
About this privacy policy

This privacy policy explains what Ebsta does with personal data.  Please read it carefully.  If there is anything you don’t understand, please email us at and we will be happy to explain further.

We last updated this privacy policy on the 31st October 2015.  As our various services grow and evolve, and as changes in the law arise, we may need to update it from time to time.  Updated versions will be posted on this page.  If appropriate, we will also notify those affected by email of any significant changes.

Who we are and What we do

We are Ebsta Limited.  Our main office is at Congress House, 23-28 Great Russell Street, London, WC1B 3LS.

We offer two products: the base Ebsta browser extension, which has limited functionality, and the full Ebsta Managed Package.  There are significant differences between how each product handles personal data, which we explain below.

Base Ebsta browser extension

The base browser extension works with your Salesforce account, your browser-based email and your calendar, allowing you to see Salesforce information about a person from your email, to update Salesforce from within your email and to synchronise your Salesforce calendar with your Google calendar.  It also works with social networks and certain other sites, to show the user information which they have in Salesforce about a person when you view their profile or website.  We may add additional functionality to the base browser extension in future, for example by supporting additional websites or services.

Ebsta Managed Package

The full Ebsta Managed Package is an enterprise product which keeps track of who your team are exchanging emails with and extracts key information from those email exchanges (e.g. contact details in email signatures and the frequency of email exchanges). We use that information to create a record for everyone your company exchanges emails with, and those records are then compared to your CRM data in Salesforce to identify which records are new, what updates might be available and the depth or currency of each relationship.

In summary, the Ebsta Managed Package uses best endeavours to show:

  • A chronological list of emails anyone in your business has exchanged with an individual contact or an entire account
  • If the contact details for a person in Salesforce do not match the signature block in their most recent email to someone in your business
  • Who else in your organisation has interacted with a particular customer or prospect, who they interacted with, when and how
  • Other key information extracted from emails including when contacts have moved jobs

What we collect, what we do with it and why

We mainly collect personal data:

  • from our users’ Salesforce accounts
  • from our users’ emails
  • via our browser plugin
  • using cookies

We also create and analyse statistical data based on the data we collect, in order to identify market trends and metrics, to improve our services and for other related commercial purposes.  We process personal data to the extent necessary to create that statistical data.  We cannot identify any individual from that statistical data and, in the interests of clarity, it will not include any information specific to the business that is our customer.


When someone creates an account with us to use any of our services, we ask them to authorise us to interact with their Salesforce account.  We use that authorisation to access the information we need in Salesforce for account administration, for providing our services and for communicating with your business about our services.  You can read more detail about any of those purposes below.

Account administration

As part of our account creation process, we collect contact details and related data from each Ebsta user’s Salesforce account.

We collect that data in order to allow us to create and administer users’ accounts with us, to set up the business they work for as our customer, to enable us to communicate with our customer about our services, to assess the correct licensing levels for our customer, to ensure compliance with our terms of service and to enable us to provide our services effectively.  In our terms of service, the business that is our customer has agreed that we can do this, and that it has the right to allow it.

Providing our services

To provide our services, we obviously need access to the data in the customer’s Salesforce organisation.

For the Ebsta Managed Package, we do retain copies of that data on our systems.  Doing so enables us to provide the greatly enhanced functionality offered by the Managed Package.  Users can revoke our access to their Salesforce account at any time, although of course if they do so we will not be able to continue to provide the Managed Package.

Communications about our products and services

We also use the contact details we collect in the course of account administration to inform users from time to time about new products or services which we offer, and to invite our customers to consider upgrading to additional services.  We will not use that data to market anyone else’s products or services, and we will stop sending non-essential communications to users if they ask us to.


A key part of our services is the ability to analyse and cross-reference the CRM data with data locked up in a customer’s email mailboxes.  How we handle emails differs considerably between the base browser extension and the full Ebsta managed package, as set out below.

Browser extension

For the browser extension, cross-referencing is done purely transiently as needed, and we do not retain copies of any emails.

Managed Package

For the Managed Package, when a customer signs up to use it we ask them to authorise us to access and analyse their business’ emails in order to provide that service.  We do that by means of the relevant email vendor’s API (if the email is accessed via a cloud service such as Google Apps or Office 365) or by interfacing directly with the customer’s email system (such as Exchange).

We do retain copies of emails which we analyse as part of providing the managed package, because it is necessary in order to provide that service.

Managed Package customers can control the visibility of emails within their organisation, either by each individual end user setting permissions in respect of his or her own email or, in the case of our enterprise services, by the customer’s administrator setting global permissions applicable to all users within that customer’s business.

Please note that, unless you set permissions correctly, emails held in mailboxes connected to Ebsta will be visible to other people working in your organisation.

In our terms of service, our customer has agreed that we can do this, and that it has the right to allow it on behalf of its users.  It is our customer’s responsibility to ensure that it sets permissions correctly to ensure that users do not see emails that they should not see.

We do not share the contents of the emails we collect with anyone outside a customer’s organisation.

