Privacy Policy

Last updated: June 2, 2026

This Policy explains how we collect, use, store, and protect information when you use EdgeMailAPI and EdgeReach (the "Services"). It covers our role both as a data controller (for your account information) and as a data processor (for the email content and recipient data you send through the Services).

1. Information we collect

1.1 Account & identity

Email address and authentication identity (managed via our auth provider, CapchaID).
Plan, subscription status, and billing identifiers (managed via Stripe; we do not store full card numbers).
API keys (stored only as salted hashes; the raw key is shown once).

1.2 Content you submit (processed on your behalf)

Email subjects, bodies, attachments, templates, and AI prompts.
Recipient and subscriber data you upload (email addresses, names, company, custom fields).
Campaign, sequence, and suppression-list data.

1.3 Connected Mailbox credentials (EdgeReach)

SMTP/IMAP usernames and passwords for mailboxes you connect. These are encrypted at rest using AES-GCM and used solely to send and read mail on your behalf. We do not use them for any other purpose and do not share them.

1.4 Operational & log data

Send/delivery/bounce/reply events, usage counters, and error logs.
IP address, request metadata, and timestamps (for security, rate-limiting, and abuse prevention).

2. How we use information

To provide, operate, secure, and improve the Services.
To send email and detect replies/bounces as you instruct.
To enforce usage limits, our Acceptable Use Policy, and anti-abuse/anti-spam controls.
To process payments and manage subscriptions.
To communicate with you about your account, security, and service changes.
To comply with legal obligations and respond to lawful requests.

We do not sell your personal data. We do not read your email content except as necessary to operate features you enable (e.g. reply/bounce detection) or to investigate abuse, security, or legal issues.

3. AI processing

When you use AI features, the prompt and relevant lead/context data are processed by a large-language model running on Cloudflare Workers AI to generate or personalize content. This data is used to produce your output and is not used by us to train models.

4. Subprocessors

We rely on the following third parties to operate the Services. Each processes data only as needed to provide its function:

Subprocessor	Purpose	Data
Cloudflare	Compute (Workers), storage (D1, KV), email send (Email Service), AI	All operational data, content, encrypted credentials
Stripe	Payment processing & subscriptions	Email, billing identifiers, payment method (held by Stripe)
CapchaID	Authentication / login	Email, login credentials, session tokens
Your Connected Mailbox provider (EdgeReach)	Actual mail transmission/receipt	Your outgoing/incoming mail

5. Data retention

Account and billing records: retained for the life of the account and as required for legal/tax purposes.
Content, lists, and event logs: retained while your account is active; deletable on request or on account closure.
Connected Mailbox credentials: retained until you disconnect the mailbox or close the account, then deleted.
Warm-up messages: automatically purged on a rolling basis.

6. Your rights

6.1 GDPR / UK GDPR (EEA/UK residents)

You have rights to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent. Where we process recipient data on your behalf, you are the controller and we are the processor acting on your documented instructions; this Policy together with our Terms forms our data-processing commitments.

6.2 CCPA/CPRA (California residents)

You have rights to know, access, delete, and correct personal information, and to opt out of "sale"/"sharing" (we do not sell or share personal information as defined). We will not discriminate against you for exercising these rights.

6.3 Exercising rights

Email [email protected]. We will respond within the timeframes required by applicable law. As a processor of recipient data, we may direct certain requests to the relevant customer (controller).

7. Recipients of your campaigns

If you are a recipient of an email sent through the Services and wish to exercise privacy rights or stop receiving messages, please use the unsubscribe link in the email or contact the sender (our customer) directly, as they are the controller of that data. You may also contact us and we will assist in routing your request.

8. International data transfers

The Services run on globally distributed infrastructure (Cloudflare). Data may be processed in countries other than yours. Where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses.

9. Security

Mailbox credentials encrypted at rest (AES-GCM); API keys stored as hashes only.
TLS in transit; SMTP/IMAP connections use implicit TLS (ports 465/993).
Tenant isolation, rate limiting, and abuse monitoring.
Secrets stored in managed secret stores, not in code.

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

10. Cookies & tracking

We use only essential cookies/local storage required for authentication and session management. We do not use third-party advertising or cross-site tracking cookies.

11. Children

The Services are not directed to anyone under 18, and we do not knowingly collect data from children.

12. Changes to this Policy

We may update this Policy; material changes will be posted here with a new "Last updated" date and notified where required.

13. Contact

Privacy questions or requests: [email protected]