1. Scope
This Privacy Policy describes how Sendr365 (“Sendr365”, “we”, “our”) collects, uses, and protects information when you use the platform at sendr365.com and the related dashboard, APIs, and SMTP relay (collectively the “Service”).
2. What we collect
- Account data: business email address, display name, workspace name, hashed password (argon2id with a server-side pepper), optional 2FA secret (AES-256-GCM encrypted at rest).
- Send metadata: recipient address, message ID, send timestamp, delivery / open / click / bounce status. Required to operate the Service and produce the analytics shown in your dashboard.
- Email content: the HTML / text body, subject line, and headers of messages you send through Sendr365 transit our infrastructure for the time needed to deliver them. We do not retain message bodies after delivery attempts complete.
- Billing data: payment-provider transaction IDs from NOWPayments (and historically Razorpay). We never see or store card numbers, wallet private keys, or seed phrases.
- Operational logs: IP address, user-agent, and timestamps for signup / login / password change / 2FA toggle / API key use, retained for a maximum of 90 days for security and abuse-prevention purposes.
3. How we use your data
- To operate, secure, and improve the Service.
- To bill you for plans, credits, and overages.
- To send you transactional product email (account verification, billing, security alerts).
- To investigate abuse, fraud, and Acceptable Use violations.
- To meet legal, regulatory, and tax obligations.
4. Marketing communications
We may send occasional product-update or onboarding email to your account address. You can opt out from in-product preferences or by replying “unsubscribe” to any marketing message. Critical service announcements (billing, security incidents, breaking changes) cannot be opted out of while you have an active account.
5. What we do NOT do
- We do not sell your personal data, full stop.
- We do not share your contact lists, mailing-list content, or send analytics with any third party for their own marketing purposes.
- We do not place ad-tracking pixels in your transactional emails.
- We do not run third-party analytics, ad-tech, or session replay on the dashboard.
6. Sub-processors
We rely on the following infrastructure providers to operate the Service. Each handles only the data necessary for its specific function:
- VPS host (Ultahost, EU): stores your database (Postgres) and runs the application. Data-at-rest disk encryption.
- Resend (US): upstream MTA that performs the actual outbound delivery. Receives recipient addresses + message bodies in transit.
- NOWPayments: crypto payment processor. Handles your wallet/payment session; we receive only the transaction status + ID.
- Cloudflare: CDN, DNS, and DDoS mitigation in front of
sendr365.comtraffic.
We will update this list whenever a new sub-processor is added. Material changes will be notified by email and an in-product banner at least 14 days in advance.
7. Data storage & security
- Passwords are hashed with argon2id (memory cost 64 MiB, 3 iterations) plus a server-side pepper.
- 2FA TOTP secrets are encrypted at rest with AES-256-GCM.
- All public traffic to
sendr365.comand SMTP submission is encrypted in transit (TLS 1.2+ on HTTPS, STARTTLS / implicit TLS on SMTP 587/465). - Refresh-token cookies are
httpOnly,SameSite=Lax, andSecurein production. - We follow the principle of least privilege internally — admin actions are recorded in an immutable audit log.
8. Your rights
Depending on your jurisdiction (GDPR / UK GDPR / CCPA / DPDPA / UAE PDPL / etc.) you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (subject to legal-retention exceptions).
- Export your data in a portable format.
- Object to or restrict certain processing activities.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email [email protected]. We respond within 30 days (or sooner where required by your jurisdiction's law).
9. Cookies
We use essential first-party cookies only:
- Refresh-token cookie (
mf_rt): scoped tosendr365.com,httpOnly,SameSite=Lax,Secure. Used to maintain your session.
No third-party analytics or advertising cookies are set.
10. Data retention
- Account + billing data: retained while your account is active and 30 days post-deletion.
- Send metadata: retained 90 days for analytics; aggregates kept indefinitely without identifiers.
- Operational security logs: 90 days.
- Records required by tax / legal obligations: as long as the law requires (typically 7 years).
11. International transfers
Your data may be processed outside your country of residence (e.g., the EU host, the US for Resend). We rely on standard contractual clauses and the underlying providers' regional commitments. If you require a Data Processing Agreement, contact [email protected].
12. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact us and we will delete it.
13. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and an in-product banner at least 30 days before they take effect.
14. Contact
Privacy / data-protection questions: [email protected].
