Data Processing Addendum
Effective
1. Parties and scope
Parties. vondot GmbH (Illstraße 3, 6800 Feldkirch, Austria — FN 525834 k) — referred to as "Overwise" or "we"; and the customer named in the underlying subscription — referred to as "Customer" or "you".
Scope. This Data Processing Addendum ("DPA") governs the processing of Personal Data carried out by Overwise on behalf of the Customer in connection with the Overwise service. It supplements the Terms of Service and the Privacy Policy. For the Founder Team plan this DPA is automatically incorporated into the contract. For the Starter and Growth plans it is provided on request to [email protected] (we respond within five business days). The DPA-related arrangements that affect lead-data-subjects independently of any one customer are summarised in the Privacy Policy and apply regardless of plan.
2. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Personal Data Breach" have the meanings given by the GDPR.
"Service" means Overwise as described at overwise.com.
"Sub-processor" means a third party engaged by Overwise to process Personal Data on behalf of the Customer.
"Applicable Data Protection Laws" means the GDPR, the Austrian Data Protection Act (DSG), the UK GDPR and the UK Data Protection Act 2018, the Swiss revised Federal Act on Data Protection (revDSG), the California Consumer Privacy Act / CPRA and other US comprehensive privacy laws to the extent applicable, and any other law applicable to a party's Processing of Personal Data under this DPA.
"SCCs" means the Standard Contractual Clauses set out in Commission Decision (EU) 2021/914 of 4 June 2021.
"DPF" means the EU-US Data Privacy Framework, and where relevant the UK Extension and the Swiss-US DPF.
"TIA" means a Transfer Impact Assessment carried out in line with the European Data Protection Board Recommendations 01/2020.
3. Roles and allocation of responsibility
Overwise plays three roles, mirroring the Privacy Policy Section 2.
- Sole Controller for account, billing and website-analytics data, and for the public-source lead pool (PublicLead) that Overwise builds on its own initiative.
- Joint Controller with the Customer (GDPR Art. 26) for the interface at which the Customer's ICP is applied to the lead pool and a specific lead is selected for outreach. The essence of the joint-controllership arrangement is set out in the Privacy Policy Section 2 and is summarised in Annex A to this DPA so the Customer can rely on it in its own records.
- Processor for the Customer for everything the Customer creates or imports inside the Customer's project: campaign content, ICP and brand-voice configuration, draft messages, sent messages, replies, brand-voice samples, manually uploaded leads, suppression-list entries and engagement events.
This Section 3 governs the Processor relationship. The Sole-Controller and Joint-Controller relationships are governed by the Privacy Policy and, for the joint-controllership, by Annex A to this DPA.
4. Processing on documented instructions
Overwise processes the Customer's Personal Data only on documented instructions from the Customer (Art. 28(3)(a) GDPR), which include (a) the configuration the Customer makes inside the product (ICP, campaign settings, sender configuration, suppression list, autopilot toggles), (b) this DPA, and (c) the Terms of Service. Overwise will inform the Customer without undue delay if, in Overwise's view, an instruction infringes Applicable Data Protection Laws.
5. Confidentiality and Austrian data secrecy
Overwise ensures that personnel authorised to process Personal Data are subject to a binding obligation of confidentiality. As an Austrian-domiciled processor, Overwise has bound its personnel to the Austrian data-secrecy obligation under § 6 DSG; this obligation persists after termination of the engagement, regardless of where the processing takes place. Personnel access to Customer Personal Data is restricted to staff who require it to perform the Service and to satisfy this DPA.
6. Security (Art. 32 GDPR)
Overwise implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
- AES-256 encryption at rest for all Personal Data stored in primary and vector databases, and for mailbox refresh tokens (envelope encryption)
- TLS 1.3 for all data in transit
- OAuth-only authentication for end users; multi-factor authentication enforced for all administrative access and available for end-user accounts
- Least-privilege role separation; provisioning and deprovisioning logged
- Audit logging of administrative access; logs retained 90 days
- Network segmentation; private subnets for primary database and vector store; no public network exposure of stateful services
- Encrypted backups with restricted access; backup recovery tested quarterly
- Pseudonymisation where feasible
- Secrets scanning in CI; dependency vulnerability scanning; weekly patch cadence for critical issues
- Documented incident-response runbook; on-call rotation; post-incident review with root-cause analysis
The full security architecture is documented at /security. Measures may evolve to keep pace with the state of the art; the Customer is informed of any material change.
7. Data subjects and types of Personal Data
Data subjects: the prospects / leads the Customer targets via Overwise; the Customer's own team members with Overwise accounts.
Types of Personal Data processed on the Customer's behalf: name, business email, business phone, public LinkedIn / Instagram profile URLs, company affiliation, role, public-source enrichment signals (hiring page, recent funding, tech stack), brand-voice samples (sent-folder excerpts the Customer chooses), outreach correspondence (drafts, sent messages, replies), engagement events.
