← Back to Operate

Privacy Policy

Effective date: April 28, 2026

Operate Machine, Co. and its affiliates ("Operate", "we", "us", or "our") have written this Privacy Policy to describe what Personal Data (defined below) we collect, how we use and share it, and the rights and choices you have. Through our web and mobile application (the "App"), we help teams ("Users" or "you") run a faster, sharper sales process. The App and operate.so (the "Site") are referred to together in this Privacy Policy as the "Services".

Your use of the Services is also governed by our Terms of Service. Any capitalized terms we don't define here have the meaning given to them in the Terms of Service.

Questions? Email us at legal@operate.so.

1. What this Privacy Policy covers

This Privacy Policy covers how we treat Personal Data that we gather when you access or use our Services. "Personal Data" means any information that identifies or relates to a particular individual and also includes information referred to as "personally identifiable information" or "personal information" under applicable data privacy laws, rules, or regulations. This Privacy Policy does not cover the practices of companies we don't own or control, or people we don't manage.

2. Personal Data

We collect information you give us, information collected automatically when you use the Services, and information from connected third‑party services you authorize.

Marketing site (operate.so)

When you join the waitlist, we collect the email address you submit so we can notify you about product availability and product updates. No other Personal Data is required to join the waitlist.

Account and profile

When the Operate app is available to you, we use Clerk to create and manage your account. Clerk collects your name, email address, profile photo (if provided), and organization membership on our behalf, and may also process authentication metadata (device, IP, sign‑in timestamps) to secure your account.

Customer Content

In the Operate app you and your organization may create or upload data about your companies, people, deals, tasks, comments, documents, attachments, files, and similar CRM records ("Customer Content"). You or your organization control this content. We process it on your behalf to deliver the Services.

Connected Google services

If you choose to connect a Google account, we receive data from the Google APIs you authorize. See Section 4 below for the scopes we request, what we do with the data, and how we comply with the Google API Services User Data Policy.

Connected Slack data

If you install the Slack integration, we receive the messages, channels, users, and files that you authorize through Slack’s OAuth scopes, and we process that data to surface relevant context in Operate.

Automatically collected information

When you visit operate.so or use the Operate app, we and our analytics providers automatically collect information such as your IP address, device and browser type, operating system, referring/exit pages, pages viewed, features used, and similar interaction events. See Section 7 for details.

3. How we use information

We use the information we collect to:

  • Operate, maintain, and secure the Services, and troubleshoot issues.
  • Authenticate users and administer accounts and organizations.
  • Deliver the features you request, including syncing and surfacing Google and Slack data in the CRM.
  • Communicate with you about your account, security, product updates, and (with your permission or as otherwise permitted by law) marketing related to Operate.
  • Provide customer support and respond to inquiries.
  • Improve the Services, including through aggregated and de‑identified usage analysis.
  • Detect, investigate, and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our terms.

4. Connected Google services

These practices apply to data we receive from Google APIs when you connect a Google account to Operate.

Scopes we request

We request the following scopes, as defined by Google’s OAuth 2.0 scope documentation:

  • https://www.googleapis.com/auth/gmail.readonly — read message metadata and content so we can surface CRM context (threads, contacts, history) on the people, companies, and deals in your workspace.
  • https://www.googleapis.com/auth/calendar.readonly — read calendar events so we can keep CRM activity in sync with meetings on the relevant people, companies, and deals.
  • https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile — identify the Google account you are connecting.
  • https://www.googleapis.com/auth/gmail.modify — used only for optional inbound mailbox automations set up by an Operate administrator (not for end‑user Google accounts). When an inbound automation is enabled, this scope lets Operate move a message out of the inbox after it has been processed.

Data we receive and store

Depending on the scopes granted, we receive and may store Gmail messages (including headers, snippets, bodies, and attachments), Gmail‑derived contacts, Google calendars and events (including attendees), and basic Google account profile information. This data is stored in our databases to provide CRM features to you and your organization.

Limited Use

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide or improve user‑facing features that are prominent in the Operate user interface (for example, CRM context, email sync, and calendar sync).
  • We do not transfer Google user data to third parties except as necessary to provide or improve those user‑facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data for serving advertisements, including retargeting, personalized, or interest‑based advertising.
  • We do not allow humans to read Google user data unless we have your affirmative consent for specific messages, we need to do so for security purposes (such as investigating abuse), we are required to by applicable law, or the data has been aggregated and anonymized for internal operations.