Managed Package Fair Usage Policy

The following fair usage terms apply –

  1. Volume of emails processed per annual subscription – Ebsta will attempt to process up to 20,000 emails per individual annual subscription (shorter contracts will be calculated pro-rata). If this limit is exceeded Ebsta reserves the right to stop processing emails for the mailbox in question until a new subscription is assigned.
  2. Processing of historical emails – Ebsta charge a set-up fee to process historical emails. This set-up fee is calculated on the number of months’ worth of historical data the Customer wants processed into Ebsta. We apply a fair usage cap of 20,000 emails per 12 months of historical data purchased (calculated on a pro rata basis for shorter periods). If this fair usage cap is exceeded Ebsta reserves the right to stop processing emails for the mailbox in question until an additional set up fee is agreed.
  3. Transfer of license between email addresses – Customers may transfer mailbox licenses mid-term without charge. The original mailbox will become inactive, and Ebsta will attempt to process emails for the new mailbox from the date the license is allocated. If the Customer wants historical emails processed for the new mailbox a separate set up charge will apply.
  4. Data sourced from inactive mailboxes – Ebsta will continue to make data sourced from inactive mailboxes visible as long as the customer has live licenses for a minimum of 50% of the mailboxes under management.
  5. Viewing the Ebsta Managed Package – Users that have a paid subscription/active mailbox connected to Ebsta get unrestricted access to the Ebsta managed package services they have subscribed to. Ebsta reserves the right to limit access or functionality to users that do not have a paid subscription.

Browser Plugin

We use the browser plugin itself to collect the personal data described below.  The browser plugin does not collect any other personal data.  In particular, we do not intercept any secure communications or collect any login information.

Information about the websites our users use with our service

Our browser plugin collects information about websites you visit.  Doing this helps us to understand how our customers use our services and which websites they use them with, so we can work out where to concentrate our improvement efforts; for example, if a large number of people are using our services with a particular website, that information will help us to know that we need to direct more resources to ensuring that our services work well with that website.

Information about other browser plugins

Our browser plugin also collects information about other browser plugins installed in the user’s browser.  We do this to help us to understand how our customers use our services in conjunction with other products, to help us to detect and fix incompatibilities between plugins and to help us improve our services.


Like most web services, we use cookies to allow our services to work properly, and to provide us with feedback on how people use our services and our website so we can make them better.

Cookies are small text files stored in a browser’s cache by our servers and which our servers can read when that browser accesses our site or our services.  The Information Commissioner’s website has more detail about how cookies work generally here

We assume that people using our services or accessing our website consent to our use of cookies.  You can of course disable cookies in your browser settings, but large parts of our services will cease to work as a result.

Who we share personal data with and why

We share personal data with some of our suppliers to the extent necessary to allow us to provide and market our own services.  For example, personal data will be stored by our hosting providers, and payment information will be processed by our payment processor.  We would be happy to provide further details to our customers about the suppliers we use to process data for us; please contact for more information.

Export of personal data outside the EEA

In certain limited circumstances, we do export personal data outside of the EEA for processing, and we do use third party service providers who do the same.  We only do that if there is a good reason to do it and where adequate safeguards (such as the appropriate contractual arrangements with suppliers) are in place.  For example, we process personal data on Amazon’s AWS platform at a number of geographical locations around the world in order to improve the speed and resilience of our service.

Our security precautions

We protect our own systems with appropriate technical and organisational measures, including firewalls, access control systems, strong passwords, anti-virus software, and robust information security policies.  We actively monitor our systems for signs of attack or intrusion.

However, there are certain aspects of the security of personal data processed by us which are beyond our control.  In particular:

  • Personal data stored in a user’s account with us is only as secure as the password which is used to access that account. We expect our users to keep their passwords secure, and to change them promptly if they are compromised.
  • We access our customers’ external cloud services such as Salesforce and Office 365 using security access tokens issued to us by the provider of that service. We cannot control, and are not responsible for, any security failure in that provider’s systems or APIs.

Your rights over your personal data

Asking us to stop processing your personal data

We will generally stop processing a person’s personal data if they ask us to, unless we have a good and lawful reason to continue doing so (such as to recover a debt or to investigate abuse of our services).  However, if an Ebsta user asks us to stop processing their personal data, then depending on the precise scope of the request we may not be able to continue to provide our services to that user, or the customer that user works for.  We do not offer refunds in those circumstances.

Opting out of marketing communications

Except for information which an Ebsta user has specifically requested from us, our marketing communications and newsletters will always provide a reasonably obvious means of opting out of such communications in future.  In any event, if you want to stop receiving some or all marketing communications from us, you can let us know by email to or by writing to our head office at the address above, for the attention of the compliance team.

Accessing your personal data held by us

If you want to exercise a legal right to access your personal data held by us, the easiest and most efficient way to do so is to email or write to our head office at the address above, for the attention of the compliance team.  We may make a charge of up to £10 to cover our costs in responding to such requests.