Privacy Policy

Last Updated: June 2026

1. Introduction

Guesterra (“Guesterra”, “we”, “us”, or “our”) is a human-guided podcast outreach strategy platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website, platform, application, and related services (collectively, the “Platform”).

Guesterra is a brand operated by Norrin Radd, a company registered in the Republic of Serbia. For the purposes of applicable data protection laws, Norrin Radd is the data controller of your personal data.

We are committed to protecting your privacy and handling your data transparently and lawfully. This Privacy Policy is incorporated into our Terms of Service by reference.

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at [privacy@guesterra.co] or at the address provided in Section 17.

2. What Data We Collect

We collect data necessary to provide, operate, secure, support, and improve the Platform.

2.1 Data You Provide Directly
Category
Examples

Account Data

Name, email address, company or agency name, login method, account role, subscription status.

Client Profile Data

Information about the person or brand being pitched, including name, bio, expertise, company details, links, positioning, talking points, target audience, and related profile information.

Campaign Data

Campaign name, angle, topic, positioning direction, outreach goals, and answers to campaign questionnaires.

Pitch and Email Content

Pitch templates, subject lines, follow-up drafts, email body text, merge fields, and any edits or customizations you make.

Connected Inbox Authorization

Data needed to connect your Gmail account and allow Guesterra, through Unipile or another email integration provider, to provide email sending and reply tracking features.

Strategy Call Data

Information shared during strategy calls, booking details through scheduling tools, and related notes or communications.

Communications

Messages you send to us for support, inquiries, feedback, refund requests, privacy requests, or other purposes.

2.2 Data Collected Automatically
Category
Examples

Usage Data

Pages visited, features used, actions taken, time spent, clicks, workflow progress, and feature engagement within the Platform.

Device and Log Data

IP address, browser type and version, operating system, device type, referring URLs, timestamps, server logs, and error or crash logs.

Event Data

Structured events emitted for analytics and lifecycle emails, such as user_registered, inbox_connected, subscription_activated, campaign_created, outreach_sent, payment_failed, and usage_threshold_reached. Event properties may include plan type, account type, referral source, usage metrics, and feature engagement.

2.3 Data From Third-Party Sources
Source
Examples

Podcast Data Providers, expected to include Podscan or equivalent providers

Podcast names, descriptions, host names, contact emails, categories, topics, language, recent episode data, website or social links, audience estimates, listener ranges, popularity indicators, and other provider-supplied metadata.

Payment Provider, expected to be Paddle

Subscription status, payment status, plan type, invoice or receipt references, refund status, chargeback status, and transaction metadata. We do not store full credit card numbers.

Affiliate Platform, expected to be Tolt

Referral ID, affiliate ID, click ID, conversion status, and commission-related metadata, tracked through cookies and referral parameters.

Authentication Providers, such as Google

Basic profile information, such as name, email address, and profile picture, when you sign in with Google OAuth.

2.4 Data We Do Not Intentionally Collect

We do not intentionally collect or store:

  1. full inbox content outside Guesterra-created or Guesterra-managed threads;

  2. emails unrelated to your outreach campaigns;

  3. full credit card or payment instrument data;

  4. Google account passwords;

  5. unnecessary sensitive personal data;

  6. personal data of children under 18.

You should not submit sensitive personal data unless it is strictly necessary for your use of Guesterra and you have a lawful basis to do so.

Sensitive personal data may include health data, patient data, biometric data, government identification numbers, political opinions, religious beliefs, racial or ethnic origin, trade union membership, criminal records, or similar protected data.

3. Gmail Integration and Email Data

Guesterra sends outreach emails through your connected Gmail account, using Unipile or another email integration provider. This section explains what we access and why.

3.1 What We Access

When you connect your Gmail account, you authorize us, through Google OAuth and Unipile or another email integration provider, to:

Permission or Data
Purpose

Send emails on your behalf

To send Initial Outreach, Follow-Ups, and manual outbound replies that you create, approve, schedule, or manually send.

Read Guesterra-created or Guesterra-managed email threads

To detect replies, identify bounces where available, display email threads in your Guesterra inbox view, classify replies using AI, draft suggested replies, and update campaign statuses.

Access basic profile information

To identify and display your connected sending account within the Platform.

Process connection metadata and OAuth tokens

To maintain the Gmail connection and provide authorized email-related features.

3.2 What We Do Not Access

We do not intentionally:

  1. read, scan, index, analyze, or store your general inbox content;

  2. access emails unrelated to Guesterra-created or Guesterra-managed threads;

  3. access your drafts, spam folder, trash, or archived emails outside campaign threads for product purposes;

  4. access your Google Contacts, Calendar, Drive, or other Google services unless a future feature asks for separate permission and you grant it;

  5. delete your emails;

  6. send emails without your approval, configuration, or action.

3.3 How We Process Inbox Data

Email providers and integration providers, including Unipile, may technically transmit broader webhook data, metadata, or event signals.

Guesterra uses server-side filtering to retain only data related to Guesterra-created or Guesterra-managed threads. Any unrelated data is discarded and not stored, except transiently where technically necessary to receive, filter, route, or discard provider events.

3.4 Google API Services User Data Policy

Guesterra’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  1. We use Google user data obtained through Gmail scopes only to provide and improve user-facing features that are prominent in Guesterra’s interface, such as email sending, reply detection, inbox view, reply classification, suggested replies, and campaign analytics.

  2. We do not sell Google user data.

  3. We do not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.

  4. We do not use Google user data to train AI models.

  5. We do not transfer Google user data except as necessary to provide or improve user-facing Platform features, to service providers bound by appropriate confidentiality and data protection obligations, for security purposes, to comply with applicable law, or as part of a merger, acquisition, or sale of assets where the successor is bound to honor these limitations.

  6. Human access to Gmail data is limited to situations where you ask us to access specific data for support, where access is necessary for security, abuse investigation, debugging, or where access is required to comply with law. In all such cases, access is restricted to the minimum data reasonably required.

3.5 Your Control

You can revoke Guesterra’s access to your Gmail account at any time:

  1. through your Google Account security settings, usually under third-party apps with account access;

  2. through Platform controls where available;

  3. by contacting us.

Revoking access will disable email sending, Follow-Ups, reply tracking, inbox view, reply classification, suggested replies, and related email-based features.

4. AI Processing

Guesterra uses artificial intelligence and large language models provided by OpenAI, Anthropic, or similar providers for assistive features.

4.1 What AI Features Do

AI Features may process the following inputs to generate Output:

AI Feature
Inputs Processed

Pitch template generation

Client profile answers, campaign answers, pitch style selection, internal prompt instructions.

Subject line generation

Campaign angle, pitch content, podcast metadata.

Pitch validation

Generated pitch text, validation rules, formatting checks.

Podcast fit scoring and rationale

Client or campaign profile, podcast metadata, recent episode data.

Search parameter generation

Client or campaign answers, internal prompt instructions.

Follow-up drafting

Original pitch text, campaign context, sequence settings.

Reply classification

Inbound reply text, original pitch, thread context.

Suggested reply drafting

Original pitch, inbound reply text, campaign or client context, thread history, and AI classification.

4.2 How AI Data Is Handled

AI providers process only the data necessary to provide AI features for your specific requests and Platform workflows.

AI Output is generated automatically and may be inaccurate, incomplete, misleading, or require human review.

You remain responsible for reviewing all AI-generated Output before use.

AI providers do not use your User Content or email content to train their general foundation models where supported by the applicable provider’s terms, settings, and contractual arrangements.

4.3 Human-Guided, Not Autonomous

AI Features are assistive only.

AI does not make decisions on your behalf, send emails independently, book podcast appearances, or act autonomously.

You remain in control of strategy, approval, and sending.

5. Podcast Data

5.1 Source

Podcast Data is obtained from third-party podcast data providers, currently expected to be Podscan or an equivalent provider, and from publicly available or business sources.

Guesterra does not own the underlying podcast catalogue.

5.2 What Data May Be Displayed

Depending on provider availability, Podcast Data may include:

  1. podcast names;

  2. descriptions;

  3. host names;

  4. contact emails;

  5. categories;

  6. topics;

  7. language;

  8. recent episode titles and descriptions;

  9. website links;

  10. social links;

  11. audience estimates;

  12. listener ranges;

  13. popularity indicators;

  14. publishing frequency;

  15. other provider-supplied metadata.

5.3 No Guarantee of Accuracy

We do not guarantee the accuracy, completeness, freshness, or availability of Podcast Data.

Podcast Data is provided by third parties and may be incomplete, outdated, inaccurate, unavailable, duplicated, or subject to provider limitations.