AI and machine learning

Google user data may be processed by AI models we operate, or by AI sub‑processors (including Anthropic and OpenAI), only to deliver user‑facing features inside your Operate account — for example, summarizing a thread or extracting entities you ask for. In particular:

  • We do not use Google user data to develop, improve, or train generalized AI and/or ML models, including any model used to serve any other customer or any third party.
  • We do not retain Google user data obtained through Google Workspace APIs for the purpose of developing, improving, or training generalized AI and/or ML models.

Disconnecting and revoking access

You can revoke Operate’s access to your Google account at any time from Google Permissions, and from your Operate account settings when the product is available to you. When you disconnect, we stop new data syncs; previously synced data is handled per the Retention section below.

5. How we share information

We share information only as described below. We do not sell personal information.

  • Service providers ("sub‑processors"). We share information with vendors that help us run the Services — including hosting and infrastructure, databases and object storage, authentication, analytics and error monitoring, AI providers that power features you invoke, and integration partners — under written terms that restrict their use of the information to providing services to us.
  • Within your organization. Customer Content, and data from connected services authorized by your organization, is available to other authorized users of the same Operate organization based on the access controls you configure.
  • Legal, safety, and enforcement. We may disclose information when we reasonably believe it is required to comply with law, legal process, or a lawful government request; to protect the rights, property, or safety of Operate, our users, or others; or to investigate fraud or abuse.
  • Business transfers. If Operate is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to customary confidentiality protections and, where applicable, notice to affected users.
  • With your consent. We may share information with third parties when you direct us to.

6. How we use AI models

Operate includes AI‑powered features such as enrichment, summaries, and drafting. These features use large language models operated by us or by third‑party AI sub‑processors. Inputs and outputs are processed solely to deliver the feature you requested inside your account. We do not use Customer Content or Google user data to train, fine‑tune, or improve generalized AI/ML models used to serve other customers or any third party.

7. Cookies and similar technologies

We and our providers use cookies, local storage, and similar technologies to operate the Services, keep you signed in, remember preferences, and understand how the Services are used. This includes product and traffic analytics on operate.so, and session cookies required for authentication once you sign in to the Operate app.

You can control cookies through your browser settings; blocking some cookies may affect how the Services function.

8. Your choices and rights

You can:

  • Access, correct, or delete your Personal Data by contacting us at legal@operate.so. If your organization is the controller of the data, we will route your request to them.
  • Opt out of marketing emails by following the unsubscribe link in any marketing email we send or by emailing us.
  • Revoke access to connected Google and Slack accounts from the third party’s settings, or from your Operate account settings when available.
  • Close your account at any time.

Depending on where you live, you may have additional rights under laws such as the GDPR, UK GDPR, or the CCPA/CPRA, including rights to access, correct, delete, port, and restrict processing of your Personal Data, and the right to lodge a complaint with a supervisory authority.

9. Retention

We keep Personal Data only as long as reasonably necessary to provide the Services and for the purposes described in this policy.

  • Customer Content is retained while your Operate account is active. On account closure or termination, Customer Content is deleted within 30 days, unless we are required to keep it for legal, compliance, or dispute‑resolution reasons.
  • Marketing‑site waitlist email addresses are kept until you ask us to remove them.
  • Backups follow our standard backup rotation and are overwritten on cycle.
  • Aggregated or de‑identified data that cannot reasonably be used to identify you may be retained indefinitely.

10. International transfers

We process Personal Data in the United States and in other countries where our service providers operate. When we transfer Personal Data across borders, we take steps to ensure an adequate level of protection, which may include entering into standard contractual clauses with the recipient.

11. Security

We use administrative, technical, and organizational measures designed to protect Personal Data, including encryption in transit and at rest, access controls, and vendor due diligence. No system is perfectly secure, but we work to continuously improve our safeguards.

12. Children

The Services are not directed to children under 13 (or the applicable minimum age in your jurisdiction), and we do not knowingly collect Personal Data from them. If you believe a child has provided us Personal Data, please contact legal@operate.so and we will take appropriate steps to remove it.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Services before the change takes effect. The "Effective date" at the top of this page reflects the latest version.

14. Contact us

If you have questions or requests about this policy, please contact:

Operate Machine, Co.

2261 Market Street STE 86910

San Francisco, CA 94114

legal@operate.so