Privacy Policy

Effective date: April 19, 2026

Who we are

BoomSauce is an email infrastructure product operated by Nimbus.io, LLC (“Nimbus,” “we,” “us”), a Florida limited liability company. This policy explains what we collect, why we collect it, who we share it with, and the controls you have over it.

What we collect

Account information. When you sign in via Google OAuth we receive your email address and basic profile name (userinfo.email + userinfo.profile scopes). We do not request Gmail, Drive, or Calendar access.

Company + profile data. Information you provide about your organization, role, and preferences.

Contacts. Contact records (name, email, any custom fields) you import. Used to personalize outbound messages and store reply history.

Email content. Subject lines, body text, merge-field configuration, and spintax variants for the playbooks + sequences you create. The rendered (per-recipient) version of each sent email is stored so you can review exactly what each contact received.

Sending + engagement events. Delivery confirmations, bounces, replies, unsubscribes, and (for emails that contain links — reply messages only, never first touches) click events. We do not use open-pixel tracking on first emails because first emails contain no images by design.

Wallet + billing. Stripe payment-intent IDs, topup amounts, wallet balance, per-transaction line items (what was charged for, when). Card numbers are never stored on our systems — Stripe handles that.

Usage analytics. Pages visited, features used, and actions taken within the app for product-improvement purposes.

How we use your information

  • Operate the email platform and send the campaigns + sequences you configure
  • Warm your mailboxes through the CheddarInbox peer-to-peer network (see below)
  • Track deliverability, bounce rates, and reply classification
  • Maintain the accounting ledger, process Stripe topups, and compute wallet balances
  • Triage support tickets, including with AI-assisted responses
  • Detect abuse, spam attempts, and violations of our acceptable-use policy
  • Improve the product and build new features

Google OAuth — narrow scope

We use Google OAuth solely for login. We request email + profile only. We never request Gmail, Contacts, Drive, or Calendar permissions. We do not read your Gmail inbox or send mail on your behalf via your Google account.

CheddarInbox warmup network

BoomSauce warmup is powered by CheddarInbox, a peer-to-peer network that Nimbus also operates. When you enable warmup on a mailbox, that mailbox sends and receives pre-approved, non-commercial warmup messages with other mailboxes on the network. This activity does not involve your contact list or your real outbound campaigns — it is separate traffic designed solely to establish sending reputation.

Warmup messages that land in your mailbox may be processed to confirm network health (engagement rate, classification). They are not exposed in your Conversations inbox unless you explicitly opt in to show them.

Data storage and security

Data lives in a PostgreSQL database hosted on Railway (Amsterdam region for EU-relevant tenants, US region otherwise). All connections use TLS. Sessions use iron-session with HTTP-only cookies and a 7-day expiry. SMTP credentials are encrypted at rest.

Third parties we share data with

We share data only with the infrastructure providers that make the platform work. We do not sell, rent, or trade your information.

  • Railway — hosting, database, background workers
  • Stripe — payment processing, statement descriptor NIMBUS*BOOMSAUCE
  • Namecheap — domain registration on your behalf
  • SendGrid (Twilio) — fallback SMTP provider
  • CheddarInbox — primary SMTP + peer-to-peer warmup network, also operated by Nimbus.io, LLC
  • Anthropic — Claude API for AI-assisted support triage, email content classification, and the free-website-per-domain generator. Messages sent to Anthropic are content-only, not identity-linked
  • Google Postmaster Tools — deliverability reputation monitoring for domains you add
  • EasyDMARC — DMARC report aggregation
  • GlockApps — on-demand inbox placement testing

We may also disclose information when required by law, to respond to lawful requests from public authorities, or to protect the security and rights of Nimbus, our users, or the public.

Your rights

Regardless of where you live, you may:

  • Export all of your contacts and playbook content
  • Request deletion of your account and associated data
  • Update your profile information at any time
  • Request a refund of unused wallet balance (subject to the 10% processing fee in the Terms)
  • Revoke Google OAuth access through your Google Account settings

If you are located in the European Economic Area, the United Kingdom, or California, you have additional rights under the GDPR, UK GDPR, or CCPA / CPRA respectively. These include the right to access, correct, delete, port, and restrict processing of your personal data, and the right to object to automated decision-making (we do not do automated decision-making that produces legal effects). Contact us through the in-app support page to exercise any of these rights and we will respond within 30 days.

Data retention

Active account data is retained for as long as the account is active. On account closure we delete identifiable data within 30 days, with two exceptions:

  • Financial-ledger entries and wallet transactions are retained for 7 years for tax and audit compliance
  • Dormant wallets with a positive balance follow the abandoned-property schedule described in the Terms (notice at 24 months, final notice at 36 months, possible state remittance at 60 months)

Cookies

We use a single session cookie (iron-session, HTTP-only, encrypted) to keep you logged in. We do not use advertising cookies, third-party analytics trackers, or session-replay tools on our own site.

Children

The Service is not intended for users under 18. We do not knowingly collect data from children. If you believe a minor has created an account, contact us and we will delete the account and associated data.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated through the platform with at least 30 days’ notice. Continued use after the effective date of a change constitutes acceptance.

Contact

Privacy questions, data requests, and GDPR/CCPA inquiries should be submitted through the in-app support page at app.boomsauce.com/support. We respond within 30 days.

Written notices to Nimbus.io, LLC:

Nimbus.io, LLC
P.O. Box 450352
2346 Belt Line Rd.
Garland, TX 75044-9998
United States