5.4 Data Subject Rights for Podcast Hosts

If you are a podcast host, guest, producer, or other person whose information appears in Guesterra, you may contact us at [privacy@guesterra.co] to request access to, correction of, or removal of your information, subject to verification of your identity and any applicable legal grounds for retention.

If the data comes from a third-party provider, we may direct you to that provider or pass the request to them where appropriate.

6. Affiliate and Referral Program

6.1 Affiliate Tracking

Guesterra may operate an affiliate program through Tolt or another designated affiliate platform.

When a visitor arrives through an affiliate link, affiliate cookies and referral parameters may be set to attribute signups and conversions.

Data collected may include:

  1. referral ID;

  2. affiliate ID;

  3. click ID;

  4. partner ID;

  5. signup attribution;

  6. conversion status;

  7. commission information;

  8. payout status;

  9. fraud or chargeback-related metadata.

6.2 Affiliate Portal

Affiliate partners may access an external affiliate portal provided by Tolt or another affiliate platform.

Affiliate partners do not receive access to customer campaigns, inboxes, replies, analytics, or Platform internals through the affiliate portal.

6.3 Cookie Policy

Affiliate tracking cookies are disclosed in our Cookie Policy.

Cookie duration is expected to be approximately 30 days unless otherwise configured.

7. Analytics and Lifecycle Emails

7.1 Analytics Provider

Guesterra uses PostHog or an equivalent analytics provider for product analytics, event tracking, and lifecycle email workflows.

7.2 What Events Are Tracked

We emit structured events for analytics and lifecycle email purposes.

Events may include account creation, subscription activation, campaign creation, outreach sending, payment events, usage metrics, feature engagement, and similar product interactions.

7.3 What PostHog Receives

Event properties may include:

  1. user ID;

  2. account type;

  3. plan or subscription status;

  4. referral source;

  5. feature usage metrics;

  6. activity timestamps;

  7. lifecycle events.

Core product records, such as campaigns, pitches, email content, and replies, remain in our primary database and are not stored in PostHog as the system of record.

7.4 Lifecycle Emails

We may use PostHog or an equivalent provider to send lifecycle emails, such as onboarding tips, usage reminders, feature announcements, and subscription-related notifications.

You may opt out of non-essential lifecycle emails using the unsubscribe link in those emails.

8. How We Use Your Data

We use your personal data for the following purposes:

Purpose
Legal Basis, EEA/UK where applicable

To create and manage your account

Performance of a contract

To provide Platform features, including campaign creation, podcast discovery, AI-assisted drafting, email sending, reply tracking, and analytics

Performance of a contract

To process payments through our payment provider

Performance of a contract

To send outreach emails and Follow-Ups from your Connected Inbox, as approved by you

Performance of a contract

To provide AI-assisted features, including pitch generation, scoring, classification, and reply suggestions

Performance of a contract

To track affiliate referrals and calculate commissions

Performance of a contract / Legitimate interest

To send service-related communications, such as billing, security, product updates, and policy changes

Performance of a contract / Legitimate interest

To provide support and respond to inquiries

Performance of a contract / Legitimate interest

To improve, secure, and maintain the Platform, using aggregated or de-identified data where possible

Legitimate interest

To detect and prevent abuse, fraud, spam, and security incidents

Legitimate interest

To send marketing and promotional communications, with consent where required

Consent / Legitimate interest

To comply with legal obligations

Legal obligation

To establish, exercise, or defend legal claims

Legitimate interest / Legal obligation

Where we rely on legitimate interest, we balance that interest against your rights and freedoms.

You may object to processing based on legitimate interest at any time, as described in Section 11.

9. How We Share Your Data

We do not sell, rent, or trade your personal data.

We share data only as necessary with the following categories of recipients.

9.1 Service Providers and Subprocessors

9.1 Service Providers and Subprocessors
Provider
Purpose
Data Shared

Unipile

Email integration, sending, receiving, webhook processing

OAuth tokens, campaign-related email threads, sender and recipient metadata.

Google

Gmail OAuth, Gmail sending and related email features

OAuth tokens, email content of Guesterra-managed threads, basic profile information.

Podscan or equivalent

Podcast data provider

Search queries, filters, podcast identifiers, and related query metadata.

Paddle

Payment processing and Merchant of Record

Name, email, subscription details, payment status, invoice or receipt references. Full card data is handled by Paddle.

Tolt or equivalent

Affiliate tracking and partner portal

Referral IDs, click IDs, conversion data, affiliate contact details.

