Privacy
A short, plain-English version of the Privacy Policy focused on what you actually care about.
What we collect
- Your email data. Message bodies, attachments, addresses, headers, timestamps for every account you connect. This is the product.
- Your usage data. Which features you used, app version, rough location based on IP. We don’t track you across other sites.
- Your billing data. Name, billing address, last 4 of card. Full card number never touches us.
What we don’t do
- We do not read your email to train AI models.
- We do not sell your data. There is no ad business here.
- We do not share message contents with third parties except the cloud providers who physically host the bits (AWS) or deliver outbound mail (Amazon SES). None of those subprocessors have any use for your mail contents either; they’re bit-pushers.
- We do not use cookies for cross-site tracking. The only cookies are session cookies on the web app and the marketing site’s cookie consent preference.
Subprocessors
See Privacy Policy → Subprocessors for the current list, which includes AWS, Amazon SES, Stripe (billing), and Supabase (auth). We’ll update the list as it changes.
Data-subject rights (GDPR, CCPA, similar)
You can exercise each of these from Settings → Data or by emailing [email protected].
| Right | How |
|---|---|
| Access your data | Export your mailbox as .mbox (mboxrd). |
| Correct your data | You can edit account profile info in Settings → Profile. Message contents you didn’t send to us originally are out of scope (we don’t alter mail you received). |
| Delete your data | Settings → Data → Delete account. Bodies are removed within 30 days, metadata within 90 days, once the retention sweep daemon ships in v0.6.2. Until then, email [email protected] for an immediate purge. |
| Port your data | Same as export. |
| Object / restrict processing | Email [email protected]. We’ll pause non-essential processing (like search indexing) within 7 days. |
| Withdraw consent | Cancel and delete. Consent isn’t our legal basis for most processing (it’s contract - you pay us to handle your mail) but you can stop being a customer any time. |
Children
SuperMail is not intended for children under 16. We don’t knowingly collect data from them. If you think we have, email [email protected] and we’ll delete.
Data location
Customer data is stored in AWS us-east-1 (primary) and us-east-2 (standby). We don’t currently offer EU-only residency. If that’s a hard requirement for you, email [email protected] and we’ll update this page when the feature ships.
Data retention
The deletion windows below are enforced by the retention sweep daemon (ships in v0.6.2 - see the changelog for status). Until that daemon lands you can email [email protected] for an immediate manual purge.
- Message bodies + attachments: retained while your account is active; deleted 30 days after cancellation.
- Message metadata: retained while your account is active; deleted 90 days after cancellation.
- Account + billing records: retained for 7 years after close for legal compliance.
- Logs: 30 days.
- Backups: 30-day rolling; 1-year cold backups for disaster recovery.