Last updated: April 23, 2026
Effective date: April 23, 2026
Version: 3.0
This Privacy Policy explains how Catch (“Catch,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects information when you use our service. It applies to www.usecatch.io, app.usecatch.io, and any other Catch product or website that links to this policy.
Catch is operated by Viralzy LLC (DBA Catch), a Wyoming limited liability company.
This policy distinguishes between controls that are in place today and capabilities that are in active development. Where a control is on our roadmap rather than fully deployed, we say so explicitly. We do not claim controls we have not implemented.
If you only read one section, read this:
This policy applies to:
If you are an individual whose data is being processed because your business contacts use Catch, the workspace customer is the data controller and Catch is the data processor. Contact the workspace administrator to exercise your rights, or contact us directly at privacy@usecatch.io and we will route the request appropriately.
We collect three categories of information.
When you authorize Catch to connect to a third-party service via OAuth, we receive data from that service. Specifically:
We collect only the OAuth scopes required to deliver the product. Our current scope set for each integration is published and maintained at usecatch.io/security.
We classify information into tiers and apply controls based on sensitivity.
| Tier | Examples | Controls in place today |
|---|---|---|
| Customer content | Email bodies, message contents, transcripts, evidence excerpts | Encrypted in transit (TLS 1.2+), encrypted at rest by Supabase and Railway, workspace-isolated at the application layer, excluded from product analytics |
| OAuth credentials | Access tokens, refresh tokens for connected integrations | Application-layer encrypted using Fernet symmetric encryption with a key separate from the database, in addition to underlying at-rest encryption |
| Account and authentication data | Passwords, MFA secrets, session tokens | Passwords hashed (never stored in plaintext), session tokens scoped and time-limited |
| Workspace metadata | Roster, role assignments, configuration | Encrypted in transit and at rest, workspace-isolated |
| Billing data | Transaction metadata, billing address | Processed by Stripe; we never store full card numbers or CVV |
| Operational metadata | Timestamps, identifiers, structural data | Encrypted in transit and at rest |
| Anonymized aggregate data | Cross-customer benchmarks meeting minimum sample-size thresholds | Stripped of identifiers; cannot be linked back to any individual or workspace |
Logs and error reports are reviewed against this classification before being routed to monitoring tools. Hardening of automated PII scrubbing in error payloads is in active development.
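The OAuth-credential row in the table above describes application-layer encryption with a Fernet key held outside the database. The following is an added illustration of that pattern, not Catch's code: a minimal token store whose rows hold only Fernet ciphertext, with the key read from a hypothetical OAUTH_TOKEN_KEY environment variable (and generated on the fly if unset, so the example runs offline). It needs the Python `cryptography` package; the integration id and token strings are constructed samples. It shows what a database read or leaked dump exposes, that the ciphertext is unreadable under a different key, that Fernet's HMAC rejects a modified ciphertext, and the immediate deletion on disconnect that the retention table in Section 10 describes.

```python
# Added example (not Catch's code): application-layer encryption of OAuth
# tokens with Fernet, keyed from outside the database. Requires the
# `cryptography` package. Names, env var and sample tokens are assumptions.
from __future__ import annotations

import os
from cryptography.fernet import Fernet, InvalidToken


def load_token_key() -> bytes:
    """Key comes from the environment or a secrets manager, never from the
    database that holds the ciphertext. OAUTH_TOKEN_KEY is a hypothetical
    variable name; a fresh key is generated so the example runs offline."""
    key = os.environ.get("OAUTH_TOKEN_KEY")
    return key.encode() if key else Fernet.generate_key()


class TokenVault:
    """Stands in for the integrations table: rows hold only ciphertext."""

    def __init__(self, key: bytes) -> None:
        self._fernet = Fernet(key)
        self._rows: dict[str, dict[str, bytes]] = {}

    def store(self, integration_id: str, access_token: str, refresh_token: str) -> None:
        self._rows[integration_id] = {
            "access_token_enc": self._fernet.encrypt(access_token.encode()),
            "refresh_token_enc": self._fernet.encrypt(refresh_token.encode()),
        }

    def fetch(self, integration_id: str) -> tuple[str, str]:
        """Plaintext exists only in memory, only while a request needs it."""
        row = self._rows[integration_id]
        return (
            self._fernet.decrypt(row["access_token_enc"]).decode(),
            self._fernet.decrypt(row["refresh_token_enc"]).decode(),
        )

    def disconnect(self, integration_id: str) -> None:
        """Tokens are deleted immediately on disconnect (retention table)."""
        self._rows.pop(integration_id, None)

    def raw_row(self, integration_id: str) -> dict[str, bytes] | None:
        """What a database read (or a leaked dump) would show."""
        return self._rows.get(integration_id)


def _decrypts(fernet: Fernet, ciphertext: bytes) -> bool:
    """True if the ciphertext verifies and decrypts under this key."""
    try:
        fernet.decrypt(ciphertext)
        return True
    except InvalidToken:
        return False


def demo() -> dict[str, object]:
    key = load_token_key()
    vault = TokenVault(key)
    # Constructed sample tokens, not real credentials.
    access, refresh = "ya29.sample-access-token", "1//sample-refresh-token"
    vault.store("gmail-ws-42", access, refresh)
    row = vault.raw_row("gmail-ws-42")
    ct = row["access_token_enc"]

    # Swap one base64 character inside the IV region: the bytes still decode,
    # but the HMAC-SHA256 tag no longer matches, so Fernet rejects the token.
    tampered = bytearray(ct)
    tampered[20] = ord("B") if tampered[20] == ord("A") else ord("A")

    result = {
        "dump_hides_token": access.encode() not in ct,
        "round_trip": vault.fetch("gmail-ws-42"),
        "wrong_key_rejected": not _decrypts(Fernet(Fernet.generate_key()), ct),
        "tamper_rejected": not _decrypts(Fernet(key), bytes(tampered)),
    }
    vault.disconnect("gmail-ws-42")
    result["deleted_on_disconnect"] = vault.raw_row("gmail-ws-42") is None
    return result


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The point of keeping the key out of the database is the second check: a copy of the table alone (a backup, a misconfigured replica, a SQL read by the hosting provider) yields nothing without the separately held key. Fernet also authenticates the ciphertext, so a modified row fails closed rather than decrypting to garbage that might be sent to the upstream API.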
We use information for the following purposes, with the legal bases noted for users in jurisdictions that require them (GDPR, UK GDPR).
| Purpose | Examples | Legal basis (GDPR) |
|---|---|---|
| Provide the service | Run extraction; generate audit reports; surface findings | Performance of contract |
| Maintain and improve the service | Calibrate extraction accuracy on your workspace data; debug; product analytics | Legitimate interests |
| Communicate with you | Service notifications, support, account updates | Performance of contract |
| Marketing communications | Product announcements, newsletters | Consent (you can opt out anytime) |
| Billing and payment processing | Process subscription and audit payments through Stripe | Performance of contract |
| Security and fraud prevention | Detect and prevent unauthorized access, abuse, security incidents | Legitimate interests, legal obligation |
| Comply with legal obligations | Respond to lawful requests, maintain required records | Legal obligation |
We do not engage in automated decision-making that produces legal or similarly significant effects on individuals.
You own all data you provide to Catch and all data Catch processes from your connected integrations. Catch holds no ownership rights to customer data.
Catch’s rights are limited to processing customer data for the sole purpose of providing the contracted service. We have no right to use customer data for any other purpose, including but not limited to:
These restrictions apply both to Catch and contractually to every subprocessor we use (Section 9).
If your account is closed, you retain ownership of your data through the deletion windows described in Section 10. After deletion, only anonymized aggregate data that cannot be linked to you or your workspace may be retained.
Catch uses artificial intelligence to extract commitments from communication data. The constraints below apply to every AI subprocessor, not only Anthropic.
Access to customer data is limited and controlled.
Catch personnel access customer data only for the following reasons:
We do not access customer data for marketing, product development informed by individual customer content, or any purpose unrelated to operating the service.
Access to production systems is logged at the infrastructure level by our hosting providers (Vercel, Railway, Supabase). We are in active development on a dedicated privileged-access audit log that will record every customer-data read by Catch personnel, the time, the actor identity, the workspace accessed, and a reason code. This control is published in our security roadmap at usecatch.io/security/changelog. Until that audit log is live, infrastructure-level logs serve as the access record.
All Catch personnel with production access are required to use multi-factor authentication. Production credentials are rotated on personnel changes.
We share information in the following limited circumstances, and never for advertising or data sale.
Information in your Catch workspace is visible to other authorized members of your workspace based on their role. Workspace administrators control role assignments. We do not share data between separate workspaces.
We use third-party service providers (subprocessors) to deliver the service. Each subprocessor is contractually bound to handle data only as needed to perform their service for us, and is contractually prohibited from using customer data to train or improve generalized AI/ML models or for any purpose other than serving Catch (Section 6 and Section 9).
We may disclose information when required by valid legal process or to protect the rights, property, or safety of Catch, our users, or others. See Section 14 for our government request policy, including our customer notification commitment.
If Catch is acquired, merges with another company, or sells substantially all of its assets, your information may transfer to the acquirer. We will notify you and provide options before any such transfer takes effect.
Any other sharing requires your explicit consent.
We rely on the following subprocessors. We update this list when we add, remove, or change subprocessors. Material changes are communicated to workspace administrators with 30 days’ notice when feasible.
| Subprocessor | Purpose | Data location | Data accessed |
|---|---|---|---|
| Supabase | Authentication, application database | US | Account data, workspace configuration, OAuth tokens (encrypted) |
| Railway | Backend API hosting, operational database | US | All workspace data including extracted communication content |
| Vercel | Frontend hosting, edge functions | Global edge (primary functions in US) | Request metadata, no persistent storage of customer content |
| Anthropic | AI processing for commitment extraction | US | Email, message, transcript, calendar content sent for extraction; not retained for training |
| Stripe | Payment processing | Global | Billing information, transaction metadata |
| Sentry | Error monitoring and performance | US | Error payloads, request metadata; PII scrubbing in active hardening |
| Google Workspace | Internal email and calendar (Catch’s own corporate use, not customer data processing) | Global | Catch internal communications only |
| 1Password | Secrets management (Catch internal use only) | Global | Catch operational secrets only |
Every subprocessor in this table operates under a written agreement that prohibits using customer data to train or improve generalized AI/ML models or for any purpose other than providing service to Catch.
The current subprocessor list is also published at usecatch.io/security.
We retain different categories of data for different periods. After the deletion windows below, data is irreversibly purged from primary systems and from backups.
| Data type | Retention period |
|---|---|
| Active workspace data | While your account is active |
| Account information after closure | Soft-deleted with 7-day recovery window, then hard-deleted from primary systems. Backup retention up to 30 days after hard-delete, then permanently purged. |
| Extracted commitments and findings | Soft-deleted with 7-day recovery window when the workspace is closed, then hard-deleted from primary systems. Backup retention up to 30 days after hard-delete, then permanently purged. |
| Source communication content (email bodies, messages, transcripts) | Soft-deleted with 7-day recovery window when the workspace is closed, then hard-deleted from primary systems. Backup retention up to 30 days after hard-delete, then permanently purged. |
| OAuth tokens | Until you disconnect the integration; deleted immediately upon disconnect |
| Audit logs (security and access) | Retained per hosting provider defaults; dedicated application-level audit log with 12-month retention is in active development per Section 12.2 |
| Billing and tax records | 7 years (legal requirement) |
| Anonymized aggregate benchmarks | Indefinite if no individual workspace remains identifiable; deleted on opt-out per Section 6 |
| Marketing communications opt-out lists | Indefinite (to honor your opt-out) |
Deletion is verified by job completion logs. Where you have a legal requirement that your data be deleted faster than these defaults, contact privacy@usecatch.io and we will accommodate where feasible.
You have rights regarding your personal information. The specific rights depend on your jurisdiction, but we extend most rights to all users globally as a matter of policy.
We do not knowingly collect or sell the personal information of minors under 16.
You have substantially the rights described above. The procedure is the same: email privacy@usecatch.io.
Email privacy@usecatch.io with a description of your request. We will verify your identity (typically by confirming control of the email address associated with your account) and respond within 30 days for GDPR requests and 45 days for CCPA requests, with possible extensions where allowed by law.
If we deny your request, we will explain why. You have the right to appeal denials by replying to our response.
We protect customer data through multiple layers of controls. The descriptions below distinguish between controls in place today and capabilities in active development.
Catch publishes a security roadmap at usecatch.io/security/changelog. Items currently in active development include:
We commit to updating this section as items move from “in development” to “in place today.” Material changes are reflected in the policy version history at usecatch.io/privacy/changelog.
No method of transmitting or storing data is 100% secure. While we use industry-standard practices, we cannot guarantee absolute security.
To report a security vulnerability, email security@usecatch.io. We commit to acknowledging reports within 2 business days.
In the event of a security incident affecting customer data:
We have a documented incident response procedure. Engagement of external incident response counsel and forensic specialists is on standby for incidents exceeding our internal capacity.
Catch’s policy on government and legal requests for customer data:
If you are a government agency seeking customer data, contact legal@usecatch.io with valid legal process.
We use cookies and similar technologies for the following purposes:
Where required by law (such as in the EEA), we present a cookie consent banner before setting non-essential cookies.
You can control cookies through your browser settings. Disabling necessary cookies will prevent the service from functioning correctly.
All customer data is currently processed and stored in the United States. Specific data locations are listed in Section 9. EU-region data residency is on our enterprise roadmap; until available, EU-region customers’ data is processed in the US under the transfer mechanisms below.
For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (the European Commission’s approved transfer mechanism) for cross-border data transfers from the EEA, UK, or Switzerland to the United States. We participate in the EU-US Data Privacy Framework where applicable. A copy of the relevant Standard Contractual Clauses is available on request to privacy@usecatch.io.
Catch operates in two primary modes:
Data handling, security controls, retention, and your rights apply identically in both modes. Audit mode does not retain extracted data longer or apply different controls than continuous mode.
For customers requiring a Data Processing Agreement under GDPR Article 28, our standard DPA includes:
To request a DPA, email privacy@usecatch.io. We provide a counter-signed DPA within 5 business days under our standard terms.
Catch is a business product and not intended for users under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@usecatch.io and we will delete it.
If you receive marketing communications from us, you can opt out at any time by clicking the unsubscribe link in any marketing email or by emailing privacy@usecatch.io. Opting out of marketing does not affect transactional communications (security alerts, billing notices, important service updates).
Catch may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. Review their privacy policies before providing them with your information.
We may update this policy. When we make material changes, we will:
Non-material changes (typos, clarifications, structural reorganization) may be made without notice. The current version is always available at usecatch.io/privacy.
A history of material changes is maintained at usecatch.io/privacy/changelog.
Privacy oversight at Catch is the responsibility of the company’s founder until a dedicated privacy or security role is hired. The founder serves as the point of contact for all privacy questions, requests, and complaints.
For privacy questions, requests, or complaints:
For security disclosures: security@usecatch.io
For legal and government requests: legal@usecatch.io
For general support: hello@usecatch.io
We respond to privacy requests within 30 days (45 days for CCPA), with possible extensions where allowed by law.
The data controller for users in these regions is Viralzy LLC, with the contact information above. We do not currently have a designated EU representative under GDPR Article 27. We will appoint one when our processing volume in the EU triggers the Article 27 requirement.
This policy serves as our notice at collection under the CCPA. We collect the categories of personal information described in Section 2 for the purposes described in Section 4.
In the 12 months preceding the date of this policy, we collected the following categories of personal information from California residents: identifiers, professional or employment-related information, internet activity, geolocation data (general region only), and the customer data described in Section 2.2. We disclosed these categories to the subprocessors listed in Section 9 for the sole purpose of providing the service. We did not sell or share personal information for cross-context behavioral advertising.
This policy was last reviewed by Catch leadership on April 23, 2026. The policy is intended to comply with the GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy laws in jurisdictions where Catch operates. Customers requiring a Data Processing Agreement under GDPR Article 28 should email privacy@usecatch.io.