Privacy Policy
Last updated: May 20, 2026
1. Introduction
EmailSendX (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our email marketing platform (“the Service”).
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). We may also collect your timezone preference and notification settings.
2.2 Workspace Data
We store the data you upload to your workspaces, including contact lists (email addresses, names, metadata), email templates, campaign content, and automation configurations. This data belongs to you.
2.3 Usage Data
We collect information about how you use the Service, including pages visited, features used, campaigns sent, and email delivery statistics (opens, clicks, bounces, complaints).
2.4 Technical Data
We automatically collect IP addresses, browser type, device information, and session data for security purposes and to provide the Service.
2.5 Email Tracking Data
When you enable open and click tracking for campaigns, we collect the following signals from the recipient's open-pixel and click-redirect requests:
- IP address (used to derive country / city / region at the CDN edge);
- User-agent string (used to derive device class, OS, and email client name);
- Country, city, and region — derived from the IP via CDN edge headers (Cloudflare / Vercel);
- Approximate latitude and longitude — same source. These coordinates are not exposed in any workspace-facing UI or API response. They are retained on the underlying event record only for forensic and abuse-investigation purposes; only country / city / region are returned to the workspace owner;
- Bot / scanner classification — a flag indicating whether the open or click looks automated (corporate scanners, link previewers).
Each workspace exposes a “Recipient PII visibility” setting (Workspace → Settings → Webhooks) that controls whether the recipient's IP, full user-agent string, and country are returned in three places: (a) outbound email.opened / email.clicked webhook payloads, (b) the contact-drawer activity feed, and (c) form-submission analytics. New workspaces created on or after May 2026 default to OFF (privacy-aligned); workspaces created earlier default to ON so live integrations are not broken without notice. When the setting is OFF, country, device class, and OS remain visible to the workspace owner; the raw IP and full user-agent string do not.
2.6 Form Submission Data
When a visitor submits a form hosted by your workspace (signup forms, double-opt-in confirmations, landing pages), we store the submitted form fields plus the submitter's IP address. The IP is used for anti-spam (rate limiting, duplicate detection) and is visible to the workspace owner in the form analytics only when the workspace's “Recipient PII visibility” setting is on. When the setting is off, the IP is still stored for anti-spam purposes but is omitted from the workspace-facing analytics response.
2.7 Predictive Analytics
To help workspace owners decide who to email and when, the Service derives per-contact predictions from the workspace's own email-event log:
- Engagement decile (where this contact ranks against the rest of the workspace's contacts over the last 90 days of opens and clicks);
- Churn probability (a heuristic score from 0 to 1 derived from days dormant, open rate, click rate, and subscription status);
- Predicted next-open window (the weekday and UTC hour where the contact has historically opened most often).
These predictions are computed by deterministic math over data already collected by the Service. No generalized machine-learning models are trained, and no contact data is sent outside the platform for prediction. Predictions are refreshed nightly and stored as one row per contact, overwriting the previous row.
2.8 Workspace Recommendations and Insights
The Service generates workspace-level recommendations (for example, “these contacts qualify for a VIP segment” or “your automation has a rising exit rate”) by aggregating signals from the workspace's own data. No third-party data sources are used. Workspace admins may opt in to receive a monthly email digest of these recommendations from Workspace → Settings → General → Notifications. Opt-in is off by default and the digest is sent only to the workspace owner.
