1. Introduction
Torbi is operated by Thinkerwave AITech Private Limited ("Torbi", "we", "us", "our"), a company incorporated in India. We provide an AI-powered platform that reads public buying signals across the web — imports, expansions, hiring, RFQs, regulatory filings — and matches those signals to the products and services our customers sell.
This Privacy Policy describes what information we collect, why we collect it, how we use and share it, and the rights you have. It applies globally and reflects our obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), India's Digital Personal Data Protection Act, 2023 (DPDP Act), and other applicable laws.
Two-audience policy. Some sections describe how we treat data about our customers — people who sign up to use Torbi. Other sections describe how we treat prospect data — information about businesses (and their public points of contact) that customers research using Torbi. If you're a prospect and want your data removed, jump to Section 11.
2. Who this applies to
This policy covers three groups:
- Customers and users — individuals and businesses who create a Torbi account, use the product, or contact us;
- Prospects — businesses, and the publicly listed business contacts within them, whose information appears in our prospect database;
- Site visitors — anyone visiting our website at torbi.ai or our subdomains.
3. Information we collect
3.1 Information you provide as a customer
- Account information — name, work email, password (stored as a hash), company name, role, and country.
- Workspace content — your company URL, product catalogue, target markets, outreach templates, sequences, and CRM-style notes you save inside Torbi.
- Connected-account data — if you connect Gmail, Outlook, HubSpot, Salesforce, or another tool to your workspace, we receive the OAuth tokens and the scoped data those tools return (e.g. sent messages, contact records). The exact scopes for each integration are listed in your workspace settings, and you can disconnect at any time.
- LinkedIn actions, where you choose to use them — Torbi does not maintain a LinkedIn integration that operates on your behalf in the background. Where Torbi assists with LinkedIn outreach, it does so by drafting copy that you send from your own authenticated LinkedIn session, under your own LinkedIn User Agreement. We do not store credentials for, scrape, or automate actions on LinkedIn outside of what LinkedIn's own products and APIs make available to a user.
- Billing information — billing name, address, GSTIN (for India), VAT ID (for EU), and payment method. Payment card numbers are tokenised by our payment processor — we never see or store the full card.
- Support and feedback — messages you send to support, screenshots you attach, survey responses.
3.2 Information we collect automatically when you use the product
- Usage data — pages visited, features used, searches run, prospects unlocked, outreach drafted, time spent.
- Device data — IP address, user-agent, operating system, browser, device type, approximate location (city-level, from IP), referring URL.
- Cookies and similar technologies — see Section 12.
3.3 Prospect data — the orchestration model
Torbi is a data orchestration platform. We do not maintain our own scraped contact database, and we do not own the underlying personal data we surface to customers. Instead, the prospect data shown in Torbi is assembled from two distinct pipelines:
(a) Company-level public data we index directly. Information about businesses — not people — that we read from public sources and structure into signals:
- Company name, registered address, industry codes, employee count, public revenue estimates;
- Websites, domains, observed technology stack, and other publicly observable web facts;
- Buying signals derived from public sources — imports and exports (customs records), regulatory filings, hiring posts on public careers pages, public RFQs and tenders, press coverage, court records.
(b) Business-contact data routed through licensed Data Partners. Where a customer needs a named contact at a target company, Torbi queries one or more licensed third-party Data Partners (e.g. Apollo, Clearbit, and others — listed at torbi.ai/subprocessors). Each Data Partner is an independent controller of the data it returns, operates under its own published privacy policy and lawful basis, and runs its own opt-out path. Torbi does not maintain a long-term, search-indexable copy of the contact records returned: results are cached only for the limited operational windows described in Section 9, are scoped to the requesting customer's workspace, and are dropped from active matching when a Data Partner notifies us of an opt-out or deletion.
Across the prospect pipeline, the only categories of personal data that may be present are: business email address, business phone number, job title, employer, location at country/city level, and a link out to a publicly accessible profile where the source provides one. We do not intentionally collect personal email addresses, home addresses, government identifiers, financial account details, health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, sexual orientation, or any other Special Category of personal data under Article 9 GDPR.
Where any item of prospect data constitutes personal data under the GDPR, UK GDPR, DPDP Act or similar laws, Torbi processes it on the basis of legitimate interest for B2B prospecting (Art. 6(1)(f) GDPR). We have conducted and maintain a written Legitimate Interests Assessment (LIA) — available on reasonable request to dpo@torbi.ai. See also the rights described in Section 10 and Section 11.
