
Privacy Policy

Effective June 2026

On this page
  1. Who we are
  2. Our role in processing
  3. Information we process
  4. Legal bases (GDPR Art. 6)
  5. AI vendors, training and AI Act disclosure
  6. How we score leads and replies
  7. Sub-processors and integrations
  8. International transfers (Chapter V GDPR)
  9. Retention
  10. If you are a lead contacted via Overwise
  11. Your rights as a data subject
  12. Region-specific notices
  13. Cookies and tracking
  14. Portability and cloud switching (EU Data Act)
  15. Security
  16. Changes to this policy
  17. Contact and supervisory authority

1. Who we are

vondot GmbH, Illstraße 3, 6800 Feldkirch, Austria — FN 525834 k, Landesgericht Feldkirch — is the party responsible for personal data processed through overwise.com and the Overwise service.

Primary privacy contact: [email protected]. We have not appointed a statutory Data Protection Officer under GDPR Art. 37 (the criteria do not apply to us), but all data-protection matters are routed to the same address and we respond within 30 days.

2. Our role in processing

Overwise wears three hats depending on the data in front of it. Knowing which applies determines who you can hold to account.

  • Sole Controller — for account data, billing data, website analytics, and the public-source lead pool we build and maintain on our own initiative (PublicLead records, public company signals). We decide which sources to crawl, what attributes to keep and how long to keep them.
  • Joint Controller with the Overwise customer (GDPR Art. 26) — at the interface where our public-source pool meets the customer's ICP and a specific lead is selected for outreach. Both parties together determine the means by which a lead becomes a target: we through the discovery pipeline and matching logic, the customer through the ICP definition and the act of approval.

The essence of the Art. 26 arrangement (Art. 26(2) GDPR) is the following, set out here so any data subject can rely on it directly without having to read our DPA.

(i) Allocation of responsibility. vondot is responsible for the lawfulness of public-source discovery, source provenance per lead, the Art. 13/14 transparency footer injected into the first message, and the platform-wide suppression list. The Overwise customer is responsible for the legal basis (or consent where required) to contact a specific recipient, the content of the message, and compliance with anti-spam law in the recipient's jurisdiction.

(ii) Single point of contact for data subjects. vondot acts as the operational one-stop-shop at [email protected]: we receive requests, act on our own obligations and forward requests concerning the customer's distinct responsibilities to the customer without delay, in time for them to respond within the Art. 12(3) timelines.

(iii) Joint and several rights under Art. 26(3). Irrespective of the allocation above, you as data subject can exercise your rights against either party. The Art. 82 right to compensation is not limited by our internal allocation.

  • Processor for the customer — for everything the customer creates or imports inside the customer's project (campaign content, drafts, sent messages, brand-voice samples, suppression list, replies, manually uploaded leads). The Data Processing Addendum at /dpa governs this relationship.

3. Information we process

  • Account data: name, email and profile photo from your OAuth provider; IP address and user agent of authenticated sessions; team and role.
  • Organisation data: company name, billing address, VAT ID, Stripe customer ID.
  • Mailbox access (Google Workspace / Gmail): OAuth scopes gmail.readonly (sent-folder voice extraction), gmail.send (sending) and gmail.modify (label-based reply tracking). Subject to Google's API Services User Data Policy, including the Limited Use requirements: we use this data only to provide and improve user-facing features, we do not transfer it for serving ads, we do not allow humans to read it except where required by law, and we do not use it to develop or improve generalised AI models.
  • Mailbox access (Microsoft 365 / Outlook): Microsoft Graph scopes Mail.Read, Mail.Send and User.Read. Processed under Microsoft's Graph API terms; same minimum-scope principle.
  • Refresh tokens for both providers are AES-256-encrypted at rest; nothing readable in plaintext. You can revoke access at any time from your Google or Microsoft account dashboard.
  • Lead data: for prospects you target or we discover from public sources: business name, business email, role, public social profile URLs, public company signals (hiring, funding, tech stack), engagement events, and the messages drafted, sent and received. Business-context only. We do not collect private email addresses, private phone numbers, home addresses, health/political/religious/biometric indicators, or tracking-pixel-enriched data.
  • Brand-voice samples: subject and body of sent messages you choose as voice references. Held in your project's private vector index only — never aggregated across customers, never used for cross-tenant retrieval, never sent to model-training endpoints.
  • Campaign and outreach data: campaign settings, ICP definition, drafts, sent messages, reply classifications, deliverability metrics, suppression-list entries.
  • System telemetry: application logs, error reports, latency metrics, billing events. Used to operate and secure the service.
  • Payment data: processed by Stripe directly. We store the Stripe customer ID and subscription status. No card numbers, no card brand, no last-4 digits on our infrastructure.