3. How We Use Your Information
We use the collected information to:
- Provide, maintain, and improve the Service
- Authenticate your identity and manage your account
- Process email campaigns and automations on your behalf
- Track email delivery, opens, clicks, bounces, and complaints
- Send system emails (verification, password reset, security alerts)
- Send notification emails based on your preferences
- Monitor for abuse and enforce our Acceptable Use Policy
- Generate aggregate analytics and system health metrics
- Maintain audit logs for security and compliance
4. Data Storage and Security
Your data is stored in a PostgreSQL database. We implement industry-standard security measures including:
- Password hashing with bcrypt
- HTTP-only, secure session cookies
- API key hashing with SHA-256
- Webhook signing with HMAC-SHA256
- Session expiration and automatic cleanup
- Email verification requirement
- Role-based access control
- Audit logging of administrative actions, with automatic redaction of credential-shaped values (passwords, tokens, API keys, OAuth client secrets, JWTs, AWS / GitHub / Stripe / OpenAI-shaped key patterns) so secrets cannot leak into the audit log even if a caller forgets to scrub them
- Per-IP and per-endpoint rate limits on all email tracking routes, login, registration, password reset, 2FA, public form submit, and outbound webhook delivery
- Tracking links are signed with HMAC and validated before redirect; bad-token requests return 400 / 410 rather than redirecting to attacker-supplied URLs
- Workspace-level “Recipient PII visibility” switch (Section 2.5) gates the disclosure of recipient IP / user-agent in outbound webhooks, in-app feeds, and form analytics
5. Email Infrastructure
EmailSendX operates as a “bring your own provider” platform. Emails are sent through the provider you configure — Amazon SES, a generic SMTP server, or your Google / Gmail account (via OAuth). We store your provider credentials (encrypted at rest) to send emails on your behalf. We do not access your provider accounts for any purpose other than sending emails you initiate and processing delivery webhooks.
If you opt in to the in-app inbox, EmailSendX connects to your mailbox over the standard IMAP protocol using credentials you supply directly (a Google App Password for Gmail accounts, or your IMAP username and password for other providers). IMAP credentials are stored encrypted at rest. While the inbox connection is active, we sync message content (subject, sender and recipient addresses, body, attachments, headers, and folder / thread identifiers) to our database so the inbox view, CRM activity log, and search work without re-fetching from your mail server on every page load. You can disconnect the inbox at any time from Workspace → Settings, which deletes the stored credentials and (within 30 days) the synced message content. We do not transfer mailbox content to third parties for advertising, training of generalized AI/ML models, or any purpose other than the user-facing features you have enabled.
6. Google User Data and Gmail Integration
If you connect a Google or Gmail account to EmailSendX, this section describes exactly what data we access, how we use it, and how we protect it. This section supplements — and in case of conflict, controls over — the rest of this Privacy Policy for data obtained from Google APIs.
6.1 Scopes We Request
When you authorize EmailSendX to connect your Google account via OAuth, we request the following OAuth scopes:
- https://www.googleapis.com/auth/gmail.send — required to send mail on your behalf via the Gmail API. We use this scope only to send outgoing mail you compose, schedule, or trigger from automations within EmailSendX. This scope does not permit reading, modifying, or deleting mail in your mailbox.
- email, profile — to identify the connected Google account (email address and basic profile) so you know which account is linked and can disconnect it later.
Inbox and CRM features that involve reading mail (for example, the in-app inbox view and automatic CRM activity logging) are not available through the Gmail API. If you choose to enable those features, EmailSendX connects to your mailbox over the standard IMAP protocol using a Google App Password that you generate yourself in your Google Account settings. IMAP is not a Google API; that connection therefore operates outside the Google API Services User Data Policy and uses no Gmail API scopes. The IMAP option is fully opt-in and is described under Section 5 (Email Infrastructure).
6.2 How We Use Google User Data
We use Google User Data obtained via the gmail.send scope solely to send outgoing email you initiate inside EmailSendX. Specifically:
- To send campaign emails, automation emails, replies, and test emails that you initiate from your workspace, from your connected Gmail address.
- To display the connected Gmail address in your workspace provider settings so you can verify and manage the connection.
- To refresh access tokens as needed to keep the connection working.
We do not read, index, or store the contents of your Gmail mailbox, inbox, drafts, labels, contacts, or any messages we did not send on your behalf via the Gmail API. We do not use Google user data for advertising, do not sell it, and do not use it to develop, improve, or train any generalized or non-personalized AI or machine-learning models.
6.3 Limited Use Disclosure
EmailSendX's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular, EmailSendX:
- Does not use Google User Data for serving advertisements.
- Does not sell Google User Data to third parties.
- Does not transfer Google User Data to third parties except as necessary to provide or improve user-facing features that are prominent in the user-facing interface of the application, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- Does not allow humans to read Google User Data except (a) with the user's explicit consent for specific messages, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
- Does not use Google User Data to develop, improve, or train generalized or non-personalized AI and/or machine-learning models.
