Privacy policy

Plain-language privacy.

Effective .

This is our privacy policy. It explains what data we collect and why. We keep it in plain English. No legal jargon unless the law requires it. If you have questions, just email us.

Who we are

Mails.ai (“we”, “us”), a service of XAscend LLC, operates the agent-native email infrastructure described on this site. Contact: support@mails.ai. For security disclosures see /security.

What we collect

  • Account data. The email address you sign up with, workspace slug + display name, billing identity (handled by Stripe).
  • Message data. Email you send through your agents and email your agents receive: headers, addresses, subject, body content, extracted reply text, attachment metadata. Stored against your workspace_id; not shared with other customers.
  • Classifier output. Typed-event fields derived from inbound messages (intent, entities, urgency, injection_score, sender_reputation). Stored with the inbound message; not shared with other customers.
  • Operational logs. Audit-log rows for every API call (API-key prefix, action, target, timestamp, IP, user-agent), webhook delivery attempts, billing meter increments. Standard server access logs (Vercel-edge, Cloudflare-edge) on public surfaces.

We don’t run analytics, cross-site trackers, or third-party advertising pixels on this marketing site or on the dashboard. The /signup form collects only the email you type.

Why we collect it (lawful basis)

  • Contract performance (GDPR Art. 6(1)(b)). Account, message, and billing data: we can’t send your email or charge you without them.
  • Legitimate interest (GDPR Art. 6(1)(f)). Operational logs for security, abuse prevention, deliverability protection. Classifier inference to label inbound for your agent.
  • Legal obligation (GDPR Art. 6(1)(c)). Tax records (Stripe), abuse reports, lawful requests from competent authorities.

Retention

Active-account data is retained for as long as the account is active. Audit-log rows: target 90 days for Free/Pro, 1 year for Scale; long-term archival is on the Phase 2 roadmap so closed-beta retention is bounded by database size, not policy. Stripe billing data follows Stripe’s retention. Classifier inference payloads are not stored beyond the round-trip with Anthropic (see /sub-processors).

On account closure or erasure request: workspace + message data is deleted within 30 days, with a cryptographic audit trail of the deletion. Anonymized aggregate data (cost-per-call, classifier accuracy) may be retained beyond this for operational analytics.

Sub-processors

We use third-party vendors to operate the service. Each receives only the data needed for its purpose. Full list with vendor name, purpose, data category, region, and added-at date is at /sub-processors. We publish a changelog entry tagged sub-processors whenever a vendor is added, removed, or its scope changes.

Your rights (GDPR Art. 15–22)

You can request, at any time:

  • Access (Art. 15). A copy of the personal data we hold about you.
  • Rectification (Art. 16). Correction of inaccurate or incomplete data (most fields are self-serve from the dashboard).
  • Erasure (Art. 17). Deletion of your account and associated data. Self-serve at launch; during closed beta, email support@mails.ai and we close out within 30 days.
  • Portability (Art. 20). Machine-readable export of your messages, events, agents, and audit-log rows. Self-serve at Phase 1 launch.
  • Restrict / object (Art. 18, 21). Email us; we’ll honor the request unless we have an overriding legitimate interest (e.g., we’re investigating an abuse report against the account).

No fee for a first request in any 12-month period. We respond within 30 days (extendable by 60 days for complex or repetitive requests, per Art. 12(3)). You also have the right to lodge a complaint with your supervisory authority.

Cookies + tracking

No third-party analytics on the marketing site. The dashboard sets a single HttpOnly + Secure session cookie (mails_session) required to keep you signed in. No tracking pixels. No cross-site cookies.

International transfers

Our sub-processors are global (US-primary). Where required, transfers from the EEA / UK rely on the European Commission’s Standard Contractual Clauses (and the UK IDTA) as the legal mechanism — flag this in your DPA request and we’ll provide our SCC-aligned addendum.

Children

Mails.ai is a developer infrastructure product. It is not directed at children under 16 and we don’t knowingly collect data from them. If you believe a minor has signed up, email support@mails.ai and we’ll close the account.

Security

Posture summary at /trust. Vulnerability disclosure at /security. We notify affected customers of any confirmed personal-data breach without undue delay (Art. 33 / 34).

Changes

Material changes ship a /changelog entry and update the “Effective” date above. Non-material edits (typos, restructuring without scope change) ship silently.

Contact / DPO

Email support@mails.ai for any DSR, DPA, or privacy-related question. A dedicated DPO email + Article 27 EU representative are scoped for Phase 2 once headcount supports a separate role.