Sign Up

Privacy Policy

Privacy Policy

Privacy Policy

Last updated: 27 April 2026

Cloudfind Ltd, trading as Publisher Discovery ("Publisher Discovery", "we", "us", "our"), operates the website at https://www.publisherdiscovery.com, the Publisher Discovery web application, and the Publisher Discovery browser extension (together, the "Services"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how we protect it, and your rights and choices.

If you have questions about this policy or wish to exercise any of your rights, contact us at support@publisherdiscovery.com.

1. Who we are

Cloudfind Ltd, trading as Publisher Discovery, is the data controller for personal data processed through the Services. Our website is https://www.publisherdiscovery.com and our registered office is:

Cloudfind Ltd
Cambridge House
1 Henry Street
Bath
BA1 1JS
England

We are the entity responsible for the verification of the Publisher Discovery application by Google and Microsoft.

2. Summary

The Publisher Discovery web application includes an "Outreach" feature that allows users to send affiliate-partnership emails directly from their own Gmail or Microsoft 365 / Outlook account. To do this, the user grants Publisher Discovery permission, via OAuth 2.0, to send mail on their behalf.

We have designed the Outreach feature to use the minimum scopes that Google and Microsoft offer for sending mail, and we do not read the user's inbox, contacts, calendar, or any other Google or Microsoft data.

The remainder of this policy gives a complete account of the data we access, use, store, share, retain, and delete — including the specific disclosures required by the Google API Services User Data Policy and Microsoft's identity platform terms of use.

3. Google API Services — Limited Use Disclosure

Publisher Discovery's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide and improve the user-facing features of the Outreach product (sending email on the user's behalf and verifying the user's identity at the time of OAuth).
  • We do not transfer Google user data to third parties except as necessary to provide or improve the user-facing features of the Outreach product, to comply with applicable law, or as part of a merger, acquisition or sale of assets with notice to users.
  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data unless (a) we have the user's affirmative agreement for specific messages, (b) it is necessary for security purposes (e.g. investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymised and is used only for internal operations.
  • We do not use any Google user data to train, fine-tune, or otherwise develop generalised AI / machine-learning models. Google user data is not sent to OpenAI, Google Gemini, or any other generative-AI provider for model improvement.

4. Microsoft 365 / Outlook integration

Where the user authenticates with Microsoft, Publisher Discovery acts in accordance with the Microsoft Services Agreement and the Microsoft Identity Platform terms of use. We use the minimum Microsoft Graph permissions necessary to send mail on the user's behalf and verify their identity, and we do not read, store, or process any other Microsoft 365 data.

5. Data we access from Google and Microsoft accounts

When a user enables the Outreach feature, we request the following OAuth scopes:

Google (Gmail) — scopes requested

Scope What it grants Why we request it
https://www.googleapis.com/auth/gmail.send Permission to send mail on the user's behalf via the Gmail API. Does not grant read access to any messages, drafts, labels, threads, or other mailbox data. To deliver outreach emails composed in Publisher Discovery from the user's own Gmail address.
https://www.googleapis.com/auth/userinfo.email The user's primary Google account email address. To verify that the Google account being connected matches the email address on the user's Publisher Discovery account, preventing account takeover and impersonation.

We do not request, and the OAuth grant does not allow us, to: read or list messages, drafts, threads, or labels; access contacts; access Google Calendar, Google Drive, Google Photos, Google Chat, or any other Google service; modify or delete any data in the user's Gmail mailbox other than the act of sending a message via gmail.send.

Microsoft (Outlook / Microsoft 365) — scopes requested

Scope What it grants Why we request it
Mail.Send Permission to send mail as the signed-in user via Microsoft Graph. Does not grant read access to mail. To deliver outreach emails from the user's own Outlook / Microsoft 365 mailbox.
offline_access Issuance of a refresh token so that emails can be sent on a delivery schedule without re-prompting the user. To allow scheduled delivery and queued sending.
openid, email, profile The user's sign-in identifier and primary email address. To verify that the Microsoft account being connected matches the email address on the user's Publisher Discovery account.

We do not request access to Outlook calendar, contacts, files, Teams, or any other Microsoft 365 resource.

6. How we use Google and Microsoft user data

We use the data obtained through the OAuth grants described in Section 5 only for the following purposes:

  1. Sending outreach emails the user has composed. When the user clicks "Send" in Publisher Discovery, the message (subject, body, recipient, optional CC/BCC) is queued for delivery and subsequently transmitted to Gmail or Microsoft Graph using the user's OAuth credentials.
  2. Identity verification at connection time. We read the user's primary email address from Google or Microsoft once at the moment of OAuth, compare it to the email on their Publisher Discovery account, and reject the connection if it does not match. We do not poll or re-read this address afterwards.
  3. Maintaining a sending session. We use the refresh token issued by Google or Microsoft to obtain short-lived access tokens for the sole purpose of sending queued emails on the user's chosen schedule.
  4. Operational logging for security and abuse prevention. We log the success or failure of send operations (timestamp, recipient address, message ID, error code where applicable) so we can investigate delivery problems and prevent misuse.