4. Legal bases (GDPR Art. 6)

Per purpose:

  • Performance of contract (Art. 6(1)(b)): account, organisation, mailbox access, campaign operation, billing, customer support.
  • Legal obligation (Art. 6(1)(c)): bookkeeping (UGB §190 — seven-year retention), tax records, cooperation with regulators.
  • Legitimate interest (Art. 6(1)(f)): public-source lead discovery, system telemetry, anti-abuse, security, product analytics. We rely on legitimate interest for lead discovery on the basis of: (i) restricted business-context data only — see §3; (ii) a low-friction right to object under Art. 21 before any contact attempt — see §10; (iii) no Art. 9 special categories; (iv) no profiling that produces legal or similarly significant effects. A documented Legitimate Interest Assessment is available on request.
  • Consent (Art. 6(1)(a)): marketing email (newsletter, product announcements), optional cookies if introduced. Revocable at any time at [email protected].

5. AI vendors, training and AI Act disclosure

We send prompts to Anthropic (Claude) and OpenAI APIs to draft messages, classify replies, extract style and embed contact text. According to the current commercial API terms of both providers and the DPAs we have executed with them (copies on request), Anthropic does not train on API inputs or outputs; OpenAI does not train on API data. We do not use customer data to train any Overwise model. Brand-voice samples stay in your project's private vector index — never shared, never aggregated, never used for cross-tenant retrieval.

EU AI Act Art. 50 (effective 2 August 2026). Because messages drafted with Overwise are AI-generated, we automatically include a short AI-assisted-drafting disclosure in every outgoing message. The disclosure language follows the message language; where the message language cannot be determined, English is the default. See /security for the exact footer text.

6. How we score leads and replies

Overwise computes three scores. We describe them here because Art. 13(2)(f) and Art. 15(1)(h) GDPR require meaningful information about the logic involved, the significance and the envisaged consequences.

  • ICP-Fit score — how well a lead matches the customer's stated ideal profile (industry, size, role, signals). Inputs: public business attributes (LinkedIn role and headline, company website, recent funding, hiring page). Consequence: a numeric score that may cause us to skip a lead before any contact is attempted.
  • Trust score (per draft) — whether every factual claim in a draft message can be cited to a real signal we hold. Inputs: the draft, the underlying signals, the cite-or-discard verifier. Consequence: if the trust score is below threshold, the draft is discarded and the lead is held back, not sent. Every discarded draft is preserved in the in-app activity log and can be retriggered manually by the customer at any time.
  • Reply classification — category labels (positive, negative, out-of-office, referral, unsubscribe). Inputs: the reply text. Consequence: drives suppression and follow-up behaviour.

The customer is the final decision-maker — every draft is reviewable, every discard is reversible, autopilot is the customer's express pre-authorisation per ICP definition and pauses on request. To the extent Art. 22(1) GDPR applies to any of these scores, we rely on Art. 22(2)(b) (processing necessary to perform a contract concluded with the customer) and provide the Art. 22(3) safeguards: right to human intervention, right to express your point of view, right to contest the decision — write to [email protected].

7. Sub-processors and integrations

Two categories, deliberately separated.

(a) Sub-processors we engage to provide the service. Art. 28 GDPR applies; we have a DPA with each; we give 30 days' written notice before adding or replacing one. The live list with role, location and DPA links is at /security. As of the effective date of this policy it covers: Anthropic, OpenAI, MongoDB Atlas, Qdrant Cloud, Stripe, Resend, Postmark, Firecrawl, Apify, Sentry, Plausible.

