Privacy Policy
Last updated: April 2026
1. Overview
MailSentry ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data. This policy applies to all users of our website and API.
2. Information We Collect
Account Information
When you create an account, we collect your email address and hashed password. If you sign in via OAuth (Google or GitHub), we receive your email address and display name from the provider.
Email Validation Data
Single API validation: Email addresses submitted via the /v1/verify endpoint are processed in memory and discarded immediately after the response is returned. We do not store these email addresses. We only store aggregate usage counts (number of validations per day per API key) for billing and analytics.
Bulk validation, Email Finder, and Integrations: When you use bulk validation, the email finder, or a third-party integration (e.g., HubSpot, Mailchimp), the submitted or discovered email addresses and their validation results are stored in your account so you can access and download them. This data is retained until you delete the job, or until you delete your account — at which point it is permanently removed.
Usage Data
We collect anonymized usage statistics, including API call counts, response times, and error rates. This data is used to improve the Service and monitor performance.
3. Cookies
We only use essential cookies required for authentication and session management (Supabase auth tokens). We do not use tracking or advertising cookies. UI preferences such as theme are stored in your browser's localStorage, which is not a cookie under the ePrivacy Directive.
4. Third-Party Services
We use the following third-party services to operate MailSentry:
- Supabase: Authentication, database, and user management. Data is stored in Supabase's secure cloud infrastructure.
- Vercel: Hosting and serverless functions. Requests are processed through Vercel's edge network.
- Lemon Squeezy: Payment processing for paid subscriptions. We do not store credit card details — all payment information is handled by Lemon Squeezy.
- Resend: Transactional email delivery (account notifications, team invites, usage alerts). Resend processes recipient email addresses solely to deliver these messages.
5. Data Security
We take security seriously. All API traffic is encrypted via HTTPS/TLS. API keys are hashed using SHA-256 before storage — we never store plaintext API keys. Passwords are hashed by Supabase using bcrypt. We implement row-level security in our database to ensure users can only access their own data.
6. Your Rights (GDPR)
If you are in the European Economic Area (EEA), you have the following rights:
- Right to access: Request a copy of the data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your account and associated data
- Right to data portability: Request your data in a machine-readable format
- Right to object: Object to processing of your data for specific purposes
You can exercise your rights to access and data portability directly from your dashboard (Account Settings → Data & Privacy → Download My Data). For all other requests, contact us at support@mailsentry.dev. We will respond within 30 days.
If you use MailSentry as a data processor on behalf of your users, our Data Processing Agreement details our obligations under GDPR Article 28.
7. Data Retention
Account data is retained for as long as your account is active. Usage analytics data (aggregate daily counts) is retained for 12 months and automatically purged thereafter. Bulk validation results, email finder results, and integration validation logs are retained until you delete them or delete your account. Upon account deletion, all associated data — API keys, usage logs, bulk results, finder results, integration data, and account information — is permanently deleted.
8. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. The notification will include the nature of the breach, the data affected, and the steps we are taking to mitigate the impact. We will also notify the relevant supervisory authority where required by law.
9. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. Our hosting provider Vercel processes requests through its global edge network. Our database provider Supabase stores data in the US. Our payment processor Lemon Squeezy is US-based. Where data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure your data remains protected in accordance with GDPR requirements.
10. Children's Privacy
MailSentry is not directed to children under 16. We do not knowingly collect information from children. If you believe we have collected data from a child, contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or requests, contact us at support@mailsentry.dev.