Privacy Policy

Last updated: 24 March 2026

This Privacy Policy explains how Horizon Creatives Studio Ltd ("Company", "we", "us", "our") collects, uses, stores, and protects your personal data when you use the Sellkora platform ("Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.

1. Data Controller

The data controller for personal data collected through the Service is:

Company: Horizon Creatives Studio Ltd
Location: London, United Kingdom
Email: privacy@sellkora.com

2. Data We Collect

We collect personal data in the following categories:

2.1 Account Data (provided by you)

Data	Purpose
Full name	Account identification, personalisation
Email address	Account login, communications, notifications
Phone number	Account security, 2FA, optional contact
Password (hashed)	Account authentication
Company name	Business profile, outreach personalisation
Company website	Business verification, AI content generation

2.2 Authentication Data

Data	Purpose
Google OAuth tokens	Social login authentication
Two-factor authentication data	Account security verification

When you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

2.3 Business Configuration Data (provided by you)

Data	Purpose
Services offered, pricing, target audience	AI personalisation of outreach
Sales materials, custom instructions	AI agent configuration
Agent identity (name, role, style)	AI personality for communications
SMTP credentials (email host, username, password)	Sending emails on your behalf
LinkedIn session cookies	LinkedIn automation on your behalf

SMTP credentials and LinkedIn session data are stored encrypted at rest and are used solely for the purpose of operating the Service on your behalf.

2.4 Lead Data (collected by the Service)

Data	Purpose
Business names, addresses, phone numbers	Lead identification and outreach
Business email addresses	Outreach communication
Website URLs, social media links	Lead research and verification
LinkedIn profile data (name, headline, experience)	LinkedIn outreach and personalisation

Lead data is sourced from publicly available information: Google Places (business directories), publicly accessible company websites, and public LinkedIn profiles. We do not purchase personal data from third-party data brokers.

2.5 Communication Data

Data	Purpose
Outbound emails (content, recipients, timestamps)	Service delivery, tracking, follow-up
Inbound emails (sender, subject, body)	Inbox management, reply tracking
LinkedIn messages (sent and received)	LinkedIn outreach management
Voice call recordings and transcripts	AI call analysis, quality assurance

2.6 Usage and Technical Data (collected automatically)

Data	Purpose
IP address	Security, fraud prevention, analytics
User agent (browser, OS)	Compatibility, security monitoring
Feature usage (searches, emails sent, AI credits used)	Usage tracking, plan enforcement
Timestamps of actions	Activity logging, billing
Error logs	Debugging, service improvement

2.7 Payment Data

Payments are processed by Stripe. We do not store your credit card number, CVV, or full payment details on our servers. Stripe provides us with a limited set of information (last 4 digits, card brand, billing email, country) for billing management. See Stripe's Privacy Policy.

3. How We Use Your Data

We process your personal data for the following purposes:

Service delivery: To operate the platform, send outreach on your behalf, manage your leads, and provide AI-powered features.
Account management: To create and maintain your account, authenticate your identity, and enforce subscription limits.
AI processing: To generate personalised emails, analyse leads, score opportunities, and power AI agent features. Your business data and lead data are sent to AI providers (see Section 6) for processing.
Billing: To process payments, manage subscriptions, and generate invoices.
Security: To detect and prevent fraud, abuse, and unauthorised access. To monitor for prohibited activities (see our Terms of Use, Section 4.3).
Service improvement: To analyse usage patterns, fix bugs, and improve the platform.
Communications: To send you service-related notifications, billing updates, and (with your consent) marketing communications.

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

Purpose	Legal Basis
Service delivery, account management	Contract — necessary to perform the contract between you and us (Article 6(1)(b))
Billing and payments	Contract — necessary to perform the contract (Article 6(1)(b))
Security monitoring, fraud prevention	Legitimate interest — protecting the Service and our users (Article 6(1)(f))
Prohibited activity monitoring	Legal obligation — compliance with UK law (Article 6(1)(c)) and legitimate interest (Article 6(1)(f))
Service improvement, analytics	Legitimate interest — improving our product (Article 6(1)(f))
Marketing communications	Consent — you can opt out at any time (Article 6(1)(a))
Cookie usage	Consent — via cookie consent banner (Article 6(1)(a))

5. Your Role as Data Controller

When you use Sellkora to find leads and send outreach, you are the data controller for the personal data of the individuals and businesses you contact. We act as a data processor on your behalf.