We do not use Google or Microsoft user data to:

  • train, fine-tune, or otherwise develop AI / machine-learning models;
  • target advertising;
  • build user-level profiles for marketing purposes;
  • enrich, sell, or licence data to third parties.

7. AI-generated email content

Publisher Discovery offers an AI assistant that helps users draft outreach emails. The AI assistant operates on the following inputs provided by the user within Publisher Discovery — not on the user's mailbox:

  • The publisher / partner the email is addressed to (domain, public website content, prior outreach context within Publisher Discovery).
  • The user's own campaign configuration (company name, value proposition, commission structure, signature, language preferences).
  • Optionally, examples of previously sent emails the user has chosen to use as tone references.

These inputs are sent to Google Gemini for the sole purpose of generating a draft email body, which is returned to the user for review before any send. The user's Google or Microsoft OAuth tokens, mailbox contents, and contact lists are never sent to Gemini or any other AI provider. The user is always shown the generated draft and must explicitly choose to send it.

8. Data sharing with third parties

We share data only with the following categories of recipients, and only for the purposes described:

Recipient Data shared Purpose
Google LLC OAuth tokens (handled by Google), the user's outbound email content, the user's primary email address. To deliver email from the user's own Gmail account.
Microsoft Corporation OAuth tokens (handled by Microsoft), the user's outbound email content, the user's primary email address. To deliver email from the user's own Outlook / Microsoft 365 account.
Google Cloud (Gemini API) The user's draft prompt inputs (campaign config, publisher domain, optional reference emails) — see Section 7. To generate AI-assisted email drafts for the user's review.
OpenAI Page text and domain names submitted via the Publisher Discovery browser extension — see Section 14. To power AI-assisted content auditing and email-generation features in the extension.
Apollo.io Publisher domains submitted for contact enrichment. We pass domains to obtain professional contact data (name, title, business email, LinkedIn URL). Acceptance of the Apollo Flow Down Terms is a precondition to using the Outreach feature. To suggest appropriate contacts at publisher organisations to reach out to.
Cloud infrastructure providers (Google Cloud Platform) All data we hold, in encrypted form, as part of normal hosting. To host the Services. See Section 9.3 for the hosting region.
Analytics and error-reporting providers Usage events and error traces. We do not include the contents of outreach emails or Google / Microsoft user data in analytics events. To monitor and improve the Services.

We do not sell personal data, and we do not share Google or Microsoft user data for advertising purposes.

We may disclose data where legally required (lawful subpoena, court order, or other legal obligation), or in connection with a corporate transaction (merger, acquisition, sale of assets), in which case we will notify users in advance where lawful to do so.

9. Data storage and security

9.1 OAuth refresh tokens

Refresh tokens issued by Google and Microsoft are never stored in the main Publisher Discovery application database. Instead, they are forwarded immediately to a separate, isolated token-handling service operated by Publisher Discovery, where they are:

  • encrypted at rest using Google Cloud KMS envelope encryption with the Tink cryptographic library;
  • accessible only to the service identity that performs send operations;
  • never returned to the front-end or browser;
  • never logged in plaintext.

The main Publisher Discovery web application holds no copy of the refresh token at any time after the OAuth callback.

9.2 Email content

Email content (subject, body, recipient, optional CC/BCC) is held in a queue table in our database while the message is awaiting delivery. After delivery, a record of the send (recipient address, subject, send timestamp, delivery status, message identifier) is retained as part of the user's outreach history so that the user can audit what they have sent. The full message body is retained alongside this history for the user's own review unless the user deletes it.

9.3 Hosting and other data

All Publisher Discovery data is hosted on Google Cloud Platform in the europe-west1 region (Belgium). Data in transit is protected with TLS 1.2 or higher. Data at rest is protected by cloud-provider disk encryption. Access to production data is restricted to a small number of authorised engineers, controlled via single-sign-on with multi-factor authentication, and audited.

9.4 Account-to-account binding

When a user connects a Google or Microsoft account to Publisher Discovery, we verify that the email address returned by the identity provider matches the email address on their Publisher Discovery account. If it does not, we reject the connection and store nothing. This prevents a Publisher Discovery user from sending mail under a different person's identity.

10. Data retention and deletion

10.1 Disconnecting Google or Microsoft

The user can disconnect their Google or Microsoft account at any time from the Outreach configuration screen. When they do, Publisher Discovery deletes its stored copy of the OAuth refresh token, after which the application can no longer send mail on the user's behalf, and removes any pending queued sends that have not yet been transmitted.

Disconnecting from within Publisher Discovery removes our record of the token but does not, by itself, revoke the original grant at Google or Microsoft. Users can additionally revoke the grant directly with the identity provider — see Section 11.

By default, the user's outreach history (records of emails they have previously sent) is preserved so that the user retains an audit log of their own activity, even after disconnection.

10.2 Account closure

If the user closes their Publisher Discovery account, or if they request deletion of all their data:

  • All OAuth refresh tokens associated with the account are deleted from our token-handling service.
  • All outreach history, queued messages, drafts, configuration, signatures, and personas are deleted from our databases within 30 days, except where we are required by law to retain certain records (e.g. financial records under HMRC retention rules).
  • Backups containing the data are overwritten on the normal backup-rotation cycle and are not restored.

