Privacy Policy

Last updated: April 1, 2026

This Privacy Policy explains how MailFlow Labs Inc. ("MailFlow") collects, uses and discloses information when you use our Service. We act as the data controller for account information and as a data processor for content you upload.

1. Information we collect

  • Account information. Name, email, hashed password, organization name and billing details.
  • Email account credentials. SMTP and IMAP host, port, username, and the App Password you provide for sending and receiving. Stored encrypted with AES-256-GCM.
  • Lead data. Email addresses, names, custom fields and other lead attributes you upload.
  • Email content. Sequence templates, sent messages, replies and inbox metadata necessary to operate the Service.
  • Usage data. IP address, browser, dashboard interactions, error reports. We use this to operate, secure and improve the Service.

2. How we use it

  • To provide the Service: send mail, receive mail, run warmup, surface analytics.
  • To bill you and prevent fraud.
  • To diagnose issues and improve the product.
  • To respond to support requests.
  • To send transactional emails (verification, password reset, invoices) and, with your consent, occasional product update emails.

3. Sharing

We share data with subprocessors that help us run the Service. The current list includes Stripe (billing), Postmark/Resend (transactional email), Cloudflare (CDN/security), AWS or GCP (compute and storage), and Sentry/PostHog (errors, analytics). The full list with regions is available on request.

We do not sell personal data, and we do not share your lead data with any third party beyond what is technically necessary to deliver mail through your own configured providers.

4. International transfers

Production data lives in EU and US regions. EU customers may pin their workspace to EU residency on the Scale plan. We rely on Standard Contractual Clauses for any cross-border transfer.

5. Retention

We retain account and content data for the lifetime of your subscription plus 30 days post-cancellation, after which it is permanently deleted unless a legal hold requires longer retention. You may request earlier deletion at any time.

6. Your rights

Depending on your jurisdiction (GDPR, CCPA, KVKK, LGPD, etc.) you may have the right to access, correct, port or delete your personal data, or to object to certain processing. Contact privacy@mailflow.dev to exercise these rights.

7. Security

We use AES-256-GCM at rest for sensitive credentials, TLS 1.2+ in transit, bcrypt password hashing, JWT sessions in httpOnly cookies, audit logs, rate limiting and a strict CSP. See our Security page for the full breakdown.

8. Children

The Service is not directed at anyone under 16. We do not knowingly collect data from minors.

9. Changes

Material changes to this Policy will be communicated via email and in-product notification at least 30 days before they take effect.

10. Contact

Privacy questions? Email privacy@mailflow.dev.