
Privacy Policy

26 October 2025

Who we are: Caretta Inc. ("we", "us", "our") provides Caretta, a sales-enablement application. We are the data controller for personal data processed via our website and app. This policy explains what data we collect, why we collect it, how we use and share it, how long we keep it, your rights, and how to contact us.

Data we collect and sources

1) Account & authentication

  • Google Sign-In data: name, email, profile image (as provided by Google).
  • OAuth tokens: access/refresh tokens and expiry (to maintain connections).
  • Google requirement: Our use and transfer of information received from Google APIs will comply with the Google API Services User Data Policy (including Limited Use).

2) In-app data you or your organisation provide

  • Calls: duration, notes, optional transcript, optional recording URL, links to evaluations.
  • Events & scheduling: titles, start/end time, link to related contacts.
  • Contacts & companies: names, emails, phones, CRM fields, lifecycle/lead state.
  • Files: filename/type/size/URL you upload.
  • Context: organisation/user context, objection lists, candidate snippets.
  • LLM content: prompts/outputs (e.g., "brain context", generated notes/summaries) tied to your usage to deliver features.

3) Connected services (only if you opt in)

  • Google Calendar (e.g., read-only calendar metadata) to prepare agendas/briefings and link meetings. We request only the minimum scopes needed.
  • Microsoft Graph (e.g., Calendars.Read delegated) for the same scheduling/context features.
  • HubSpot (selected CRM scopes you approve) to enrich contacts/companies and link meeting context.

We do not read emails or files, nor do we access data beyond the permissions you grant.

4) Analytics & telemetry

We use PostHog for product analytics (e.g., feature usage, device/browser, coarse location/IP) to improve performance and user experience. We configure PostHog with GDPR-friendly controls and limit data to what's necessary. Where required, we obtain consent.

How we use the data (purposes)

  • Authenticate sessions, manage accounts, and secure the service.
  • Prepare call briefings; capture/transcribe calls if enabled; generate notes/summaries; support evaluations.
  • Sync relevant calendar metadata (Google/Microsoft) for scheduling/context.
  • Enrich CRM records (HubSpot) if connected.
  • Provide analytics, product improvement, and support.
  • Comply with legal obligations and enforce terms.

Sharing and processors

We use vetted service providers (hosting, storage, analytics). They process personal data under our instructions. For connected calendars we use Google Calendar API/Microsoft Graph; for CRM enrichment we use HubSpot APIs; for analytics we use PostHog. We do not sell personal data.

International transfers

If we transfer data outside the EEA/UK, we use appropriate safeguards (e.g., EU Standard Contractual Clauses) and assess local laws.

Security

We implement industry-standard technical and organisational measures, including encryption in transit and at rest, strict access controls, and role-based permissions. Our application enforces data segregation appropriate to our environment.

Retention

We retain personal data only as long as necessary for the purposes above or to meet legal obligations. You (or your organisation admin) may request deletion at any time (see Deletion below).

Your rights

You may have rights of access, rectification, erasure, restriction, objection, and data portability under the GDPR, and the right to lodge a complaint with the Autoriteit Persoonsgegevens (NL). We will respond within statutory periods.

Revocation & deletion

Revoke third-party access

  • Google: revoke our access from your Google Account's third-party app settings at any time; we will stop receiving new data thereafter.
  • Microsoft: revoke Microsoft Graph permissions from your Microsoft/Entra account settings.
  • HubSpot: remove our app and its scopes in your HubSpot settings.

Request deletion

To delete in-app data (e.g., calls, transcripts, context, contacts, files), email omar@caretta.so or use the in-app controls (where available). We will confirm deletion unless retention is legally required.

Google-specific disclosures (required)

  • Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
  • We request only the minimum scopes needed and justify any sensitive/restricted scopes during verification.

Children

Our services are not directed to children and we do not knowingly process children's data.

Changes

We may update this policy from time to time. We will post the new date and, where appropriate, notify you.

Scopes & permissions we request (transparency)

Below are the exact scopes our app requests and how we use them. We only request the minimum set of permissions required to deliver the described functionality.

Google

  • openid, email, profile: enable Google Sign-In and retrieve the user's basic account details (name, email, and profile image).
  • https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/calendar.events.readonly: access calendar data to read, create, and update events, allowing meeting integration and synchronisation within the app.
  • offline_access: obtain a refresh token so that the connection to your Google Calendar remains active without requiring you to reauthenticate each time.

Microsoft

  • Calendars.Read: read your Microsoft calendar metadata (event titles, times, attendees) to display schedules and prepare meeting briefings.
  • User.Read: retrieve your basic Microsoft account details (name and email) to associate your user identity with your organisation's workspace.
  • offline_access: maintain connection to your Microsoft account and refresh tokens without repeated sign-in.
  • openid, email, profile: standard authentication scopes that verify identity and provide basic user information during Microsoft login.

HubSpot

  • crm.objects.contacts.read, crm.objects.contacts.write: read and update contact records to keep customer data in sync.
  • crm.objects.companies.read, crm.objects.companies.write: read and update company records for CRM enrichment.
  • crm.schemas.companies.read, crm.schemas.companies.write, crm.schemas.contacts.read, crm.schemas.contacts.write: read and modify object schema definitions to align with custom CRM fields used within the app.
  • settings.users.read: read your HubSpot account's user list to associate HubSpot users with app users.
  • oauth: authorise secure integration with your HubSpot account.

Together, these scopes allow the app to read and update CRM data necessary for linking meetings, contacts, and companies within your workspace.

Analytics

  • PostHog event collection: gather anonymised usage data (feature usage, device/browser type, session duration) to improve product performance and user experience.
  • GDPR compliance: configured with GDPR-compliant controls and offers opt-out or consent options as required by law.
© Caretta Inc. All rights reserved.