(b) End-user-controlled integrations. These are not Overwise sub-processors. They are services you connect on your own behalf and that hold your credentials; Overwise acts as a conduit only, governed by the providers' own terms and DPAs with you:

  • Google (Gmail API + OAuth, where you connect a Gmail mailbox)
  • Microsoft (Microsoft Graph + OAuth, where you connect an Outlook mailbox)
  • Instantly (where you provide your own Instantly API key for reply webhooks)

8. International transfers (Chapter V GDPR)

Primary storage stays in the EU (Frankfurt). For transfers outside the EEA we layer the legal basis:

  • EU-US Data Privacy Framework — for providers (and the specific receiving entity) currently certified under the active DPF list at dataprivacyframework.gov/list. We maintain the live provider-to-DPF mapping at /security and re-verify it before each sub-processor change.
  • Standard Contractual Clauses (Commission Decision 2021/914) with the module that matches the actual roles: Module 1 (controller-to-controller) where we transfer in our controller capacity to an independent-controller provider; Module 2 (controller-to-processor) where the provider acts as our processor; Module 3 (processor-to-processor) for customer data where we act as your processor. SCCs apply both to providers not on the DPF list and as a fallback for DPF-listed providers should the framework be invalidated.
  • Transfer Impact Assessment per provider, updated whenever underlying US law changes (e.g. FISA §702 reauthorisation status, Executive Order 14086 on signals intelligence).
  • UK transfers: the International Data Transfer Addendum (IDTA) issued by the ICO.
  • Swiss transfers: the Swiss FDPIC-approved SCC addendum.

Copies of executed SCCs, the IDTA, the Swiss addendum and the TIAs are available on request to [email protected].

9. Retention

  • Account, organisation, campaign and lead data: kept while your subscription is active. After cancellation, 30 days read-only (to allow re-activation), then hard-deleted from primary storage. Backup snapshots are kept for an additional 60 days, then purged. Maximum 90 days after cancellation for these categories.
  • Mailbox refresh tokens and OAuth credentials: revoked at the provider on cancellation; the encrypted token blob in our database is deleted within 24 hours. You can revoke at any time from your Google or Microsoft account.
  • Brand-voice samples (sent-folder excerpts): treated as mailbox content. Deleted with the project on cancellation; on per-sample request, deleted from primary storage immediately and from the vector index within 24 hours.
  • Audit and security logs: 90 days.
  • Suppression-list entries: kept indefinitely as the compliance record that proves an objection was honoured. Deletion would re-expose the data subject — Art. 17(3)(b)/(e) and Art. 21(3) GDPR apply.
  • Bookkeeping (invoices, tax records): seven years (UGB §190 — Austrian commercial code). This obligation runs separately from the categories above.

Earlier deletion on written request to [email protected] where no statutory retention obligation conflicts.

10. If you are a lead contacted via Overwise

Source of your data. We collected your business contact details from publicly available sources — typically your employer's website, public LinkedIn profile, hiring pages or public press coverage — and processed them so that a specific Overwise customer could send you a relevant business communication. We are the sole controller of the underlying public-source pool. The moment the customer's ICP is applied to that pool and you are selected for outreach, we are joint controllers with the Overwise customer under GDPR Art. 26 (see §2 for the essence of the arrangement). The customer's identity is named in every message sent through Overwise. You can exercise your rights against either of us — write to [email protected] and we will act as one-stop-shop.

Right to object before any contact attempt. You can request that we suppress your address before any Overwise customer contacts you. Write to [email protected] or use the suppression form at overwise.com/suppress. We will suppress the address across all current and future Overwise customers, permanently. There is no fee, no account requirement, no delay.

Rights after contact. You have the standard GDPR rights — access, rectification, erasure, restriction, portability, objection (Art. 15–21) — exercisable directly against us at the address above. Where the request concerns the customer's decision to contact you (not our public-source pool), we will route it to the customer and notify you of the result. Either way, your right to object under Art. 21(2) GDPR is absolute and acted on immediately.

11. Your rights as a data subject

Under GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and to withdraw consent at any time. Most rights can be exercised from the in-app Settings page (download lead data as CSV, edit account info, delete the account); for the rest, write to [email protected]. We respond within 30 days, extendable by two months for complex requests with notice (Art. 12(3)).

You also have the right to lodge a complaint with a supervisory authority — for Austria the Österreichische Datenschutzbehörde (DSB), or your local supervisory authority where you are habitually resident.

