Built for revenue leaders · powered by Anthropic Claude
Home

Legal · Last updated January 1, 2026

Privacy Policy

What we collect, why, who we share it with, and how you can control it.

1. Who we are

Outcome Engine AI ("Outcome Engine," "we," "us") is the data controller for the outcomeengineai.com marketing site and the data processor for customer data submitted into the Outcome Engine platform. We are operated by Fusion Advisory (the legal entity behind Outcome Engine AI). For any privacy inquiry, contact mike@fusion-advisory.com.

2. What we collect

Account data

  • Name, work email, role, and (optional) profile picture when you sign up
  • Workspace name, plan, seat count, and billing contact
  • Sign-in identifiers from your chosen provider (Google, Microsoft, or magic-link email)

Workspace data

  • CRM records you create or import: deals, contacts, companies, activities, meetings, proposals, bookings, campaigns
  • Pipeline configuration: stages, custom fields, goals, automations
  • Files you upload (proposal assets, branding logos)

Usage data

  • Pages viewed, features used, AI calls made (counts + cost; never the prompt text in our analytics layer)
  • Login timestamps, IP addresses, and user-agent strings — used for security auditing
  • Browser cookies for authentication session and a single privacy-respecting analytics cookie

Communications

  • Emails you send through the platform (Campaign Engine, proposal share notifications)
  • Calendar events synced via Google or Microsoft when you connect your calendar
  • Meeting transcripts when Recall.ai is explicitly enabled (private beta, opt-in per workspace)

3. How we use your data

  • Deliver the service — render your pipeline, run AI analyses, send emails on your behalf, sync your calendar
  • Operate safely — detect abuse, prevent fraud, enforce row-level security across tenants
  • Bill you — process subscriptions via Stripe; we never store full credit-card numbers ourselves
  • Support you — when you contact us, we use your account and workspace context to help
  • Improve the product — aggregate, anonymized analytics on which features get used

4. AI processing — explicit commitments

Outcome Engine uses Anthropic Claude (and may in the future use other providers) for AI features. We commit to the following:

  • Customer data is never used to train AI models. Anthropic's commercial API terms guarantee this; we rely on that contractual commitment and pass it through to you.
  • AI never writes to your CRM unattended. Every AI suggestion (stage move, activity log, health-score change) is a confirm-first chip the rep approves before save. The original sentence, the AI suggestion, and the final saved value are recorded in the audit log.
  • You can disable AI features. Workspace admins can turn off AI-driven writes in /admin/policies. Reads (drafts, summaries) cannot be forced; users opt in by clicking the AI button.

5. Who we share data with (subprocessors)

We use the following subprocessors. Each is bound by a data-processing agreement with us, and we commit to notifying customers of material changes to this list at least 30 days in advance via email and an update to this page.

SubprocessorPurposeDataRegion
Supabase, Inc.Postgres database + authentication + storageAll customer data — accounts, workspaces, deals, contacts, activitiesUnited States (us-east-1)
Vercel, Inc.Application hosting and edge deliveryRequest metadata, deployment logsUnited States + global edge
Anthropic, PBCLarge-language-model inference for AI featuresPrompts sent to Claude (deal context, user input, meeting summaries). Anthropic does NOT use API data for training per their commercial terms.United States
Resend (Resend, Inc.)Transactional + outbound email deliveryRecipient addresses, message subject + body, delivery statusUnited States
Stripe, Inc.Subscription billing + payment processingBilling contact, payment method tokens, invoice records (no full card numbers)United States + customer's region for PCI compliance
Recall.ai, Inc.Meeting recording + transcription (private beta; only if enabled per workspace)Meeting audio/video, transcript text. Recall.ai deletes media within 24 hours by default.United States
Postmark (ActiveCampaign LLC)Inbound email routing (Campaign Engine replies)Inbound message metadata and content addressed to your routing aliasesUnited States

We do not sell your data. We do not share your data with advertisers. We do not allow third parties to use your data to build profiles of you.

6. International transfers

Our primary infrastructure is in the United States. If you access Outcome Engine from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) for EEA, UK, and Swiss data transfers. For customers requiring EU data residency, contact us — EU-region hosting is on our 2026 roadmap.

7. Your rights

Depending on your jurisdiction, you have the following rights:

  • Access — see what data we have about you. Export available at /settings/export.
  • Correction — update inaccurate data. Most data is directly editable in the app.
  • Deletion — request deletion of your personal data. Workspace admins can self-serve delete a workspace at /settings; for full erasure beyond that, email mike@fusion-advisory.com and we'll process within 30 days.
  • Portability — receive your data in a machine-readable format. /settings/export returns JSON.
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Complaint — file a complaint with your local data protection authority

8. Retention

  • Active workspace data: retained for the life of your subscription.
  • Cancelled / churned workspaces: 30-day grace period during which you can reactivate and recover data, then permanently deleted.
  • Billing records: 7 years (US tax requirement).
  • Audit logs: 2 years.
  • Backups: 7-day rolling point-in-time recovery via Supabase. Backups are encrypted and access-restricted.

9. Security

  • Transport: TLS 1.2+ on every connection
  • At rest: AES-256 encryption (Supabase Postgres default)
  • Multi-tenant isolation: Postgres row-level security on every customer-data table; every query scoped to the actor's organization
  • Authentication: Supabase Auth with OAuth (Google, Microsoft) or magic-link email; SAML/Okta on the Enterprise roadmap
  • Audit log: every meaningful action (writes, deletes, access-control changes) is logged with timestamp, actor, and IP
  • Vulnerability disclosure: email mike@fusion-advisory.com with the subject "Security disclosure." We acknowledge within 24 hours.

We are working toward SOC 2 Type II attestation in 2027. In the meantime our /security page describes the technical posture in detail.

10. Cookies + tracking

We use a session cookie for authentication and a single first-party analytics cookie (via Plausible-style privacy-respecting analytics) to count page views. We do not use third-party advertising cookies. We do not track you across other sites.

11. Children

Outcome Engine is a B2B product not intended for children under 16. We do not knowingly collect data from anyone under 16.

12. Changes to this policy

We will notify customers of material changes at least 30 days before they take effect via email and an update to this page. Routine updates (clarifications, fixed typos, new minor subprocessors of the same purpose) are posted here with the "Last updated" date refreshed.

13. Contact

For privacy inquiries, data subject requests, security disclosures, or any other concern:

mike@fusion-advisory.com

For our full Data Processing Addendum (DPA), visit /dpa.