Privacy Policy — MailKit

MailKit — Privacy Policy Last updated: 2026-04-25 This Privacy Policy describes how MailKit (getmailkit.com, the "Service"), operated by an independent contractor (the "Operator"), collects, uses, and protects information about you when you use the Service. 1. Information we collect When you use MailKit, we collect: a) Account information - Your email address, full name, and profile picture from Google when you sign in via Google OAuth. We use this only to identify your account and personalize your experience in the Service. b) Setup configuration data - Your domain name (the domain you are configuring email for). - Your Cloudflare API token, which you provide during the setup flow. This token is used only to make the necessary DNS and Email Routing changes on your domain. We do not store the token in our database after the setup process completes — it lives in memory only during the active setup session. - Your Gmail SMTP credentials displayed during the Send-As wizard step. These credentials are generated by Postmark (our SMTP provider, ActiveCampaign LLC, US) and shown to you for copy-pasting into Gmail. We do not retain a copy in our database after the session ends. - Setup state and logs (which step succeeded or failed, error messages, timestamps) for diagnostic and refund processing purposes. c) Payment information - Payment is processed by Lemon Squeezy as Merchant of Record. We do not collect or store your credit card or bank account information. We receive only the payment confirmation event from Lemon Squeezy with your order ID, transaction amount, and the email address you used at checkout. d) Usage and technical data - Standard server logs including IP address, user agent, and timestamps of requests, retained for 30 days for security and troubleshooting purposes. - We do not use marketing cookies, third-party analytics with user-level tracking, or behavioral advertising trackers. We may use anonymous aggregate analytics (e.g., page view counts) that do not identify individual users. 2. How we use your information We use your information only to: - Authenticate you when you sign in via Google OAuth. - Configure email infrastructure on your domain through Cloudflare Email Routing and Postmark SMTP, as you have requested. - Display SMTP credentials to you during the Gmail Send-As wizard. - Process payments and refunds through Lemon Squeezy. - Send transactional emails related to your purchase (receipt, setup confirmation, refund notification). - Provide customer support when you contact us. - Detect and prevent abuse of our infrastructure (excessive sending, spam complaints, fraud). We do not use your information to: - Send marketing emails or promotional content. - Sell, rent, or trade your personal information to third parties. - Build behavioral profiles for advertising purposes. - Train machine learning models on your data. 3. Third-party services we use To provide the Service, we work with the following third-party providers. Each has their own privacy policy, which governs their handling of data they receive from us: - Google (OAuth authentication) — google.com/policies/privacy - Cloudflare (DNS, Email Routing) — cloudflare.com/privacypolicy - Postmark / ActiveCampaign LLC (SMTP relay, transactional email) — postmarkapp.com/privacy-policy Data shared: customer email addresses, transactional email content, IP addresses in delivery logs. Retention: 45 days (Postmark default). DPA available at postmarkapp.com/dpa. Cross-border transfer mechanism: Standard Contractual Clauses (EU SCCs). - Lemon Squeezy (payment processing) — lemonsqueezy.com/privacy - Supabase (database hosting) — supabase.com/privacy - Vercel (web hosting) — vercel.com/legal/privacy-policy We share with these providers only the minimum information necessary for them to perform their function. We do not share your information with any other parties beyond what is required for the Service to function or as required by law. 4. How we protect your information - All connections to our Service use HTTPS encryption in transit. - Sensitive credentials (Cloudflare API tokens, SMTP passwords) are not persisted in our database — they are used during the active session and discarded. - Our database uses Row-Level Security policies that enforce access controls at the data layer. - Service-role keys for backend operations are stored in encrypted environment variables, not in source code. - We follow industry-standard security practices for password storage, network configuration, and incident response. For detailed security notes see /security. 5. Data retention - Account information (email, name, profile picture): retained while your account is active. Deleted within 30 days of account deletion request. - Setup configuration logs: retained for 90 days for diagnostic purposes, then automatically purged. - Cloudflare API tokens: not retained after setup completes (in-memory only during active session). - SMTP credentials: not retained (in-memory only during active session). - Payment records: retained for 5 years to comply with financial record-keeping requirements. - Server logs: 30 days. - Email communication with support: retained for 1 year. 6. Your rights You have the right to: - Access the personal information we hold about you. - Correct inaccurate information. - Request deletion of your account and associated data. - Export your data in a machine-readable format. - Withdraw consent for data processing (which may require account deletion since we cannot provide the Service without basic account data). - File a complaint with a data protection authority if you believe your rights have been violated. To exercise any of these rights, email support@getmailkit.com. We respond within 30 days. 7. Children's privacy The Service is not directed at children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it. 8. International data transfers Your information may be stored and processed in countries other than your country of residence, including the United States and the European Union, depending on the location of our service providers (Vercel, Supabase, Cloudflare, Postmark, etc.). For transfers of personal data from the European Economic Area (EEA) to the United States, we rely on Standard Contractual Clauses (SCCs) as the data transfer mechanism where required under GDPR. Our transactional email processor (Postmark / ActiveCampaign LLC) provides a Data Processing Agreement incorporating SCCs for EU-US transfers, available at postmarkapp.com/dpa. By using the Service, you consent to this transfer. We use providers that maintain appropriate safeguards for international data transfers under applicable laws. 9. Changes to this policy We may update this Privacy Policy. Changes take effect when posted at /privacy. Material changes will be communicated via email to active accounts. Continued use of the Service after changes constitutes acceptance. 10. Contact Privacy questions: support@getmailkit.com For Google OAuth-specific data handling questions, see also our OAuth consent screen at sign-in. 11. Use of Google APIs and limited use disclosure MailKit's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: - We use Google OAuth only to authenticate you and identify your account. We do not access your Gmail, Drive, Calendar, Contacts, or any other Google services beyond basic profile information. - We do not transfer Google user data to others except as necessary to provide or improve user-facing features that are prominent in the Service. - We do not use or transfer Google user data for serving advertisements, including retargeting. - We do not allow humans to read Google user data unless required for security purposes, to comply with applicable law, or with your explicit consent.