Privacy Policy

This Privacy Policy explains how EmailFlow AI collects, uses, discloses, and protects personal information when you use our websites, applications, APIs, and related services. We built EmailFlow AI on a simple promise: your data is yours. We use it to operate the service you pay for and for nothing else.

In this Policy, "EmailFlow AI", "we", "us", and "our" refer to EmailFlow AI and its affiliates. "You" refers to the person or organization using the service. The "Service" means our websites, web and mobile applications, APIs, email sending and automation infrastructure, AI features, and any related products or support. By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, do not use the Service.

1. The two roles your data can have

We process personal information in two distinct capacities, and the distinction matters because it determines who is responsible for the data:

• Customer data (we are the controller). This is information about you, our customer — the businesses and individuals who register, subscribe to a plan, and administer an account. We decide how and why this information is processed, so we act as the data controller for it.
• Subscriber data (we are the processor). This is information about your contacts — the recipients you upload, import, collect through forms, or email through the Service. You decide what to collect and why, so you are the data controller and we act as a data processor that handles this information solely on your documented instructions and on your behalf.

Where we act as a processor, the customer is responsible for having a lawful basis to collect and email their contacts, for honoring data subject requests from those contacts, and for providing those contacts with appropriate privacy notices. We will assist customers in meeting these obligations as described below and in our Data Processing Addendum.

2. Definitions

• "Personal information" (or "personal data") means any information relating to an identified or identifiable natural person, such as a name, email address, IP address, or online identifier.
• "Contact" or "Subscriber" means a person whose information a customer uploads to or collects through the Service.
• "Content" means the campaigns, templates, automations, images, copy, lists, custom fields, brand assets, and other materials you create, upload, or generate in the Service.
• "Sub-processor" means a third party we engage to help us provide the Service that may process personal information in doing so.

3. Information we collect

3.1 Information you provide directly

• Account and profile information — your name, email address, password (stored only as a salted hash), company or organization name, role, phone number, time zone, language, and similar details you provide when you register or update your profile.
• Billing and payment information — your billing name, billing address, tax identifiers, plan selection, and transaction history. Full payment card numbers are collected and stored by our PCI-compliant payment processors; we receive only limited information such as the card brand, the last four digits, and an authorization token.
• Content — the campaigns, templates, automations, brand assets, prompts, and other materials you create or upload.
• Subscriber data — the contact records you import or collect, which may include email addresses, names, and any custom fields, tags, or segmentation attributes you choose to store.
• Support and communications — the information you include when you contact support, respond to surveys, leave feedback, or otherwise communicate with us.

3.2 Information we collect automatically

• Usage and log data — pages and features accessed, actions taken, timestamps, referring and exit pages, and diagnostic data used to operate, secure, and improve the Service.
• Device and connection data — IP address, browser type and version, operating system, device identifiers, and approximate location derived from IP address.
• Cookies and similar technologies — see Section 6.
• Email engagement data — when you send a campaign, the Service generates metrics such as deliveries, opens, clicks, bounces, unsubscribes, and complaint reports. This data is processed on your behalf and surfaced to you as analytics.

3.3 Information from third parties

We may receive limited information from service providers that support authentication, payments, fraud prevention, and deliverability (for example, a payment processor confirming a charge, or a mailbox provider reporting a bounce). We combine this only as needed to operate the Service.

4. How we use information

We use personal information only for the following purposes:

• To provide, maintain, secure, and operate the Service, including authenticating you, processing transactions, and storing your Content.
• To send and route the email campaigns and automations you configure, and to generate the analytics associated with them.
• To process the AI requests you initiate, such as generating and editing emails, subject lines, images, and automations (see Section 5).
• To send you transactional, security, and account-related communications (for example, receipts, password resets, deliverability alerts, and service notices).
• To provide customer support and respond to your requests.
• To monitor for, investigate, and prevent fraud, abuse, and security incidents, and to enforce our Acceptable Use Policy and Terms of Service.
• To analyze and improve the Service, develop new features, and understand aggregate usage trends (using aggregated or de-identified data wherever possible).
• To comply with legal obligations, respond to lawful requests, and protect our rights, our users, and the public.

We do not use your Content or your subscribers' data for advertising, and we do not build advertising or marketing profiles about your contacts.

5. Artificial intelligence features

When you use AI features, the relevant inputs you provide — such as your prompt, the email or template you are editing, and any brand context you have configured — are processed by AI models to produce the output you requested. We process this data solely to fulfill your request and to operate, secure, and debug the feature.

