Privacy Policy

Last updated: May 17, 2025

Pillr is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. If you have any questions, contact us at privacy@pillr.app.

1. Who we are

Pillr is a CRM and sales intelligence tool based in the Netherlands. As the operator of Pillr, we are the data controller responsible for personal data processed through the Pillr application (app.pillr.app) and marketing website (pillr.app).

Because we are based in the European Union, this policy is written in accordance with the General Data Protection Regulation (GDPR).

2. What we collect

We collect two categories of data: data about you (the Pillr user) and data about your leads (the contacts you manage inside Pillr).

Category          | Examples                                                          | Source
------------------|-------------------------------------------------------------------|------------------------------------------------
Account data      | Name, email address, password (hashed)                            | You, at sign-up
Profile data      | Phone, country, timezone, job title                               | You, in settings
Company data      | Company name, sector, website, description                        | You, during onboarding
Lead data         | Lead names, emails, phone numbers, company, interaction notes     | You, when adding leads
Activity data     | Emails logged, call notes, meeting notes, timestamps              | You, when logging interactions
AI-generated data | Summaries, open loop analysis, priority scores                    | Automatically generated from your activity data
Usage data        | Pages visited, actions taken, session data                        | Automatically, via analytics

We do not collect payment card details directly — payments are processed by our payment provider and we only receive a non-sensitive transaction confirmation.

3. How we use your data

We use your data for the following purposes:

  • Providing the service — creating your account, storing your leads and interactions, and powering the AI features (priority scoring, focus bullets, email drafts).
  • Personalisation — using your job title, sector, and company description to tailor AI suggestions to your context.
  • Scheduling and reminders — using your timezone to show follow-up reminders at the correct local time.
  • Communication — sending transactional emails (account confirmation, password reset). We do not send marketing emails unless you opt in separately.
  • Security — detecting fraud, abuse, and unauthorised access.
  • Analytics — understanding how Pillr is used in aggregate to improve the product. We use anonymised, aggregated data only for this purpose.
  • Legal obligations — complying with applicable laws and regulations.

We do not sell your data. We do not use your data for advertising. Your lead data is never shared with other Pillr users or third parties outside of the processors listed in section 5.

5. Third-party processors

We use the following third-party services to operate Pillr. Each acts as a data processor on our behalf and is bound by data processing agreements.

Provider         | Purpose                                  | Data shared                           | Location
-----------------|------------------------------------------|---------------------------------------|------------------------------------------
Supabase         | Authentication & session management      | Email address, hashed password        | EU (Frankfurt)
Neon             | Database hosting                         | All user and lead data                | EU (Frankfurt)
Vercel           | Application hosting & CDN                | Request metadata                      | EU edge / US
OpenAI           | AI analysis (summaries, scoring, drafts) | Interaction notes & lead context      | US (with EU data processing addendum)
Vercel Analytics | Anonymised usage analytics               | Page views, no personal identifiers   | EU / US

When interaction notes are sent to OpenAI for AI processing, they are used solely to generate the response for your session and are not used to train OpenAI models (we use the API under OpenAI's zero data retention policy for the API tier).

6. Data retention

We keep your data for as long as your account is active. Specifically:

  • Account and profile data — retained for the duration of your account. Deleted within 30 days of account deletion.
  • Lead and activity data — retained for the duration of your account. Deleted within 30 days of account deletion.
  • AI-generated data — stored alongside the lead/activity data to which it belongs. Deleted together with that data.
  • Usage/analytics data — retained in anonymised, aggregated form for up to 24 months.
  • Billing records — retained for 7 years as required by Dutch tax law.

When you delete your account via Settings → Delete Account, all personal data is permanently removed from our systems within 30 days, except where legal retention obligations apply.

7. Your rights under GDPR

As an EU resident, you have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data. You can update most data directly in Settings.
  • Right to erasure — request deletion of your data. You can delete your account at any time in Settings → Delete Account.
  • Right to data portability — request your data in a structured, machine-readable format.
  • Right to restriction — ask us to restrict processing of your data in certain circumstances.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@pillr.app. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch data protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

8. Security

We take the security of your data seriously. Our measures include:

  • All data transmitted between your browser and Pillr is encrypted via TLS (HTTPS).
  • Passwords are never stored in plain text — they are hashed and managed by Supabase Auth.
  • Database access is restricted to authorised application processes only; no direct public access is permitted.
  • Each user's data is scoped to their account and organisation — you cannot access another user's leads or data.
  • We regularly review our security practices as the product evolves.

If you discover a security vulnerability, please report it responsibly to security@pillr.app.

9. Cookies & analytics

Pillr uses a minimal number of cookies and tracking technologies:

  • Session cookie (pillr_session) — a strictly necessary cookie used to keep you logged in. No expiry date; deleted when you close your browser or log out.
  • Supabase auth cookies — required for authentication. Session-scoped.
  • Vercel Analytics — privacy-first, cookieless page-view analytics. No personal identifiers are collected; no cross-site tracking.

We do not use advertising cookies, Facebook Pixel, Google Analytics, or any third-party tracking pixels.

10. Children

Pillr is a professional B2B tool intended for adults. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has created an account, please contact us at privacy@pillr.app and we will delete the account promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of Pillr after changes take effect constitutes acceptance of the updated policy.

Previous versions of this policy are available on request.

12. Contact us

For any privacy-related questions, data access requests, or complaints:

Data Controller: Pillr

Email: privacy@pillr.app

Location: Netherlands

This policy was last updated on May 17, 2025. It applies to all users of Pillr globally, with specific GDPR rights applying to EU/EEA residents.