PostHog or equivalent

Product analytics and lifecycle emails

Event data, user ID, plan type, usage metrics, activity timestamps.

OpenAI / Anthropic or equivalent

AI/LLM processing

Client or campaign answers, podcast metadata, pitch text, Guesterra-managed email thread content, internal prompts, only as needed for AI features.

Vercel or equivalent

Hosting and deployment

Account data, usage data, and technical data needed for hosting operations.

Supabase or equivalent

Database, authentication, storage

Platform data, including account, campaign, email, and usage data.

Inngest or equivalent

Background job and workflow processing

Campaign data and email data as needed for Follow-Up scheduling and related workflows.

Calendly or equivalent

Strategy call scheduling

Name, email, call booking metadata.

9.2 Legal and Safety

We may disclose data:

  1. to comply with applicable law, regulation, legal process, or governmental request;

  2. to enforce our Terms of Service and investigate potential violations;

  3. to detect, prevent, or address fraud, security, spam, abuse, or technical issues;

  4. to protect the rights, property, or safety of Guesterra, our users, recipients, third-party

9.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, transfer to a new Guesterra entity, or transfer of the Guesterra business, your data may be transferred as part of that transaction, subject to the same protections described in this Privacy Policy or other protections required by law.

10. Data Retention

10.1 General Retention Policy

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law.

Category
Retention Period

Account data

While the account is active, plus a reasonable period thereafter for legal and operational purposes.

Client and Campaign data

While the account is active, plus up to 90 days after account deletion or termination, unless a longer period is required by law or necessary for legal claims, security, or dispute resolution.

Sent outreach and replies

While the account is active, plus up to 90 days after account deletion or termination, unless a longer period is required by law or necessary for legal claims, security, or dispute resolution.

AI Output and classifications

While the associated Campaign data is retained.

OAuth tokens

Until revoked by you, disconnected, or account deletion, subject to technical and security retention needs.

Payment and subscription records

As required for accounting, tax, payment, chargeback, and legal purposes, typically 7 to 10 years depending on applicable law.

Affiliate attribution data

While relevant for commission calculation, fraud prevention, chargeback handling, and legal retention purposes.

Analytics events

As configured in PostHog or equivalent analytics provider, typically up to 2 years.

Support communications

For the duration of the inquiry plus a reasonable period for operational, legal, or support history purposes.

Server logs

Up to 90 days, or longer for security investigations, abuse prevention, legal claims, or technical issues.

10.2 Deletion After Account Termination

When you request deletion of your account, we will delete or anonymize your personal data within 90 days, except for data we are legally required or permitted to retain.

Examples may include payment records, tax records, security logs, dispute records, fraud prevention records, and records needed to establish, exercise, or defend legal claims.

10.3 Agency Member Removal

When an Agency Member is removed, their access is immediately terminated.

Their data remains under the Agency Account and is retained according to the Agency Account’s lifecycle, unless the Agency Owner requests deletion and deletion is legally and technically available.

10.4 Read-Only Access vs. Deletion

Read-only access after cancellation is not the same as data deletion.

Data is retained during the read-only period and deleted or anonymized in accordance with this section after the applicable retention period expires.

11. Your Rights and Choices

11.1 Rights for All Users

Depending on your location, you may have the following rights:

Right
Description

Access

Request a copy of the personal data we hold about you.

Correction

Request correction of inaccurate or incomplete data.

Deletion

Request deletion of your personal data, subject to legal retention obligations.

Portability

Request your data in a structured, machine-readable format.

Restriction

Request restriction of processing in certain circumstances.

Objection

Object to processing based on legitimate interests.

Withdraw Consent

Withdraw consent where processing is based on your consent.

Complaint

Lodge a complaint with your local data protection authority.

Where legally required, we will recognize and honor browser-based opt-out preference signals, such as Global Privacy Control, GPC, as a request to opt out of the sale or sharing of personal data for cross-context behavioral advertising.

To exercise your CCPA/CPRA rights, contact us at privacy@guesterra.co.

We may verify your identity before processing your request.

You may designate an authorized agent to make a request on your behalf, where permitted by law.

We will not discriminate against you for exercising your privacy rights.

11.2 Additional Rights for EEA, UK, and Switzerland Users

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights listed above under applicable data protection laws, including GDPR, UK GDPR, and Swiss FADP.

Our legal bases for processing are identified in Section 8.