3.4 Bright lines — what Torbi does not do
To make this concrete, Torbi commits that it does not, and will not:
- Scrape LinkedIn, Facebook, Instagram, X/Twitter, or any other social network whose terms of service prohibit automated extraction, and does not store cached copies of profile pages from such services;
- Bypass authentication, paywalls, CAPTCHAs, or rate limits, and ignores no
robots.txtdirective; - Use logged-in customer credentials to harvest data from third-party services for the benefit of other customers;
- Combine business-contact data with consumer datasets, voter rolls, marketing lists, or other consumer-grade personal information;
- Resell, redistribute, or licence Prospect Data as a standalone data product;
- Use Customer Data or Prospect Data to train foundation models — ours or any third party's. See Section 6.
Where you see a link to a LinkedIn (or similar) profile inside Torbi, that URL was provided to us by a licensed Data Partner who supplies it under its own lawful basis, or was constructed from a name and current employer to deep-link out to the source — the click sends you to LinkedIn, where the content is governed by LinkedIn's own terms.
4. Where data in Torbi comes from
4.1 Public sources we read directly (company-level)
For company information and buying signals, we index public sources ourselves. None of these involve personal accounts, logins, or scraped social-network content:
- Company websites and public subpages — homepages, product pages, public careers pages, press pages — accessed within published
robots.txt; - Public business registries — e.g. India's MCA, UK Companies House, Brazil RFB, U.S. SEC EDGAR, EU Open Data Portal;
- Public trade and customs records — bill-of-lading data, import-export filings published by national customs authorities;
- Public regulatory filings and tenders — government procurement portals, environmental clearances, RFQs;
- Public press, court, and indexed news — used within publisher terms and with attribution where required;
- Web indexes and search APIs — used within their published terms and rate limits.
4.2 Licensed Data Partners (contact-level)
For named business contacts inside a target company, Torbi does not maintain its own contact-scraping pipeline. We integrate with a curated set of licensed Data Partners — listed at torbi.ai/subprocessors — and route enrichment queries through them. Each Data Partner:
- Acts as an independent controller of the data it supplies (not as Torbi's processor) and operates under its own published privacy policy;
- Represents that it has a lawful basis for the data it shares (typically legitimate interest for B2B, plus its own consent mechanics for any contact-contribution programmes it runs);
- Maintains its own data-subject-rights and opt-out paths, which Torbi forwards on the partner's behalf when a subject contacts us instead of the partner;
- Is required by contract to honour opt-out signals propagated to it by Torbi (see Section 11).
Where you see a LinkedIn URL, a name, or a work email inside Torbi for a prospect, the most likely path is: a Data Partner supplied it to us in response to a customer query; Torbi cached the response for that customer's workspace for the operational window stated in Section 9; the underlying source (e.g. LinkedIn) is not accessed by Torbi.
4.3 Customer-supplied inputs
The website URL, target market, and product catalogue you give Torbi when you sign up. These guide what we look for, but are not stored as part of a public prospect dataset.
5. How we use information
We process information for these purposes and on these lawful bases:
| Purpose | Examples | Lawful basis (GDPR) |
|---|---|---|
| Providing the service | Matching signals to your catalogue, generating prospect lists, drafting outreach | Contract (Art. 6(1)(b)) |
| Billing and accounts | Charging your subscription, issuing invoices, fraud prevention | Contract; Legal obligation |
| Maintaining the prospect database | Indexing public business data, deduplicating, scoring | Legitimate interest (Art. 6(1)(f)) — B2B prospecting |
| Product analytics & improvement | Understanding usage, fixing bugs, training quality models | Legitimate interest |
| Service emails | Receipts, security alerts, important policy changes | Contract |
| Marketing emails | Product updates, tips, occasional offers (only to customers, with opt-out) | Legitimate interest / Consent (where required) |
| Legal & compliance | Responding to lawful requests, enforcing terms, defending claims | Legal obligation; Legitimate interest |
6. AI & automated processing
Torbi uses machine learning and large language models to (a) classify and score signals, (b) match prospects to your products, and (c) draft personalised outreach copy. We make the following commitments:
- No training on customer content. We do not use your account content — your catalogue, your prospect lists, your sent outreach, your CRM notes — to train foundation models, ours or any third party's. Your data is used to deliver your service.
- Aggregated, de-identified analytics only. Where we improve our matching and ranking models, we use aggregated, de-identified usage signals (e.g. "users who unlocked a prospect responded to it within X days") — not raw customer data.
- Human review available. Where Torbi's automated matching or ranking produces a result that affects you and you'd like a human review, contact privacy@torbi.ai.
- Sub-processors named. The LLM providers Torbi uses are listed on our Subprocessors page. Customer content sent to those providers is processed under zero-retention API agreements.
7. How we share information
We share information only in the following circumstances:
- Subprocessors — vendors that help us run the service (hosting, email delivery, payments, analytics, AI inference). The full list is at torbi.ai/subprocessors.
- At your direction — when you connect a tool (e.g. your CRM, your inbox) or invite a teammate.
