Privacy Policy

Last updated: January 1, 2025

MailFlow ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information about you when you use our services.

1. Information We Collect

Account Information

When you register, we collect your name, email address, company name (optional), and a hashed password. We never store plaintext passwords.

Usage Data

We log campaign activity, email opens, link clicks, subscriber counts, and system access events (audit log). This is necessary to provide the tracking features of the platform.

Email Subscriber Data

Subscriber lists you upload belong to you. We process them solely to deliver your campaigns and do not use them for any other purpose.

SMTP Credentials

If you configure a custom SMTP server, your credentials are encrypted at rest using AES-256-CBC before storage.

Cookies & Sessions

We use server-side sessions stored in our database (not local files). A session cookie is set in your browser to maintain your login state. We do not use third-party tracking cookies.

2. How We Use Your Information

  • To operate and improve the platform
  • To send transactional emails (verification, password reset, 2FA codes)
  • To enforce plan limits and prevent abuse
  • To maintain security and audit logs
  • To respond to your support requests

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Data Retention

Account data is retained as long as your account is active. Email send logs are retained for 90 days by default. You may request deletion of your account and associated data by contacting us.

4. Security

We implement industry-standard security measures including: encrypted SMTP passwords, CSRF tokens on all forms, HMAC-signed tracking tokens, rate limiting on authentication, and session invalidation on logout. While no system is 100% secure, we take data protection seriously.

5. Your Rights (GDPR / CCPA)

Depending on your location, you may have rights to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to processing of your data
  • Data portability (export in CSV format)

To exercise these rights, contact us at the email below.

6. Third-Party Services

We may use third-party SMTP providers (Gmail, SendGrid, Mailgun, etc.) to send emails on your behalf. These providers have their own privacy policies. We also use Google reCAPTCHA (optional) to protect lead capture forms.

7. Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect data from children. If you believe we have inadvertently collected such data, contact us immediately.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice in the dashboard. Continued use of the service after changes constitutes acceptance.

9. Contact Us

For privacy-related inquiries: Contact us here or email support@example.com