Legal

Privacy Policy

Last updated: 26 April 2026

inroad ("we", "us", "our") is committed to protecting your personal information. This policy explains what data we collect, how we use it, and your rights.

1. What we collect

When you use inroad we may collect:

• Account information — your email address, first name, and university.
• Profile preferences — target industries, company size preference, and a short bio you provide.
• Usage data — which cards you view, whether you send outreach emails, and whether you receive replies.
• Technical data — browser type, device, IP address, and session cookies.
• Third-party professional data — names, job titles, and companies of professionals identified through publicly available web sources. We do not collect or store personal email addresses. All contact email addresses displayed on the platform are expected addresses generated from standard company email formats and are not sourced from or verified against any personal data source.
• Microsoft account connection — if you choose to connect your Outlook or Microsoft 365 account, we store OAuth tokens (access token, refresh token, and expiry time) to enable one-click email sending on your behalf. We do not store the contents of your inbox or any emails beyond those you explicitly send through inroad. You can disconnect your Microsoft account at any time from the dashboard, which immediately removes all stored tokens.
• Professional contact data — when identifying relevant professionals at target companies, we process publicly available information including names, job titles, and company affiliations sourced from public web searches. All email addresses displayed on the platform are expected addresses inferred from standard company email formats. We do not source, store, or display personal email addresses.

2. How we use your data

• To match you with relevant internship and graduate opportunities.
• To identify relevant professionals at target companies using publicly available web data, and to generate expected contact email addresses based on standard company email formats.
• To generate personalised email drafts.
• To send you transactional emails (magic links, match notifications).
• To send outreach emails on your behalf when you use the one-click send feature via your connected Microsoft account.
• To improve our matching algorithms and product quality.

3. Microsoft OAuth and email sending

If you connect your Microsoft account, inroad uses the Microsoft Graph API to send emails directly from your address when you click Send on a match card. We request only the minimum permissions required: Mail.Send and offline_access. We do not read, store, or process any emails in your inbox.

Your OAuth tokens are stored securely and used solely to send emails you have explicitly approved. You may disconnect your Microsoft account at any time from the dashboard, which revokes our access and deletes all stored tokens. Revoking access through your Microsoft account settings will also prevent further sending.

4. Third-party services

We use the following services to operate inroad:

• Serper — used to query publicly available web sources to identify relevant professionals at companies. All email addresses shown on the platform are inferred from publicly known company email formats and have not been independently verified.
• Resend — to send transactional emails.
• Microsoft Graph API — to send outreach emails from your connected Outlook or Microsoft 365 account when you use the one-click send feature.

5. Legal basis for processing

Where we process personal data relating to third-party professionals (names, job titles, company affiliations, and inferred email addresses), we do so on the basis of legitimate interests under UK GDPR Article 6(1)(f). Our legitimate interest is in enabling students and early-career professionals to make personalised career outreach to relevant contacts at companies they are targeting. We have assessed that this interest is not overridden by the rights of the individuals concerned, given that the information is limited to professional context, is sourced from publicly available web sources, and that individuals can request removal at any time.

6. Data retention

We retain your account data for as long as your account is active. Match history is anonymised after 90 days. You can delete your account at any time from the Settings page, which permanently removes all your data including any stored Microsoft OAuth tokens.

7. Your rights

Under applicable data protection law (including UK GDPR) you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request deletion of your account and all associated data.
• Object to certain types of processing.
• Request removal from our contact dataset — if you are a professional whose name or expected email address appears on inroad and you would like it removed, please contact us via our contact page. We will action removal requests within 30 days.

To exercise any of these rights, please visit our contact page.

8. Cookies

We use the following first-party cookies. We do not use advertising cookies or any third-party tracking cookies.

• inroad_session — strictly necessary. Keeps you signed in for up to 30 days. Set on login, deleted on logout.
• inroad_refresh — strictly necessary. Used to re-issue your session without requiring you to log in again. Set on login, deleted on logout.
• inroad_visitor — analytics. A random identifier used to count unique visits to our site. It contains no personal information and is not shared with any third party. It persists for 1 year.

9. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email. Continued use of inroad after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related enquiries, please contact us at our contact page.