This means:

You are responsible for ensuring you have a lawful basis to contact the leads (e.g., legitimate interest for B2B outreach).
You are responsible for responding to data subject access requests (DSARs) from individuals you have contacted.
You must honour unsubscribe requests.
You must comply with GDPR, CAN-SPAM, CASL, PECR, and other applicable laws in the jurisdictions you operate in and send outreach to.

We will assist you in responding to DSARs to the extent technically feasible.

6. Third-Party Processors and Data Sharing

We share your data with the following categories of third-party service providers, strictly for the purpose of delivering the Service:

Provider	Purpose	Data Shared
Google (Gemini AI)	AI lead analysis, content generation (all plans)	Lead data, business context, prompts
Anthropic (Claude AI)	AI communications, agent features (Agent plans+)	Lead data, business context, conversation history
Google (Places API)	Lead discovery	Search queries (business type + location)
Stripe	Payment processing	Billing email, payment method details
Your SMTP provider	Email delivery	Email content, sender/recipient addresses
LinkedIn	LinkedIn automation (via your credentials)	Actions performed under your LinkedIn account
Telephony provider (Twilio)	AI voice calls (where applicable)	Phone numbers, call audio

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We do not share your data with data brokers.

6.1 AI Provider Data Handling

Data sent to Google Gemini and Anthropic Claude is used solely for generating AI responses within the Service.
We use API access (not consumer products), which means your data is not used to train AI models under current provider policies.
We recommend reviewing the privacy policies of Google Gemini API and Anthropic for full details.

7. Data Storage and Security

Your data is stored on servers located in the European Union / United Kingdom.
We use PostgreSQL with encrypted connections for database storage.
Passwords are hashed using industry-standard algorithms (never stored in plaintext).
SMTP credentials and LinkedIn session data are encrypted at rest.
All connections to the Service are encrypted via TLS/HTTPS.
Access to production systems is restricted to authorised personnel only.
We conduct regular security reviews and apply patches promptly.

8. Data Retention

Data Type	Retention Period
Account data	Duration of account + 90 days after deletion
Lead data and outreach history	Duration of account + 90 days after deletion
Communication data (emails, messages)	Duration of account + 90 days after deletion
Voice call recordings	90 days from call date, or duration of account (whichever is shorter)
Payment records	7 years (UK legal requirement for financial records)
Usage logs	24 months
Security logs (IP, user agent)	24 months
Prohibited activity logs	Indefinitely (for law enforcement purposes)

After the retention period, data is permanently deleted or anonymised.

9. Cookies

We use cookies and similar technologies on our website and platform. A cookie consent banner is displayed on your first visit, allowing you to accept or reject non-essential cookies.

9.1 Essential Cookies

Required for the Service to function. These cannot be disabled.

Session cookie: Keeps you logged in during your browsing session.
CSRF token: Protects against cross-site request forgery attacks.
Cookie consent: Remembers your cookie preferences.

9.2 Analytics Cookies (optional)

Used to understand how visitors interact with our website. Only set with your consent.

Google Analytics: Page views, session duration, traffic source. Data is anonymised (IP anonymisation enabled).

9.3 Marketing Cookies (optional)

Used for remarketing and advertising. Only set with your consent. We currently do not use marketing cookies, but reserve the right to introduce them with appropriate consent mechanisms.

10. Your Rights (GDPR)

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

Right of access — You can request a copy of all personal data we hold about you.
Right to rectification — You can request correction of inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — You can request deletion of your data, subject to legal retention requirements.
Right to restriction — You can request that we limit processing of your data in certain circumstances.
Right to data portability — You can request your data in a structured, machine-readable format.
Right to object — You can object to processing based on legitimate interest.
Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time.
Right to lodge a complaint — You can file a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local data protection authority.

To exercise any of these rights, contact us at privacy@sellkora.com. We will respond within 30 days.

11. International Data Transfers

Some of our third-party processors (Google, Anthropic, Stripe, Twilio) are based in the United States. Where personal data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place:

EU-US Data Privacy Framework (where applicable).
Standard Contractual Clauses (SCCs) approved by the European Commission.
UK International Data Transfer Agreement (IDTA) where required.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will delete it immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

For privacy-related questions, data requests, or complaints:

Email: privacy@sellkora.com
Company: Horizon Creatives Studio Ltd
Location: London, United Kingdom

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113