, OS) | Compatibility, security monitoring |
| Feature usage (searches, emails sent, AI credits used) | Usage tracking, plan enforcement |
| Timestamps of actions | Activity logging, billing |
| Error logs | Debugging, service improvement |
2.7 Payment Data
Payments are processed by Stripe. We do not store your credit card number, CVV, or full payment details on our servers. Stripe provides us with a limited set of information (last 4 digits, card brand, billing email, country) for billing management. See Stripe's Privacy Policy.
3. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: To operate the platform, send outreach on your behalf, manage your leads, and provide AI-powered features.
- Account management: To create and maintain your account, authenticate your identity, and enforce subscription limits.
- AI processing: To generate personalised emails, analyse leads, score opportunities, and power AI agent features. Your business data and lead data are sent to AI providers (see Section 6) for processing.
- Billing: To process payments, manage subscriptions, and generate invoices.
- Security: To detect and prevent fraud, abuse, and unauthorised access, and to monitor for prohibited activities (see our Terms of Use, Section 4.3).
- Service improvement: To analyse usage patterns, fix bugs, and improve the platform.
- Communications: To send you service-related notifications, billing updates, and (with your consent) marketing communications.
4. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Service delivery, account management | Contract — necessary to perform the contract between you and us (Article 6(1)(b)) |
| Billing and payments | Contract — necessary to perform the contract (Article 6(1)(b)) |
| Security monitoring, fraud prevention | Legitimate interest — protecting the Service and our users (Article 6(1)(f)) |
| Prohibited activity monitoring | Legal obligation — compliance with UK law (Article 6(1)(c)) and legitimate interest (Article 6(1)(f)) |
| Service improvement, analytics | Legitimate interest — improving our product (Article 6(1)(f)) |
| Marketing communications | Consent — you can opt out at any time (Article 6(1)(a)) |
| Cookie usage | Consent — via cookie consent banner (Article 6(1)(a)) |
5. Your Role as Data Controller
When you use Sellkora to find leads and send outreach, you are the data controller for the personal data of the individuals and businesses you contact. We act as a data processor on your behalf.
This means:
- You are responsible for ensuring you have a lawful basis to contact the leads (e.g., legitimate interest for B2B outreach).
- You are responsible for responding to data subject access requests (DSARs) from individuals you have contacted.
- You must honour unsubscribe requests.
- You must comply with GDPR, CAN-SPAM, CASL, PECR, and other applicable laws in the jurisdictions you operate in and send outreach to.
We will assist you in responding to DSARs to the extent technically feasible.
6. Third-Party Processors and Data Sharing
We share your data with the following categories of third-party service providers, strictly for the purpose of delivering the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google (Gemini AI) | AI lead analysis, content generation | Lead data, business context, prompts |
| Anthropic (Claude AI) | AI communications, agent features | Lead data, business context, conversation history |
| Google (Places API) | Lead discovery | Search queries (business type + location) |
| Stripe | Payment processing | Billing email, payment method details |
| Your SMTP provider | Email delivery | Email content, sender/recipient addresses |
| LinkedIn automation (via your credentials) | Actions performed under your LinkedIn account | |
| Telephony provider (Twilio) | AI voice calls (where applicable) | Phone numbers, call audio |
We do not sell, rent, or trade your personal data to third parties for marketing purposes. We do not share your data with data brokers.
6.1 AI Provider Data Handling
- Data sent to Google Gemini and Anthropic Claude is used solely for generating AI responses within the Service.
- We use API access (not consumer products), which means your data is not used to train AI models under current provider policies.
- We recommend reviewing the privacy policies of Google Gemini API and Anthropic for full details.
7. Data Storage and Security
- Your data is stored on servers located in the European Union / United Kingdom.
- We use PostgreSQL with encrypted connections for database storage.
- Passwords are hashed using industry-standard algorithms (never stored in plaintext).
- SMTP credentials and LinkedIn session data are encrypted at rest.
- All connections to the Service are encrypted via TLS/HTTPS.
- Access to production systems is restricted to authorised personnel only.
- We conduct regular security reviews and apply patches promptly.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 90 days after deletion |
| Lead data and outreach history | Duration of account + 90 days after deletion |
| Communication data (emails, messages) | Duration of account + 90 days after deletion |
| Voice call recordings | 90 days from call date, or duration of account (whichever is shorter) |
| Payment records | 7 years (UK legal requirement for financial records) |
| Usage logs | 24 months |
| Security logs (IP, user agent) | 24 months |
| Prohibited activity logs | Indefinitely (for law enforcement purposes) |
After the retention period, data is permanently deleted or anonymised.
9. Cookies
We use cookies and similar technologies on our website and platform. A cookie consent banner is displayed on your first visit, allowing you to accept or reject non-essential cookies.
9.1 Essential Cookies
Required for the Service to function. These cannot be disabled.
- Session cookie: Keeps you logged in during your browsing session.
- CSRF token: Protects against cross-site request forgery attacks.
- Cookie consent: Remembers your cookie preferences.
9.2 Analytics Cookies (optional)
Used to understand how visitors interact with our website. Only set with your consent.
- Google Analytics: Page views, session duration, traffic source. Data is anonymised (IP anonymisation enabled).
9.3 Marketing Cookies (optional)
Used for remarketing and advertising. Only set with your consent. We currently do not use marketing cookies, but reserve the right to introduce them with appropriate consent mechanisms.
10. Your Rights (GDPR)
Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:
- Right of access — You can request a copy of all personal data we hold about you.
- Right to rectification — You can request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — You can request deletion of your data, subject to legal retention requirements.
- Right to restriction — You can request that we limit processing of your data in certain circumstances.
- Right to data portability — You can request your data in a structured, machine-readable format.
- Right to object — You can object to processing based on legitimate interest.
- Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time.
- Right to lodge a complaint — You can file a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local data protection authority.
To exercise any of these rights, contact us at privacy@sellkora.com. We will respond within 30 days.
11. International Data Transfers
Some of our third-party processors (Google, Anthropic, Stripe, Twilio) are based in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework (where applicable).
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- UK International Data Transfer Agreement (IDTA) where required.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will delete it immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact
For privacy-related questions, data requests, or complaints:
- Email: privacy@sellkora.com
- Company: Horizon Creatives Studio Ltd
- Location: London, United Kingdom
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113