Privacy Policy

We collect the following categories of information when you use Mailsflux: **Account Information:** Name, email address, company name, and billing details when you register or subscribe. **Usage Data:** API request logs, email send events, delivery metrics, template usage, and feature usage statistics — used to operate and improve the Service. **Payment Information:** Processed by our payment provider (Stripe). Mailsflux does not store raw card numbers. **Email Content:** The content of emails you send through our platform is processed solely to deliver them. We do not read or analyze your email content for advertising purposes. **Technical Data:** IP addresses, browser type, device identifiers, and cookies for authentication and security purposes.

We use collected information to: • Operate, maintain, and improve the Service • Process payments and manage subscriptions • Send transactional emails (receipts, alerts, service notifications) • Provide email delivery analytics and tracking data • Respond to support requests • Detect and prevent fraud, abuse, or security incidents • Comply with legal obligations We do not sell your personal information to third parties. We do not use your data or your recipients' data to train AI models.

When you send emails through Mailsflux, your recipients' email addresses and engagement data (opens, clicks, bounces) are processed on your behalf. Mailsflux acts as a data processor for this information. You are the data controller and are responsible for: • Obtaining valid consent from your recipients where required by law • Maintaining accurate suppression lists and honoring unsubscribe requests • Ensuring your email content complies with applicable anti-spam laws (CAN-SPAM, CASL, GDPR, etc.) Recipient data is retained for 90 days after an email event unless you configure a different retention period.

For physical mail sent via the Mailsflux Physical Mail API, we process recipient postal addresses solely to fulfill delivery. Address data is shared with our carrier partners (e.g., USPS, DHL, FedEx) only as necessary to complete the delivery. We do not retain physical address data beyond 30 days after confirmed delivery.

We use essential cookies for authentication and session management. We use analytics cookies (aggregated, anonymized) to understand how the dashboard is used. You can manage cookie preferences through our cookie preference center. Disabling essential cookies will prevent you from accessing your account.

We share your information only with: • **Infrastructure providers:** Cloud hosting (AWS), payment processing (Stripe), error tracking (Sentry). All processors are contractually bound to protect your data. • **Carrier partners:** For physical mail delivery only — postal address data is shared with selected carrier partners. • **Legal requirements:** When required by law, court order, or regulatory authority. • **Business transfers:** In the event of a merger, acquisition, or sale of assets, you will be notified before your data is transferred under a different privacy policy.

Account data is retained for the duration of your subscription plus 90 days after cancellation, after which it is deleted or anonymized. Email event logs (delivery, opens, clicks) are retained for 12 months by default. You may request earlier deletion by contacting [email protected].

Depending on your location, you may have the following rights: • **Access:** Request a copy of personal data we hold about you • **Correction:** Request correction of inaccurate data • **Deletion:** Request deletion of your personal data ("right to be forgotten") • **Portability:** Receive your data in a machine-readable format • **Objection:** Object to processing based on legitimate interests • **Opt-out of sale:** We do not sell personal data To exercise any of these rights, email [email protected]. We will respond within 30 days.

We implement industry-standard security measures including TLS 1.3 encryption in transit, AES-256 encryption at rest, access control with least-privilege principles, and regular security audits. SPF, DKIM, and DMARC are enforced on all outbound email infrastructure. Please notify us at [email protected] if you discover a vulnerability.

Mailsflux operates primarily from data centers in the United States. Enterprise customers may select regional data residency (EU, Singapore, or other regions). For EU/EEA users, data transfers to the US are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission.

We may update this Privacy Policy periodically. We will notify you of material changes by email or prominent notice in the dashboard at least 14 days before the changes take effect.