Special-category data (Art. 9 GDPR). Overwise does not solicit, infer, score or use Special-category data for any purpose. The Customer instructs Overwise to handle any Special-category data that is incidentally received via the mailbox synchronisation feature only as strictly necessary to operate the Service: in-transit handling, reply classification (positive / negative / out-of-office / referral / unsubscribe), suppression and storage in line with the retention schedule. Such data is never used as input to ICP scoring, trust scoring, brand-voice training, or any model. The Customer warrants that it will not deliberately upload or paste Special-category data into Overwise and acknowledges that doing so is outside the agreed scope of processing.
8. Sub-processors
The Customer hereby gives general written authorisation under Art. 28(2) GDPR for Overwise to engage Sub-processors. The current Sub-processors are:
- Anthropic, PBC — LLM (drafting and reply classification) — USA (Delaware)
- OpenAI Ireland Limited as data-processing entity for EEA-routed inference and OpenAI, L.L.C. as the ancillary entity for account and billing — embeddings and fallback LLM — IE / USA
- MongoDB Limited (Ireland) for EEA-hosted clusters / MongoDB, Inc. (Delaware) for non-EEA — primary database, hosting region EU-Central (Frankfurt) — IE / US
- Qdrant Solutions GmbH — vector database (brand-voice and contact similarity) — Germany
- Stripe Payments Europe, Ltd for EEA Customers / Stripe, Inc. for US Customers — subscription billing — IE / US
- Resend Inc. — primary transactional email — USA (Delaware)
- ActiveCampaign, LLC (Wildbit business unit / Postmark) — transactional email failover — USA
- Sideguide Technologies Inc. (d/b/a Firecrawl) — website rendering for lead research — USA (Delaware)
- Apify Technologies s.r.o. — optional lead-discovery scraping — Czechia (Prague)
- Functional Software, Inc. (d/b/a Sentry) — error tracking — USA
- Plausible Insights OÜ — cookieless analytics for overwise.com — Estonia
The live list, including current DPA links, sits at /security. Overwise gives the Customer at least 30 days' prior written notice (subscribable at /security) before adding or replacing a Sub-processor. The Customer may object on reasonable data-protection grounds within 15 days; if the parties cannot agree on a remedy, the Customer may terminate the part of the Service affected without penalty.
9. International transfers (Chapter V GDPR)
Primary Processing of Customer Personal Data remains in the EU (Frankfurt). For transfers outside the EEA, Overwise relies on one of the following mechanisms, selected case by case for the specific receiving entity:
- DPF where the receiving entity is currently on the active DPF list at dataprivacyframework.gov/list. Overwise verifies the entity before each Sub-processor change and re-publishes the live mapping at /security.
- 2021 SCCs, with the module that matches the actual roles:
· Module 2 (Controller-to-Processor) for Anthropic, OpenAI, Resend, Postmark (ActiveCampaign), Sentry, Apify, Firecrawl, Qdrant, MongoDB and other Sub-processors acting as processors for Overwise.
· Module 3 (Processor-to-Processor) for Sub-processor transfers chained from the Customer relationship (where Overwise as Customer's Processor onward-transfers to a Sub-processor).
· Module 1 (Controller-to-Controller) for Stripe, which acts as an independent Controller for fraud detection and AML purposes under its own DPA, and for any other transfer Overwise makes in its Controller capacity (public-source lead pool) to an independent-Controller provider. Module 1 is not used for the Sub-processors listed in Section 8 acting as our processors.
- UK Addendum (IDTA) for transfers involving UK Personal Data.
- Swiss SCC addendum for transfers involving Swiss Personal Data.
- TIA per receiving entity following the EDPB Recommendations 01/2020 methodology; reviewed at least annually and on triggers (FISA §702 reauthorisation, Executive Order 14086 on signals intelligence, new SCC versions). Summaries provided on request.
10. Assistance with data-subject requests
Overwise assists the Customer in fulfilling its obligations under Art. 12-23 GDPR through appropriate technical and organisational measures: in-app data export and account deletion, the suppression flow at /suppress, and response tooling. If a data-subject request reaches Overwise that concerns Customer Personal Data, Overwise forwards it to the Customer without undue delay, and in any event in time to enable the Customer to respond within the Art. 12(3) GDPR timelines.
11. Personal Data breach notification
Customer breaches. Overwise notifies the Customer of a confirmed Personal Data Breach affecting the Customer's Personal Data without undue delay, and in any event within 24 hours of confirmation. The initial notification contains the information then available; further Art. 33(3) GDPR-grade information (nature of the breach, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed) is provided as it becomes available, so that the Customer can comply with its own Art. 33 and Art. 34 obligations. Overwise also provides reasonable cooperation in the Customer's investigation, mitigation and notification activities.
Joint-controllership breaches. Where a Personal Data Breach affects the public-source lead pool or the Joint-Controller interface described in Section 3 / Annex A, Overwise notifies the competent supervisory authority (Österreichische Datenschutzbehörde) within 72 hours per Art. 33(1) GDPR and informs the Customer concurrently, so that the Customer can fulfil its own joint-controller obligations.
