Privacy Policy
Disclaimer: This document should be reviewed by qualified legal counsel before publication. It is drafted based on regulatory research and industry best practices but does not constitute legal advice.
1. Introduction
This Privacy Policy explains how RelayPost, Inc. ("RelayPost," "we," "us") collects, uses, stores, and protects personal data when you use the RelayPost email delivery platform ("Service").
RelayPost operates in two distinct roles:
| Role | When | What it means |
|---|---|---|
| Data Controller | For your account data, usage data, and billing data | We decide what data to collect and how to use it |
| Data Processor | For email content and recipient data you send through our Service | We process this data on your behalf, under your instructions |
2. Data We Collect as Controller
2.1 Account Data
| Data | Purpose | Lawful Basis (GDPR) |
|---|---|---|
| Name | Account identification | Contract performance |
| Email address | Authentication, notifications | Contract performance |
| Password (hashed) | Authentication | Contract performance |
| Email verification status | Account security | Legitimate interest |
| 2FA status | Account security | Legitimate interest |
2.2 Organization Data
Organization name, slug, member list (user IDs, roles, join dates), invitation records, subscription plan, and rate limits — all for contract performance.
2.3 Authentication and Session Data
Session tokens, IP address, user agent, and active organization ID. Sessions expire after 7 days and refresh daily. All session cookies are httpOnly.
2.4 Billing Data
Invoice records (amount, status, billing period). We do not directly store credit card numbers — payment processing is handled by our payment processor.
2.5 Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Authentication (httpOnly, secure) | 7 days |
| CSRF token | Strictly necessary | Cross-site request forgery protection | Session |
| Active organization | Functional | Remembering selected organization | Session |
We do not use third-party advertising cookies, social media tracking pixels, or analytics cookies from third-party providers.
3. Data We Process as Processor
When you send emails through RelayPost, we process data on your behalf. You are the data controller for this data.
3.1 Email Content and Metadata
Sender address, recipient addresses, subject line, email body, custom headers, message ID, and template references.
3.2 Delivery Event Data
Delivery status, recipient address per event, MX host, SMTP response codes, and event timestamps.
3.3 Suppression Data
Suppressed email addresses with reason (hard bounce, soft bounce, complaint, unsubscribe, manual) and source.
4. How We Use Data
4.1 Controller Data
We use your account data to provide the Service, communicate with you, ensure security, improve the Service, and comply with law.
4.2 Processor Data
We process your email data only to deliver your emails, track delivery, manage suppressions, provide analytics, deliver webhooks, and troubleshoot issues.
We do not read or analyze your email content for advertising, sell or share your email content with third parties, or train machine learning models on your email content.
5. Data Retention
5.1 Email Data (by Plan)
| Data Type | Free | Starter | Pro |
|---|---|---|---|
| Email metadata | 30 days | 60 days | 180 days |
| Email content | 30 days | 60 days | 180 days |
| Delivery events | 30 days | 60 days | 180 days |
5.2 Account Data
| Data Type | Retention |
|---|---|
| Account data | While active + 90 days after deletion |
| Suppression lists | While organization is active |
| Invoices and billing | 7 years (legal obligation) |
| Session data | 7 days (auto-expire) |
6. Data Sharing and Third-Party Processors
6.1 Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting (EKS, RDS, ElastiCache, S3) | US regions |
| Cloudflare | DNS, CDN, DDoS protection | Global (edge network) |
6.2 What We Never Do
- We do not sell personal data to anyone, ever
- We do not share data with advertisers or ad networks
- We do not share your email content with other customers or third parties
7. Data Security
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS for all connections (HTTPS, SMTP STARTTLS/implicit TLS) |
| Encryption at rest | AWS RDS encryption, S3 server-side encryption |
| Password hashing | Argon2id (account passwords, SMTP credentials) |
| API key security | SHA-256 hashed; only prefix stored in plaintext |
| Session security | httpOnly cookies, CSRF protection, 7-day expiry |
| Access control | Role-based (owner/admin/member); all queries scoped to organization |
8. International Data Transfers
RelayPost infrastructure is hosted on AWS in US regions. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and supplementary measures including encryption and access controls. See our DPA for details.
9. Your Rights
9.1 GDPR Rights (EEA, UK, Switzerland)
| Right | How to Exercise |
|---|---|
| Access | Email [email protected] |
| Rectification | Update in account settings or email us |
| Erasure | Delete your account or email us |
| Restriction | Email [email protected] |
| Portability | Export via API or email us |
| Objection | Email [email protected] |
Response time: 30 days (extendable by 60 days with notice).
9.2 CCPA Rights (California Residents)
Right to Know, Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing (we do not sell or share your data). Email [email protected] with "CCPA Request" in the subject line. Response time: 45 days.
10. Controller vs. Processor Roles
RelayPost as Controller: Your account data, usage data, billing data, cookies. This Privacy Policy governs our use of this data.
RelayPost as Processor: Email content, recipient addresses, delivery events, suppression lists. You are the controller — your recipients should contact you to exercise their rights. Our DPA governs this relationship.
11. Children's Privacy
RelayPost is a B2B service for developers and organizations. We do not knowingly collect personal data from children under 16. Contact [email protected] if you believe a child has provided us with personal data.
12. Changes to This Policy
We will notify you by email at least 30 days before material changes take effect. Continued use after the effective date constitutes acceptance.
13. Contact Us
- Privacy and data protection inquiries: [email protected]
- General support: [email protected]