12. Region-specific notices

California (CCPA / CPRA)

Categories of personal information collected: identifiers, professional and employment information, electronic communications metadata, and — where you connect a mailbox — the contents of your mail, which CCPA §1798.140(ae) classifies as Sensitive Personal Information. We process this SPI only as reasonably necessary to provide the service you requested (brand-voice extraction, reply triage) and do not use it to infer characteristics about you (CPRA §1798.121). We do not sell or share personal information for cross-context behavioural advertising.

Your rights: to know, to delete, to correct, to limit use of SPI, to opt out of sale/sharing (not applicable — we do neither), and to non-discrimination. We accept authorised-agent requests. Shine-the-Light (Civ. Code §1798.83): we did not share personal information with third parties for their direct-marketing purposes in the preceding calendar year. To exercise California rights, write to [email protected].

Universal Opt-Out signals (GPC)

We honour the Global Privacy Control where required (California, Colorado, Connecticut, Texas and others as they activate). Because our website uses no behavioural tracking, honouring GPC currently has no operational effect; the commitment nonetheless stands.

Other US states with comprehensive privacy laws

The following states have active comprehensive privacy laws as of the effective date: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Florida (FDBR), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Kentucky (KCDPA), Nebraska (NDPA), Maryland (MODPA), Minnesota (MNCDPA), Rhode Island (RIDTPPA).

Where you reside in one of these states and the law applies to our processing of your data, you have rights equivalent to the California rights above (with state-specific variations).

Texas residents (TDPSA — no revenue threshold): you may opt out of sale, targeted advertising and certain profiling by emailing [email protected] or by sending a recognised opt-out signal such as GPC.

United Kingdom

UK GDPR applies. Complaints to the Information Commissioner's Office (ICO), ico.org.uk. PECR Reg. 22: B2B direct marketing via Overwise is targeted only at corporate subscribers (registered limited companies, LLPs and equivalent). Sole traders and unincorporated partnerships require prior consent — the Overwise customer is responsible for obtaining that consent before contacting such recipients.

Switzerland

The revised Federal Act on Data Protection (revDSG) applies. Complaints to the Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.

Canada

Overwise does not send commercial electronic messages on its own behalf to recipients in Canada. If you are a Canadian recipient of a message sent through Overwise, the sending customer is responsible for CASL-compliant consent and identification — see Terms §5.

13. Cookies and tracking

We use no tracking cookies and no third-party trackers. Marketing analytics is via Plausible — a cookieless EU analytics tool operated by Plausible Insights OÜ (Estonia) with EU-hosted infrastructure that does not set browser cookies. The product itself uses a single first-party session cookie for authentication. No third-party trackers, no fingerprinting. No consent banner is required under Art. 5(3) of the ePrivacy Directive (and § 165(3) TKG 2021 in Austria), because the only cookie we set is strictly necessary for authentication and therefore exempt from the consent requirement.

14. Portability and cloud switching (EU Data Act)

From in-app Settings you can export your lead data, brand-voice samples and campaign history as CSV/JSON at any time. On written request we provide a full structured export of all data we hold about you and your organisation within 30 days, to support switching to another provider under Article 25 of Regulation (EU) 2023/2854 (Data Act), in force since 12 September 2025. From 12 January 2027, switching charges (if any) will be limited to direct costs in accordance with Article 29 of the Data Act.

15. Security

AES-256 encryption at rest, TLS 1.3 in transit, OAuth-only authentication (we never see your password), least-privilege role separation, encrypted refresh tokens, audit logs, dry-run gate for new mailboxes. Full architecture at /security. Personal data breaches are notified to the supervisory authority within 72 hours and to affected data subjects where Art. 34 GDPR requires.

16. Changes to this policy

We announce material changes at least 30 days before they take effect, by email to account holders and an in-app banner. The effective date is at the top of this page. Continued use after the effective date constitutes acceptance.

17. Contact and supervisory authority

Privacy questions and data-subject requests: [email protected].

Postal: vondot GmbH, Illstraße 3, 6800 Feldkirch, Austria.

Supervisory authority: Österreichische Datenschutzbehörde (DSB) — Barichgasse 40-42, 1030 Vienna, Austria.

© 2026 Overwise. All rights reserved. Last updated · May 2026