Privacy Policy

Last updated: April 18, 2026

1. Introduction

EmailSendX (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our email marketing platform (“the Service”).

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). We may also collect your timezone preference and notification settings.

2.2 Workspace Data

Workspace data is the data you upload to your workspaces, including contact lists (email addresses, names, metadata), email templates, campaign content, and automation configurations. This data belongs to you.

2.3 Usage Data

We collect information about how you use the Service, including pages visited, features used, campaigns sent, and email delivery statistics (opens, clicks, bounces, complaints).

2.4 Technical Data

We automatically collect IP addresses, browser type, device information, and session data for security purposes and to provide the Service.

2.5 Email Tracking Data

When you enable open and click tracking for campaigns, we collect IP addresses and user agent information from email recipients. This data is associated with the email event and stored in your workspace.

3. How We Use Your Information

We use the collected information to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Process email campaigns and automations on your behalf
  • Track email delivery, opens, clicks, bounces, and complaints
  • Send system emails (verification, password reset, security alerts)
  • Send notification emails based on your preferences
  • Monitor for abuse and enforce our Acceptable Use Policy
  • Generate aggregate analytics and system health metrics
  • Maintain audit logs for security and compliance

4. Data Storage and Security

Your data is stored in a PostgreSQL database. We implement industry-standard security measures including:

  • Password hashing with bcrypt
  • HTTP-only, secure session cookies
  • API key hashing with SHA-256
  • Webhook signing with HMAC-SHA256
  • Session expiration and automatic cleanup
  • Email verification requirement
  • Role-based access control
  • Audit logging of administrative actions

5. Email Infrastructure

EmailSendX operates as a “bring your own provider” platform. Emails are sent through the provider you configure — Amazon SES, a generic SMTP server, or your Google / Gmail account (via OAuth). We store your provider credentials (encrypted at rest) to send emails on your behalf. We do not access your provider accounts for any purpose other than sending emails you initiate and processing delivery webhooks.

6. Google User Data and Gmail Integration

If you connect a Google or Gmail account to EmailSendX, this section describes exactly what data we access, how we use it, and how we protect it. This section supplements — and in case of conflict, controls over — the rest of this Privacy Policy for data obtained from Google APIs.

6.1 Scopes We Request

When you authorize EmailSendX to connect your Google account, we request the following OAuth scopes:

  • https://mail.google.com/ — required to send mail on your behalf via SMTP (XOAUTH2). We use this scope only to send outgoing mail that you compose or schedule within EmailSendX.
  • email, profile — to identify the connected Google account (email address and basic profile) so you know which account is linked and can disconnect it later.

6.2 How We Use Google User Data

We use Google User Data solely to provide the email-sending features you explicitly request inside EmailSendX. Specifically:

  • To send campaign emails, automation emails, and test emails that you initiate from your workspace.
  • To display the connected Gmail address in your workspace provider settings so you can verify and manage the connection.
  • To refresh access tokens as needed to keep the connection working.

We do not read, index, or store the contents of your Gmail mailbox, inbox, drafts, labels, contacts, or any messages we did not send on your behalf.

6.3 Limited Use Disclosure

EmailSendX's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In particular, EmailSendX:

  • Does not use Google User Data for serving advertisements.
  • Does not sell Google User Data to third parties.
  • Does not transfer Google User Data to third parties except as necessary to provide or improve user-facing features that are prominent in the user-facing interface of the application, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
  • Does not allow humans to read Google User Data except (a) with the user's explicit consent for specific messages, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
  • Does not use Google User Data to develop, improve, or train generalized or non-personalized AI and/or machine-learning models.

6.4 Storage and Security of Google Credentials

Google OAuth refresh tokens and access tokens are stored encrypted in our database and are used only by our sending infrastructure to authenticate outbound mail as your connected Gmail address. Tokens are transmitted only over TLS. Access to production credentials is restricted to authorized personnel on a need-to-know basis.

6.5 Revoking Access

You can disconnect your Google account from EmailSendX at any time from Workspace → Settings → Providers. You can also revoke EmailSendX's access directly from your Google Account at https://myaccount.google.com/permissions. On revocation, we delete the stored refresh token and stop using the scope. Any previously delivered email and associated metadata (campaigns, open/click events you recorded) remain in your workspace unless you delete them separately.

6.6 Retention

We retain Google OAuth credentials for as long as the connection is active. When you disconnect the provider or delete your workspace/account, associated Google credentials are deleted within 30 days.

7. Data Sharing

We do not sell, trade, or rent your personal information to third parties. We may share information only in these circumstances:

  • With your consent: When you explicitly authorize sharing
  • Service providers: With third-party services that help us operate (hosting, database) under strict data processing agreements
  • Legal requirements: When required by law, legal process, or government request
  • Safety: To protect our rights, safety, and property, or that of our users

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update or correct inaccurate personal data
  • Deletion: Request deletion of your account and associated data
  • Export: Export your contacts and campaign data in JSON format
  • Restrict processing: Request limitation of processing in certain circumstances
  • Withdraw consent: Withdraw consent for optional data processing at any time

You can exercise most of these rights directly through the Service (Profile → Account settings, or Workspace → Settings → Data Export). For other requests, contact us at support@emailsendx.com.

9. Your Contact Data

You upload contact data (email addresses, names, metadata) to manage your email marketing. You are the data controller for this contact data. We process it on your behalf as a data processor. You are responsible for:

  • Obtaining proper consent to collect and use your contacts' personal data
  • Providing a working unsubscribe mechanism (EmailSendX includes this automatically)
  • Complying with applicable data protection laws (GDPR, CAN-SPAM, CASL, etc.)
  • Responding to data subject requests from your contacts

10. Cookies and Tracking

We use session cookies for authentication purposes only. We do not use advertising cookies or third-party tracking. The esx_session cookie is HTTP-only and essential for the Service to function.

11. Data Retention

We retain your account data for as long as your account is active. Email event data (opens, clicks, bounces) is retained according to the system configuration (default: 90 days for events, 365 days for email records). You can request deletion of your account at any time, after which data is permanently removed within 30 days.

12. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will take steps to delete it.

13. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence. We ensure appropriate safeguards are in place for any international data transfers in compliance with applicable data protection laws.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at support@emailsendx.com.