Legal · Privacy

Privacy Policy

Effective

29 April 2026

Version

1.0

Controller

Hudson & Flowerdew Ltd

This Privacy Policy explains how Hudson & Flowerdew Ltd ("we", "us", "our") collects, uses, and protects personal data when you visit our marketing website at overdrivehq.co.uk or use our products, including Overdrive Engage. Where you are a customer, we also act as a data processor for personal data you upload — that role is described below.

01 Who we are

Company name: Hudson & Flowerdew Ltd, trading as Overdrive Engage and OverdriveHQ.
Company number: 08683882 (registered in England and Wales).
Registered office: Unit C, Regent House, 9 Crown Square, Poundbury, Dorchester, England, DT1 3DY.
Information Commissioner's Office (ICO): we are registered with the ICO as a data controller.
Contact for privacy queries: please write to us at our registered office (see §12).

02 What personal data we collect

From visitors to our website

Demo request form: name, work email, company name, company type, team size, CRM in use, current email tool, and any optional notes you provide.
Server logs: IP address, user-agent, timestamps, and pages visited. Used for security, abuse prevention, and operational debugging.
We do not use third-party analytics, advertising, or marketing cookies on this site.

From customers

Account information: name, work email, company, billing address, and basic identifiers needed to provision your subscription.
Authentication tokens and mailbox metadata: OAuth refresh tokens for the Gmail or Outlook mailbox you connect, plus the limited Gmail metadata described in §05 (headers and snippets of threads matching outreach we have sent, used solely for reply detection). We hold these only with your consent. You can revoke access at any time from your provider's security settings or from within Overdrive Engage.
Configuration: the settings you choose in the product (campaigns, templates, send windows, automated triggers, and similar).

Data we process on your behalf as a data processor

When you use Engage, you grant us access to information that lives in your Salesforce org — typically contact and account records (name, email, job title, company), placement and job history, and notes you have written. The Service reads this data to deliver outreach you have configured and to generate AI-personalised content using third-party AI models. You are the controller of this data; we are the processor. We process it only on your instruction and only to provide the Service.

03 How we use personal data and our lawful bases

We use personal data only for the purposes set out below, on the lawful bases stated.

Responding to demo requests and other enquiries — legitimate interests (responding to your request).
Providing the Service to paying customers — performance of a contract with you.
Service-related communications (billing, downtime, security advisories) — performance of a contract and our legitimate interests in keeping you informed.
Compliance — legal obligation (for example, tax record-keeping).
Direct marketing — only with your consent. You can withdraw it at any time.

We do not sell personal data and we do not use it for automated decision-making with legal effects.

04 Sub-processors and third-party services

We use a small set of third-party services to run the product. Each is bound by data processing terms with us and is reviewed for security and data protection.

Vercel Inc. (US/EU) — hosting our marketing site and serverless functions.
Resend, Inc. (US) — sending transactional and demo-request emails.
Anthropic PBC (US) — generating AI-personalised email content (Claude) from data drawn from your Salesforce org. Gmail data obtained via Google APIs is not sent to Anthropic or any other AI provider, and is not used to train any AI or machine learning models.
Salesforce, Inc. — your own Salesforce org is where Engage operates; we are not the controller of data inside your org.
Google LLC / Microsoft Corporation — when consultants connect Gmail or Outlook accounts via OAuth to send email.

We will keep this list current and notify customers of material changes to sub-processors via email or in-product notification.

05 Google API Services and Gmail data

When you connect a Gmail account to Overdrive Engage, we request the following Google OAuth scopes:

https://www.googleapis.com/auth/gmail.send — to send outreach emails on your behalf as part of sequences you have configured. Emails are sent from your own mailbox and appear in your Sent folder.
https://www.googleapis.com/auth/gmail.readonly — to detect replies to outreach you have sent so we can automatically pause subsequent steps in a sequence and log the reply against the corresponding contact record in your Salesforce org. We read only the headers (From, To, Subject, In-Reply-To, References, Date) and message snippets of recent threads matching outreach we have sent. We do not read, store, modify, label, archive, or delete any other messages in your mailbox.
https://www.googleapis.com/auth/userinfo.email — to identify the Google account you have connected.

Limited Use. Overdrive Engage's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, in respect of data obtained through Google APIs we do not:

transfer this data to third parties except as necessary to provide or improve user-facing features that are prominent in the application's user interface, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users;
use or transfer this data for serving advertising, including retargeted, personalised, or interest-based advertising;
use this data to develop, improve, or train generalised AI and/or machine learning models. AI personalisation features in Overdrive Engage are powered by data drawn from your Salesforce org (such as contact and job history fields you select), not from Gmail content;
allow humans to read this data, unless we have your affirmative agreement for specific messages, where it is necessary for security purposes (for example, investigating abuse), to comply with applicable law, or where the data has been aggregated and anonymised for internal operations.

Storage and retention

OAuth refresh tokens are stored encrypted at rest. Reply detection metadata (message IDs, headers, and short snippets) is stored only for as long as required to power reply tracking and sequence pausing — typically up to 90 days, or until you disconnect the Gmail account, whichever is sooner.

Revoking access

You can revoke Overdrive Engage's access to your Gmail account at any time at myaccount.google.com/permissions, or by disconnecting the mailbox from within the Overdrive Engage setup screen in Salesforce. On revocation, stored tokens are deleted and reply tracking stops immediately.

06 International transfers

Some of our sub-processors are based outside the United Kingdom and may store or process personal data in the United States or the European Union. Where we transfer personal data outside the UK, we rely on UK-recognised transfer mechanisms — primarily UK Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision where one applies.

07 How long we keep personal data

Demo requests: retained for up to 24 months from your last interaction with us, then deleted unless you have become a customer.
Customer accounts: retained while your account is active and for 90 days after termination, after which most data is deleted.
Server logs: 30 days.
Billing records: retained for up to 7 years for tax purposes, in line with HMRC requirements.

08 Your rights under UK GDPR

You have the following rights in relation to your personal data:

Access the personal data we hold about you
Have inaccurate or incomplete data corrected
Have your data erased (the right to be forgotten)
Restrict our processing in certain circumstances
Receive your data in a portable, machine-readable format
Object to processing based on legitimate interests
Withdraw consent where consent is the lawful basis
Lodge a complaint with the Information Commissioner's Office at ico.org.uk

To exercise any of these rights, write to us at our registered office (see §12). We will respond within 30 days, or earlier where required.

09 Cookies

We use only the minimum cookies necessary to operate the site:

Essential session cookies set by Vercel for performance and security.
We do not use analytics, advertising, or other tracking cookies on this site.

Because we use no non-essential cookies, we do not display a cookie banner. If we add analytics or marketing cookies in future we will request consent before setting them.

10 Security

We protect personal data with technical and organisational measures appropriate to the risk, including TLS encryption in transit, encryption at rest, restricted access on a need-to-know basis, audit logging, and regular review of our sub-processors. No system is perfectly secure; if a breach occurs that is likely to result in risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, in line with UK GDPR.

11 Changes to this policy

We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the most recent revision. For material changes affecting customers, we will email you at the address we have on file.

12 Contact

Questions, complaints, or requests under UK GDPR — please write to us at our registered office:

Hudson & Flowerdew Ltd
Unit C, Regent House,
9 Crown Square, Poundbury,
Dorchester, England, DT1 3DY,
United Kingdom