- Corporate transactions — in connection with a merger, acquisition, or asset sale, with notice to you and the same protections continuing.
- Legal requirements — to comply with valid legal process, to protect the safety of any person, or to enforce our Terms. We push back on overbroad requests and notify affected customers where lawful.
- Aggregated or de-identified data — we may publish industry benchmarks (e.g. average reply rates) that cannot reasonably be re-identified.
We do not sell personal information and we have not sold or shared personal information for cross-context behavioural advertising in the preceding twelve months as those terms are defined under the CCPA/CPRA.
8. International transfers
Torbi is operated from India and uses subprocessors in the United States, the European Union, the United Kingdom, and Singapore. Where personal data of EU/UK residents is transferred outside those jurisdictions, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK Addendum, together with supplementary measures including encryption in transit and at rest. A copy of our SCCs is available on request to privacy@torbi.ai.
9. Data retention
| Category | Retention |
|---|---|
| Account data | For the life of the account, plus 90 days after deletion (to allow account recovery), then deleted within 30 days. |
| Workspace content | Same as account data. On written request after termination, deleted within 30 days. |
| Billing records | Retained for 7 years to comply with Indian tax and accounting law. |
| Prospect data | Refreshed continuously. Records you have opted out of are suppressed for at least 24 months. |
| Server logs | 30 days, then aggregated. |
| Support tickets | 3 years. |
10. Your rights
Depending on where you live, you may have some or all of the following rights:
- Access — a copy of the information we hold about you;
- Correction — to fix inaccurate or incomplete data;
- Deletion / erasure — to ask us to delete your information, subject to legal retention;
- Objection — to object to processing based on legitimate interest, including B2B prospecting;
- Restriction — to limit processing in certain cases;
- Portability — to receive your data in a portable, machine-readable format;
- Withdrawal of consent — where we relied on consent (e.g. marketing emails);
- Non-discrimination — under the CCPA/CPRA, we will not discriminate against you for exercising your rights;
- Nomination — under the DPDP Act, to nominate another person to exercise your rights in the event of your death or incapacity;
- Complaint — to your local supervisory authority (e.g. ICO in the UK, the Data Protection Board of India under the DPDP Act).
To exercise any right, email privacy@torbi.ai from the address on your account, or use the in-product Privacy & data page. We respond within 30 days (and faster wherever required by law).
11. If you're in our prospect data
If you are not a Torbi customer but received outreach from a Torbi customer, or if your work contact details appear in our prospect database, you have specific rights:
- See what we have. Email privacy@torbi.ai from the address listed and we will send a copy within 30 days.
- Be removed. Email optout@torbi.ai, or use the one-click suppression form at torbi.ai/optout. We add your email to a permanent suppression list within 7 days and we remove your record from active prospect search within 14 days.
- Correct what we have. Same address; we will fix or annotate within 14 days.
- Object to processing. If you object to our processing of your data under legitimate interest, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
We do not require you to be a customer to exercise these rights, and we do not charge a fee.
12. Cookies
We use a small number of cookies and similar technologies:
- Strictly necessary — session, CSRF, load balancing. These cannot be turned off.
- Preferences — remembering your locale and currency choice.
- Analytics — first-party analytics on the marketing site (anonymised IPs). You can opt out via the cookie banner on first visit, or via the Cookie preferences link in the footer.
We do not run third-party advertising or cross-site tracking cookies.
13. Security
We protect customer data with a layered programme: TLS 1.2+ in transit, AES-256 at rest, hardened cloud configuration, least-privilege access, mandatory MFA for staff, quarterly access reviews, annual penetration testing, and 24×7 monitoring. Our subprocessors are SOC 2 Type II or ISO 27001 certified. See Security for the full programme overview.
If you believe you've found a vulnerability, please report it to security@torbi.ai. We respond within 1 business day.
14. Children
Torbi is a business product and is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact privacy@torbi.ai and we will delete it.
15. Changes to this policy
We may update this policy from time to time. Material changes will be notified to active customers by email at least 30 days before they take effect, and a summary of changes will appear at the top of this page. The "Last updated" date at the top reflects the most recent revision.
16. Contact us
For any privacy question, request, or concern:
- Data Protection Officer — dpo@torbi.ai
- Privacy team — privacy@torbi.ai
- Mailing address — Thinkerwave AITech Private Limited, Attn: Data Protection Officer, India
For EU/EEA matters, our EU representative may be appointed under Art. 27 GDPR — request the current designation by email.
Note for review. This Privacy Policy is provided as a working draft based on common SaaS and B2B prospecting practice. Before publishing publicly, please have it reviewed by qualified counsel in the jurisdictions where Thinkerwave operates and sells, and confirm the operational claims (retention windows, subprocessor list, security controls, DPO contact) match the actual programme you intend to run.