Privacy Policy

1. Introduction

Mailhook ("we," "our," or "us") provides a programmable email API service for developers and AI agents. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at mailhook.co and our API.

We are committed to protecting your privacy and handling your data transparently. Please read this policy carefully to understand our practices regarding your personal data.

2. Data Controller and Processor Roles

Under privacy laws like GDPR, different responsibilities apply depending on the role:

Data Controller: Mailhook acts as a data controller for information we collect about our customers (account holders), including account details, billing information, and usage data.
Data Processor: Mailhook acts as a data processor for email content that flows through our platform on behalf of our customers. Our customers determine the purposes and means of processing this email data.

If you are an end user whose email was processed through Mailhook by one of our customers, please contact that customer directly regarding your data rights.

3. Information We Collect

3.1 Account Information

When you register for Mailhook, we collect:

Name and email address
Company name (if applicable)
Password (stored as a secure hash)
API keys (stored as secure hashes)
Custom domain configurations

3.2 Payment Information

Payment processing is handled by Stripe. We do not store your full credit card numbers. Stripe may collect:

Credit/debit card details
Billing address
Transaction history

Please review Stripe's Privacy Policy for details on their data practices.

3.3 Email Content Data

When you use our service to receive or send emails, we process:

Sender and recipient email addresses
Email subject lines
Email body content (text and HTML)
Email headers and metadata
Attachments
Timestamps

3.4 Usage Data

We automatically collect:

API request logs (endpoints accessed, response codes)
Request volume and rate limiting data
IP addresses
Browser type and device information
Pages visited on our marketing site

3.5 Webhook Configurations

If you configure webhooks, we store:

Webhook URLs
Webhook secrets (stored as secure hashes)
Delivery attempt logs

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contract Performance: Processing necessary to provide you with our services (account management, email processing, API access).
Legitimate Interests: Processing for fraud prevention, security monitoring, service improvement, and analytics, where our interests do not override your rights.
Legal Obligation: Processing required to comply with applicable laws, regulations, or legal processes.
Consent: Where you have given explicit consent for specific processing activities, such as marketing communications.

5. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain our services
Process and deliver emails through our API
Process payments and manage billing
Send transactional notifications (password resets, service alerts)
Respond to support requests and inquiries
Monitor and analyze usage patterns to improve our service
Detect, prevent, and address fraud and security issues
Enforce our Terms of Service
Comply with legal obligations

6. Data Sharing and Disclosure

6.1 Service Providers (Sub-processors)

We share data with third-party service providers who assist in operating our service. A complete list of our current sub-processors is available on our Sub-processors page.

All sub-processors are bound by data processing agreements requiring them to protect your data in accordance with this policy and applicable law. We provide advance notice of changes to our sub-processors.

6.2 Legal Requirements

We may disclose your information if required by law, such as:

To comply with legal process or government requests
To protect our rights, privacy, safety, or property
To enforce our Terms of Service
In connection with a merger, acquisition, or sale of assets

6.3 No Sale of Personal Data

We do not sell your personal data to third parties. We do not share your personal data for cross-context behavioral advertising.

7. Data Retention

We retain different categories of data for different periods:

7.1 Email Content

Email content is retained according to your subscription plan:

Free: 1 hour
Pro: 7 days
Business: 30 days
Enterprise: Up to 90 days (configurable)

After the retention period, email content is permanently deleted from our systems.

7.2 Account Data

Account information is retained for the duration of your account plus:

7 years for financial records (legal requirement)
30 days in backups after account deletion

7.3 Usage Logs

API logs and usage data are retained for 90 days for operational purposes, then aggregated or deleted.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place:

EU-US Data Privacy Framework: For transfers to certified US organizations
Standard Contractual Clauses (SCCs): For transfers to other third countries
Adequacy Decisions: For transfers to countries with EU adequacy status

For EU/EEA residents, we ensure that any transfer of personal data is subject to appropriate safeguards as required by GDPR.

9. Data Security

We implement industry-standard security measures to protect your data:

Encryption at Rest: AES-256 encryption for stored data
Encryption in Transit: TLS 1.3 for all data transmission
Access Controls: Role-based access with principle of least privilege
API Key Security: Keys stored as BCrypt hashes, never in plaintext
Infrastructure: Hosted in secure, audited data centers
Monitoring: Continuous security monitoring and logging
Backups: Regular encrypted backups with secure disposal

No method of transmission or storage is 100% secure. If you become aware of any security incident, please contact us immediately at [email protected].

10. Your Rights

10.1 Rights Under GDPR (EEA/UK Residents)

If you are in the European Economic Area or UK, you have the right to:

Access: Request a copy of your personal data
Rectification: Request correction of inaccurate data
Erasure: Request deletion of your data ("right to be forgotten")
Restriction: Request limitation of processing
Portability: Receive your data in a portable format
Objection: Object to processing based on legitimate interests
Withdraw Consent: Withdraw consent at any time where processing is based on consent
Lodge a Complaint: File a complaint with your local supervisory authority

We will respond to your request within 30 days.

10.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

Know: Request disclosure of the categories and specific pieces of personal information we collect
Delete: Request deletion of your personal information
Correct: Request correction of inaccurate personal information
Opt-Out: Opt out of the sale or sharing of personal information (note: we do not sell personal information)
Non-Discrimination: Not be discriminated against for exercising your rights

We will respond to verifiable requests within 45 days.

10.3 Exercising Your Rights

To exercise any of these rights, please contact us at:

Email: [email protected]
Through your account settings at app.mailhook.co/settings

We may need to verify your identity before processing your request.

11. Cookies and Tracking

We use cookies and similar technologies on our marketing website:

Essential Cookies: Required for site functionality and security
Analytics Cookies: Help us understand how visitors use our site (PostHog)

You can control cookies through your browser settings. Disabling cookies may affect site functionality.

Our API does not use cookies.

12. Automated Decision-Making

We use automated systems for:

Rate Limiting: Automatic enforcement of API usage limits based on your plan
Spam Detection: Automated filtering to prevent abuse of our service
Fraud Prevention: Automated monitoring for suspicious activity

These automated processes do not make decisions that produce legal effects or similarly significantly affect you. If you believe an automated decision has adversely affected you, please contact us for human review.

13. Children's Privacy

Our service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

14. Third-Party Links

Our service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

We will notify the relevant supervisory authority within 72 hours (GDPR requirement)
We will notify affected individuals without undue delay if the breach is likely to result in high risk
We will document all breaches regardless of risk level

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new policy on this page
Updating the "Last updated" date
Sending an email notification to account holders for significant changes

We encourage you to review this policy periodically.

17. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) for GDPR compliance, please contact us at [email protected]. Our DPA covers:

Subject matter and duration of processing
Nature and purpose of processing
Types of personal data processed
Categories of data subjects
Obligations and rights of the controller
Sub-processor authorizations
Security measures
Audit rights

18. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: [email protected]
Legal inquiries: [email protected]
Security concerns: [email protected]