12. Data Protection Impact Assessments
Overwise provides the Customer with reasonable cooperation and information to support Data Protection Impact Assessments under Art. 35 GDPR and prior consultations with supervisory authorities under Art. 36 GDPR. This includes DPIA-template content for the lead-discovery and outbound-campaign use cases on request.
13. Audit
Once per calendar year, with 30 days' prior written notice, the Customer (or an independent auditor mandated by the Customer and subject to a confidentiality undertaking) may audit Overwise's compliance with this DPA. Overwise's cooperation includes (i) responses to a reasonable security questionnaire, (ii) access to relevant third-party audit reports — SOC 2 Type 1 anticipated Q2 2026; SOC 2 Type 2 anticipated Q4 2026; ISO 27001 roadmap published on request — and (iii) on request a remote audit interview. On-site audits are conducted at the Customer's reasonable cost and where the Customer demonstrates a specific concern that cannot be addressed remotely.
Extended audit rights. The once-per-year cap does not apply (a) where a competent supervisory authority orders or specifically requests an audit of the Customer's Processing affecting Overwise, or (b) following a confirmed Personal Data Breach affecting the Customer's Personal Data. In those cases the Customer may audit on reasonable notice without the annual cap.
14. Return or deletion of Customer Personal Data
On termination of the Service or at the Customer's earlier written request, Overwise deletes Customer Personal Data in line with the retention schedule in the Privacy Policy Section 9: 30 days read-only access for re-activation, then hard delete from primary storage; encrypted backups purged within a further 60 days; mailbox refresh tokens revoked at the provider and deleted from Overwise's storage within 24 hours. On written request Overwise instead returns the Customer Personal Data in a structured export (per Article 25 of Regulation (EU) 2023/2854 — Data Act). The only data retained beyond these windows are (i) billing records and contract documentation, retained for seven years to comply with UGB §190 (Austrian commercial code); these records do not include the lead pool, mailbox content or campaign content. Suppression-list entries are retained indefinitely as the compliance record for objections honoured (Art. 17(3)(b)/(e), Art. 21(3) GDPR).
15. Liability
Liability under this DPA is subject to the limitations and exclusions in Section 10 of the Terms of Service, except that the limitations do not affect any liability that cannot be excluded under Applicable Data Protection Laws or other mandatory law. For (a) administrative fines imposed under Art. 83 GDPR or (b) third-party damages claims under Art. 82 GDPR that are in either case causally attributable to a breach of this DPA by Overwise — including under the joint and several liability of Art. 26(3) / Art. 82 GDPR — the Terms §10 cap is raised to the greater of (i) twenty-four months of fees paid by the Customer or (ii) EUR 250,000. This higher cap reflects the elevated risk allocation in the Joint-Controller arrangement at Annex A.
16. Governing law and forum
This DPA is governed by the substantive laws of Austria; the forum and arbitration arrangements in Section 15 of the Terms of Service apply. In case of conflict between this DPA and the Terms, this DPA prevails for matters of data protection.
17. Acceptance
Founder Team customers: this DPA is incorporated into the contract on acceptance of the Terms of Service. Starter and Growth customers: countersigned execution available on written request to [email protected]; we respond within five business days.
Annex A — Joint-controllership essence (GDPR Art. 26(2))
This Annex sets out the essence of the joint-controllership arrangement between Overwise and the Customer at the interface described in Section 3 above and in the Privacy Policy Section 2.
1. Joint determination. Overwise builds and maintains the public-source lead pool on its own initiative. The Customer defines the Ideal Customer Profile (ICP). The two combined — pool + ICP — determine which natural persons in the pool are selected for outreach. To that extent the parties jointly determine the means of processing within the meaning of Art. 26(1) GDPR.
2. Allocation of obligations.
- Overwise is responsible for: the lawfulness of public-source discovery and the lawfulness of holding the underlying pool; source provenance per lead; the Art. 13/14 transparency notice and source-of-data disclosure injected into the first message; the platform-wide suppression list and the propagation of objections (Art. 21) across all Overwise customers; the security of the Service.
- The Customer is responsible for: the legal basis (or consent where required) for sending a specific message to a specific recipient; compliance with anti-spam law in the recipient's jurisdiction (including §174 TKG (AT), CAN-SPAM (US), CASL (CA), PECR (UK) and equivalents); the content, accuracy and appropriateness of the message; not removing or altering the AI-assisted-drafting disclosure footer required by EU AI Act Art. 50(4).
3. Single point of contact for data subjects (Art. 26(2)). Irrespective of any allocation between the parties, a data subject can exercise rights against either party. Overwise acts as the operational one-stop-shop at [email protected]: receives requests, triages, acts on its own obligations, and forwards requests concerning the Customer's distinct responsibilities to the Customer without undue delay and in time for the Customer to respond within the Art. 12(3) timelines.
4. Cooperation. Each party provides the other with the information needed to demonstrate compliance with this Annex and the GDPR, and supports the other in responding to enquiries from a supervisory authority.