Privacy policy

Plain-language privacy.

Pre-launch v0.1. Counsel review before public signup. Effective .

Who we are

Mails.ai (“we”, “us”) operates the agent-native email infrastructure described on this site. Contact: support@mails.ai. For security disclosures see /security.

What we collect

  • Account data. The email address you sign up with, workspace slug + display name, billing identity (handled by Stripe).
  • Message data. Email you send through your agents and email your agents receive: headers, addresses, subject, body content, extracted reply text, attachments metadata. Stored against your workspace_id; not shared with other customers.
  • Classifier output. Typed-event fields derived from inbound messages (intent, entities, urgency, injection_score, sender_reputation). Stored with the inbound message; not shared with other customers.
  • Operational logs. Audit-log rows for every API call (API-key prefix, action, target, timestamp, IP, user-agent), webhook delivery attempts, billing meter increments. Standard server access logs (Vercel-edge, Cloudflare-edge) on public surfaces.

We don’t run analytics, cross-site trackers, or third-party advertising pixels on this marketing site or on the dashboard. The /signup form collects only the email you type.

Why we collect it (lawful basis)

  • Contract performance (GDPR Art. 6(1)(b)).Account, message, and billing data — we can’t send your email or charge you without them.
  • Legitimate interest (GDPR Art. 6(1)(f)). Operational logs for security, abuse prevention, deliverability protection. Classifier inference to label inbound for your agent.
  • Legal obligation (GDPR Art. 6(1)(c)). Tax records (Stripe), abuse reports, lawful requests from competent authorities.

Retention

Active-account data is retained for as long as the account is active. Audit-log rows: target 90 days for Free/Pro, 1 year for Scale; long-term archival is on the Phase 2 roadmap so closed-beta retention is bounded by database size, not policy. Stripe billing data follows Stripe’s retention. Classifier inference payloads are not stored beyond the round-trip with Anthropic (see /sub-processors).

On account closure or erasure request: workspace + message data is deleted within 30 days, with a cryptographic audit trail of the deletion. Anonymized aggregate data (cost-per-call, classifier accuracy) may be retained beyond this for operational analytics.

Sub-processors

We use third-party vendors to operate the service. Each receives only the data needed for its purpose. Full list with vendor name, purpose, data category, region, and added-at date is at /sub-processors. We publish a changelog entry tagged sub-processors whenever a vendor is added, removed, or its scope changes.

Your rights (GDPR Art. 15–22)

You can request, at any time:

  • Access (Art. 15). A copy of the personal data we hold about you.
  • Rectification (Art. 16). Correction of inaccurate or incomplete data (most fields are self-serve from the dashboard).
  • Erasure (Art. 17). Deletion of your account and associated data. Self-serve at launch; during closed beta, email support@mails.ai and we close out within 30 days.
  • Portability (Art. 20). Machine-readable export of your messages, events, agents, and audit-log rows. Self-serve at Phase 1 launch.
  • Restrict / object (Art. 18, 21).Email us; we’ll honor the request unless we have an overriding legitimate interest (e.g., we’re investigating an abuse report against the account).

No fee for a first request in any 12-month period. We respond within 30 days (extendable by 60 days for complex or repetitive requests, per Art. 12(3)). You also have the right to lodge a complaint with your supervisory authority.

Cookies + tracking

No third-party analytics on the marketing site. The dashboard sets a single HttpOnly + Secure session cookie (mails_session) required to keep you signed in. No tracking pixels. No cross-site cookies.

International transfers

Our sub-processors are global (US-primary). Where required, transfers from the EEA / UK rely on the European Commission’s Standard Contractual Clauses (and the UK IDTA) as the legal mechanism — flag this in your DPA request and we’ll provide our SCC-aligned addendum.

Children

Mails.ai is a developer infrastructure product. It is not directed at children under 16 and we don’t knowingly collect data from them. If you believe a minor has signed up, email support@mails.ai and we’ll close the account.

Security

Posture summary at /trust. Vulnerability disclosure at /security. We notify affected customers of any confirmed personal-data breach without undue delay (Art. 33 / 34).

Changes

Material changes ship a /changelog entry and update the “Effective” date above. Non-material edits (typos, restructuring without scope change) ship silently.

Contact / DPO

Email support@mails.ai for any DSR, DPA, or privacy-related question. A dedicated DPO email + Article 27 EU representative are scoped for Phase 2 once headcount supports a separate role.

Related

What to read next.

Sub-processors
Vendors that handle data.
Trust
Security posture, plainly.