Privacy Policy

Hong Kong Anvil Ltd. is a company registered in Hong Kong SAR (Business Registration number pending publication). Our registered address is held on file with the Hong Kong Companies Registry. You can reach our Data Protection Officer at 738888@proton.me or by phone at +852 4748 1911.

For the purpose of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Anvil acts as:

• Data Controller for personal data of Anvil account holders (you) and your authorised end-users.
• Data Processor for the customer records, messages, and prospect information you upload or collect through the Service — you remain the Data Controller of that data.

2.1 Information you provide

• Account data — name, email address, password (hashed with bcrypt or argon2), phone number, profile photo, company name, role, and workspace (tenant) name.
• Authentication data — when you sign in with Google or Apple, the identity provider sends us your email, name, and a subject identifier. We never receive your provider password.
• Billing data — billing address, tax ID, and the last four digits of the payment card (the full card number is held by Stripe — we never see it).
• Content you create — contacts, leads, pipelines, notes, email templates, drip sequences, crawl tasks, deal rooms, workflows, and any uploaded files (logos, attachments, recordings).
• Connected-account credentials — SMTP passwords, OAuth refresh tokens for Google Calendar / Gmail, WhatsApp Business access tokens, and other third-party API keys you choose to connect. These are encrypted at rest using AES-256-GCM.

2.2 Information we collect automatically

• Usage data — pages viewed, features used, click events, session duration, approximate geolocation derived from IP.
• Device data — browser type, operating system, device identifiers, language, time zone.
• Log data — IP address, request method, URL, timestamps, HTTP status, request ID, and error traces.
• Cookies and similar technologies — see Section 10.

2.3 Information from third parties

• Identity providers you choose to sign in with (Google, Apple).
• Payment processors (Stripe) — transaction metadata, refund status, risk scores.
• Public sources you instruct us to scrape on your behalf — see Section 5 for how we handle prospect data specifically.

We use personal data to:

• Provide, operate, authenticate, and maintain the Service.
• Process your subscriptions and send transactional communications (invoices, password resets, security alerts, product notifications).
• Run the features you enable on your data — for example, to classify an inbound reply, draft a personalised email, or compute a fit score for a lead you added to your workspace.
• Monitor usage, detect abuse, prevent fraud, and secure accounts.
• Comply with legal obligations and enforce our agreements.
• With your explicit consent, send product updates or marketing emails. You can unsubscribe any time via the link in every marketing email.

We do not use your content — the emails you draft, the leads you upload, the conversations you have with prospects — to train AI models shared with other customers. Aggregate, anonymised usage statistics may be used to improve the Service.

If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases:

• Contract (Art. 6(1)(b)) — to deliver the Service you subscribed to.
• Legitimate interests (Art. 6(1)(f)) — to secure accounts, prevent fraud, improve the product, and carry out ordinary business-to-business communications on behalf of you (our customer).
• Consent (Art. 6(1)(a)) — for optional cookies, marketing messages, and any sensitive feature that needs explicit opt-in.
• Legal obligation (Art. 6(1)(c)) — tax, accounting, and lawful-demand compliance.

Anvil helps users discover and contact potential B2B customers. Data about those prospects may be collected from:

• Publicly accessible business directories (OpenStreetMap, Google Maps, corporate websites, public LinkedIn company pages, press releases).
• Sources you explicitly authorise (CSV uploads, CRM imports, API feeds).
• Business contact fields shown on the prospect’s own publicly available website (e.g. the info@company.com address shown on their contact page).

We rely on legitimate interest under GDPR Art. 6(1)(f) for this processing. In practice:

• We only collect business-context data (work email, company role, business phone) — never personal data unrelated to the prospect’s professional capacity.
• We carry out a balancing test before every scraping workflow and honor opt-out tokens, robots.txt directives, and explicit source-site terms where technically feasible.
• Users of Anvil are contractually required to comply with applicable anti-spam laws (CAN-SPAM, CASL, GDPR Art. 21, China PIPL direct marketing rules).
• Every outbound email sent through Anvil includes a functional unsubscribe link. One-click unsubscribe is honored within 24 hours and the recipient is added to a suppression list across all workspaces owned by the same user.

Right of the prospect to be notified / erased. If you are a prospect whose data was collected for outreach by an Anvil customer, you can exercise your rights directly with that customer, or contact us at 738888@proton.me and we will forward your request or act directly on it within 30 days.