10.3 Targeted deletion

Users can request deletion of specific outreach-history records or specific stored email content directly from the application, or by emailing support@publisherdiscovery.com. We action targeted deletion requests within 30 days.

10.4 Token-only retention limits

If a user has connected Gmail or Outlook but has not used the Outreach feature for 180 consecutive days, we automatically delete the stored refresh token. The user can reconnect at any time.

10.5 Website comment data

Where a visitor leaves a comment on https://www.publisherdiscovery.com, the comment and its metadata are retained indefinitely so that follow-up comments can be recognised and approved automatically rather than held in a moderation queue. Registered users of the website can see, edit, or delete the personal information in their user profile at any time, except they cannot change their username. Website administrators can also see and edit that information.

11. Your rights

Depending on your jurisdiction, you have the right to: access the personal data we hold about you; correct inaccurate or incomplete data; request deletion of your data ("right to erasure"); object to or restrict our processing; receive a copy of your data in a portable format; and lodge a complaint with a supervisory authority (in the UK, the Information Commissioner's Office at https://ico.org.uk/).

If you have an account on https://www.publisherdiscovery.com or have left comments there, you can also request an exported file of the personal data we hold about you, including any data you have provided to us, and request that we erase any personal data we hold about you. This does not include data we are obliged to keep for administrative, legal, or security purposes.

To exercise any of these rights, contact support@publisherdiscovery.com. We will respond within 30 days.

For data accessed via Google APIs, you can additionally manage and revoke Publisher Discovery's access at any time at https://myaccount.google.com/permissions. For Microsoft accounts, you can do the same at https://account.live.com/consent/Manage (consumer) or your tenant's Enterprise Applications page (Microsoft 365 work / school accounts).

12. International transfers

Publisher Discovery is established in the United Kingdom and hosts production data in the European Union (Google Cloud europe-west1). Some processing necessarily takes place in the United States, where Google, Microsoft, OpenAI, and certain other sub-processors are headquartered. Where data is transferred outside the UK / EEA, we rely on Standard Contractual Clauses or the UK / EU adequacy regulations applicable to the receiving country.

13. Children

The Services are not directed to, and we do not knowingly collect personal data from, children under 16. If you believe a child has provided personal data, please contact us so we can remove it.

14. Browser extension — additional disclosures

To provide partnership insights and AI-powered outreach, the Publisher Discovery browser extension processes the following data while in active use:

  • Page content — the text and URL of the active tab, analysed to calculate SEO scores, identify competitors and partnership opportunities, and generate context-aware email drafts. Page content is not retained beyond the session unless the user explicitly saves a record.
  • Usage telemetry — anonymised feature-usage events, used to improve the extension.

To power its features, necessary data (such as page text or domain names) is processed by our trusted partners:

  • OpenAI — for content auditing and email generation.
  • Apollo.io — for enriching business contact information.

The browser extension does not access or read Gmail, Outlook, Google Drive, Microsoft OneDrive, or any other authenticated user-data service. The Outreach OAuth flow described above is initiated only from the Publisher Discovery web application, never from the extension.

Your data is never sold. By continuing to use the extension, you agree to this Privacy Policy and to our Terms of Service.

15. Website cookies, comments, media, and embedded content

15.1 Cookies

When you visit https://www.publisherdiscovery.com, we use cookies for session management, security (CSRF protection, login state), preference storage, and analytics. You can control cookies via your browser settings; disabling them may impair some features.

If you leave a comment on the site, you may opt in to saving your name, email address, and website in cookies for your convenience, so you do not have to fill those details in again. These cookies last for one year. If you visit our login page, we set a temporary cookie to determine if your browser accepts cookies; this cookie contains no personal data and is discarded when you close your browser. When you log in we also set cookies to save your login information and screen-display choices: login cookies last for two days; screen-options cookies last for a year. If you select "Remember Me" your login persists for two weeks. If you log out, the login cookies are removed. If you edit or publish an article on the site, an additional cookie is saved in your browser containing no personal data, simply the post ID of the article you just edited; it expires after one day.

15.2 Comments

When visitors leave comments on the site, we collect the data shown in the comments form, plus the visitor's IP address and browser user-agent string, to help with spam detection.

15.3 Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

15.4 Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles). Embedded content from other websites behaves in exactly the same way as if the visitor had visited the other website directly. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with it if you have an account and are logged in to that website.

15.5 Analytics

We use analytics tools to understand how visitors use the website. Analytics events do not include the contents of outreach emails or any Google / Microsoft user data.

16. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Where changes are material — in particular, where we expand the scope of data we collect from Google or Microsoft accounts — we will notify users in advance by email and via in-product notification, and we will not apply the change retroactively.

17. Contact

Privacy questions, deletion requests, and other privacy-related correspondence:

support@publisherdiscovery.com

Cloudfind Ltd
Cambridge House
1 Henry Street
Bath
BA1 1JS
England