Privacy Policy

Last updated: April 2026

1. Overview

MailSentry ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. This policy applies to all users of our website and API.

2. Information We Collect

Account Information

When you create an account, we collect your email address and hashed password. If you sign in via OAuth (Google or GitHub), we receive your email address and display name from the provider.

Email Validation Data

Single API validation: Email addresses submitted via the /v1/verify endpoint are processed in real time. The email is not stored in plaintext in the primary validation log — a SHA-256 hash of the email plus the validation result metadata (score, verdict, layer-by-layer flags) is recorded for bounce-feedback accuracy tuning. A separate short-lived score cache retains the plaintext email and full result for up to 30 days from the most recent lookup of that address, so that repeat lookups of the same email return consistent scoring. Aggregate usage counts (validations per day per API key) are stored for billing and analytics.

Bulk validation, Email Finder, and Integrations: When you use bulk validation, the email finder, or a third-party integration (e.g., HubSpot, Mailchimp), the submitted or discovered email addresses and their validation results are stored in your account in plaintext so you can access and download them. This data is retained until you delete the job or your account, whichever comes first.

Our Data Processing Agreement Section 3 provides the full technical breakdown of what is stored for each validation type, including retention windows and encryption details.

Usage Data

We collect anonymized usage statistics including API call counts, response times, and error rates. This data is used to improve the Service and monitor performance.

3. Cookies

We only use essential cookies required for authentication and session management (Supabase auth tokens). We do not use tracking or advertising cookies. UI preferences such as theme are stored in your browser's localStorage, which is not a cookie under the ePrivacy Directive.

4. Third-Party Services

We use the following third-party services to operate MailSentry:

  • Supabase: Authentication, database, and user management. Data is stored in Supabase's secure cloud infrastructure.
  • Vercel: Hosting and serverless functions. Requests are processed through Vercel's edge network.
  • Lemon Squeezy: Payment processing for paid subscriptions. We do not store credit card details — all payment information is handled by Lemon Squeezy.
  • Resend: Transactional email delivery (account notifications, team invites, usage alerts). Resend processes recipient email addresses solely to deliver these messages.

5. Data Security

We take security seriously. All API traffic is encrypted in transit over TLS 1.3. All stored data benefits from AES-256 encryption at rest provided by our infrastructure provider (Supabase on AWS). API keys are hashed using SHA-256 before storage — we never store plaintext API keys. User passwords are hashed using bcrypt via Supabase Auth. Single-call validation logs use SHA-256 hashing of the input email. Row-level security (RLS) policies ensure users can only access their own data. Plaintext email storage is limited to the cases documented in Section 2.

6. Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights:

  • Right to access: Request a copy of the data we hold about you
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your account and associated data
  • Right to data portability: Request your data in a machine-readable format
  • Right to object: Object to processing of your data for specific purposes

You can exercise your right to access and data portability directly from your dashboard (Account Settings → Data & Privacy → Download My Data). For all other requests, contact us at support@mailsentry.dev. We will respond within 30 days.

If you use MailSentry as a data processor on behalf of your users, our Data Processing Agreement details our obligations under GDPR Article 28.

7. Data Retention

Account data is retained for as long as your account is active. Usage analytics data (aggregate daily counts) is retained for 12 months and automatically purged thereafter. Bulk validation results, email finder results, and integration validation logs are retained until you delete them or delete your account.

Upon account deletion, the following are permanently deleted within 45 days from production databases: bulk validation jobs and results, email finder searches, integration validation logs, integration sync state, API keys, usage logs, user settings, team invites, and the user account record. The validation log (SHA-256 hashed emails), score cache (plaintext, 30-day TTL), and bounce-feedback table currently retain entries pending account-deletion cascade implementation prior to public launch — see Data Processing Agreement Section 10 for the full breakdown.

Encrypted backups containing already-deleted production data are purged within 30 days per backup retention policy.

8. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. The notification will include the nature of the breach, the data affected, and the steps we are taking to mitigate the impact. We will also notify the relevant supervisory authority where required by law.

9. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. Our hosting provider Vercel processes requests through its global edge network. Our database provider Supabase stores data in the US. Our payment processor Lemon Squeezy is US-based. Where data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure your data remains protected in accordance with GDPR requirements.

10. Children's Privacy

MailSentry is not directed to children under 16. We do not knowingly collect information from children. If you believe we have collected data from a child, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For privacy-related questions or requests, contact us at support@mailsentry.dev.