6.4 Storage and Security of Google Credentials
Google OAuth refresh tokens and access tokens are stored encrypted in our database and are used only by our sending infrastructure to authenticate outbound mail as your connected Gmail address. Tokens are transmitted only over TLS. Access to production credentials is restricted to authorized personnel on a need-to-know basis.
6.5 Revoking Access
You can disconnect your Google account from EmailSendX at any time from Workspace → Settings → Providers. You can also revoke EmailSendX's access directly from your Google Account at https://myaccount.google.com/permissions. On revocation, we delete the stored refresh token and stop using the scope. Email you previously sent through EmailSendX, and the associated EmailSendX-side metadata (campaigns, open and click events), remain in your workspace unless you delete them separately.
6.6 Retention
We retain Google OAuth credentials for as long as the connection is active. When you disconnect the provider or delete your workspace/account, associated Google credentials are deleted within 30 days.
7. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We may share information only in these circumstances:
- With your consent: When you explicitly authorize sharing.
- Service providers: With third-party services that help us operate (hosting, database) under strict data processing agreements.
- Outbound webhooks: If a workspace admin configures an outbound webhook (Workspace → Settings → Webhooks), events such as email.opened and email.clicked are POSTed to the admin-supplied URL. The payload always includes platform identifiers (email ID, contact ID, campaign ID, URL clicked). Whether the recipient's IP address, user-agent, and country are included depends on the workspace's Recipient PII visibility setting (Section 2.5). All outbound webhooks are signed with HMAC-SHA256 using a per-webhook secret so the receiver can verify authenticity.
- Legal requirements: When required by law, legal process, or government request.
- Safety: To protect our rights, safety, and property, or that of our users.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate personal data
- Deletion: Request deletion of your account and associated data
- Export: Export your contacts and campaign data in JSON format
- Restrict processing: Request limitation of processing in certain circumstances
- Withdraw consent: Withdraw consent for optional data processing at any time
You can exercise most of these rights directly through the Service (Profile → Account settings, or Workspace → Settings → Data Export). For other requests, contact us at [email protected].
9. Your Contact Data
You upload contact data (email addresses, names, metadata) to manage your email marketing. You are the data controller for this contact data. We process it on your behalf as a data processor. You are responsible for:
- Obtaining proper consent to collect and use your contacts' personal data
- Providing a working unsubscribe mechanism (EmailSendX includes this automatically)
- Complying with applicable data protection laws (GDPR, CAN-SPAM, CASL, etc.)
- Responding to data subject requests from your contacts
10. Cookies and Tracking
We use session cookies for authentication purposes only. We do not use advertising cookies or third-party tracking. The esx_session cookie is HTTP-only and essential for the Service to function.
11. Data Retention
We retain your account data for as long as your account is active. Specific retention rules:
- Email events (opens, clicks, bounces) — retained according to the system configuration (default: 90 days for events, 365 days for email records). Approximate latitude / longitude (Section 2.5) lives on the underlying event record alongside country / city / region; it is never surfaced in any workspace UI or API.
- Contact predictions (Section 2.7) — refreshed nightly; each refresh overwrites the previous row. No prediction history is kept.
- Workspace recommendations (Section 2.8) — active recommendations live until dismissed, acted on, or the underlying signal disappears. Dismissed recommendations are kept for 30 days as a cooldown and then expire.
- Form submissions (Section 2.6) — submitter IPs are kept for anti-spam (currently uncapped; see GDPR / DSAR controls in Section 8 to request deletion of a specific submitter's data).
- Audit logs — append-only, retained for security and compliance review.
You can request deletion of your account at any time, after which data is permanently removed within 30 days. Workspace owners can also use the GDPR export and erase tools (Section 8) to act on individual contact requests.
12. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will take steps to delete it.
13. International Data Transfers
Your data may be processed in jurisdictions outside your country of residence. We ensure appropriate safeguards are in place for any international data transfers in compliance with applicable data protection laws.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at [email protected].