We never sell personal information. We share limited data with the following subprocessors, each bound by data-processing agreements:

• Cloud hosting — the server infrastructure on which the Service runs (region: Hong Kong / Singapore / EU, selected per customer).
• Cloudflare Inc. (US/global) — CDN, WAF, DDoS protection, DNS.
• Stripe Payments Europe Ltd. — payment processing. Your card number is never sent to Anvil.
• Resend Inc. (US) — transactional and marketing email delivery.
• OpenAI, LLC (US) — optional AI inference for discovery, analysis, and message composition. Customer content sent to OpenAI is not used to train their models (OpenAI API data usage policy).
• Google LLC (US) — Google OAuth, Calendar, optional Places API (only when you enable those integrations).
• Meta Platforms Ireland Ltd. — WhatsApp Cloud API (only when you connect a WhatsApp channel).
• Sentry Inc. (US) — application error monitoring. PII is scrubbed from error payloads before transmission.
• Twilio Inc. (US) — telephony, SMS (only when you enable voice/SMS features).
• ElevenLabs Inc. (US) — AI voice synthesis (only when you enable the voice feature).
• GitHub Inc. (US) — source-code hosting; no customer content is stored here.

An up-to-date list of subprocessors is maintained at anvilhk.com/legal/subprocessors. Enterprise customers receive 30 days’ notice of any material change.

We also disclose information when required by law (subpoenas, court orders, regulatory requests), or to protect our rights, property, or safety. We will challenge overbroad or unlawful requests where reasonable.

In the event of a merger, acquisition, or sale of assets, personal data may be transferred. We will notify you by email and in-app at least 30 days before any such transfer.

We keep personal data only as long as necessary:

• Account & billing data — kept for the life of your account plus 7 years to meet tax and accounting requirements.
• Content (CRM, emails, workflows) — kept while your subscription is active. Deleted within 30 days of account closure unless you request an extension.
• Backups — encrypted snapshots rotate on a 30-day schedule and are fully purged within 90 days.
• Access & audit logs — kept for up to 1 year for security and forensic purposes.
• Prospect outreach suppression lists — kept indefinitely to honor unsubscribe requests even across workspace changes.

• TLS 1.2+ in transit; HSTS enforced on all customer-facing domains.
• AES-256 at rest for object storage, database backups, and all third-party credential fields (SMTP password, OAuth tokens).
• JWT access tokens are HttpOnly, Secure, SameSite-strict cookies. Refresh tokens rotate on every refresh; revoked tokens are blacklisted.
• Multi-factor authentication is available and required for Owner and Admin roles by default on Business-plan tenants.
• Principle of least privilege: only a small number of vetted staff can access production data and only for break-glass diagnostics, with every access event logged.
• Vulnerability management: third-party dependencies are monitored daily and patched on a defined SLA based on severity.
• We will notify affected customers of any confirmed personal data breach within 72 hours of becoming aware, as required by GDPR Art. 33 and HK PDPO DPP4.

Depending on where you live, you have some or all of the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure (“right to be forgotten”) — request deletion of your data, subject to legal retention obligations.
• Restriction — ask us to pause processing while a dispute is resolved.
• Portability — receive a machine-readable export of your data.
• Objection — object to processing based on legitimate interest, including direct marketing.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Lodge a complaint — with your local data-protection authority (for example, the Hong Kong PCPD, the Irish Data Protection Commission for EU residents, or the California Privacy Protection Agency for California residents).

You can exercise most rights directly inside the Service under Settings → Privacy, or by emailing 738888@proton.me. We respond within 30 days.

California residents (CCPA/CPRA) have the right to know the categories of personal information collected, sold, or shared (Anvil does not sell personal information), the right to delete, the right to correct, the right to opt-out of sharing for cross-context behavioral advertising, and the right to non-discrimination for exercising these rights.

Mainland China residents (PIPL) have the right to know, decide, access, correct, copy, transfer, and delete their personal information, and the right to withdraw consent. For transfers of personal information outside the PRC, we rely on the PRC Standard Contract for the outbound cross-border transfer of personal information.

We use a minimal set of cookies:

• Strictly necessary — session cookies (auth), CSRF tokens, locale preference. These cannot be disabled.
• Preference — dark mode, language, sidebar state.
• Analytics — first-party anonymised page-view metrics (no third-party trackers by default).

We do not use advertising or cross-site tracking cookies. EU/UK visitors will see a cookie banner on first visit where you can accept or reject non-essential cookies.

Anvil is operated from Hong Kong. Data may be transferred to and processed in countries other than the one you live in, including the United States and the European Union, depending on where our subprocessors are located (see Section 6).

For transfers out of the EEA, the UK, or Switzerland we rely on the European Commission’s Standard Contractual Clauses (2021/914/EU) and, where applicable, the UK Addendum. For transfers out of mainland China we rely on the PRC Standard Contract for outbound transfer of personal information, filed with the CAC where required.

The Service is intended for business use and is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe we have, contact us immediately and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be notified to Anvil account holders by email at least 30 days before they take effect. The “Last updated” date at the top of this page always reflects the latest version.

For privacy questions, data-subject requests, or to lodge a complaint:

• Email: 738888@proton.me
• Phone: +852 4748 1911
• Postal: Hong Kong Anvil Ltd., Hong Kong SAR

If we do not resolve your concern to your satisfaction, you have the right to lodge a complaint with your local supervisory authority.