• We do not sell your AI inputs or outputs.
• We do not use your Content to train third-party foundation models for their own general-purpose model development, and we contractually require our AI sub-processors not to use your inputs or outputs to train their models except as necessary to provide the feature to you.
• AI output may be inaccurate, incomplete, or unexpected. You are responsible for reviewing all output before relying on or sending it.

6. Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, remember your preferences, secure the Service, and understand how the Service is used. We use:

• Strictly necessary cookies required for the Service to function, including authentication and security.
• Preference cookies that remember your settings.
• Analytics cookies that help us understand aggregate usage so we can improve the Service.

You can control cookies through your browser settings. Disabling some cookies may affect the functionality of the Service. We honor browser-based privacy signals such as Global Privacy Control where required by law.

7. How we share and disclose information

As stated above, we never sell or rent personal information, and we never share it with third parties for their own marketing or advertising. We disclose personal information only in these limited circumstances:

• Sub-processors and infrastructure providers. We share information with carefully vetted vendors that provide hosting, storage, email transmission, AI processing, payment processing, fraud prevention, analytics, and customer support. These providers may process personal information only to perform services for us, under written contracts that require appropriate confidentiality and security and that prohibit them from using the data for their own purposes.
• At your direction. When you connect an integration or instruct us to send data to a third party, we share information as needed to fulfill that instruction.
• Legal and safety reasons. We may disclose information when we believe in good faith that it is required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of EmailFlow AI, our users, or the public, and to detect or prevent fraud, security, or technical issues.
• Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to the commitments in this Policy. We will provide notice before your information becomes subject to a materially different privacy policy.

We may also disclose aggregated or de-identified information that cannot reasonably be used to identify you.

8. Data retention

We retain personal information for as long as your account is active or as needed to provide the Service. When your account is closed, we delete or de-identify your Content and personal information within a commercially reasonable period, except where we are required or permitted to retain it to comply with legal obligations, resolve disputes, prevent fraud and abuse, and enforce our agreements. Backups containing residual data are purged on a rolling schedule. Customers can delete contacts and Content at any time within the Service; deletion requests propagate to our sub-processors.

9. Security

We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit, encryption of sensitive data at rest, access controls and least-privilege provisioning, network protections, logging and monitoring, and regular review of our practices. No method of transmission or storage is completely secure, so while we work hard to protect your information, we cannot guarantee its absolute security. You are responsible for keeping your credentials confidential and for enabling available account-security features.

10. Your privacy rights

Depending on where you live, you may have some or all of the following rights regarding your personal information:

• The right to access and obtain a copy of the personal information we hold about you.
• The right to correct inaccurate or incomplete personal information.
• The right to delete your personal information.
• The right to restrict or object to certain processing.
• The right to data portability.
• The right to withdraw consent where processing is based on consent.
• The right to opt out of the "sale" or "sharing" of personal information and of targeted advertising — though we do not sell or share personal information, and we do not engage in targeted advertising.
• The right to lodge a complaint with a supervisory authority.

To exercise your rights, contact us at privacy@emailflow.ai. We will respond within the time required by applicable law and will not discriminate against you for exercising your rights. If your request concerns subscriber data for which a customer is the controller, we will refer the request to the relevant customer and assist them in responding. We may need to verify your identity before acting on a request, and you may use an authorized agent where the law permits.

11. Legal bases for processing (EEA/UK)

Where the GDPR or UK GDPR applies, we process personal information on the following legal bases: performance of a contract (to provide the Service you request), legitimate interests (to secure, operate, and improve the Service in ways that are not overridden by your rights), consent (where we ask for it, such as for certain cookies), and compliance with legal obligations. Where we act as a processor, the customer is responsible for establishing the legal basis for processing subscriber data.

12. International data transfers

We operate globally, and your information may be processed and stored in countries other than the one in which you reside, including the United States. These countries may have data-protection laws different from those in your country. Where we transfer personal information across borders, we rely on appropriate safeguards required by applicable law, such as the European Commission's Standard Contractual Clauses, the UK Addendum, and equivalent mechanisms, together with supplementary measures where appropriate.

13. Children's privacy

The Service is intended for businesses and is not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will take steps to delete it.

14. Third-party links and integrations

The Service may contain links to, or integrations with, third-party websites and services that we do not control. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third party you interact with.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will post the revised Policy with an updated "Last updated" date and, where appropriate, provide additional notice (such as by email or an in-app notice). Your continued use of the Service after the changes take effect constitutes acceptance of the revised Policy.

16. How to contact us

If you have questions, concerns, or requests regarding this Policy or your personal information, contact our privacy team at privacy@emailflow.ai. For data protection matters, including requests under the GDPR, UK GDPR, or comparable laws, you may also reach our data protection contact at dpo@emailflow.ai. We will work in good faith to resolve any concern you bring to us.