To exercise your rights, contact us at [privacy@guesterra.co].

We will respond within the timeframe required by applicable law, typically 30 days.

You may also have the right to lodge a complaint with your local supervisory authority:

  1. EEA: your Member State’s data protection authority;

  2. UK: Information Commissioner’s Office, ICO, at www.ico.org.uk;

  3. Switzerland: Federal Data Protection and Information Commissioner, FDPIC.

11.3 Additional Rights for California Residents

If you are a California resident, you may have the following rights under the California Consumer Privacy Act, CCPA, and California Privacy Rights Act, CPRA:

Right
Description

Right to Know

Request information about the categories and specific pieces of personal data we have collected about you, the sources, the purposes, and the categories of third parties with whom we have shared it.

Right to Delete

Request deletion of your personal data.

Right to Correct

Request correction of inaccurate personal data.

Right to Opt Out of Sale or Sharing

We do not sell or share personal data, as those terms are defined under California law, for cross-context behavioral advertising. We do not have actual knowledge of selling or sharing personal data of consumers under 16.

11.4 Marketing Opt-Out

You may opt out of receiving marketing and promotional communications at any time by:

  1. clicking the “unsubscribe” link in our emails;

  2. contacting us at privacy@guesterra.co.

Opting out of marketing does not opt you out of essential service communications, such as billing, security, legal, account, or policy updates.

11.5 Cookie Controls

Most browsers allow you to manage cookies through browser settings.

Please refer to our Cookie Policy for more information about the cookies we use and how to manage them.

12. Data Security

We implement reasonable technical and organizational measures to protect your personal data, including:

  1. HTTPS for data in transit;

  2. encryption at rest for sensitive credentials and OAuth tokens where technically supported;

  3. access controls;

  4. user and Agency Member data isolation;

  5. least-privilege admin access where practical;

  6. server-side filtering for inbox data;

  7. provider webhook verification where available;

  8. password hashing where email/password login is implemented;

  9. secure OAuth token storage;

  10. reasonable logging and monitoring for security and operational purposes.

However, no method of transmission over the Internet or method of electronic storage is 100 percent secure.

We cannot guarantee absolute security.

You are responsible for protecting your account credentials, devices, Connected Inbox, and access to your account.

13. International Data Transfers

13.1 Data Processing Locations

Guesterra is operated from Serbia.

Your personal data may be processed on servers located in the United States, the European Union, the United Kingdom, Serbia, or other locations where our service providers operate.

13.2 Transfer Safeguards

Where personal data is transferred from the EEA, UK, Switzerland, Serbia, or another jurisdiction to countries that have not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards where required.

These may include:

  1. Standard Contractual Clauses approved by the European Commission;

  2. the UK International Data Transfer Addendum, where applicable;

  3. equivalent mechanisms as applicable;

  4. data processing agreements with service providers.

13.3 Data Processors Abroad

Our service providers listed in Section 9.1 may process data in various jurisdictions.

We take reasonable steps to ensure that appropriate data transfer mechanisms are in place where required by applicable law.

14. Children’s Privacy

Guesterra is intended only for users who are at least 18 years old.

Our website, platform, and services are not directed to children or minors, and we do not knowingly collect personal data from anyone under the age of 18.

If we become aware that a person under 18 has provided us with personal data, we will take reasonable steps to delete such information promptly, unless we are legally required to retain it.

If you believe that a person under 18 has provided us with personal data, please contact us at privacy@guesterra.co.

15. Third-Party Links and Services

The Platform may contain links to third-party websites or services, such as scheduling tools, social media, external resources, podcast websites, or payment provider pages.

This Privacy Policy does not apply to those third-party services.

We encourage you to review their privacy policies before using them.

We are not responsible for third-party privacy practices, security, content, or policies.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we will notify you by email to the address associated with your account, by a prominent notice on the Platform, or by another reasonable method before or when the changes become effective, where required by law.

Your continued use of the Platform after the effective date of the updated Privacy Policy means you acknowledge the updated Privacy Policy.

If you do not agree, you must stop using the Platform and cancel your subscription.

17. Contact Us

For questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, contact us at:

Guesterra
Operated by: Norrin Radd
Email: privacy@guesterra.co
Support: support@guesterra.co
Registered address: insert registered address in Serbia
Registration number: insert registration number

If you have a complaint and are unsatisfied with our response, you may have the right to contact your local data protection authority.