PitchBox Privacy Policy v1.1
Last updated: April 22, 2026 | Effective date: April 22, 2026
Summary: PitchBox reads publicly visible HTML of the websites you explicitly scan, to help you research prospects and draft outreach. Your scans and prospects are stored locally in your browser. Only your account email and payment record are held on our servers. We do not sell data. We use a small number of disclosed sub-processors (listed below).
1. Who We Are
PitchBox is a Chrome browser extension operated by DivergeiX ("we", "us", "our"). PitchBox helps sales reps, founders, agencies, and recruiters analyze publicly available website technology information and generate personalized outreach content.
We act as the data controller for the data described in this policy. For privacy-related queries or to exercise any of your rights, contact: privacy@divergeix.com
2. What Data We Collect
2.1 Website content you explicitly scan (processed locally + sent to our AI service)
When you click Scan This Page or Deep Scan, PitchBox reads the publicly visible HTML source of the active tab to identify:
- Technology signatures (e.g. script tags referencing React, WordPress, Stripe)
- Meta tags (page title, description, Open Graph)
- Publicly visible company metadata (name from meta tags, domain, social links if present)
- Presence of common web tools (analytics, marketing, chat widgets, payment processors)
- Publicly visible text content used to classify industry and generate outreach angles
Parts of this content are sent via TLS to our AI service (see §4) to classify the company and draft outreach. The scan never runs automatically — only when you explicitly click Scan or Deep Scan.
2.1.1 Deep Scan
When you explicitly click Deep Scan, PitchBox fetches up to 10 additional publicly accessible subpages on the same website (e.g. /about, /pricing, /careers):
- Only runs on explicit user gesture, never in the background
- Checks and respects the website's robots.txt before scanning
- Skips pages marked noindex
- Rate-limited to 1 page every 1.5 seconds
- Only scans the same domain — never follows external links
We only read publicly served HTML. This is functionally equivalent to the user pressing Ctrl+U (View Page Source). We do NOT access cookies, localStorage, session data, passwords, form inputs, or any private data on any website.
2.2 Data stored locally on your device (never uploaded to our servers)
The following lives in your browser's chrome.storage.local and never leaves your device:
- Your PitchBox settings (name, company name, role, tone/persona preferences)
- Saved prospect records (company profiles you choose to save)
- Scan history (last 20 scanned domains)
- Theme preference (dark/light mode)
- Generated outreach drafts (stored in session, cleared when browser closes)
2.3 Account and billing data (stored on our servers)
If you create a PitchBox account for paid features, we collect and store:
- Email address — for account identification and login
- Password — stored as a bcrypt hash. We never store plaintext passwords.
- Usage counters — daily scan and draft counts for quota enforcement
- Payment records — Razorpay order ID, payment ID, amount, and GST breakdown. We do NOT store card numbers or bank details.
- Account plan status — Free, Starter, Pro, or Business
This data is stored in an encrypted cloud database in the India region (AES-256 encryption at rest, TLS 1.2+ in transit).
2.4 Data we do NOT collect
- Personal data of website visitors or website owners
- Browsing history beyond the pages you explicitly scan
- Cookies or session data from any website
- Form inputs or passwords from any website
- Credit card or banking information (Razorpay handles all payment processing)
- Location data or device fingerprints
- Data from tabs you do not explicitly scan
- Background browsing activity
3. How We Use Your Data
- Technology detection — to identify web technologies from publicly visible HTML and display results to you.
- Outreach generation — to generate personalized outreach drafts using our AI service (§4). Input: the scan data; output: your draft. We do not retain the scan content on our servers beyond the duration of the request.
- Account management — to authenticate your login and enforce plan quotas.
- Payment processing — to process subscriptions and issue GST-compliant tax invoices via Razorpay.
4. Third-Party Services
We use the following third-party infrastructure partners. Each is bound by its own privacy policy and, where applicable, standard contractual clauses for cross-border transfers.
| Partner | Purpose | Location |
| --- | --- | --- |
| AI text-generation service | Powers the outreach-draft and company-classification features. Scan content is sent via TLS for real-time processing and is not retained. | Primary region: United States; enterprise customers may request EU-region processing. |
| Razorpay | Payment processing for paid subscriptions. PCI-DSS Level 1 certified, RBI regulated. | India |
| Cloud infrastructure provider | Hosting for backend services (serverless functions) and account storage (encrypted database). ISO 27001, ISO 27018, SOC 2 certified. | India region |
| Static page hosting | Static hosting for marketing, checkout, and policy pages. | Global CDN |
Cross-border transfer notice (GDPR/DPDP): when you use outreach generation, relevant scan content may be transferred outside of India for AI processing. We rely on Data Processing Agreements and, where applicable, the EU Standard Contractual Clauses for these transfers. Enterprise customers may request our current sub-processor list and DPA by emailing privacy@divergeix.com.
5. Data Retention
- Local data: retained until you uninstall the extension or clear browser data. You control this entirely.
- Session drafts: cleared when you close the browser.
- Scan content sent to the AI service: processed in real time and not retained on our servers. The AI provider's own retention policy applies; ephemeral by default.
- Account data: retained while your account is active. Deleted within 30 days of a deletion request.
- Usage logs: retained for 90 days for billing and quota enforcement.
- Payment records: retained for 8 years for Indian GST and tax compliance.
6. Your Rights (GDPR, DPDP Act 2023, and global privacy)
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct any inaccurate data
- Erasure — request complete deletion of your account and all associated data (subject to tax-retention obligations for payment records)
- Portability — export your saved prospects and settings in machine-readable format
- Restriction — restrict further processing of your data
- Object — object to processing (for legitimate interest bases)
- Withdraw consent — uninstall the extension at any time to stop all processing
- Nomination (DPDP) — Indian users may nominate a representative to exercise these rights on their behalf
- Grievance redressal (DPDP) — contact our Grievance Officer at privacy@divergeix.com. We respond within 30 days.
7. Data Security
- Passwords hashed using bcrypt — never stored in plaintext
- Authentication uses signed JWT tokens with 30-day expiry
- All API communication uses HTTPS / TLS 1.2+
- Database encryption at rest (AES-256)
- Webhook payloads verified with HMAC-SHA256 signatures
- No third-party analytics or tracking pixels embedded in the extension
8. Chrome Extension Permissions
PitchBox requests the following Chrome permissions. Each is used only for the stated purpose:
- activeTab — to read the HTML of the page you're currently viewing when you click Scan
- sidePanel — to display the PitchBox analysis panel alongside the webpage
- storage — to save your settings, prospects, and scan history locally in your browser
- scripting — to inject the page scanner when you click Scan
- tabs — to open the hosted Razorpay checkout and privacy/pricing pages in new tabs
- contextMenus — to add "Analyze with PitchBox" to the right-click menu
host_permissions: <all_urls> — required so the scanner can run on any website you explicitly scan. The scanner never runs automatically or in the background.
9. Children's Privacy
PitchBox is a professional sales tool and is not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors.
10. Changes to This Policy
We may update this privacy policy from time to time. Changes will be reflected in the "Last updated" date above. For material changes, we will notify users through the extension or via email to account holders.
11. Legal Basis for Processing (GDPR Article 6)
- Consent: you consent to data processing by installing and using the extension (opt-in on first scan).
- Legitimate interest: reading publicly available HTML source code for technology detection.
- Contract: account creation and payment processing to deliver the paid service.
- Legal obligation: retaining payment records for Indian GST and tax compliance.
12. Contact
For privacy inquiries, data subject requests, or complaints: